Re: The GNU C Library security advisories update for 2024-04-17: GLIBC-SA-2024-0004/CVE-2024-2961: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence

[Charles Fol <c.fol () lexfo fr>]

Hello all,

Although very late, here is a follow up explaining the impact of the 
vulnerability.

Provided that you can force an application to convert a partially 
controlled buffer to ISO-2022-CN-EXT, you get an
overflow of 1 to 3 bytes whose value you don't control.

This can be triggered in at least two ways in PHP:

- Through direct calls to iconv()
- Through the use of PHP filters (i.e. using a "file read" vulnerability)

Due to the way PHP's heap is built, you can use such a memory corruption 
to alter part of a free list pointer,
which can in turn give you an arbitrary write primitive in the program's 
memory.

With this bug, any person that has a file read vulnerability with a 
controlled prefix on a PHP application has RCE.
Any person that can force PHP into calling iconv() with controlled 
parameters has RCE.

We have provided more explanations on a blogpost of ours (I do not think 
that I can post it here, it shouldn't be too
hard to find if you're interested).

Best regards,
Charles

On 18/04/2024 18:42, Solar Designer wrote:
> On Wed, Apr 17, 2024 at 02:36:02PM -0300, Adhemerval Zanella Netto wrote:
> > GLIBC-SA-2024-0004:
> > ===================
> > ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence
> >
> > The iconv() function in the GNU C Library versions 2.39 and older may
> > overflow the output buffer passed to it by up to 4 bytes when converting
> > strings to the ISO-2022-CN-EXT character set, which may be used to
> > crash an application or overwrite a neighbouring variable.
> >
> > ISO-2022-CN-EXT uses escape sequences to indicate character set changes
> > (as specified by RFC 1922).  While the SOdesignation has the expected
> > bounds checks, neither SS2designation nor SS3designation have its;
> > allowing a write overflow of 1, 2, or 3 bytes with fixed values:
> > '$+I', '$+J', '$+K', '$+L', '$+M', or '$*H'.
> >
> > CVE-Id: CVE-2024-2961
> > Public-Date: 2024-04-17
> > Vulnerable-Commit: 755104edc75c53f4a0e7440334e944ad3c6b32fc (2.1.93-169)
> > Fix-Commit: f9dc609e06b1136bb0408be9605ce7973a767ada (2.40)
> > Fix-Commit: 31da30f23cddd36db29d5b6a1c7619361b271fb4 (2.39-31)
> > Fix-Commit: e1135387deded5d73924f6ca20c72a35dc8e1bda (2.38-66)
> > Fix-Commit: 89ce64b269a897a7780e4c73a7412016381c6ecf (2.37-89)
> > Fix-Commit: 4ed98540a7fd19f458287e783ae59c41e64df7b5 (2.36-164)
> > Fix-Commit: 36280d1ce5e245aabefb877fe4d3c6cff95dabfa (2.35-315)
> > Fix-Commit: a8b0561db4b9847ebfbfec20075697d5492a363c (2.34-459)
> > Fix-Commit: ed4f16ff6bed3037266f1fa682ebd32a18fce29c (2.33-263)
> > Fix-Commit: 682ad4c8623e611a971839990ceef00346289cc9 (2.32-140)
> >
> > Reported-By: Charles Fol
> I hope Charles will share further detail with oss-security in due time,
> but meanwhile his upcoming OffensiveCon talk abstract reveals a bit:
>
> https://www.offensivecon.org/speakers/2024/charles-fol.html
>
> > CHARLES FOL
> > ICONV, SET THE CHARSET TO RCE: EXPLOITING THE GLIBC TO HACK THE PHP ENGINE
> >
> > Abstract
> > A few months ago, I stumbled upon a 24 years old buffer overflow in the
> > glibc. Despite being reachable in multiple well-known libraries or
> > programs, it proved rarely exploitable. Indeed, this was not a foos bug:
> > with hard-to-achieve preconditions, it did not even provide a nice
> > primitive. On PHP however, it lead to amazing results: a new
> > exploitation technique that affects the whole PHP ecosystem, and the
> > compromission of several applications.
> >
> > This talk will first walk you through the discovery of the bug and its
> > limitations, before describing the conception of several remote binary
> > PHP exploits, and through them offer unique insight in the internal of
> > the engine of the web language, and the difficulties one faces when
> > exploiting it.
> >
> > BIO
> > Charles Fol, also known as cfreal, is a security researcher at LEXFO /
> > AMBIONICS. He has discovered remote code execution vulnerabilities
> > targeting renowned CMS and frameworks such as Drupal, Magento, Symfony
> > or Laravel, but also enjoys binary exploitation, to escalate privileges
> > (Apache, PHP-FPM) or compromise security solutions (DataDog's Sqreen,
> > Fortinet SSL VPN, Watchguard). He is the creator for PHPGGC, the go-to
> > tool to exploit PHP deserialization, and an expert in PHP internals.
> The event is on May 10-11th, so in 3 weeks from now.
>
> Alexander