How do you feel about a decade-old vulnerability in a range of Unix-based operating systems, including Linux, OpenBSD, NetBSD, FreeBSD and Solaris? Unfortunately, this question is not a theoretical one: such a vulnerability (identified as CVE-2017-1000364) has been discovered, allowing attackers to perform privilege escalation attacks that grant root access and lead to a full system takeover.
CVE-2017-1000364 has been dubbed Stack Clash and was discovered in the way memory is allocated on the stack for user-space binaries, as explained by the researchers who discovered it.
CVE-2017-1000364 Stack Clash Flaw: Technical Summary
How is the bug explained? It is quite simple: programs use a special memory region known as the stack to store short-term data. The stack grows and shrinks automatically during program execution, according to the needs of the given program.
Qualys researchers reveal that a maliciously crafted program may try to use more memory space than is available on the stack. This can easily cause the stack to overflow, so that it clashes with a nearby memory region and overwrites its contents.
In addition, the flaw bypasses the stack guard-page. This is a memory-management protection introduced in 2010, after the flaw had been exploited in previous years. As described by Qualys researchers in their advisory:
Unfortunately, a stack guard-page of a few kilobytes is insufficient: if the stack-pointer ‘jumps’ over the guard-page—if it moves from the stack into another memory region without accessing the guard-page—then no page-fault exception is raised and the stack extends into the other memory region.
Exploiting CVE-2017-1000364 requires local access to the vulnerable system. However, it could also be exploited remotely, depending on the applications involved.
In practice, CVE-2017-1000364 could be exploited together with other critical flaws, such as the Sudo vulnerability that was patched just recently. That Sudo vulnerability, CVE-2017-1000367, is a severe root Linux vulnerability also discovered by Qualys researchers. The flaw resides in Sudo’s “get_process_ttyname()” function on Linux and could allow a user with Sudo privileges to run commands as root or elevate their privileges to root.
Unfortunately, the bad news does not end here: 7 proof-of-concept exploits have been created for the vulnerability, covering Linux, OpenBSD, NetBSD, FreeBSD and Solaris on both 32- and 64-bit processors. The researchers initially withheld their proof-of-concepts to give both users and administrators time to address the flaw by patching their vulnerable systems. The proof-of-concepts were made public after updates were published by Fedora and Slackware. FreeBSD and NetBSD also issued patches.
The proof-of-concepts consist of four steps: clashing the stack with another memory region, moving the stack pointer to the start of the stack, jumping over the stack guard-page, and finally smashing the stack or other memory regions.
Mitigation against CVE-2017-1000364
Based on their research, Qualys researchers recommend that the affected operating systems do the following:
1. Increase the size of the stack guard-page to at least 1MB, and allow system administrators to easily modify this value (for example, grsecurity/PaX introduced /proc/sys/vm/heap_stack_gap in 2010). This first, short-term solution is cheap, but it can be defeated by a very large stack-based buffer.
2. Recompile all userland code (ld.so, libraries, binaries) with GCC’s “-fstack-check” option, which prevents the stack-pointer from moving into another memory region without accessing the stack guard-page (it writes one word to every 4KB page allocated on the stack). This second, long-term solution is expensive, but it cannot be defeated (even if the stack guard-page is only 4KB, one page) — unless a vulnerability is discovered in the implementation of the stack guard-page or the “-fstack-check” option.
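To make the second recommendation concrete, the following added example (not code from the Qualys advisory) hand-writes the probing that “-fstack-check” makes the compiler emit: every 4KB page of a newly allocated stack frame is touched, from the page nearest the previous frame downward, so a frame that reaches into the guard-page faults there instead of silently landing in the region beyond it. The 4096-byte page size and the frame-size helper are assumptions for illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define PAGE_SIZE 4096u  /* assumed page size, matching the advisory's "4KB page" */

/* Number of pages a frame of frame_bytes spans, i.e. how many probes a
   -fstack-check style prologue must issue for it. */
size_t probe_pages_needed(size_t frame_bytes) {
    return (frame_bytes + PAGE_SIZE - 1) / PAGE_SIZE;
}

/* Allocate frame_bytes on the stack and write one byte to every page of the
   frame, walking from the top (highest address, adjacent to the caller's
   frame) downward in PAGE_SIZE steps. Because consecutive probes are exactly
   one page apart, no page between the old and new stack pointer is skipped,
   so the stack pointer can never "jump" over a guard-page without touching
   it. Returns the number of pages probed. frame_bytes must be > 0. */
size_t probe_stack_frame(size_t frame_bytes) {
    volatile char frame[frame_bytes];  /* C99 VLA: stack grows downward here */
    size_t probed = 0;
    size_t off = frame_bytes;
    while (off > 0) {
        off = (off >= PAGE_SIZE) ? off - PAGE_SIZE : 0;
        frame[off] = 0;  /* the probe: a fault here hits the guard-page, not a neighbour */
        probed++;
    }
    return probed;
}

int main(void) {
    size_t frame = 10000;  /* constructed frame size: 2.44 pages */
    printf("frame of %zu bytes needs %zu probes, performed %zu\n",
           frame, probe_pages_needed(frame), probe_stack_frame(frame));
    return 0;
}
```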
Other Operating Systems (Windows, Android, Mac) Also Vulnerable to CVE-2017-1000364
The story may not end here, as the researchers also believe that other operating systems such as Windows, macOS and even Android could be vulnerable to this flaw. This, however, has yet to be confirmed.
Nonetheless, affected parties are urged to update as soon as possible.
If no patches are available yet for a particular OS, users and administrators may try rebooting their systems or manually applying stack limits to local users’ applications to reduce the risk of exploitation. Another useful measure is to recompile all userland code with the -fstack-check option, as noted in the recommendations above.