Understanding Core Unix Components and their Historical Security Issues (GlibC)
I have a mantra, you can’t pwn something you can’t build, well, of course you can but it’s much easier if you can build it. Take web apps, I had RCE on redis years ago because I knew how to configure it; take AD — because I deployed early on Azure I knew a few bugs that allowed me to take over traditional AD from Azure and finally by building my own Unix system I was able to figure out a number of priv. escs by simply mounting file systems or changing core start up libs etc…the point is, if you can make it, you can break it.
Part of building something is understanding it, today we will try to understand a core unix component, Glibc, what it does and look at previous security issues that have affected them and other exploits that abuses it. I hope all the binaries, libraries and directories listed will be helpful for people looking for good fuzzing targets or places to statically analyse code.
Glibc
The Glibc package contains the main C library. This library provides the basic routines for allocating memory, searching directories, opening and closing files, reading and writing files, string handling, pattern matching, arithmetic, and so on.
Installed Binaries
catchsegv
Can be used to create a stack trace when a program terminates with a segmentation fault
gencat
Generates message catalogues
getconf
Displays the system configuration values for file system specific variables
getent
Gets entries from an administrative database
iconv
Performs character set conversion
iconvconfig
Creates fastloading iconv module configuration files
ldconfig
Configures the dynamic linker runtime bindings
ldd
Reports which shared libraries are required by each given program or shared library
lddlibc4
Assists ldd with object files
locale
Prints various information about the current locale
localedef
Compiles locale specifications
makedb
Creates a simple database from textual input
mtrace
Reads and interprets a memory trace file and displays a summary in human-readable format
nscd
A daemon that provides a cache for the most common name service requests
pldd
Lists dynamic shared objects used by running processes
sln
A statically linked ln program
sotruss
Traces shared library procedure calls of a specified command
sprof
Reads and displays shared object profiling data
tzselect
Asks the user about the location of the system and reports the corresponding time zone description
xtrace
Traces the execution of a program by printing the currently executed function
zdump
The time zone dumper
zic
The time zone compiler
Installed Libraries
ld-2.28.so
The helper program for shared library executables
libBrokenLocale
Used internally by Glibc as a gross hack to get broken programs (e.g., some Motif applications) running. See comments in glibc-2.28/locale/broken_cur_max.cfor more information
libSegFault
The segmentation fault signal handler, used by catchsegv
libanl
An asynchronous name lookup library
libc
The main C library
libcidn
Used internally by Glibc for handling internationalized domain names in the getaddrinfo() function
libcrypt
The cryptography library
libdl
The dynamic linking interface library
libg
Dummy library containing no functions. Previously was a runtime library for g++
libieee
Linking in this module forces error handling rules for math functions as defined by the Institute of Electrical and Electronic Engineers (IEEE). The default is POSIX.1 error handling
libm
The mathematical library
libmcheck
Turns on memory allocation checking when linked to
libmemusage
Used by memusage to help collect information about the memory usage of a program
libnsl
The network services library
libnss
The Name Service Switch libraries, containing functions for resolving host names, user names, group names, aliases, services, protocols, etc.
libpthread
The POSIX threads library
libresolv
Contains functions for creating, sending, and interpreting packets to the Internet domain name servers
librpcsvc
Contains functions providing miscellaneous RPC services
librt
Contains functions providing most of the interfaces specified by the POSIX.1b Realtime Extension
libthread_db
Contains functions useful for building debuggers for multi-threaded programs
libutil
Contains code for “standard” functions used in many different Unix utilities
Directories
/usr/include/arpa
/usr/include/bits
/usr/include/gnu
/usr/include/net
/usr/include/netash
/usr/include/netatalk
/usr/include/netax25
/usr/include/neteconet
/usr/include/netinet
/usr/include/netipx
/usr/include/netiucv
/usr/include/netpacket
/usr/include/netrom
/usr/include/netrose
/usr/include/nfs
/usr/include/protocols
/usr/include/rpc
/usr/include/rpcsvc
/usr/include/sys
/usr/lib/audit
/usr/lib/gconv
/usr/lib/locale
/usr/libexec/getconf
/usr/share/i18n
/usr/share/zoneinfo
/var/cache/nscd
/var/lib/nss_db
Vulnerabilities
Top 10 Critical
- CVE-2015–0235: Heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2, and other 2.x versions before 2.18, allows context-dependent attackers to execute arbitrary code via vectors related to the (1) gethostbyname or (2) gethostbyname2 function, aka “GHOST.”
- CVE-2017–16997: elf/dl-load.c in the GNU C Library (aka glibc or libc6) 2.19 through 2.26 mishandles RPATH and RUNPATH containing $ORIGIN for a privileged (setuid or AT_SECURE) program, which allows local users to gain privileges via a Trojan horse library in the current working directory, related to the fillin_rpath and decompose_rpath functions. This is associated with misinterpretion of an empty RPATH/RUNPATH token as the “./” directory. NOTE: this configuration of RPATH/RUNPATH for a privileged program is apparently very uncommon; most likely, no such program is shipped with any common Linux distribution.
- CVE-2014–9402: The nss_dns implementation of getnetbyname in GNU C Library (aka glibc) before 2.21, when the DNS backend in the Name Service Switch configuration is enabled, allows remote attackers to cause a denial of service (infinite loop) by sending a positive answer while a network name is being process.
- CVE-2017–8804: The xdr_bytes and xdr_string functions in the GNU C Library (aka glibc or libc6) 2.25 mishandle failures of buffer deserialization, which allows remote attackers to cause a denial of service (virtual memory allocation, or memory consumption if an overcommit setting is not used) via a crafted UDP packet to port 111, a related issue to CVE-2017–8779.
- CVE-2000–0335: The resolver in glibc 2.1.3 uses predictable IDs, which allows a local attacker to spoof DNS query results.
- CVE-2002–0684: Buffer overflow in DNS resolver functions that perform lookup of network names and addresses, as used in BIND 4.9.8 and ported to glibc 2.2.5 and earlier, allows remote malicious DNS servers to execute arbitrary code through a subroutine used by functions such as getnetbyname and getnetbyaddr.
- CVE-2003–0028: Integer overflow in the xdrmem_getbytes() function, and possibly other functions, of XDR (external data representation) libraries derived from SunRPC, including libnsl, libc, glibc, and dietlibc, allows remote attackers to execute arbitrary code via certain integer values in length fields, a different vulnerability than CVE-2002–0391.
- CVE-2010–0015: nis/nss_nis/nis-pwd.c in the GNU C Library (aka glibc or libc6) 2.7 and Embedded GLIBC (EGLIBC) 2.10.2 adds information from the passwd.adjunct.byname map to entries in the passwd map, which allows remote attackers to obtain the encrypted passwords of NIS accounts by calling the getpwnam function.
- CVE-2012–4412: Integer overflow in string/strcoll_l.c in the GNU C Library (aka glibc or libc6) 2.17 and earlier allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long string, which triggers a heap-based buffer overflow.
- CVE-2014–4043: The posix_spawn_file_actions_addopen function in glibc before 2.20 does not copy its path argument in accordance with the POSIX specification, which allows context-dependent attackers to trigger use-after-free vulnerabilities.
Using GLibC to our Advantage
A “return-to-libc” attack is a computer security attack usually starting with a buffer overflow in which a subroutine return address on a call stack is replaced by an address of a subroutine that is already present in the process’ executable memory, bypassing the no-execute bit feature (if present) and ridding the attacker of the need to inject their own code. The first example of this attack in the wild was contributed by Alexander Peslyak on the Bugtraq mailing list in 1997.
On POSIX-compliant operating systems the C standard library (“
libc“) is commonly used to provide a standard runtime environment for programs written in the C programming language. Although the attacker could make the code return anywhere,libcis the most likely target, as it is almost always linked to the program, and it provides useful calls for an attacker (such as thesystemfunction used to execute shell commands).