Other issues in this category (35)
About another "achievement"
Thursday, March 22, 2018
Media outlets usually gravitate towards stories with catchy phrases about gaping loopholes one could drive a tank through (even though later those huge holes get covered by undergrowth and remain unused). This time we'll make an exception and tell our readers about an ordinary vulnerability that only stands out because of its ID.
Because getcwd() can return an incomplete path and replace a portion of it with "(unreachable)", and the realpath() call is unable to handle this behaviour correctly, it won't stop at "(unreachable)" but will continue to look for the path's root directory in the memory. And since the redundant elements ("/./", "/../" and "//") in a pathname are routinely removed from a path string to get a canonical path, the allocated buffer size doesn't factor in that the function will not stop at "(unreachable)" and will continue parsing data in the memory before the buffer's beginning. Because the buffer is filled in reverse order, getting realpath() to process a symbolic link containing "/../" can move the pointer to a desired memory area before the buffer's beginning, and a fragment of the path string will be written in this area outside the buffer.
The researchers who discovered the vulnerability also came up with an exploit prototype.
Now, let’s explain it in simple words. There exist relative and absolute pathnames. Here is an absolute pathname: C:\Windows. If an absolute pathname is used, a file or directory’s exact location is totally clear. Meanwhile, a relative pathname doesn't start from the root directory but instead begins from the current user's location and can start with "..". This can come in handy in a variety of situations. For example, if one needs to move to a different directory.
Problems start when a relative pathname needs to be converted to an absolute one. When the corresponding function is called, there is no way to tell how long the absolute path will be, and it can exceed the allocated buffer. And it is quite possible for a certain program processing data in the buffer (acting in accordance with the instructions of the attacker who provided it with the specific chunk of data) to go beyond the buffer's boundaries. This is how buffer overflow attacks work.
But with regards to the vulnerability we're talking about, a different issue occurred. The path retrieval function (getcwd(), which copies the full path to the current working directory as a string of a specific length), replied that some portion of the path couldn't be retrieved (it was “(unreachable)”). The command that used getcwd() didn't factor that possibility in and continued to look for the absolute pathname and thus moved outside the string boundaries.
It's a typical situation when the commands responsible for different parts of a project operate in an uncoordinated way.
Naturally, a vulnerability patch was released.
An interesting fact:
The average age of the oldest security updates never installed to close system vulnerabilities (according to security audits) is 108 months (9 years).
Information about the oldest of the vulnerabilities (CVE-1999-0024) was published over 17 years ago and was released because recursive queries were being allowed for DNS servers. Attackers could exploit the vulnerability to cause a denial of service.
Such is life. Vulnerabilities are discovered, and security patches get released but never get installed. The server operated for 17-18 years, but nobody bothered to install the updates.
By the way, did you know that Oscar-like awards, complete with nominating categories, exist for information security achievements and blunders?
The most overhyped security warning. Awarded for the security problem most widely publicised on the Internet and in the mass media, especially if in reality the security issue couldn't be leveraged to mount a real attack. The nominees include:
- Dirty Cow (CVE-2016-5195) – a local privilege escalation issue in Linux which is quite similar to other issues being discovered on a regular basis. But unlike other similar vulnerabilities, Dirty Cow enjoys its own site, logo and Twitter account.
- A Cryptsetup issue (CVE-2016-4484) was demonised beyond reason despite the fact that an attack could only be facilitated by physically proximate attackers;
- The researcher who discovered the Wannacry kill switch was portrayed by the media as a hero and the saviour of humankind;
- The Cloak and Dagger attack, for which a website was also crafted, is unfeasible because it requires a user to install a specific application that will have permission to display overlay screens.
The Anti-virus Times recommends
Vulnerabilities exist in abundance and take many forms. And some "stars", like Meltdown, can overshadow other less well-known loopholes that are actually way more dangerous and far more frequently exploited.