Stack-Clash Vulnerability

The security research team at Qualys has discovered multiple vulnerabilities in guard-page implementations in various Linux versions. This bug can be exploited by local users to gain root privileges by compromising memory regions pertaining to other application and shared libraries. Qualys has disclosed these vulnerabilities to vendors and has been working with them for a coordinated patch and signature release.

Background:

Operating systems use stacks to keep track of process executions and heaps for dynamic memory allocations. In general by design the stack grows from higher addresses to lower, and heaps are usually not bound to such a frame of reference. If the stack is exhausted the process in question can request for more space by raising a PAGE_FAULT exception. Stack-Clash refers to the incident where the these two memory structures collide/overlap. To avoid this scenario guard-pages are implemented at the start of the stack, if the stack pointer breaches the guard page then either a PAGE-FAULT exception is raised or the process in question is terminated via SIGSEGV signal. Guard pages are also used in the Windows operating systems for similar memory protection checks.

Vulnerability:

As mentioned in the previous section, guard-page prevents stacks from overflowing. However if the stack can avoid breaching the guard-page by moving the stack pointer it does not raise a page fault and can continue expanding into other memory regions. This means we can  overwrite memory regions mapped directly below the stack. The vulnerabilities in the current guard-page implementation allows us to achieve this. This can result in stack smashing or memory smashing. Please refer the Qualys Security Advisory for more details and history behind this vulnerability.

Exploitation:
At present the target machines can be exploited locally and remote exploitation may be possible in some scenarios. The steps described below are for a traditional stack-clash, all steps need not be applicable for every target OS.

The exploitation process is roughly divided into 4 steps:
Step 1: Clash
– Keep allocating memory till the stack reaches another memory region. These allocations are not freed.
Step 2: Run
– After successful allocation move the stack pointer to the lower end of the stack allocated memory.
Step 3: Jump
– Move the stack pointer from the current stack memory into the memory region without breaching the guard-page. Effectively we are executing in the address space of another process.
Step 4: Smash
– At this point we can either choose to overwrite the stack or overwrite the memory region currently clashing with the stack, this is used for application specific exploitation.

Please refer the Qualys Security Advisory for more details about the exploit and how to check if a machine is vulnerable. Many CVE’s were uncovered during this research.

CVE OS Description
CVE-2017-1084 FreeBSD Stack guard-page is ineffective if memory region mapped below grows up and clashes with the stack.
CVE-2017-1083 Stack guard-page disabled by default.
CVE-2017-1085 Increasing RLIMIT_STACK and call to vm_map_protect() may turn read-only memory region below the stack into a read-write region.
CVE-2017-1000374 NetBSD Setting RLIMIT_STACK to MAXSSIZ eliminates the PROT_NONE part of the stack region which disables guard-page protection.(* remote exploitation not possible)
CVE-2017-1000369 Debian EoP in Exim.
Ubuntu
CVE-2017-1000376 Debian EoP in Exim.
CVE-2017-1000367 Debian local-root EoP vulnerability in Sudo’s get_process_ttyname() for Linux.
Ubuntu
SUSE Enterprise Linux
Oracle enterprise Linux
Fedora
CentOS
CVE-2017-1000366 Debian (x86 and amd64) Vulnerability in ld.so and ld-linux.so* part if glibc allowing EoP.
Fedora
CentOS
Amzon Linux
OpenSUSE
SUSE Enterprise Linux
Oracle Solaris
SELinux-enabled
RHEL
CVE-2017-1000370 Debian Vulnerability in the offset2lib patch allowing local-root EoP.
Fedora
CentOS
CVE-2017-1000371 Debian Vulnerability in the offset2lib patch allowing local-root EoP.
Fedora
CentOS
CVE-2017-1000365 Debian Linux,kernel (/bin/su) enforces size limits on command-line arguments and environment variables but not on argv[] and envp[] pointers.
CVE-2017-1000377 Linux The 64KB grsecurity/PaX stack guard-page is not large enough and can be jumped over with ld.so or gettext(). This can be used to control EIP
Amazon Linux
CVE-2017-1000379 Debian (amd64) The minimum initial mmap-stack distance is only 128MB.
Fedora (amd64)
CentOS (amd64)
Ubuntu (amd64)
Red Hat (amd64)
CVE-2017-1000372 OpenBSD Setting RLIMIT_STACK to MAXSSIZ eliminates the PROT_NONE part of the stack region which disables guard-page protection.(* remote exploitation not possible)
CVE-2017-1000373 OpenBSD qsort() function is not randomized, an attacker can construct a pathological input array of N elements that causes qsort() to deterministically recurse N times. This allows for continuous memory allocation.
CVE-2017-1000375 NetBSD Maps the run-time link-editor ld.so directly below the stack region, even if ASLR is enabled.
CVE-2017-3630 Solaris 11 With or without ASLR runtime linker ld.so is mapped below the guard-page.(With ASLR ld.so is mapped at a random distance from the guard-page)
CVE-2017-3629 Even with ASLR the distance between the end of ld.so’s,read-write segment a nd the start of the stack is exactly 8KB
CVE-2017-3631 Forced-Privilege protection is based on the pathname of SUID-root binaries, which can be execve()d through hard-links under different pathnames.
CVE-2017-1000364 SUSE A 4k stack guard page is not sufficiently large and can be “jumped” over
Red Hat
Linux Kernel =<4.11.5
Debian
Ubuntu
Oracle Enterprise Linux
Amazon Linux
OpenBSd
FreeBSD
NetBSD
Fedora
CentOS
CVE-2017-1000378 NetBSD qsort() function is not randomized, an attacker can construct
a pathological input array of N elements that causes qsort()
to deterministically recurse N times. This allows for continuous
memory allocation.
CVE-2017-1082 FreeBSD

Mitigation:

Qualys has been working with various vendors to ensure effective patch development. The fix is not straightforward as it requires patching the kernel and also the individual affected components like glibc and other applications. Vendors will start releasing their corresponding patches from June 19 2017. We request organizations to scan their network with the corresponding QID’s to detect vulnerable machines.

Please continue to follow ThreatProtect for more coverage on this issue.

Update:
– The PoC for CVE-2017-1000367 has been made public.
– Qualys PoC availble here

References:
Qualys Security Advisory
The Stack Clash
CVE-2017-1000367
Red Hat:Stack Guard Page Circumvention Affecting Multiple Packages

Leave a Reply

Your email address will not be published. Required fields are marked *