"Blood cases" caused by the Ghost Vulnerability

Source: Internet
Author: User

0x00 Background

A security company recently disclosed a buffer overflow vulnerability in glibc's gethostbyname function, named GHOST after the GetHOSTbyname function: when glibc's gethostbyname processes a malformed domain name passed in for resolution it causes a heap overflow, so many network applications that depend on glibc are affected. The affected versions have been confirmed as glibc 2.2 <= version <= 2.17. During testing, however, our security researchers triggered another interesting format string vulnerability. Let's look at the specific process.

0x01 Analysis details

Test environment: Ubuntu, glibc 2.12, Python 2.6.6

The program crashed when our researchers executed the following Python code:

import socket
socket.gethostbyname('0'*10000000)

Let's take a look at the process that triggers the vulnerability by examining it in gdb.

Viewing the exception information shows that the exception occurs in the following code:

The error occurred while the memcpy function was copying memory.

Analysis shows that rdx holds the copy length, rsi the source buffer and rdi the destination buffer. rsi points to the data we passed in, while rdi cannot be accessed, so when memcpy performs the copy it fails to write data to the destination address space. Further analysis found that this address is not initialized, which eventually crashes the program.

Through analysis, we found that the Python statements

import socket
socket.gethostbyname('0'*10000000)

cause sscanf to be called to convert the string '0' * 10000000 to integers with the format "%d.%d.%d.%d". Analysing the glibc source file stdio-common/vfscanf.c, we found that the input is processed as follows:

The key issue occurs in the macro ADDW. The following code is from glibc 2.12:

The purpose of this code is to copy the input string onto the stack, using the alloca function to reserve the stack space. The Linux stack is 8 MB by default, so when the input parameter is too long the stack space is exhausted and the memory write overflows the stack; writing to unpredictable, unmapped memory crashes the program. By searching the glibc history we found that this format string vulnerability was fixed in version 2.15.

The patch code is as follows:

The processing logic of the patch is to copy the incoming data into heap memory instead of onto the stack.
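The following is an added example, not glibc's code, that models the two patterns the article contrasts: the ADDW-style word buffer grown with alloca (the 2.12 behaviour) and the heap-grown buffer the 2.15 patch switched to. The function names count_digits_stack, count_digits_heap and run_trigger are hypothetical, and the stack version is only ever called with short input here, because with the article's 10,000,000-character input it would exhaust the stack exactly as described.

```c
#include <alloca.h>
#include <stdlib.h>
#include <string.h>

/* Vulnerable pattern the article describes in glibc 2.12's ADDW: when the
 * word buffer fills, a larger one is alloca'd and the old contents memcpy'd
 * across. alloca memory is only released on return, so millions of digits
 * exhaust the 8 MB default stack and the memcpy faults. Short inputs only. */
static size_t count_digits_stack(const char *s)
{
    size_t cap = 16, len = 0;
    char *wp = alloca(cap);
    for (; *s >= '0' && *s <= '9'; ++s) {
        if (len == cap) {
            char *old = wp;
            wp = alloca(cap *= 2); /* frame grows and never shrinks */
            memcpy(wp, old, len);  /* the faulting copy from the article */
        }
        wp[len++] = *s;
    }
    return len;
}

/* Patched pattern (the 2.15 fix moved the buffer to the heap): realloc grows
 * it, so huge input costs heap memory, not stack, and failure is reported. */
static long count_digits_heap(const char *s)
{
    size_t cap = 16, len = 0;
    char *wp = malloc(cap);
    if (!wp) return -1;
    for (; *s >= '0' && *s <= '9'; ++s) {
        if (len == cap) {
            char *grown = realloc(wp, cap * 2);
            if (!grown) { free(wp); return -1; }
            wp = grown; cap *= 2;
        }
        wp[len++] = *s;
    }
    free(wp);
    return (long)len;
}

/* Feeds the article's trigger, n '0' characters (constructed), to the heap version. */
static long run_trigger(size_t n)
{
    char *zeros = malloc(n + 1);
    if (!zeros) return -1;
    memset(zeros, '0', n); zeros[n] = '\0';
    long got = count_digits_heap(zeros);
    free(zeros);
    return got;
}
```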

0x02 Vulnerability exploitation

This format string vulnerability is difficult to exploit: the destination address of the copy is unpredictable and hard to control.

0x03 Conclusion & reference

This vulnerability may cause a remote crash. Upgrade glibc.
