CVE-2013-4788 - Eglibc PTR MANGLE vulnerability

Authors: Hector Marco & Ismael Ripoll CVE: CVE-2013-4788 Dates: March 2013 - Discovered the vulnerability

Description

Impact

Vulnerable packages

Vulnerability

Exploit

$ gcc poc-bug-mangle.c -o poc-bug-mangle -static

$ gcc poc-bug-mangle.c -o poc-bug-mangle_32 -static -m32 $ gcc poc-bug-mangle.c -o poc-bug-mangle_64 -static -m64

$ ./poc-bug-mangle_32 [+] Exploiting ... [+] hacked !! $

$ arm-linux-gnueabi-gcc poc-bug-mangle.c -o poc-bug-mangle_arm -static

$ qemu-arm ./poc-bug-mangle_arm [+] Exploiting ... [+] hacked !! $

FIX

diff -rupN glibc-2.17/csu/libc-start.c glibc-2.17-mangle-fix/csu/libc-start.c --- glibc-2.17/csu/libc-start.c 2012-12-25 04:02:13.000000000 +0100 +++ glibc-2.17-mangle-fix/csu/libc-start.c 2013-07-10 00:13:48.000000000 +0200 @@ -38,6 +38,12 @@ extern void __pthread_initialize_minimal in thread local area. */ uintptr_t __stack_chk_guard attribute_relro; # endif + +# ifndef THREAD_SET_POINTER_GUARD +uintptr_t __pointer_chk_guard_local + attribute_relro attribute_hidden __attribute__ ((nocommon)); +# endif + #endif #ifdef HAVE_PTR_NTHREADS @@ -184,6 +190,14 @@ LIBC_START_MAIN (int (*main) (int, char # else __stack_chk_guard = stack_chk_guard; # endif + uintptr_t pointer_chk_guard = _dl_setup_pointer_guard (_dl_random, + stack_chk_guard); +# ifdef THREAD_SET_POINTER_GUARD + THREAD_SET_POINTER_GUARD (pointer_chk_guard); +# else + __pointer_chk_guard_local = pointer_chk_guard; +# endif + #endif /* Register the destructor of the dynamic linker if there is any. */

$ wget http://hmarco.org/bugs/patches/ptr_mangle-eglibc-2.17.patch $ cd glibc-2.17 $ patch -p1 < ../ptr_mangle-eglibc-2.17.patch

Discussion