Ali Cloud security ยท 2015/02/03 22:18
0 x00 background
Recently, a security company discovered the glibc GethostbyName buffer overflow vulnerability, named ghost, because glibc’s gethostbyName function causes a heap overflow when parsing the incoming malformed domain name information. Many network applications that rely on the glibc module will be affected. It has been confirmed that the affected version is glibc 2.2<=version<=2.17, but our security researchers triggered another interesting format string vulnerability during testing. Let’s take a look at the process.
0x01 Analyze details
Test environment Ubuntu Glibc 2.12 Python 2.6.6
Our researchers found the program crashed while executing python’s following code
#! python import socket socket.gethostbyname('0'*10000000)Copy the code
Let’s take a look at the bug trigger process, check it out on GDB
By viewing the exception information points, it is found that the exception occurs in the following code
Error making memory copy in memcpy function
Through analysis, it is found that RDX is the copy length, RSI is the source buffer, and RDI is the destination buffer. Through analysis, it is found that RSI is the data we passed in, and the address RDI cannot be accessed, so the memcpy function will fail to write to the destination address space during the copy operation, and the address is not initialized. Finally, the program crashed.
We found Python statements through analysis
#! Python Import socket socket. Gethostbyname (' 0 '* 10000000)Copy the code
The sscanf format will be called to convert string ‘0’ *10000000 into integer data ‘% D. % D. % D. %d’
The key problem occurs in the macro ADDW, which is glibc 2.12
Here the role of the code is copied into our incoming string cycle on the stack, alloca function is opened up the stack space, we know that by default Linux stack space is 8 MB, when we pass in the parameters of the long, can lead to run out of stack space and write overflow, causing the memory when we write unpredictable unmapped memory to crash the program. A search revealed that this format string vulnerability was fixed in version 2.15
The patch code is as follows:
The logic of the patch code is to copy incoming data into heap memory rather than stack space. https://sourceware.org/bugzilla/show_bug.cgi?id=13138
0x02 Vulnerability exploited
The format string vulnerability is difficult to exploit and the destination address copied to is unpredictable and difficult to control.
0x03 Conclusion & Quote
This vulnerability can cause remote crashes, so update glibc.
Thanks to ali security research team and vulnerability analysis team for their efforts
Reference:
https://sourceware.org/git/?p=glibc.git; a=commit; f=stdio-common/vfscanf.c; h=3f8cc204fdd077da66ffc8e9595158b469e2b8e5
https://sourceware.org/git/?p=glibc.git; a=blob; f=stdio-common/vfscanf.c; h=7356eeb3626665a0524bbf1be37398ea22e05d7e; hb=6164128f1ca84eea240b66f977054e16b94b3c86
http://seclists.org/fulldisclosure/2015/Jan/111
source:http://blog.sina.com.cn/s/blog_e8e60bc00102vhz7.html