Slashdot Mirror

← Back to Stories (view on slashdot.org)

Project Zero Exploits 'Unexploitable' Glibc Bug

Posted by Unknown on from the never-say-never dept.

NotInHere (3654617) writes with news that Google's Project Zero has been busy at work. A month ago they reported an off-by-one error in glibc that would overwrite a word on the heap with NUL and were met with skepticism at its ability to be used in an attack. Google's 'Project Zero' devised an exploit of the out-of-bounds NUL write in glibc to gain root access using the setuid binary pkexec in order to convince skeptical glibc developers. 44 days after being reported, the bug has been fixed. They even managed to defeat address space randomization on 32-bit platforms by tweaking ulimits. 64-bit systems should remain safe if they are using address space randomization.

3 of 98 comments (clear)

  1. "Unexploitable" sudo bug pre-1.6.3p6 by Anonymous Coward · · Score: 5, Interesting

    Reminds me of this overflow bug which was fixed in sudo 1.6.3p6. It writes a single NUL byte past the end of a buffer, calls syslog(), and the restores the original overwritten byte. Seems unexploitable, right?

    Wrong. Here's the detailed writeup of the exploit. It requires some jiggering with the parameters to get the exploit to work on a particular system, but you don't need a local root exploit to work every time, you just need it to work once and you own the system.

  2. Raspberry Pi, obscure NAS boxes by dutchwhizzman · · Score: 4, Interesting

    While you have a point, you shouldn't forget the Raspberry Pi. It is probably the most popular internet facing non-mobile ARM platform today. Literally millions of these run glibc and at least hundreds of thousands are in some way or form directly connected to the internet. While I don't believe that this bug can be exploited without first gaining RCE on the raspberry pi, once an attacker gets access to the rpi, this bug should be able to get them to escalate to root privileges.

    There are quite a few people that put a full debian (or other) distribution on their NAS server. I own a zyxel NSA 325 and it is possible to install a full debian release on this and some other NAS boxes. These might be a limited amount of systems overall, but it's significant enough to deserve mentioning because they too often are internet facing.

    --
    I was promised a flying car. Where is my flying car?
  3. Address space randomization does not help. by Animats · · Score: 5, Interesting

    64-bit systems should remain safe if they are using address space randomization.

    Nah. It just takes more crashes before the exploit achieves penetration.

    (Address space randomization is a terrible idea. It's a desperation measure and an excuse for not fixing problems. In exchange for making penetration slightly harder, you give up repeatable crash bug behavior.)