Saturday, September 6, 2014

Software flaw #5: NUL byte off-by-one overwrite into the heap

The CVE-2014-5119 vulnerability was reported in glibc by Tavis Ormandy, a member of Google's Project Zero.

Vulnerability

The vulnerable code lies in glibc's internal function __gconv_translit_find; here is the vulnerable part (from glibc's Bugzilla):

[...]
/* name_len = strlen (trans->name) + 1, so the copy includes the NUL;
   __mempcpy returns a pointer just past the last byte it copied, i.e. past that NUL. */
cp = __mempcpy (__stpcpy ((char *) newp->fname, runp->name),
                trans->name, name_len);
if (need_so)
    /* sizeof (".so") is 4: three suffix bytes plus a NUL, but only 3 bytes were reserved */
    memcpy (cp, ".so", sizeof (".so"));
[...]

cp points just past the NUL terminator, so the memcpy call does not actually append ".so": it copies four bytes (".so" plus its NUL) starting after the terminating NUL character, leaving the string unchanged and writing a single NUL byte past the end of the buffer.
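To make the mechanics observable without touching real heap metadata, here is an added, self-contained model of that filename construction. It is example code, not glibc's; model_stpcpy and model_mempcpy reproduce the return-value semantics of glibc's __stpcpy and __mempcpy, the buffer is sized exactly as the glibc snippet sized it (3 spare bytes for ".so"), and one extra guard byte is allocated so the 1-byte NUL overflow shows up as a changed guard. The FIXED mode, which writes ".so" over the existing NUL, is this example's own correction for illustration; glibc's upstream fix instead removed the transliteration-module loading code entirely.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example, not glibc's code: a reduced model of the filename
   construction in __gconv_translit_find. The two helpers reproduce the
   semantics the snippet relies on: stpcpy returns a pointer TO the NUL it
   wrote, mempcpy returns a pointer just PAST the last byte it copied. */
static char *model_stpcpy(char *dst, const char *src)
{
    size_t n = strlen(src);
    memcpy(dst, src, n + 1);
    return dst + n;              /* points at the terminating NUL */
}

static void *model_mempcpy(void *dst, const void *src, size_t n)
{
    memcpy(dst, src, n);
    return (char *)dst + n;      /* points one past the last copied byte */
}

#define CANARY 0xAA               /* value expected to survive in the guard byte */

enum { BUGGY = 0, FIXED = 1 };

/* Builds "<dir><name>[.so]" the way the glibc snippet does (mode == BUGGY) or
   with ".so" placed over the existing NUL (mode == FIXED, this example's own
   correction). The buffer is sized as glibc sized it, plus one guard byte we
   own, so the 1-byte overflow is detected instead of corrupting heap metadata.
   Returns 1 if the guard byte was overwritten, 0 if not, -1 on allocation
   failure; the built string is copied to out when out is non-NULL. */
static int build_name(int mode, const char *dir, const char *name,
                      char *out, size_t out_sz)
{
    size_t name_len = strlen(name) + 1;                     /* includes NUL, as in glibc */
    int need_so = (name_len <= 4
                   || memcmp(&name[name_len - 4], ".so", 4) != 0);
    /* glibc reserved only 3 extra bytes for the ".so" suffix */
    size_t sz = strlen(dir) + name_len + (need_so ? 3 : 0);

    char *buf = malloc(sz + 1);                             /* +1: our guard byte */
    if (buf == NULL)
        return -1;
    buf[sz] = (char)CANARY;

    char *cp = model_mempcpy(model_stpcpy(buf, dir), name, name_len);
    /* cp now points one byte PAST the NUL that terminates name */
    if (need_so) {
        if (mode == BUGGY)
            memcpy(cp, ".so", sizeof(".so"));       /* 4 bytes after the NUL: 1 too many */
        else
            memcpy(cp - 1, ".so", sizeof(".so"));   /* overwrite the NUL: fits in 3 spare bytes */
    }

    int overflowed = ((unsigned char)buf[sz] != CANARY);
    if (out != NULL) {
        strncpy(out, buf, out_sz - 1);
        out[out_sz - 1] = '\0';
    }
    free(buf);
    return overflowed;
}

/* Convenience wrapper for checks: returns build_name's overflow flag when the
   produced string equals expect, -2 when it does not (-1 on allocation failure). */
static int run_case(int mode, const char *dir, const char *name, const char *expect)
{
    char out[64];
    int r = build_name(mode, dir, name, out, sizeof out);
    if (r < 0)
        return r;
    return strcmp(out, expect) == 0 ? r : -2;
}

int main(void)
{
    /* constructed inputs: "MOD" needs the suffix, "MOD.so" already carries it */
    printf("buggy, MOD    -> overflow=%d\n", run_case(BUGGY, "DIR/", "MOD", "DIR/MOD"));
    printf("fixed, MOD    -> overflow=%d\n", run_case(FIXED, "DIR/", "MOD", "DIR/MOD.so"));
    printf("buggy, MOD.so -> overflow=%d\n", run_case(BUGGY, "DIR/", "MOD.so", "DIR/MOD.so"));
    return 0;
}
```

The BUGGY run with "MOD" reports an overflow while its output string is still "DIR/MOD", exactly the behaviour described above: the suffix never reaches the string, and the only effect is the NUL that lands in the guard byte. When the name already ends in ".so", need_so is 0 and no write past the buffer occurs, which is why the flaw is only reachable for names lacking that suffix.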

Exploitation

The Project Zero team released a PoC exploit for this innocent-looking flaw.

The pkexec binary is chosen as the target of this PoC. The main idea behind it is to take advantage of so-called backward consolidation of the heap, but since the size of the chunk is fixed and always the same (".so" read as a 32-bit pointer equals 0x6f732e00), a memory leak found in pkexec also had to be used to spray the heap.