Full Disclosure mailing list archives
Re: glibc 2.5 <= reloc types to crash bug
From: Jeffrey Walton <noloader () gmail com>
Date: Sun, 20 Oct 2013 13:26:59 -0400
    switch (r_type)
      {
      case R_386_GLOB_DAT:
      case R_386_JMP_SLOT:
        // *reloc_addr (*relocation addr) = value (relative addr calculated in the code above)
        *reloc_addr = value;
        break;
      }
    // XXX BUG: 'default:' label does not exist!
I believe the lack of a 'default' label is legal C99 (6.8.4.2.5).
at symbol relocation time. It means an ELF object with 4 bytes altered to unspecified reloc types crashes.
How, precisely, are you writing to those 4 bytes? Or are you saying they are garbage (which leads to a crash)?

Jeff

On Sun, Oct 20, 2013 at 7:05 AM, x90c <geinblues () gmail com> wrote:
+---------------------------------------------------------+
| XADV-2013002 glibc 2.5 <= reloc types to crash bug      |
+---------------------------------------------------------+

Vulnerable versions:
  - glibc 2.5 <=
Not vulnerable versions:
  - glibc 2.6 >=
Testbed: linux distro
Type: Local
Impact: crash
Vendor: https://www.gnu.org/software/libc
Author: x90c <geinblues *nospam* gmail dot com>
Site: x90c.org

=========
ABSTRACT:
=========

[Unspecified reloc types bug]

The 'default:' label code is only present if RTLD_BOOTSTRAP is not defined; glibc 2.5 defines RTLD_BOOTSTRAP by default. The elf_machine_rel() of the vulnerable glibc 2.5 ld-2.5.so doesn't process a 'default:' case at symbol relocation time. It means an ELF object with 4 bytes altered to unspecified reloc types crashes. (The 'default:' label processes unspecified reloc types to calculate the reloc addr.)

The vulnerable function takes *reloc_addr_arg as the 5th argument (the reloc addr) and calculates the reloc addr. The unspecified reloc types pass an improper value (from the ELF binary) to reloc_addr. An ELF binary with altered, unspecified reloc types crashes. BUG!

The bug can be used as a rootkit technique by altering the ELF object.

=========
DETAILS:
=========

glibc-2.5/dl-machine.h
----
auto inline void
__attribute ((always_inline))
elf_machine_rel (struct link_map *map, const Elf32_Rel *reloc,
                 const Elf32_Sym *sym, const struct r_found_version *version,
                 void *const reloc_addr_arg)
{
  // reloc_addr = reloc_addr_arg (5th argument, the relative jump)
  Elf32_Addr *const reloc_addr = reloc_addr_arg;
  ...
    switch (r_type)
      {
      case R_386_GLOB_DAT:
      case R_386_JMP_SLOT:
        // *reloc_addr (*relocation addr) = value (relative addr calculated in the code above)
        *reloc_addr = value;
        break;
      }
    // XXX BUG: 'default:' label does not exist!
  ...
}
#endif /* !RTLD_BOOTSTRAP */
----

===============
EXPLOIT CODES:
===============

Altering reloc types on the ELF binary.

=============
PATCH CODES:
=============

Add a 'default:' label to the above relocation code if RTLD_BOOTSTRAP is defined.
===============
VENDOR STATUS:
===============

2012/09/04 - The bug discovered.
2013/10/20 - Advisory released on full-disclosure, bugtraq, exploit-db.

...
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
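The following is an added example written for this archive page; it is not code from the advisory, from Jeffrey Walton, or from glibc. It models the two forms of the i386 relocation switch the thread is arguing about: the quoted version with no default: case, and the same switch with the default: case the advisory's PATCH CODES section asks for. It then scans a constructed .rel.plt table for entries whose type byte has been edited to a value the loader path does not handle. The rel32_t struct and the REL32_* macros are local stand-ins that mirror the Elf32_Rel layout and ELF32_R_TYPE/ELF32_R_SYM from <elf.h>; the GOT addresses and the bogus type 0x2a in the sample table are constructed values, not taken from any real binary.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Mirrors the Elf32_Rel layout and the ELF32_R_TYPE/ELF32_R_SYM macros from
 * <elf.h>; defined locally so the example builds without that header. */
typedef struct {
    uint32_t r_offset;   /* address of the slot to patch */
    uint32_t r_info;     /* (symbol index << 8) | relocation type */
} rel32_t;
#define REL32_SYM(info)  ((info) >> 8)
#define REL32_TYPE(info) ((uint8_t)(info))

/* i386 relocation type numbers from the i386 ELF psABI. */
#define R_386_NONE     0
#define R_386_32       1
#define R_386_PC32     2
#define R_386_GLOB_DAT 6
#define R_386_JMP_SLOT 7
#define R_386_RELATIVE 8

enum reloc_status { RELOC_OK = 0, RELOC_SKIPPED = 1, RELOC_BAD_TYPE = 2 };

/* Variant A: the switch as quoted in the advisory, with no default: case.
 * An unknown r_type matches no case, the slot is left untouched, and the
 * caller gets no indication that the entry was not applied. */
enum reloc_status apply_rel_nodefault(uint8_t r_type, uint32_t value, uint32_t *reloc_addr)
{
    switch (r_type) {
    case R_386_GLOB_DAT:
    case R_386_JMP_SLOT:
        *reloc_addr = value;
        break;
    }
    return RELOC_OK;
}

/* Variant B: the same switch with a default: case, which is what the
 * advisory's patch section asks for. glibc's non-RTLD_BOOTSTRAP
 * elf_machine_rel rejects unknown types this way via _dl_reloc_bad_type(). */
enum reloc_status apply_rel_default(uint8_t r_type, uint32_t value, uint32_t *reloc_addr)
{
    switch (r_type) {
    case R_386_GLOB_DAT:
    case R_386_JMP_SLOT:
        *reloc_addr = value;
        return RELOC_OK;
    case R_386_NONE:
        return RELOC_SKIPPED;
    default:
        return RELOC_BAD_TYPE;
    }
}

/* Walk a .rel table and count entries whose type the code above cannot
 * apply. Run over .rel.plt, which should hold only R_386_JMP_SLOT entries,
 * a nonzero count flags the edited relocation types the advisory describes. */
size_t count_unexpected_rel(const rel32_t *rel, size_t n)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t scratch = 0;
        if (apply_rel_default(REL32_TYPE(rel[i].r_info), 0, &scratch) == RELOC_BAD_TYPE)
            bad++;
    }
    return bad;
}

/* Constructed sample: three .rel.plt entries, the third with its type byte
 * overwritten (0x2a is not an i386 relocation type). Addresses are made up. */
static const rel32_t sample_relplt[] = {
    { 0x0804a00cu, (1u << 8) | R_386_JMP_SLOT },
    { 0x0804a010u, (2u << 8) | R_386_JMP_SLOT },
    { 0x0804a014u, (3u << 8) | 0x2au },
};
#define SAMPLE_N (sizeof sample_relplt / sizeof sample_relplt[0])

size_t sample_unexpected(void) { return count_unexpected_rel(sample_relplt, SAMPLE_N); }

int main(void)
{
    uint32_t slot = 0;  /* a GOT slot before relocation */
    printf("no default: type 0x2a -> status %d, slot 0x%08x\n",
           apply_rel_nodefault(0x2a, 0x08048400u, &slot), slot);
    printf("default:    type 0x2a -> status %d, slot 0x%08x\n",
           apply_rel_default(0x2a, 0x08048400u, &slot), slot);
    printf("unexpected types in sample .rel.plt: %zu\n", sample_unexpected());
    return 0;
}
```

Build with `cc -std=c99 -Wall example.c`. The point of the two variants is what Walton's question hinges on: the switch with no default: does not write anything for an unknown type, so the slot keeps its pre-relocation contents and nothing fails until that slot is used; the default: variant reports the entry instead of silently skipping it. The scanner is the check a practitioner would run over a suspect binary's .rel.plt before trusting it.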
Current thread:
- glibc 2.5 <= reloc types to crash bug x90c (Oct 20)
- Re: glibc 2.5 <= reloc types to crash bug Jeffrey Walton (Oct 20)