Full Disclosure
mailing list archives
Re: glibc 2.5 <= reloc types to crash bug
From: Jeffrey Walton <noloader () gmail com>
Date: Sun, 20 Oct 2013 13:26:59 -0400
switch (r_type)
  {
  case R_386_GLOB_DAT:
  case R_386_JMP_SLOT:
    // *reloc_addr (the relocation addr) = value (relative addr calculated in the code above)
    *reloc_addr = value;
    break;
  }
// XXX BUG: 'default:' label does not exist!
I believe the lack of a 'default' label is legal C99 (6.8.4.2.5).
the symbol relocation time. It means that 4 bytes of the ELF object altered to
unspecified reloc types cause a crash.
How, precisely, are you writing to those 4 bytes? Or are you saying
they are garbage (which leads to a crash)?
Jeff
On Sun, Oct 20, 2013 at 7:05 AM, x90c <geinblues () gmail com> wrote:
+---------------------------------------------------------+
| XADV-2013002 glibc 2.5 <= reloc types to crash bug |
+---------------------------------------------------------+
Vulnerable versions:
- glibc <= 2.5
Not vulnerable versions:
- glibc >= 2.6
Testbed: linux distro
Type: Local
Impact: crash
Vendor: https://www.gnu.org/software/libc
Author: x90c <geinblues *nospam* gmail dot com>
Site: x90c.org
=========
ABSTRACT:
=========
[Unspecified reloc types bug]
The 'default:' label code is compiled only if RTLD_BOOTSTRAP is not defined,
and glibc 2.5 defines RTLD_BOOTSTRAP by default. elf_machine_rel() in the
vulnerable glibc 2.5 ld-2.5.so does not process the 'default:' label at
symbol relocation time. It means that 4 bytes of the ELF object altered to
unspecified reloc types cause a crash.
(The 'default:' label is what processes unspecified reloc types when
calculating the reloc addr.)
The vulnerable function takes *reloc_addr_arg as its 5th argument
(the reloc addr) and calculates the reloc addr from it. With unspecified
reloc types, an improper value (from the ELF binary) is passed as
reloc_addr. An ELF binary with altered, unspecified reloc types crashes. BUG!
The bug can be used as a rootkit technique by altering the ELF object.
=========
DETAILS:
=========
glibc-2.5/dl-machine.h
----
auto inline void
__attribute ((always_inline))
elf_machine_rel (struct link_map *map, const Elf32_Rel *reloc,
                 const Elf32_Sym *sym, const struct r_found_version *version,
                 void *const reloc_addr_arg)
{
  // reloc_addr = reloc_addr_arg (5th argument, as relative jump)
  Elf32_Addr *const reloc_addr = reloc_addr_arg;
  ...
  switch (r_type)
    {
    case R_386_GLOB_DAT:
    case R_386_JMP_SLOT:
      // *reloc_addr (the relocation addr) = value (relative addr calculated in the code above)
      *reloc_addr = value;
      break;
    }
  // XXX BUG: 'default:' label does not exist!
  ...
}
#endif /* !RTLD_BOOTSTRAP */
----
===============
EXPLOIT CODES:
===============
Altering reloc types on the ELF binary.
=============
PATCH CODES:
=============
Add a 'default:' label to the relocation code above when RTLD_BOOTSTRAP
is defined.
===============
VENDOR STATUS:
===============
2012/09/04 - Bug discovered.
2013/10/20 - Advisory released on full-disclosure, bugtraq, exploit-db.
...
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
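Added example for this thread; it is not code from the advisory, from Jeffrey Walton, or from glibc. It shows the two things the discussion turns on: an i386 REL relocation switch that carries the 'default:' case the advisory asks for (an r_type the switch does not list is refused rather than silently skipped), and an audit pass over a whole relocation table that reports an altered type byte before anything is written, which is the check one would run on an ELF object suspected of having been tampered with. The image, the symbol addresses and the two Elf32_Rel tables are constructed for the demo (the second table has one entry's type byte altered to 0x7f); only the types and macros from <elf.h> are real. The struct and function names are this example's own.

```c
/* Added example, not glibc code: i386 REL relocation processing with a
 * rejecting 'default:' case and an audit pass; all data is constructed. */
#include <elf.h>
#include <stdint.h>
#include <stdio.h>

/* nwords words starting at virtual address base; relocations address them by r_offset (ld.so: l_addr + r_offset). */
struct image { uint32_t *words; size_t nwords; Elf32_Addr base; };

static int rel_type_known(unsigned t)   /* the REL types this applier understands */
{
    return t == R_386_PC32 || t == R_386_GLOB_DAT ||
           t == R_386_JMP_SLOT || t == R_386_RELATIVE;
}

/* Audit pass: index of the first entry with an unknown type, or -1.  Run it
 * before applying, so an altered r_info byte is reported, not acted on. */
static long check_rel_table(const Elf32_Rel *rels, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (!rel_type_known(ELF32_R_TYPE(rels[i].r_info)))
            return (long)i;
    return -1;
}

/* Apply one relocation; value is the resolved symbol address S.
 * Returns 0, or -1 for an unknown type or an r_offset outside the image. */
static int apply_rel_i386(struct image *img, const Elf32_Rel *rel, Elf32_Addr value)
{
    Elf32_Addr p = img->base + rel->r_offset;       /* P: the place being patched */
    if (rel->r_offset % 4 != 0 || rel->r_offset / 4 >= img->nwords)
        return -1;                                  /* would write outside the image */
    uint32_t *reloc_addr = &img->words[rel->r_offset / 4];
    switch (ELF32_R_TYPE(rel->r_info)) {
    case R_386_PC32:      /* S + A - P; for REL the addend A is the word in place */
        *reloc_addr += value - p;
        break;
    case R_386_GLOB_DAT:
    case R_386_JMP_SLOT:  /* S; the slot is overwritten, no addend */
        *reloc_addr = value;
        break;
    case R_386_RELATIVE:  /* B + A; B is the load address */
        *reloc_addr += img->base;
        break;
    default:              /* unknown type: refuse instead of writing a guess */
        return -1;
    }
    return 0;
}

/* Resolve and apply a table; symaddr[i] is the address of symbol i, symaddr[0]
 * is 0 (STN_UNDEF).  Returns the count applied, or -(i + 1) if entry i is rejected. */
static long apply_rel_table(struct image *img, const Elf32_Rel *rels, size_t n,
                            const Elf32_Addr *symaddr, size_t nsyms)
{
    for (size_t i = 0; i < n; i++) {
        unsigned sym = ELF32_R_SYM(rels[i].r_info);
        if (sym >= nsyms || apply_rel_i386(img, &rels[i], symaddr[sym]) != 0)
            return -(long)(i + 1);
    }
    return (long)n;
}

/* Constructed data: symbol addresses, a well-formed table, and a table
 * whose second entry has its type byte altered to 0x7f. */
static const Elf32_Addr demo_syms[] = { 0, 0x08049100, 0x08049200 };
static const Elf32_Rel demo_good[] = {
    { 0x0, ELF32_R_INFO(1, R_386_GLOB_DAT) },
    { 0x4, ELF32_R_INFO(2, R_386_JMP_SLOT) },
    { 0x8, ELF32_R_INFO(0, R_386_RELATIVE) },
    { 0xc, ELF32_R_INFO(1, R_386_PC32) },
};
static const Elf32_Rel demo_altered[] = {
    { 0x0, ELF32_R_INFO(1, R_386_GLOB_DAT) },
    { 0x4, ELF32_R_INFO(2, 0x7f) },              /* altered reloc type */
};

/* Apply rels to a fresh 4-word image at 0x08048000 holding the in-place
 * addends; copies the words to out[] and returns the apply status. */
static long run_demo(const Elf32_Rel *rels, size_t n, uint32_t out[4])
{
    uint32_t words[4] = { 0, 0, 0x100, 0x10 };
    struct image img = { words, 4, 0x08048000 };
    long r = apply_rel_table(&img, rels, n, demo_syms, 3);
    for (int i = 0; i < 4; i++)
        out[i] = words[i];
    return r;
}

int main(void)
{
    uint32_t w[4];
    long applied = run_demo(demo_good, 4, w);
    printf("good: audit %ld, applied %ld, words %#x %#x %#x %#x\n",
           check_rel_table(demo_good, 4), applied, w[0], w[1], w[2], w[3]);
    printf("altered: audit %ld, applied %ld\n",
           check_rel_table(demo_altered, 2), run_demo(demo_altered, 2, w));
    return 0;
}
```

Build with cc -std=c99 on a Linux host (it needs glibc's or musl's <elf.h>). For a real object the same audit is what "readelf -r" lets you do by eye: every entry in .rel.dyn and .rel.plt should carry a type the loader for that architecture actually handles, and an entry that does not is the altered-type case the advisory describes.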