Source: myhack58 | Author: 佚名 (Anonymous) | ID: MYHACK58:62201783974
History: Mar 05, 2017 - 12:00 a.m.

How to bypass ASLR with the CVE-2015-7547 (GLIBC getaddrinfo) vulnerability - Exploit Warning - Black Bar Safety Net

2017-03-05 00:00:00 | 佚名 (Anonymous) | www.myhack58.com | 238

CVSS3: 8.1 High
Attack Vector: NETWORK | Attack Complexity: HIGH | Privileges Required: NONE | User Interaction: NONE | Scope: UNCHANGED | Confidentiality Impact: HIGH | Integrity Impact: HIGH | Availability Impact: HIGH
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 6.8 Medium
Access Vector: NETWORK | Access Complexity: MEDIUM | Authentication: NONE | Confidentiality Impact: PARTIAL | Integrity Impact: PARTIAL | Availability Impact: PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P

EPSS: 0.975 High | Percentile: 100.0%


0x01 Introduction

On 16 February 2016, Google disclosed a critical buffer overflow vulnerability in the GLIBC library, triggered in the getaddrinfo() function, and published a PoC alongside it. Building on that, this article shows how CVE-2015-7547 can be used to bypass ASLR.

0x02 Vulnerability description

The getaddrinfo() function resolves a host name and service name into addrinfo structures by querying the DNS service.


In the getaddrinfo() implementation, the DNS response is received into a buffer allocated on the stack with alloca(). The function first reserves a region of stack space for the DNS response; if the response is too large, it allocates a heap buffer for the response instead. But when the code switches to the newly allocated heap buffer, the old stack buffer is not retired in time and is still used. This dangling pointer leads to a classic buffer overflow.

ASLR? ASLR!

In the case above, the vulnerability lets us overwrite the return address of getaddrinfo(), but what should we overwrite it with? On a system with ASLR enabled, module addresses are randomized, so the attacker cannot simply redirect control flow to a pre-chosen address.

fork()

fork() is the Linux call for creating a new process. A typical way of using fork() is described below:


A forked child process runs the same code as its parent; the only difference is the pid, and the child's pid is what fork() returns. In contrast to code reuse under Windows, this means that the child process shares many characteristics with its parent: the same register state, stack and memory layout.
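To see the property this section relies on, here is an added Python example (not from the original article) that reads the address of glibc's getaddrinfo() in the parent, in a fork()ed child, and in a freshly exec'd interpreter; it assumes a Linux-like system where ctypes can load libc. The forked child reports the same address as its parent, while a new exec gets its own ASLR layout, which is why a fork+exec per-connection design does not share this weakness.

```python
import ctypes
import ctypes.util
import os
import subprocess
import sys

# Load the C library (assumes a glibc/Linux-like system reachable via ctypes).
_LIBC_NAME = ctypes.util.find_library("c") or "libc.so.6"
# Code run inside a freshly exec'd interpreter to report its view of getaddrinfo().
_PROBE = (
    "import ctypes;"
    f"l = ctypes.CDLL({_LIBC_NAME!r});"
    "print(ctypes.cast(l.getaddrinfo, ctypes.c_void_p).value)"
)


def getaddrinfo_address():
    """Address of glibc's getaddrinfo() as mapped in the calling process."""
    libc = ctypes.CDLL(_LIBC_NAME)
    return ctypes.cast(libc.getaddrinfo, ctypes.c_void_p).value


def address_in_forked_child():
    """fork() a child and have it report where it sees getaddrinfo().
    The child inherits the parent's address space, so this equals the parent's value."""
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:  # child: report and leave without running parent cleanup code
        os.close(r)
        os.write(w, str(getaddrinfo_address()).encode())
        os._exit(0)
    os.close(w)
    data = b""
    while chunk := os.read(r, 64):
        data += chunk
    os.close(r)
    os.waitpid(pid, 0)
    return int(data)


def address_after_exec():
    """Start a new interpreter (fork + exec) and read its view of getaddrinfo().
    A new exec gets fresh ASLR bases, so with ASLR enabled this normally differs
    from the parent's value: re-exec'ing per connection breaks the shared layout."""
    out = subprocess.run([sys.executable, "-c", _PROBE],
                         capture_output=True, text=True, check=True)
    return int(out.stdout.strip())


def forked_child_shares_layout():
    """True: the condition the forking-server scenario relies on."""
    return address_in_forked_child() == getaddrinfo_address()
```

Whether address_after_exec() differs from the parent depends on the host's ASLR setting, so only the fork equality is a fixed expectation.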

0x03 Program flow example

Consider a server application that operates as follows:


1. A client connects remotely to the application.

2. The application forks a child process to respond to the client request.

3. While handling the client request, the child process uses getaddrinfo() to resolve a host name, which sends a DNS request to its DNS server.

4. The DNS server returns a legitimate response to the DNS request.

5. The child process continues and connects to the resolved host.

Each time the main process handles a request, it forks its own child process. By the description above, this means that all child processes share the same memory layout, including the load addresses of modules. This scenario is very common for many services (e.g. HTTP proxies, mail servers or DNS servers).

0x04 Attack process example

For the attack we assume that the attacker is able to answer any DNS request made by the victim. This can be achieved entirely through ARP spoofing or DNS spoofing. The attack scenario is as follows:


1. The attacker constructs a request and sends it to the victim server.

2. To respond to the attacker's request, the victim server daemon forks a child process.

3. The child process handles the request and issues a DNS request.

4. The attacker replies with a malicious DNS response that overwrites the child process's return address; here we set it to 0x12121212.

5. The attacker waits for the child process to initiate the TCP back-connection with connect().

If 0x12121212 really is the correct return address of getaddrinfo(), the process keeps running normally and initiates a TCP connection via connect().


If this is not the case, i.e. the attacker wrote any other address as the return address, the application crashes with a segmentation fault or by executing an invalid instruction.


This gives a way to decide whether an address is the return address of getaddrinfo(): if the address is correct, a TCP connection is successfully established. Since the module base addresses are not re-randomized across child processes (the shared memory layout mentioned earlier), the address is the same in every child process. An attacker can therefore try each possible address in turn, and the one that leads to an established TCP connection is the correct one.

However, locating the base address this way would require guessing up to 2^64 addresses, which is of little practical use.

Byte-by-byte approach

Instead, an attacker can overwrite only one byte at a time. For example, assume that getaddrinfo() returns to the address 0x00007fff01020304:


First we overwrite the least significant byte (LSB) of getaddrinfo()'s return address, here with 0x00. Under the assumption that the return address is 0x00007fff01020304, overwriting the lowest byte with 0x00 changes it to 0x00007fff01020300; since that is an invalid address, the program crashes when the function returns. We then repeat the operation, incrementing the LSB by 1 each time (0x00 first, then 0x01, then 0x02, ...). When the LSB reaches 0x04, the return address is once again the correct 0x00007fff01020304, the program does not crash, and a TCP connection is established. The value of the lowest byte is thereby determined.
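As an added defender-side example (not part of the original article), the following Python detector reads kernel segfault lines from syslog and flags a program whose distinct child processes crashed at instruction pointers differing only in the lowest byte, which is the trail that the byte-by-byte guessing described above leaves behind. The log lines are constructed, and the program name srv and the crash threshold are assumptions.

```python
import re
from collections import defaultdict

# Kernel segfault lines as they appear in syslog/dmesg. The "ip" field is the
# faulting instruction pointer; when a guessed return address is wrong, it is
# that guess, so failed guesses leave ips that differ only in the low byte.
SEGFAULT_RE = re.compile(
    r"(?P<prog>[\w.\-]+)\[(?P<pid>\d+)\]: segfault at \S+ ip (?P<ip>[0-9a-f]+) "
    r"sp \S+ error \d+"
)

# Constructed sample log (not real captured data): a forking server "srv" whose
# children die at 0x...300, 0x...301, 0x...302, plus unrelated noise.
SAMPLE_LOG = """\
kernel: srv[4101]: segfault at 7fff01020300 ip 00007fff01020300 sp 00007ffdc0ffee00 error 14
sshd[812]: Accepted publickey for ops from 10.0.0.5 port 50112
kernel: srv[4102]: segfault at 7fff01020301 ip 00007fff01020301 sp 00007ffdc0ffee00 error 14
kernel: editor[2200]: segfault at 0 ip 0000560c2a3b4c10 sp 00007ffe11112222 error 4 in editor[560c2a3a0000+40000]
kernel: srv[4103]: segfault at 7fff01020302 ip 00007fff01020302 sp 00007ffdc0ffee00 error 14
"""


def parse_segfaults(lines):
    """Yield (program, pid, ip) for every kernel segfault line."""
    for line in lines:
        m = SEGFAULT_RE.search(line)
        if m:
            yield m.group("prog"), int(m.group("pid")), int(m.group("ip"), 16)


def find_return_address_bruteforce(lines, min_crashes=3):
    """Flag programs whose distinct child processes crashed at instruction
    pointers sharing all but the lowest byte: the signature of a byte-by-byte
    return-address guess against a forking server. Returns {prog: summary}."""
    by_prog = defaultdict(list)
    for prog, pid, ip in parse_segfaults(lines):
        by_prog[prog].append((pid, ip))
    findings = {}
    for prog, crashes in by_prog.items():
        pids = {pid for pid, _ in crashes}
        prefixes = {ip >> 8 for _, ip in crashes}
        low_bytes = sorted({ip & 0xFF for _, ip in crashes})
        if len(pids) >= min_crashes and len(prefixes) == 1 and len(low_bytes) >= min_crashes:
            findings[prog] = {
                "crashed_pids": len(pids),
                "ip_prefix": f"0x{prefixes.pop():x}00",
                "low_bytes_tried": low_bytes,
            }
    return findings


if __name__ == "__main__":
    print(find_return_address_bruteforce(SAMPLE_LOG.splitlines()))
```

A single unrelated crash (the editor line) is ignored; only a burst of distinct children of the same program dying at consecutive low-byte addresses is reported.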
