From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: by sourceware.org (Postfix, from userid 48) id 7DD083861899; Mon, 28 Dec 2020 23:15:07 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 7DD083861899 From: "willcoster at gmail dot com" To: glibc-bugs@sourceware.org Subject: [Bug stdio/27124] New: libio vtable hardening bypass via obstack files Date: Mon, 28 Dec 2020 23:15:07 +0000 X-Bugzilla-Reason: CC X-Bugzilla-Type: new X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: glibc X-Bugzilla-Component: stdio X-Bugzilla-Version: 2.32 X-Bugzilla-Keywords: X-Bugzilla-Severity: normal X-Bugzilla-Who: willcoster at gmail dot com X-Bugzilla-Status: UNCONFIRMED X-Bugzilla-Resolution: X-Bugzilla-Priority: P2 X-Bugzilla-Assigned-To: unassigned at sourceware dot org X-Bugzilla-Target-Milestone: --- X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: bug_id short_desc product version bug_status bug_severity priority component assigned_to reporter target_milestone Message-ID: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: http://sourceware.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-BeenThere: glibc-bugs@sourceware.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Glibc-bugs mailing list List-Unsubscribe: , List-Archive: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 28 Dec 2020 23:15:07 -0000 https://sourceware.org/bugzilla/show_bug.cgi?id=3D27124 Bug ID: 27124 Summary: libio vtable hardening bypass via obstack files Product: glibc Version: 2.32 Status: UNCONFIRMED Severity: normal Priority: P2 Component: stdio Assignee: unassigned at sourceware dot org Reporter: willcoster at gmail dot com Target Milestone: --- It is possible to bypass existing libio vtable hardening by using the _IO_obstack_jumps vtable and a forged obstack. The obstack struct contains unmangled pointers to a custom allocator [1] wh= ich is used when growing an obstack [2, 3, 4]. Both of the methods listed in the=C2=A0_IO_obstack_jumps vtable attempt to = grow an obstack when certain conditions are met [5, 6]. This is similar to Bug=C2=A023236 and would allow an attacker with the abil= ity=C2=A0to corrupt FILE objects to gain code execution. I have tested and confirmed th= at this works on glibc 2.32. I am filing this in the public tracker in accordance with the guidance=C2= =A0that hardening bypasses are not considered security issues in and of themselves = [7]. [1] https://sourceware.org/git/?p=3Dglibc.git;a=3Dblob;f=3Dmalloc/obstack.h;h= =3D4b1ba80047b378fa63739e5dbbbf748ca026e197;hb=3Drefs/heads/release/2.32/ma= ster#l153 [2] https://sourceware.org/git/?p=3Dglibc.git;a=3Dblob;f=3Dmalloc/obstack.h;h= =3D4b1ba80047b378fa63739e5dbbbf748ca026e197;hb=3Drefs/heads/release/2.32/ma= ster#l296 [3] https://sourceware.org/git/?p=3Dglibc.git;a=3Dblob;f=3Dmalloc/obstack.c;h= =3D0d652be9f5d4c0e88e55bf84bbc1053c20d7ce83;hb=3Drefs/heads/release/2.32/ma= ster#l261 [4] https://sourceware.org/git/?p=3Dglibc.git;a=3Dblob;f=3Dmalloc/obstack.c;h= =3D0d652be9f5d4c0e88e55bf84bbc1053c20d7ce83;hb=3Drefs/heads/release/2.32/ma= ster#l121 [5] https://sourceware.org/git/?p=3Dglibc.git;a=3Dblob;f=3Dlibio/obprintf.c;h= =3De440cd74c3caf3ee5bbfec9aa1e3ff880f0b3fb7;hb=3Drefs/heads/release/2.32/ma= ster#l48 [6] https://sourceware.org/git/?p=3Dglibc.git;a=3Dblob;f=3Dlibio/obprintf.c;h= =3De440cd74c3caf3ee5bbfec9aa1e3ff880f0b3fb7;hb=3Drefs/heads/release/2.32/ma= ster#l76 [7] https://sourceware.org/glibc/wiki/Security%20Exceptions#Post-exploitation_c= ountermeasures --=20 You are receiving this mail because: You are on the CC list for the bug.=