Hello all,
Although very late, here is a follow up explaining the impact of the
vulnerability.
Provided that you can force an application to convert a partially
controlled buffer to ISO-2022-CN-EXT, you get an
overflow of 1 to 3 bytes whose value you don't control.
This can be triggered in at least two ways in PHP:
- Through direct calls to iconv()
- Through the use of PHP filters (i.e. using a "file read" vulnerability)
Due to the way PHP's heap is built, you can use such a memory corruption
to alter part of a free list pointer,
which can in turn give you an arbitrary write primitive in the program's
memory.
With this bug, any person that has a file read vulnerability with a
controlled prefix on a PHP application has RCE.
Any person that can force PHP into calling iconv() with controlled
parameters has RCE.
We have provided more explanations on a blogpost of ours (I do not think
that I can post it here, it shouldn't be too
hard to find if you're interested).
Best regards,
Charles
On 18/04/2024 18:42, Solar Designer wrote:
On Wed, Apr 17, 2024 at 02:36:02PM -0300, Adhemerval Zanella Netto wrote:
GLIBC-SA-2024-0004:
===================
ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence
The iconv() function in the GNU C Library versions 2.39 and older may
overflow the output buffer passed to it by up to 4 bytes when converting
strings to the ISO-2022-CN-EXT character set, which may be used to
crash an application or overwrite a neighbouring variable.
ISO-2022-CN-EXT uses escape sequences to indicate character set changes
(as specified by RFC 1922). While the SOdesignation has the expected
bounds checks, neither SS2designation nor SS3designation have its;
allowing a write overflow of 1, 2, or 3 bytes with fixed values:
'$+I', '$+J', '$+K', '$+L', '$+M', or '$*H'.
CVE-Id: CVE-2024-2961
Public-Date: 2024-04-17
Vulnerable-Commit: 755104edc75c53f4a0e7440334e944ad3c6b32fc (2.1.93-169)
Fix-Commit: f9dc609e06b1136bb0408be9605ce7973a767ada (2.40)
Fix-Commit: 31da30f23cddd36db29d5b6a1c7619361b271fb4 (2.39-31)
Fix-Commit: e1135387deded5d73924f6ca20c72a35dc8e1bda (2.38-66)
Fix-Commit: 89ce64b269a897a7780e4c73a7412016381c6ecf (2.37-89)
Fix-Commit: 4ed98540a7fd19f458287e783ae59c41e64df7b5 (2.36-164)
Fix-Commit: 36280d1ce5e245aabefb877fe4d3c6cff95dabfa (2.35-315)
Fix-Commit: a8b0561db4b9847ebfbfec20075697d5492a363c (2.34-459)
Fix-Commit: ed4f16ff6bed3037266f1fa682ebd32a18fce29c (2.33-263)
Fix-Commit: 682ad4c8623e611a971839990ceef00346289cc9 (2.32-140)
Reported-By: Charles Fol
I hope Charles will share further detail with oss-security in due time,
but meanwhile his upcoming OffensiveCon talk abstract reveals a bit:
https://www.offensivecon.org/speakers/2024/charles-fol.html
CHARLES FOL
ICONV, SET THE CHARSET TO RCE: EXPLOITING THE GLIBC TO HACK THE PHP ENGINE
Abstract
A few months ago, I stumbled upon a 24 years old buffer overflow in the
glibc. Despite being reachable in multiple well-known libraries or
programs, it proved rarely exploitable. Indeed, this was not a foos bug:
with hard-to-achieve preconditions, it did not even provide a nice
primitive. On PHP however, it lead to amazing results: a new
exploitation technique that affects the whole PHP ecosystem, and the
compromission of several applications.
This talk will first walk you through the discovery of the bug and its
limitations, before describing the conception of several remote binary
PHP exploits, and through them offer unique insight in the internal of
the engine of the web language, and the difficulties one faces when
exploiting it.
BIO
Charles Fol, also known as cfreal, is a security researcher at LEXFO /
AMBIONICS. He has discovered remote code execution vulnerabilities
targeting renowned CMS and frameworks such as Drupal, Magento, Symfony
or Laravel, but also enjoys binary exploitation, to escalate privileges
(Apache, PHP-FPM) or compromise security solutions (DataDog's Sqreen,
Fortinet SSL VPN, Watchguard). He is the creator for PHPGGC, the go-to
tool to exploit PHP deserialization, and an expert in PHP internals.
The event is on May 10-11th, so in 3 weeks from now.
Alexander
