Understanding Core Unix Components and their Historical Security Issues (GlibC)
I have a mantra, you can’t pwn something you can’t build, well, of course you can but it’s much easier if you can build it. Take web apps, I had RCE on redis years ago because I knew how to configure it; take AD — because I deployed early on Azure I knew a few bugs that allowed me to take over traditional AD from Azure and finally by building my own Unix system I was able to figure out a number of priv. escs by simply mounting file systems or changing core start up libs etc…the point is, if you can make it, you can break it.
Part of building something is understanding it, today we will try to understand a core unix component, Glibc, what it does and look at previous security issues that have affected them and other exploits that abuses it. I hope all the binaries, libraries and directories listed will be helpful for people looking for good fuzzing targets or places to statically analyse code.
The Glibc package contains the main C library. This library provides the basic routines for allocating memory, searching directories, opening and closing files, reading and writing files, string handling, pattern matching, arithmetic, and so on.
Can be used to create a stack trace when a program terminates with a segmentation fault
Generates message catalogues
Displays the system configuration values for file system specific variables
Gets entries from an administrative database
Performs character set conversion
Creates fastloading iconv module configuration files
Configures the dynamic linker runtime bindings
Reports which shared libraries are required by each given program or shared library
Assists ldd with object files
Prints various information about the current locale
Compiles locale specifications
Creates a simple database from textual input
Reads and interprets a memory trace file and displays a summary in human-readable format
A daemon that provides a cache for the most common name service requests
Lists dynamic shared objects used by running processes
A statically linked ln program
Traces shared library procedure calls of a specified command
Reads and displays shared object profiling data
Asks the user about the location of the system and reports the corresponding time zone description
Traces the execution of a program by printing the currently executed function
The time zone dumper
The time zone compiler
The helper program for shared library executables
Used internally by Glibc as a gross hack to get broken programs (e.g., some Motif applications) running. See comments in
glibc-2.28/locale/broken_cur_max.cfor more information
The segmentation fault signal handler, used by catchsegv
An asynchronous name lookup library
The main C library
Used internally by Glibc for handling internationalized domain names in the
The cryptography library
The dynamic linking interface library
Dummy library containing no functions. Previously was a runtime library for g++
Linking in this module forces error handling rules for math functions as defined by the Institute of Electrical and Electronic Engineers (IEEE). The default is POSIX.1 error handling
The mathematical library
Turns on memory allocation checking when linked to
Used by memusage to help collect information about the memory usage of a program
The network services library
The Name Service Switch libraries, containing functions for resolving host names, user names, group names, aliases, services, protocols, etc.
The POSIX threads library
Contains functions for creating, sending, and interpreting packets to the Internet domain name servers
Contains functions providing miscellaneous RPC services
Contains functions providing most of the interfaces specified by the POSIX.1b Realtime Extension
Contains functions useful for building debuggers for multi-threaded programs
Contains code for “standard” functions used in many different Unix utilities
Top 10 Critical
- CVE-2015–0235: Heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2, and other 2.x versions before 2.18, allows context-dependent attackers to execute arbitrary code via vectors related to the (1) gethostbyname or (2) gethostbyname2 function, aka “GHOST.”
- CVE-2017–16997: elf/dl-load.c in the GNU C Library (aka glibc or libc6) 2.19 through 2.26 mishandles RPATH and RUNPATH containing $ORIGIN for a privileged (setuid or AT_SECURE) program, which allows local users to gain privileges via a Trojan horse library in the current working directory, related to the fillin_rpath and decompose_rpath functions. This is associated with misinterpretion of an empty RPATH/RUNPATH token as the “./” directory. NOTE: this configuration of RPATH/RUNPATH for a privileged program is apparently very uncommon; most likely, no such program is shipped with any common Linux distribution.
- CVE-2014–9402: The nss_dns implementation of getnetbyname in GNU C Library (aka glibc) before 2.21, when the DNS backend in the Name Service Switch configuration is enabled, allows remote attackers to cause a denial of service (infinite loop) by sending a positive answer while a network name is being process.
- CVE-2017–8804: The xdr_bytes and xdr_string functions in the GNU C Library (aka glibc or libc6) 2.25 mishandle failures of buffer deserialization, which allows remote attackers to cause a denial of service (virtual memory allocation, or memory consumption if an overcommit setting is not used) via a crafted UDP packet to port 111, a related issue to CVE-2017–8779.
- CVE-2000–0335: The resolver in glibc 2.1.3 uses predictable IDs, which allows a local attacker to spoof DNS query results.
- CVE-2002–0684: Buffer overflow in DNS resolver functions that perform lookup of network names and addresses, as used in BIND 4.9.8 and ported to glibc 2.2.5 and earlier, allows remote malicious DNS servers to execute arbitrary code through a subroutine used by functions such as getnetbyname and getnetbyaddr.
- CVE-2003–0028: Integer overflow in the xdrmem_getbytes() function, and possibly other functions, of XDR (external data representation) libraries derived from SunRPC, including libnsl, libc, glibc, and dietlibc, allows remote attackers to execute arbitrary code via certain integer values in length fields, a different vulnerability than CVE-2002–0391.
- CVE-2010–0015: nis/nss_nis/nis-pwd.c in the GNU C Library (aka glibc or libc6) 2.7 and Embedded GLIBC (EGLIBC) 2.10.2 adds information from the passwd.adjunct.byname map to entries in the passwd map, which allows remote attackers to obtain the encrypted passwords of NIS accounts by calling the getpwnam function.
- CVE-2012–4412: Integer overflow in string/strcoll_l.c in the GNU C Library (aka glibc or libc6) 2.17 and earlier allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long string, which triggers a heap-based buffer overflow.
- CVE-2014–4043: The posix_spawn_file_actions_addopen function in glibc before 2.20 does not copy its path argument in accordance with the POSIX specification, which allows context-dependent attackers to trigger use-after-free vulnerabilities.
Using GLibC to our Advantage
A “return-to-libc” attack is a computer security attack usually starting with a buffer overflow in which a subroutine return address on a call stack is replaced by an address of a subroutine that is already present in the process’ executable memory, bypassing the no-execute bit feature (if present) and ridding the attacker of the need to inject their own code. The first example of this attack in the wild was contributed by Alexander Peslyak on the Bugtraq mailing list in 1997.
On POSIX-compliant operating systems the C standard library (“
libc“) is commonly used to provide a standard runtime environment for programs written in the C programming language. Although the attacker could make the code return anywhere,
libcis the most likely target, as it is almost always linked to the program, and it provides useful calls for an attacker (such as the
systemfunction used to execute shell commands).