Stack Crash flaw blows local root hole in loads of Linux programs
Linux and Unix operators are about to have their emergency bug-patching skills put to the test after security researchers at Qualys spotted an old problem that has refused to go away quietly.
The “Stack Crash” issue occurs when an application’s stack grows so large that it collides with another memory region, allowing an attacker to overwrite that region (or the stack itself) and either run code or crash the system. It was picked up last month by the Qualys team, which held off disclosing the flaw until patches were in the works.
The issue was first noted by security researcher Gaël Delalleau in 2005 and resurfaced in 2010 when another researcher, Rafal Wojtczuk, found similar problems with an Xorg server running on Linux. Fixes were issued after both discoveries.
That the problem could return has been known for a while because, as Qualys writes, “The only public exploits are Gaël Delalleau’s and Rafal Wojtczuk’s, and they were written before Linux introduced a protection against stack-clashes (a “guard-page” mapped below the stack).”
It now looks like stack clashes remain possible despite Linux adding protections.
“In this advisory, we show that stack clashes are widespread in user space, and exploitable despite the stack guard-page,” Qualys’ researchers write. “We discovered multiple vulnerabilities in guard-page implementations, and devised general methods for:
- ‘Clashing’ the stack with another memory region: we allocate memory until the stack reaches another memory region, or until another memory region reaches the stack.
- ‘Jumping’ over the stack guard-page: we move the stack-pointer from the stack and into the other memory region, without accessing the stack guard-page.
- ‘Smashing’ the stack, or the other memory region: we overwrite the stack with the other memory region, or the other memory region with the stack.”
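To make the “clashing” condition above concrete from a defender’s side, here is an added example written for this page (it is not Qualys’ code and not part of the article). It parses text in the format of Linux’s /proc/<pid>/maps, locates the [stack] mapping and measures how many bytes separate it from the nearest mapping below; a gap of a single 4 KiB page is exactly the situation the advisory describes. The sample maps text, the 1 MiB MIN_GAP_BYTES threshold and all function names are assumptions made for this example.

```c
/* stack_gap_check.c: added example for this page, not from the article or
 * from Qualys. Parses /proc/<pid>/maps-style text and reports the distance
 * between the main thread's [stack] mapping and the nearest mapping below it. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_MAPS 4096
#define MIN_GAP_BYTES (1024UL * 1024UL)  /* assumed threshold for this example: 1 MiB */

struct mapping { uintptr_t start, end; int is_stack; };

/* Parse maps-format text (one "start-end perms ..." line per mapping).
 * Lines that do not begin with a hex address range are skipped. */
size_t parse_maps(const char *text, struct mapping *out, size_t max) {
    size_t n = 0;
    const char *p = text;
    while (*p && n < max) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        if (len >= sizeof line) len = sizeof line - 1;   /* truncate very long lines */
        memcpy(line, p, len);
        line[len] = '\0';
        unsigned long s, e;
        if (sscanf(line, "%lx-%lx", &s, &e) == 2) {
            out[n].start = (uintptr_t)s;
            out[n].end = (uintptr_t)e;
            out[n].is_stack = strstr(line, "[stack]") != NULL;
            n++;
        }
        p = nl ? nl + 1 : p + len;
    }
    return n;
}

/* Bytes between the end of the highest mapping below [stack] and the stack's
 * lowest address; 0 if there is no [stack] entry or nothing lies below it. */
uintptr_t stack_gap(const struct mapping *m, size_t n) {
    uintptr_t stack_start = 0, below = 0;
    for (size_t i = 0; i < n; i++)
        if (m[i].is_stack) { stack_start = m[i].start; break; }
    if (stack_start == 0) return 0;
    for (size_t i = 0; i < n; i++)
        if (!m[i].is_stack && m[i].end <= stack_start && m[i].end > below)
            below = m[i].end;
    return below ? stack_start - below : 0;
}

/* Convenience wrapper: parse maps text and return its stack gap in bytes. */
uintptr_t stack_gap_from_text(const char *text) {
    static struct mapping maps[MAX_MAPS];
    size_t n = parse_maps(text, maps, MAX_MAPS);
    return stack_gap(maps, n);
}

/* Constructed sample: a writable mapping ends one page (4 KiB) below the stack. */
const char *SAMPLE_TIGHT =
    "00400000-00401000 r-xp 00000000 08:01 1234    /tmp/demo\n"
    "7ffd12200000-7ffd12344000 rw-p 00000000 00:00 0\n"
    "7ffd12345000-7ffd12366000 rw-p 00000000 00:00 0    [stack]\n"
    "7ffd123ff000-7ffd12401000 r-xp 00000000 00:00 0    [vdso]\n";

/* Constructed sample: the nearest mapping ends 2 MiB below the stack. */
const char *SAMPLE_WIDE =
    "00400000-00401000 r-xp 00000000 08:01 1234    /tmp/demo\n"
    "7ffd12000000-7ffd12145000 rw-p 00000000 00:00 0\n"
    "7ffd12345000-7ffd12366000 rw-p 00000000 00:00 0    [stack]\n";

int main(void) {
    /* Live check on Linux: measure this process's own stack gap. */
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) { perror("/proc/self/maps"); return 1; }
    static char buf[1 << 20];
    size_t got = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[got] = '\0';
    uintptr_t gap = stack_gap_from_text(buf);
    printf("free space below [stack]: %lu bytes (%s assumed %lu-byte threshold)\n",
           (unsigned long)gap, gap >= MIN_GAP_BYTES ? "at or above" : "below",
           (unsigned long)MIN_GAP_BYTES);
    return 0;
}
```

The number this reports is the free space below the main stack at the moment of measurement, not the guard gap the kernel enforces: a large value does not prove the kernel refuses to place mappings there, but a value of a single page shows the clashing condition already exists. Threads' stacks are ordinary anonymous mappings without the [stack] label, so they are not covered by this check.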
The team found 14 exploits or proofs-of-concept for the flaw that affected Linux, OpenBSD, NetBSD, FreeBSD and Solaris on i386 or AMD64 architectures. Fixes have already been issued or are coming soon.
All of the examples allow local privilege escalation on a Linux or UNIX system, giving an attacker what they need to turn a minor flaw into a very major problem. As far as the researchers know, these can’t be executed remotely, but they aren’t sure of that and more testing is needed.
via The Register – Security http://ift.tt/2jCNZ5O
June 19, 2017 at 09:21PM