Bug 1572166 (CVE-2017-17833) - CVE-2017-17833 openslp: Heap memory corruption in slpd/slpd_process.c allows denial of service or potentially code execution
Status: CLOSED ERRATA
Alias: CVE-2017-17833
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
Duplicates: CVE-2018-12938
Depends On: 1572167 1575697 1575698 1575699 1597725
Blocks: 1572168
Reported: 2018-04-26 10:01 UTC by Adam Mariš
Modified: 2021-09-09 13:51 UTC

Doc Text:
A use-after-free flaw in OpenSLP 1.x and 2.x baselines was discovered in the ProcessSrvRqst function. A failure to update a local pointer may lead to heap corruption. A remote attacker may be able to leverage this flaw to gain remote code execution.
Last Closed: 2019-06-10 10:20:38 UTC
Links
Red Hat Product Errata RHSA-2018:2240 (last updated 2018-07-23 14:45:41 UTC)
Red Hat Product Errata RHSA-2018:2308 (last updated 2018-07-31 18:07:36 UTC)

Description Adam Mariš 2018-04-26 10:01:34 UTC
OpenSLP releases have a heap-related memory corruption issue which may manifest itself as a denial-of-service or a remote code-execution vulnerability.

Upstream patch:

https://sourceforge.net/p/openslp/mercurial/ci/151f07745901cbdba6e00e4889561b4083250da1/

Comment 1 Adam Mariš 2018-04-26 10:01:51 UTC
Created openslp tracking bugs for this issue:

Affects: fedora-all [bug 1572167]

Comment 11 Scott Gayou 2018-07-02 20:20:43 UTC
Reproducible now. See: https://dumpco.re/blog/openslp-2.0.0-double-free

Re-opened this flaw to work on it a bit more.

[root@qeos-8 openslp-2.0.0]# slpd -d
*** Error in `slpd': double free or corruption (fasttop): 0x0000556d19e43ff0 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x81489)[0x7fd1ae42d489]
slpd(+0x10b41)[0x556d18687b41]
slpd(+0xccba)[0x556d18683cba]
slpd(+0x3313)[0x556d1867a313]
/lib64/libc.so.6(__libc_start_main+0xf5)[0x7fd1ae3ce3d5]
slpd(+0x355e)[0x556d1867a55e]
Aborted

Comment 14 Scott Gayou 2018-07-03 13:13:15 UTC
*** Bug 1596450 has been marked as a duplicate of this bug. ***

Comment 16 Scott Gayou 2018-07-03 15:15:17 UTC
CVE-2018-12938 appears to be a duplicate of this. The proof of concept works against OpenSLP 2.0 and using the upstream patch appears to fix the issue.

Comment 17 errata-xmlrpc 2018-07-23 14:45:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:2240 https://access.redhat.com/errata/RHSA-2018:2240

Comment 18 Scott Gayou 2018-07-23 15:18:30 UTC
I have verified that the patch posted by amaris appears to fix this issue. There was originally some confusion on other distro lists/by the discoverer about this not being patched. The reproducer webpage at https://dumpco.re/blog/openslp-2.0.0-double-free now accurately reflects that.

As it states, there does not appear to be an official release out with the patch.

Comment 19 Scott Gayou 2018-07-23 15:28:25 UTC
External References:

https://dumpco.re/blog/openslp-2.0.0-double-free

Comment 20 errata-xmlrpc 2018-07-31 18:07:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2018:2308 https://access.redhat.com/errata/RHSA-2018:2308
