Linux PIE/stack corruption (opens in new tab)

(qualys.com)

55 pointsfntlnz8y ago10 comments

10 comments

> the loader can allow part of that application's data segment to map over the memory area reserved for its stack resulting in corruption of the stack, with possible privilege escalation

So if you can craft and execute an executable, and you can write to things that you already have write access to, how does that result in a privilege escalation?

If you could overlap with things you shouldn't be able to access, e.g. your kernel stack, then that makes sense. But how does being able to overlap your own user-space result in you being able to do anything you previously couldn't?

bennofs8y ago

You can exploit existing binaries such as ping that have special capabilities or are setuid to get privilege escalation.

A better link would have been https://www.qualys.com/2017/09/26/cve-2017-1000253/cve-2017-... which also explains an actual exploit.

willvarfar8y ago

Fair enough.

(But e.g. ping doesn't >128MB .data+.bss? ;) )

1 more reply

saurik8y ago

It seems like the idea is that if you pass a very large number of arguments to the process you can force the size of the initial stack to be sufficiently large as to trigger this bug with extremely high probability even on binaries where you otherwise would not have expected the issue; like: it isn't a bug that is being exploited by a weird executable file, it is a true bug in the kernel that can be coaxed to mess with random PIE binaries to gain access to their setuid user access of special capability bits.

mfukar8y ago

https://www.qualys.com/2017/06/19/stack-clash/stack-clash.tx... might help understand the exploitation method.

ConfucianNardin8y ago

Here's the actual advisory: https://www.qualys.com/2017/09/26/cve-2017-1000253/cve-2017-...

Most (all?) major distributions (that were affected) have already released patched kernel packages.

wepple8y ago

This was/is really interesting work but should maybe be marked [April 2017] or something so waking sysadmins don't get a fright.

chomp8y ago

The fix was committed in April, but some distros never pulled it in because it wasn't marked as a security fix. Sysadmins should make sure all kernels are updated since as of a couple days ago there was no Cent6 kernel with the fix.

zython8y ago

I dont understand how a potential exploit would work.

>he loader could allow part of that application's data segment to map over the memory area reserved for its stack, potentially resulting in memory corruption

do they expect an attacker to redirect code execution to an address on the stack which they previously wrote when loading the binary, so they can make use of suid to escalate priveliges ?

j / k navigate · click thread line to collapse

10 comments

willvarfar8y ago

> the loader can allow part of that application's data segment to map over the memory area reserved for its stack resulting in corruption of the stack, with possible privilege escalation

So if you can craft and execute an executable, and you can write to things that you already have write access to, how does that result in a privilege escalation?

bennofs8y ago

You can exploit existing binaries such as ping that have special capabilities or are setuid to get privilege escalation.

A better link would have been https://www.qualys.com/2017/09/26/cve-2017-1000253/cve-2017-... which also explains an actual exploit.

willvarfar8y ago

Fair enough.

(But e.g. ping doesn't >128MB .data+.bss? ;) )

1 more reply

saurik8y ago

mfukar8y ago

https://www.qualys.com/2017/06/19/stack-clash/stack-clash.tx... might help understand the exploitation method.

ConfucianNardin8y ago

Here's the actual advisory: https://www.qualys.com/2017/09/26/cve-2017-1000253/cve-2017-...

Most (all?) major distributions (that were affected) have already released patched kernel packages.

wepple8y ago

This was/is really interesting work but should maybe be marked [April 2017] or something so waking sysadmins don't get a fright.

chomp8y ago

zython8y ago

I dont understand how a potential exploit would work.

>he loader could allow part of that application's data segment to map over the memory area reserved for its stack, potentially resulting in memory corruption

do they expect an attacker to redirect code execution to an address on the stack which they previously wrote when loading the binary, so they can make use of suid to escalate priveliges ?

j / k navigate · click thread line to collapse