Full Disclosure mailing list archives

Re: glibc 2.5 <= reloc types to crash bug


From: Jeffrey Walton <noloader () gmail com>
Date: Sun, 20 Oct 2013 13:26:59 -0400

>       switch (r_type)
>         {
>         case R_386_GLOB_DAT:
>         case R_386_JMP_SLOT:
>           // *reloc_addr (*relocation addr) = value (relative addr calculated at above codes.)
>           *reloc_addr = value;
>           break;
>         }
>       // XXX BUG: 'default:' label does not exist!
I believe the lack of a 'default' label is legal C99 (6.8.4.2.5).

> the symbol relocation time. It means the ELF object 4 bytes
> altered with unspecified reloc types to crash.
How, precisely, are you writing to those 4 bytes? Or are you saying
they are garbage (which leads to a crash)?

Jeff

On Sun, Oct 20, 2013 at 7:05 AM, x90c <geinblues () gmail com> wrote:
+---------------------------------------------------------+
| XADV-2013002 glibc 2.5 <= reloc types to crash bug       |
+---------------------------------------------------------+

 Vulnerable versions:
 - glibc <= 2.5
 Not vulnerable versions:
 - glibc >= 2.6
 Testbed: linux distro
 Type: Local
 Impact: crash
 Vendor: https://www.gnu.org/software/libc
 Author: x90c <geinblues *nospam* gmail dot com>
 Site: x90c.org


=========
ABSTRACT:
=========

[Unspecified reloc types bug]
The 'default:' label code is only compiled if RTLD_BOOTSTRAP is not
defined, and glibc 2.5 defines RTLD_BOOTSTRAP by default. The
elf_machine_rel() of the vulnerable glibc 2.5 ld-2.5.so does not
process 'default:' at symbol relocation time. It means that an ELF
object whose 4 bytes are altered with unspecified reloc types will crash.
(The 'default:' label processes unspecified reloc types when
  calculating the reloc addr.)

The vulnerable function takes *reloc_addr_arg as its 5th argument
(the reloc addr) and calculates the reloc addr. Unspecified reloc types
pass an improper value (from the ELF binary) in reloc_addr. An ELF binary
with altered, unspecified reloc_types crashes. BUG!

The bug can be used as a rootkit technique by altering the ELF object.

=========
DETAILS:
=========

glibc-2.5/dl-machine.h
----
auto inline void
__attribute ((always_inline))
elf_machine_rel (struct link_map *map, const Elf32_Rel *reloc,
                 const Elf32_Sym *sym, const struct r_found_version *version,
                 void *const reloc_addr_arg)
{
  // reloc_addr = reloc_addr_arg (5th argument, as relative jump)
  Elf32_Addr *const reloc_addr = reloc_addr_arg;

...

      switch (r_type)
        {
        case R_386_GLOB_DAT:
        case R_386_JMP_SLOT:
          // *reloc_addr (*relocation addr) = value (relative addr calculated at above codes.)
          *reloc_addr = value;
          break;
        }
      // XXX BUG: 'default:' label does not exist!
...

}
#endif /* !RTLD_BOOTSTRAP */
----


===============
EXPLOIT CODES:
===============
Altering reloc types on the ELF binary.

=============
PATCH CODES:
=============
Add a 'default:' label to the above relocation code
when RTLD_BOOTSTRAP is defined.


===============
VENDOR STATUS:
===============
2012/09/04 - Bug discovered.
2013/10/20 - Advisory released on full-disclosure, bugtraq, exploit-db.

...

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
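The point the thread turns on is what an Elf32_Rel dispatch does with a relocation type it does not know. The following is an added example written for this archive page; it is neither glibc's code nor the advisory author's. It models the quoted switch over a constructed relocation table (a four-slot GOT pre-filled with a sentinel, three made-up resolved symbol values, a made-up load base, and 0x7f as a type that is not an i386 relocation) rather than reproducing ld.so. With strict=0 the switch's default: does nothing, which C99 6.8.4.2p5 makes equivalent to having no default: at all, so the patched entry is skipped and its slot keeps whatever the file held. With strict=1 the default: refuses the entry, which is the effect of the default: path glibc compiles when RTLD_BOOTSTRAP is not defined (it reports a bad relocation type and the load fails instead of continuing).

```c
/* Added example (not glibc's own code): a model of the Elf32_Rel dispatch
 * quoted in the advisory, run over a constructed relocation table, comparing
 * a switch with no effective default: against one that rejects unknown types. */
#include <assert.h>
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t Elf32_Addr;
typedef uint32_t Elf32_Word;
typedef struct { Elf32_Addr r_offset; Elf32_Word r_info; } Elf32_Rel;

/* i386 relocation types and r_info packing, as defined in <elf.h>. */
#define R_386_GLOB_DAT 6
#define R_386_JMP_SLOT 7
#define ELF32_R_SYM(i)     ((i) >> 8)
#define ELF32_R_TYPE(i)    ((unsigned char)(i))
#define ELF32_R_INFO(s, t) (((Elf32_Word)(s) << 8) | (unsigned char)(t))

#define GOT_SLOTS   4
#define GOT_GARBAGE 0xdeadbeefu   /* constructed: bytes an unrelocated slot holds in the file */
#define L_ADDR      0x08048000u   /* constructed load base (link_map.l_addr) */

/* Constructed stand-in for symbol lookup: resolved value per symbol index. */
static const Elf32_Addr sym_value[] = { 0, 0x400u, 0x500u, 0x600u };
#define NSYMS (sizeof sym_value / sizeof sym_value[0])

static Elf32_Addr got[GOT_SLOTS];   /* the table being relocated in place */

Elf32_Addr got_slot(int i) { return (i >= 0 && i < GOT_SLOTS) ? got[i] : 0; }

/* Core loop. strict=0 mirrors the quoted switch: default: only breaks, which is
 * exactly what no default: label gives (C99 6.8.4.2p5), so an entry whose type is
 * not GLOB_DAT/JMP_SLOT is skipped and its slot keeps the file's bytes.
 * strict=1 refuses the entry instead, as the default: path in ld.so does.
 * Returns slots written, -1 for an out-of-range entry, or -(1+i) when strict
 * refuses entry i. */
int relocate(const Elf32_Rel *rel, size_t nrel, int strict)
{
    int written = 0;
    for (size_t i = 0; i < nrel; i++) {
        Elf32_Word sym = ELF32_R_SYM(rel[i].r_info);
        /* Bounds checks a real loader gets from the mapped segment layout. */
        if (rel[i].r_offset % sizeof(Elf32_Addr) ||
            rel[i].r_offset / sizeof(Elf32_Addr) >= GOT_SLOTS || sym >= NSYMS)
            return -1;
        Elf32_Addr *reloc_addr = &got[rel[i].r_offset / sizeof(Elf32_Addr)];
        Elf32_Addr value = L_ADDR + sym_value[sym];
        switch (ELF32_R_TYPE(rel[i].r_info)) {
        case R_386_GLOB_DAT:
        case R_386_JMP_SLOT:
            *reloc_addr = value;
            written++;
            break;
        default:
            if (strict)
                return -(int)(i + 1);
            break;   /* lax: leave *reloc_addr untouched and keep going */
        }
    }
    return written;
}

/* Run the demo: three PLT-style entries, with entry 1's type overwritten by
 * `type` the way the advisory describes patching the file. Returns relocate()'s rc. */
int demo(unsigned char type, int strict)
{
    Elf32_Rel rel[3] = {
        { 1 * sizeof(Elf32_Addr), ELF32_R_INFO(1, R_386_JMP_SLOT) },
        { 2 * sizeof(Elf32_Addr), ELF32_R_INFO(2, type) },
        { 3 * sizeof(Elf32_Addr), ELF32_R_INFO(3, R_386_GLOB_DAT) },
    };
    for (int i = 0; i < GOT_SLOTS; i++)
        got[i] = GOT_GARBAGE;
    return relocate(rel, 3, strict);
}

int main(void)
{
    int rc = demo(0x7f, 0);   /* 0x7f is not an i386 relocation type */
    printf("lax:    rc=%d, slot 2 = 0x%08" PRIx32 " (left as in file)\n", rc, got_slot(2));
    rc = demo(0x7f, 1);
    printf("strict: rc=%d (refused entry %d), slot 3 = 0x%08" PRIx32 " (never reached)\n",
           rc, -rc - 1, got_slot(3));
    rc = demo(R_386_JMP_SLOT, 1);
    printf("intact: rc=%d, slot 2 = 0x%08" PRIx32 "\n", rc, got_slot(2));
    return 0;
}
```

Build with `cc -std=c99 -Wall` and run it. The lax run reports two slots written and slot 2 still holding 0xdeadbeef: in a real process that is the PLT slot a later call would jump through, which is the crash the advisory describes, and nothing in the loop reported it. The strict run stops at entry 1 before touching slot 3, so a patched relocation table is rejected at load time rather than producing a partially relocated image.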

