Source: www.myhack58.com (MYHACK58:62201787358), author 佚名 (Anonymous), June 25, 2017

Stack Clash vulnerability in Linux may let attackers gain local root privileges


Last month, security researchers at Qualys found a vulnerability they call "Stack Clash" in a range of Unix-based systems. It could allow an attacker to gain root privileges on a UNIX system and take over the machine. The researchers who discovered the flaw are working with the various vendors to publish fixes as soon as possible.
According to the Qualys researchers, the issue affects many UNIX systems, including Linux, OpenBSD, NetBSD, FreeBSD and Solaris. The researchers tested Stack Clash only on the i386 and amd64 platforms and do not rule out that other vendors and platforms are affected as well.
In fact, the problem was first discovered as early as 2005, after which Linux introduced the stack guard page as a protection mechanism. The core of the current vulnerability is still the issue known since 2005: it was patched then, found and patched again in 2010, and has now been discovered for a third time.
What is the Stack Clash vulnerability?
The problem concerns the memory stack: the stack is the region of RAM that an application uses while executing its code. As an application grows, the memory region it occupies grows with it.
The problem arises when a stack grows too much, that is, so close to another memory region of the process that the two can be confused. If the application's stack reaches the heap memory, and an attacker can inject data and then manipulate the information stored on the stack, the attacker can overwrite part of the stack and hijack the application's flow of execution, and may even reach more important data structures.
From 2005 to 2010 and again in 2017, researchers have repeatedly found ways to fool the operating system through this stack behaviour. Qualys has disclosed a proof of concept for the vulnerability (see the original report), in which low-level code jumps from the memory stack of a malicious application into the memory area of a legitimate application that has root privileges.
The present research found that a stack clash can still be exploited by attackers: although the stack guard page mechanism now exists, the researchers still found a variety of exploitation methods, as follows:

  1. Clash the stack with another memory region: allocate memory until the stack collides with the other region.
  2. Bypass the stack guard page: move the stack pointer from the stack into another memory region without touching the guard page.
  3. Smash the stack or the other memory region: overwrite the original stack data with the other memory region, or the other way round.
Vulnerabilities
The research team says it produced 14 vulnerabilities with corresponding proof-of-concept exploits for Linux, OpenBSD, NetBSD, FreeBSD and Solaris systems.
The affected software includes Sudo on Debian, Ubuntu and CentOS; Exim on Debian; rsh on Solaris 11; and others. Red Hat Enterprise Linux 5 through 7, Enterprise MRG 2.5, Red Hat Virtualization and RHEL Atomic Host are also affected by Stack Clash.
Further research
At present, carrying out this attack requires local access; no remote attack method is known. The current way of exploiting this vulnerability is a classic elevation-of-privilege (EoP) attack. Since an EoP issue requires the attacker to have already broken into the user's system, it would not normally be considered a critical problem.
Qualys said it will disclose the PoC exploits for Stack Clash on the various operating systems later. All of the PoCs require local access, but the researchers do not rule out that in some cases an attacker could use Stack Clash remotely, for example through an HTTP request or JavaScript code.
Vendor response
Red Hat has already released security patches for the Stack Clash vulnerability, and Qualys says other vendors will soon follow with corresponding patches.
If updating is not possible, operating system administrators can set RLIMIT_STACK and RLIMIT_AS for local users and remote services to reasonably low values. Such a setting reduces the memory available to applications, however, and may therefore have an unintended effect on the machine's performance.
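As an added example that is not part of the original article, the following POSIX shell functions apply the RLIMIT_STACK and RLIMIT_AS workaround described above; the limits.conf lines, the numeric values and the service path are illustrative assumptions, not values from the article.

```shell
#!/bin/sh
# Added example, not from the original article: applying the
# RLIMIT_STACK / RLIMIT_AS workaround from a POSIX shell. ulimit takes
# and reports these limits in KiB. All values below are illustrative.
#
# For local user accounts the same limits are usually set through
# pam_limits in /etc/security/limits.conf, for example:
#   *   hard   stack   8192       # RLIMIT_STACK capped at 8 MiB
#   *   hard   as      4194304    # RLIMIT_AS capped at 4 GiB

# Report the soft stack limit (KiB) that results from capping it at $1.
# The change is made in a subshell so the caller's limits stay untouched.
capped_stack_kib() {
    ( ulimit -S -s "$1" && ulimit -S -s )
}

# Report the soft address-space limit (KiB) after capping it at $1.
capped_as_kib() {
    ( ulimit -S -v "$1" && ulimit -S -v )
}

# Start a service under reduced stack and address-space limits.
# Usage: run_limited STACK_KIB AS_KIB command [args...]
# The limits are inherited by the exec'd process and by its children.
run_limited() {
    _stack_kib=$1
    _as_kib=$2
    shift 2
    ( ulimit -S -s "$_stack_kib" && ulimit -S -v "$_as_kib" && exec "$@" )
}

# Example: a hypothetical daemon started with an 8 MiB stack and 2 GiB of
# address space. Lowering limits too far breaks large programs, so test
# the values against the real workload before deploying them.
# run_limited 8192 2097152 /usr/sbin/example-daemon
```

The functions only lower soft limits, so a user can raise them again up to the hard limit; the hard limits in limits.conf are what actually constrain local accounts.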