Linux PIE/Stack Corruption: CVE-2017-1000253

Qualys Vulnerability and Malware Research Labs (VMRL) has found a local privilege escalation vulnerability in the Linux operating system. The vulnerability is named “Linux PIE/stack corruption” and has been assigned CVE-2017-1000253. Triggering this vulnerability corrupts the stack, because the data segment of a PIE binary is mapped over it; an unprivileged local user with access to a SUID PIE binary could use this to escalate their privileges.

The operating systems listed below are affected by this vulnerability (this list will be updated as more vendors publish their advisories):

– All versions of CentOS 7 < 1708
– All versions of Red Hat Enterprise Linux 7 before 7.4
– All versions of CentOS 6
– Red Hat Enterprise Linux 6

As per the SUSE bug ticket, SUSE Linux Enterprise 12 GA, SP1, SP2 and SP3 are already fixed, and SUSE Linux Enterprise 11 SP4 and older are under review.

Background:
Return Oriented Programming (ROP) is an exploitation method for circumventing the NX bit, i.e. cases where the stack is non-executable. To make ROP harder, binaries are built as Position Independent Executables (PIE): code compiled with gcc's -fPIE (or -fpie) option and linked with -pie. When a PIE binary is executed, the kernel maps it at a random base address, and its shared library dependencies are likewise loaded at random locations in virtual memory each time the application runs. This makes ROP attacks much more difficult to execute reliably.

Similar to the PE header on Windows, an ELF binary consists of an ELF header followed by a program header table, a section header table, or both. Here we are interested in the .dynamic section: it is loaded as part of the data segment and facilitates run-time linking. When a program is executed, the generic execve kernel system call handler looks up the handler that supports the binary format and calls it; for ELF binaries this is load_elf_binary. This function parses the ELF header and program headers to set up the process for executing the binary in question.

A related vulnerability previously existed in Linux: executing a PIE binary whose data segments are larger than 128MB caused execve to map the PIE's read-write segment into the stack's memory range, thereby corrupting it. This divides the stack into three parts; the middle address range of the stack is where the PIE segments are mapped, and this is the area of interest, because the data that overwrites the stack there is attacker-controlled. That vulnerability was addressed in April 2015, but unfortunately the fix was not backported to long-term distributions.

Vulnerability:
When an ELF binary is executed, the “gap” between the binary and its stack is guaranteed to be 128MB. So a PIE binary with data segments larger than 128MB can end up being mapped onto the stack by load_elf_binary. As per the ticket comments, this issue was fixed “by calculating the total size of the binary in the same way as load_elf_interp().”
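As an added illustration (not code from the Qualys advisory or from the kernel), the following Python helper parses an ELF64 header and program header table, decides whether a binary is a PIE, and computes the total size of its PT_LOAD mapping the way the kernel's total_mapping_size() helper used by load_elf_interp() does: end of the last PT_LOAD minus the page-aligned start of the first. It then flags binaries that are PIE, SUID, and larger than the 128MB gap the post describes. The ELF images produced by build_elf64() are constructed samples with headers only, not real binaries, and assess_path() is a hypothetical convenience wrapper for files on disk.

```python
import os
import stat
import struct

ELF_MAGIC = b"\x7fELF"
ELFCLASS64 = 2
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3
PF_X, PF_W, PF_R = 1, 2, 4
PAGE_SIZE = 4096
STACK_GAP = 128 * 1024 * 1024  # the 128MB gap between binary and stack described in the post

EHDR_FMT = "<16sHHIQQQIHHHHHH"  # Elf64_Ehdr, little-endian
PHDR_FMT = "<IIQQQQQQ"          # Elf64_Phdr
EHDR_SIZE = struct.calcsize(EHDR_FMT)  # 64
PHDR_SIZE = struct.calcsize(PHDR_FMT)  # 56


def parse_elf64(data):
    """Return e_type and the program header table of an ELF64 image."""
    if len(data) < EHDR_SIZE or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    if data[4] != ELFCLASS64:
        raise ValueError("only ELF64 is handled here")
    (_ident, e_type, _machine, _version, _entry, e_phoff, _shoff, _flags,
     _ehsize, e_phentsize, e_phnum, _shentsize, _shnum, _shstrndx) = struct.unpack_from(EHDR_FMT, data)
    if e_phentsize != PHDR_SIZE or e_phoff + e_phnum * PHDR_SIZE > len(data):
        raise ValueError("program header table out of bounds")
    phdrs = []
    for i in range(e_phnum):
        (p_type, p_flags, p_offset, p_vaddr, _paddr, p_filesz, p_memsz,
         _align) = struct.unpack_from(PHDR_FMT, data, e_phoff + i * PHDR_SIZE)
        phdrs.append({"type": p_type, "flags": p_flags, "offset": p_offset,
                      "vaddr": p_vaddr, "filesz": p_filesz, "memsz": p_memsz})
    return {"e_type": e_type, "phdrs": phdrs}


def is_pie(elf):
    """A PIE executable is ET_DYN and carries a PT_INTERP entry
    (shared libraries are also ET_DYN but have no interpreter)."""
    return elf["e_type"] == ET_DYN and any(p["type"] == PT_INTERP for p in elf["phdrs"])


def total_mapping_size(phdrs):
    """Address range spanned by all PT_LOAD segments, computed like the
    kernel's total_mapping_size(): end of the last PT_LOAD minus the
    page-aligned start of the first."""
    loads = [p for p in phdrs if p["type"] == PT_LOAD]
    if not loads:
        return 0
    first, last = loads[0], loads[-1]
    return last["vaddr"] + last["memsz"] - (first["vaddr"] & ~(PAGE_SIZE - 1))


def writable_data_size(phdrs):
    """Bytes of writable PT_LOAD memory (.data, .bss and .dynamic live here)."""
    return sum(p["memsz"] for p in phdrs if p["type"] == PT_LOAD and p["flags"] & PF_W)


def assess(data, setuid=False):
    """Classify one ELF image: PIE or not, mapping size, and whether a SUID
    PIE exceeds the 128MB gap (the combination the post is about)."""
    elf = parse_elf64(data)
    total = total_mapping_size(elf["phdrs"])
    pie = is_pie(elf)
    exceeds = total > STACK_GAP
    return {"pie": pie, "setuid": setuid, "total_mapping_size": total,
            "writable_data_size": writable_data_size(elf["phdrs"]),
            "exceeds_gap": exceeds, "flag": pie and setuid and exceeds}


def assess_path(path):
    """Hypothetical wrapper: read a file and take SUID from its mode bits."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        return assess(fh.read(), setuid=bool(st.st_mode & stat.S_ISUID))


def build_elf64(e_type, segments):
    """Constructed sample: emit an ELF64 header plus program headers from
    (p_type, p_flags, p_vaddr, p_memsz) tuples. Headers only, no contents."""
    ident = ELF_MAGIC + bytes([ELFCLASS64, 1, 1, 0]) + b"\x00" * 8
    ehdr = struct.pack(EHDR_FMT, ident, e_type, 62, 1, 0, EHDR_SIZE, 0, 0,
                       EHDR_SIZE, PHDR_SIZE, len(segments), 0, 0, 0)
    phdrs = b"".join(struct.pack(PHDR_FMT, p_type, p_flags, 0, vaddr, vaddr, 0, memsz, PAGE_SIZE)
                     for p_type, p_flags, vaddr, memsz in segments)
    return ehdr + phdrs


# Constructed layouts: a normal PIE, a PIE whose RW segment is 256MB, and a non-PIE.
SMALL_PIE = [(PT_INTERP, PF_R, 0x238, 0x1c), (PT_LOAD, PF_R | PF_X, 0x0, 0x1000),
             (PT_LOAD, PF_R | PF_W, 0x200000, 0x1000), (PT_DYNAMIC, PF_R | PF_W, 0x200000, 0x100)]
BIG_PIE = [(PT_INTERP, PF_R, 0x238, 0x1c), (PT_LOAD, PF_R | PF_X, 0x0, 0x1000),
           (PT_LOAD, PF_R | PF_W, 0x200000, 0x10000000), (PT_DYNAMIC, PF_R | PF_W, 0x200000, 0x100)]

if __name__ == "__main__":
    for name, e_type, layout in (("small pie", ET_DYN, SMALL_PIE), ("big pie", ET_DYN, BIG_PIE),
                                 ("big exec", ET_EXEC, BIG_PIE[1:])):
        print(name, assess(build_elf64(e_type, layout), setuid=True))
```

On a real system the same check is what you would run over every SUID binary (find / -perm -4000) via assess_path(); a hit means a binary that is PIE, SUID and large enough to reach the 128MB gap even before the argv-based variant is considered, so it deserves the kernel update first.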

Qualys research shows that this is not limited to PIEs with data segments larger than 128MB. Similarly to the Stack Clash vulnerability CVE-2017-1000379, passing roughly 1.5GB of argument strings to execve will cause the PIE to be mapped directly below the stack. This succeeds with a probability of about 1/17331.

Exploitation:
As with the vulnerability fixed in April 2015, exploiting CVE-2017-1000253 also divides the stack into three segments, with the middle segment overwritten by the PIE's read-write segment. This is also the address range that rsp points into when execve returns.

So the game plan is to smash the stack with the PIE’s read-write segments using a stack-based string operation and load ld.so to execute our own shared library. This approach is similar to the exploitation of CVE-2017-1000371. This vulnerability can be exploited only if the attacker has local access to the target, so it is a post-compromise attack: the adversary has already gained access to the target and needs to elevate their privileges for further activity. Qualys has developed a PoC against CentOS 7 kernel versions “3.10.0-514.21.2.el7.x86_64” and “3.10.0-514.26.1.el7.x86_64”; at present the PoC is not public.

Mitigation:
We request that organizations scan their networks with the QIDs listed below to detect vulnerable machines.

QID Description
157565 Oracle Enterprise Linux Security Update for kernel (ELSA-2017-2795)
236515 Red Hat Update for kernel (RHSA-2017:2795)
236511 Red Hat Update for kernel (RHSA-2017:2796)
236510 Red Hat Update for kernel (RHSA-2017:2801)
236509 Red Hat Update for kernel (RHSA-2017:2793)
236508 Red Hat Update for kernel (RHSA-2017:2794)
256304 CentOS 7 Linux PIE Stack Corruption Vulnerability

As always, please continue to follow ThreatProtect for more coverage on this vulnerability.

References:

Qualys Security Advisory: CVE-2017-1000253
SUSE:CVE-2017-1000253
Position Independent Executable (PIE)
How programs get run: ELF binaries
Stack-Clash
CVE-2017-1000379
