oss-sec mailing list archives
Mayhem: Targeted Corruption of Register and Stack Variables
From: "Tol, Caner" <mtol () wpi edu>
Date: Thu, 21 Dec 2023 18:54:57 +0000
Our recent paper [AsiaCCS'24] (https://arxiv.org/pdf/2309.02545.pdf) describes a potential vulnerability where stack/register variables can be flipped via fault injection, affecting execution flow in security-sensitive code. There are mitigation strategies you may be interested in incorporating into your code.

Take this vulnerable code, for example:

    int auth = 0;
    // password check code that sets auth variable
    if (auth != 0)
        return AUTH_SUCCESS;
    else
        return AUTH_FAILURE;

The idea is that any bit can be flipped in auth, and it will result in a mis-authentication. We prove this is a potential vulnerability in OpenSSH, OpenSSL, MySQL, and SUDO.

To mitigate this, it is important to have tight logic such that a single-bit flip will not result in unintended execution. For example:

    int auth = 0xbe405d1a;
    // password check code that sets auth variable to 0x23ab9701 if successful
    if (auth == 0x23ab9701)
        return AUTH_SUCCESS;
    else
        return AUTH_FAILURE;

In this case, the auth variable must be corrupted into the exact authentication pattern, which is fairly improbable.

We issued CVE-2023-42465 for SUDO for this vulnerability. Here is the patch implemented in v1.9.15:
https://github.com/sudo-project/sudo/commit/7873f8334c8d31031f8cfa83bd97ac6029309e4f

Paper link: https://arxiv.org/abs/2309.02545

Caner Tol
___________________________
Worcester Polytechnic Institute
https://vernamlab.org
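The following is an added example, not part of the post above or of the paper's code, that quantifies the difference between the two checks: it enumerates every single-bit flip of the initial auth value against each check and computes the Hamming distance between the post's initial value and success pattern. The AUTH_SUCCESS/AUTH_FAILURE values and the helper names are assumptions for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed return values; the post does not define them. */
#define AUTH_SUCCESS 1
#define AUTH_FAILURE 0

/* Weak check from the post: any non-zero auth passes. */
static int check_weak(uint32_t auth) {
    return (auth != 0) ? AUTH_SUCCESS : AUTH_FAILURE;
}

/* Hardened check from the post: only the exact success pattern passes. */
#define AUTH_INIT    0xbe405d1aU
#define AUTH_PATTERN 0x23ab9701U
static int check_hardened(uint32_t auth) {
    return (auth == AUTH_PATTERN) ? AUTH_SUCCESS : AUTH_FAILURE;
}

/* Count how many of the 32 single-bit flips of `initial` make `check` succeed. */
static int count_single_flip_bypasses(int (*check)(uint32_t), uint32_t initial) {
    int n = 0;
    for (int bit = 0; bit < 32; bit++) {
        uint32_t faulted = initial ^ (1U << bit);   /* one flipped bit */
        if (check(faulted) == AUTH_SUCCESS) n++;
    }
    return n;
}

/* Hamming distance: the minimum number of bit flips that turn a into b. */
static int hamming_distance(uint32_t a, uint32_t b) {
    uint32_t x = a ^ b;
    int d = 0;
    while (x) { d += (int)(x & 1U); x >>= 1; }
    return d;
}

int main(void) {
    printf("weak: %d of 32 single-bit flips bypass auth\n",
           count_single_flip_bypasses(check_weak, 0));
    printf("hardened: %d of 32 single-bit flips bypass auth\n",
           count_single_flip_bypasses(check_hardened, AUTH_INIT));
    printf("hardened: success pattern is %d bit flips away from the initial value\n",
           hamming_distance(AUTH_INIT, AUTH_PATTERN));
    return 0;
}
```

The weak check is bypassed by every one of the 32 single-bit flips, while the hardened check is bypassed by none, and reaching the success pattern from the initial value requires 19 precisely chosen flips.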