http://scary.beasts.org/security/CESA-2009-003.html
The most interesting thing about LittleCMS is how quickly it has become a very critical building block for UNIX desktops. Let's enumerate some of the pieces of software impacted by any lcms vulnerabilities:
- OpenJDK. OpenJDK uses lcms to parse colour profiles embedded in JPEG or BMP files. OpenJDK is on the default browser attack surface of a lot of Linux installations, e.g. Fedora 10.
- Firefox. Firefox 3.1beta uses lcms to parse colour profiles embedded in JPEG files -- by default. (Firefox 3.0 has this ability but not by default, so thankfully this can be addressed before 3.1 goes production).
- GIMP. GIMP uses the system liblcms library to parse colour profiles embedded in at least JPEG files.
Finally, some notes on the various Linux system protections that do or don't help defend against the exploit for this stack-based buffer overflow:
- My exploit targets, but is not limited to, systems with executable heaps. Interestingly 32-bit Ubuntu 8.10 on my laptop shows the heap as non-executable in /proc/<pid>/maps, but it lies because the installed kernel is non-PAE.
- For systems with non-executable heaps, such as 64-bit Ubuntu 8.10 on my desktop, an exploit is still possible because you can point registers other than rip into the heap (e.g. rbp). I've not written this exploit.
- Systems with stack smashing detection, such as Fedora 10, do make the exploit hard or impossible. However, the somewhat risky OpenJDK package on such a system is not compiled with stack smashing detection, leaving the default browsing experience vulnerable.
- I noticed that the Fedora 10 stack smashing detection does not exit cleanly, but gives a SIGSEGV. On 32-bit, the faulting instruction is cmpw $0xb858,(%eax) where %eax == 0x1. The stack frames are __stack_chk_fail __fortify_fail __libc_message backtrace _Unwind_Backtrace ??. Leave a comment if you know what's going on. Sounds dangerous to me.
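The remark about /proc/<pid>/maps above is worth turning into a check a defender can run on a suspect process. The program below is an added example, not code from the original post or from LittleCMS; it assumes the Linux procfs maps line format ("start-end perms offset dev inode path") and the kernel's "[heap]" and "[stack]" labels, and the sample listing embedded in it is constructed.

```c
/* Added example (not from the original post): report whether the [heap] and
 * [stack] mappings of a process carry the execute bit, by parsing the
 * /proc/<pid>/maps listing. Assumes the Linux procfs maps format:
 *   start-end perms offset dev inode path
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Result codes for region_executable(). */
enum { REGION_NX = 0, REGION_EXEC = 1, REGION_NOT_FOUND = -1 };

/* Constructed sample listing (32-bit layout, values invented for the demo):
 * an executable heap and a non-executable stack. */
const char SAMPLE_MAPS[] =
    "08048000-08049000 r-xp 00000000 08:01 12345      /usr/bin/demo\n"
    "09a00000-09a21000 rwxp 00000000 00:00 0          [heap]\n"
    "bffeb000-c0000000 rw-p 00000000 00:00 0          [stack]\n";

/* Scan a maps listing held in memory for the mapping whose path column equals
 * `label` (e.g. "[heap]") and report whether its permission string has 'x'. */
int region_executable(const char *maps_text, const char *label)
{
    const char *line = maps_text;
    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[512];
        if (len >= sizeof buf) len = sizeof buf - 1;   /* truncate overlong lines */
        memcpy(buf, line, len);
        buf[len] = '\0';

        char range[64], perms[8], dev[16], path[256];
        unsigned long offset, inode;
        path[0] = '\0';                                /* anonymous maps have no path */
        int n = sscanf(buf, "%63s %7s %lx %15s %lu %255s",
                       range, perms, &offset, dev, &inode, path);
        if (n >= 6 && strcmp(path, label) == 0)
            return strchr(perms, 'x') ? REGION_EXEC : REGION_NX;

        if (!nl) break;
        line = nl + 1;
    }
    return REGION_NOT_FOUND;
}

/* Read all of /proc/<pid>/maps ("self" for the current process) into a
 * malloc'd, NUL-terminated buffer. Returns NULL if procfs is unavailable. */
char *read_maps(const char *pid)
{
    char name[64];
    snprintf(name, sizeof name, "/proc/%s/maps", pid);
    FILE *f = fopen(name, "r");
    if (!f) return NULL;
    size_t cap = 4096, used = 0, got;
    char *buf = malloc(cap);
    if (!buf) { fclose(f); return NULL; }
    while ((got = fread(buf + used, 1, cap - used - 1, f)) > 0) {
        used += got;
        if (used + 1 >= cap) {                         /* grow the buffer as needed */
            char *nb = realloc(buf, cap * 2);
            if (!nb) { free(buf); fclose(f); return NULL; }
            buf = nb;
            cap *= 2;
        }
    }
    buf[used] = '\0';
    fclose(f);
    return buf;
}

/* Usage: ./mapcheck [pid]   (defaults to the current process) */
int main(int argc, char **argv)
{
    const char *pid = argc > 1 ? argv[1] : "self";
    char *maps = read_maps(pid);
    if (!maps) { perror("/proc maps"); return 1; }
    const char *labels[] = { "[heap]", "[stack]" };
    for (size_t i = 0; i < 2; i++) {
        int r = region_executable(maps, labels[i]);
        printf("%-8s %s\n", labels[i],
               r == REGION_EXEC ? "executable" :
               r == REGION_NX   ? "non-executable" : "not mapped");
    }
    free(maps);
    return 0;
}
```

Treat the "non-executable" answer as necessary but not sufficient: as the post observes, a 32-bit non-PAE kernel can show rw-p for the heap while the hardware never enforces NX, so pair this check with confirming that the kernel is PAE or 64-bit before concluding that an executable-heap exploit is blocked.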
Aside from stack smashing, I'd be interested in seeing the exploit run on Fedora 10 with and without SELinux in enforcing. More traditional stack smashing relies on an executable stack, which SELinux plays a direct role in mitigating (orthogonal to ASLR/PIE/et al).
However, you could still leverage the ret2{libc,etc} vectors....
great post
Sounds like Fedora also messes with glibc's handling of stack-smashes.
Or maybe it is Ubuntu (since it seems those are the systems you diff between).
I know the hardened gentoo project wrote their own code [1] for those terminations because they thought the original one in glibc did not do a good enough job.
You may want to look into that in this case.
[1] http://sources.gentoo.org/viewcvs.py/gentoo-x86/sys-libs/glibc/files/2.6/glibc-2.6-gentoo-stack_chk_fail.c?rev=1.4&view=markup
The original for something to compare with.
http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/debug/stack_chk_fail.c?rev=1.2&content-type=text/x-cvsweb-markup&cvsroot=glibc