Understanding Core Unix Components and their Historical Security Issues (GlibC)

I have a mantra, you can’t pwn something you can’t build, well, of course you can but it’s much easier if you can build it. Take web apps, I had RCE on redis years ago because I knew how to configure it; take AD — because I deployed early on Azure I knew a few bugs that allowed me to take over traditional AD from Azure and finally by building my own Unix system I was able to figure out a number of priv. escs by simply mounting file systems or changing core start up libs etc…the point is, if you can make it, you can break it.

Part of building something is understanding it, today we will try to understand a core unix component, Glibc, what it does and look at previous security issues that have affected them and other exploits that abuses it. I hope all the binaries, libraries and directories listed will be helpful for people looking for good fuzzing targets or places to statically analyse code.

Glibc

The Glibc package contains the main C library. This library provides the basic routines for allocating memory, searching directories, opening and closing files, reading and writing files, string handling, pattern matching, arithmetic, and so on.

Installed Binaries

catchsegv

Can be used to create a stack trace when a program terminates with a segmentation fault

Useful for CTFs, Reverse Engineering and Exploit Dev

gencat

Generates message catalogues

getconf

Displays the system configuration values for file system specific variables

getent

Gets entries from an administrative database

iconv

Performs character set conversion

iconvconfig

Creates fastloading iconv module configuration files

ldconfig

Configures the dynamic linker runtime bindings

ldd

Reports which shared libraries are required by each given program or shared library

ldd is very useful for CTFs, Exploit Dev and Reverse Engineering!

lddlibc4

Assists ldd with object files

locale

Prints various information about the current locale

localedef

Compiles locale specifications

makedb

Creates a simple database from textual input

mtrace

Reads and interprets a memory trace file and displays a summary in human-readable format

nscd

A daemon that provides a cache for the most common name service requests

pldd

Lists dynamic shared objects used by running processes

sln

A statically linked ln program

sotruss

Traces shared library procedure calls of a specified command

Another useful one for CTFs, Exploit Development and Reverse Engineering!

sprof

Reads and displays shared object profiling data

tzselect

Asks the user about the location of the system and reports the corresponding time zone description

xtrace

Traces the execution of a program by printing the currently executed function

zdump

The time zone dumper

zic

The time zone compiler

Installed Libraries

ld-2.28.so

The helper program for shared library executables

libBrokenLocale

Used internally by Glibc as a gross hack to get broken programs (e.g., some Motif applications) running. See comments in glibc-2.28/locale/broken_cur_max.cfor more information

libSegFault

The segmentation fault signal handler, used by catchsegv

libanl

An asynchronous name lookup library

libc

The main C library

libcidn

Used internally by Glibc for handling internationalized domain names in the getaddrinfo() function

libcrypt

The cryptography library

libdl

The dynamic linking interface library

libg

Dummy library containing no functions. Previously was a runtime library for g++

libieee

Linking in this module forces error handling rules for math functions as defined by the Institute of Electrical and Electronic Engineers (IEEE). The default is POSIX.1 error handling

libm

The mathematical library

libmcheck

Turns on memory allocation checking when linked to

libmemusage

Used by memusage to help collect information about the memory usage of a program

libnsl

The network services library

libnss

The Name Service Switch libraries, containing functions for resolving host names, user names, group names, aliases, services, protocols, etc.

libpthread

The POSIX threads library

libresolv

Contains functions for creating, sending, and interpreting packets to the Internet domain name servers

librpcsvc

Contains functions providing miscellaneous RPC services

librt

Contains functions providing most of the interfaces specified by the POSIX.1b Realtime Extension

libthread_db

Contains functions useful for building debuggers for multi-threaded programs

libutil

Contains code for “standard” functions used in many different Unix utilities

Directories

/usr/include/arpa
/usr/include/bits
/usr/include/gnu
/usr/include/net
/usr/include/netash
/usr/include/netatalk
/usr/include/netax25
/usr/include/neteconet
/usr/include/netinet
/usr/include/netipx
/usr/include/netiucv
/usr/include/netpacket
/usr/include/netrom
/usr/include/netrose
/usr/include/nfs
/usr/include/protocols
/usr/include/rpc
/usr/include/rpcsvc
/usr/include/sys
/usr/lib/audit
/usr/lib/gconv
/usr/lib/locale
/usr/libexec/getconf
/usr/share/i18n
/usr/share/zoneinfo
/var/cache/nscd
/var/lib/nss_db

Vulnerabilities

GNU Glibc : List of security vulnerabilities
Security vulnerabilities of GNU Glibc : List of all related CVE security vulnerabilities. CVSS Scores, vulnerability…www.cvedetails.com

Top 10 Critical

  • CVE-2015–0235: Heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2, and other 2.x versions before 2.18, allows context-dependent attackers to execute arbitrary code via vectors related to the (1) gethostbyname or (2) gethostbyname2 function, aka “GHOST.”
  • CVE-2017–16997: elf/dl-load.c in the GNU C Library (aka glibc or libc6) 2.19 through 2.26 mishandles RPATH and RUNPATH containing $ORIGIN for a privileged (setuid or AT_SECURE) program, which allows local users to gain privileges via a Trojan horse library in the current working directory, related to the fillin_rpath and decompose_rpath functions. This is associated with misinterpretion of an empty RPATH/RUNPATH token as the “./” directory. NOTE: this configuration of RPATH/RUNPATH for a privileged program is apparently very uncommon; most likely, no such program is shipped with any common Linux distribution.
  • CVE-2014–9402: The nss_dns implementation of getnetbyname in GNU C Library (aka glibc) before 2.21, when the DNS backend in the Name Service Switch configuration is enabled, allows remote attackers to cause a denial of service (infinite loop) by sending a positive answer while a network name is being process.
  • CVE-2017–8804: The xdr_bytes and xdr_string functions in the GNU C Library (aka glibc or libc6) 2.25 mishandle failures of buffer deserialization, which allows remote attackers to cause a denial of service (virtual memory allocation, or memory consumption if an overcommit setting is not used) via a crafted UDP packet to port 111, a related issue to CVE-2017–8779.
  • CVE-2000–0335: The resolver in glibc 2.1.3 uses predictable IDs, which allows a local attacker to spoof DNS query results.
  • CVE-2002–0684: Buffer overflow in DNS resolver functions that perform lookup of network names and addresses, as used in BIND 4.9.8 and ported to glibc 2.2.5 and earlier, allows remote malicious DNS servers to execute arbitrary code through a subroutine used by functions such as getnetbyname and getnetbyaddr.
  • CVE-2003–0028: Integer overflow in the xdrmem_getbytes() function, and possibly other functions, of XDR (external data representation) libraries derived from SunRPC, including libnsl, libc, glibc, and dietlibc, allows remote attackers to execute arbitrary code via certain integer values in length fields, a different vulnerability than CVE-2002–0391.
  • CVE-2010–0015: nis/nss_nis/nis-pwd.c in the GNU C Library (aka glibc or libc6) 2.7 and Embedded GLIBC (EGLIBC) 2.10.2 adds information from the passwd.adjunct.byname map to entries in the passwd map, which allows remote attackers to obtain the encrypted passwords of NIS accounts by calling the getpwnam function.
  • CVE-2012–4412: Integer overflow in string/strcoll_l.c in the GNU C Library (aka glibc or libc6) 2.17 and earlier allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long string, which triggers a heap-based buffer overflow.
  • CVE-2014–4043: The posix_spawn_file_actions_addopen function in glibc before 2.20 does not copy its path argument in accordance with the POSIX specification, which allows context-dependent attackers to trigger use-after-free vulnerabilities.

Using GLibC to our Advantage

A “return-to-libc” attack is a computer security attack usually starting with a buffer overflow in which a subroutine return address on a call stack is replaced by an address of a subroutine that is already present in the process’ executable memory, bypassing the no-execute bit feature (if present) and ridding the attacker of the need to inject their own code. The first example of this attack in the wild was contributed by Alexander Peslyak on the Bugtraq mailing list in 1997.

On POSIX-compliant operating systems the C standard library (“libc“) is commonly used to provide a standard runtime environment for programs written in the C programming language. Although the attacker could make the code return anywhere, libc is the most likely target, as it is almost always linked to the program, and it provides useful calls for an attacker (such as the system function used to execute shell commands).