HEAP HEAP HOORAY: Unveiling GLIBC heap overflow vulnerability (CVE-2023–6246)

okay ladies and gentlemen we are ready to move on we will have time for questions at the end of this uh presentation so please pay attention for Jose Lopez Martinez thanks everyone can you hear me okay H thanks for thanks everyone for coming I'm Jose but everybody calls me Pepe and I'm here today to talk about uh hip over flows more specifically about a hep overflow vulnerability in one of the most important uh H libraries in Linux system gipc it was discover uh this year January by qualis they did such an amazing job they could escalate privileges in by just changing the program name of any program name because it's a vulnerability in the gipc so

we're going to get to it but first let me introduce myself I'm Jose everybody calls me pep again I'm I work in offensive security as a Vester and I'm uh Prett interested in in rers engineer exploit development so this is a most accurate picture for me so okay let's go into the this talk so some we're going to start H talking a little bit about some basic concepts uh what's the hip uh how does it work and then we're going to go straight to the Heap overflows and this specifically this is specific vulnerability we're going to be talking about at the end I'm going to show you some PC's and some conclusions okay so basic concepts let's

go into Linux 101 operating systems 101 what's the hip I guess most of you guys know what is the hip of course but I wanted to explain for everyone so the hip is basically a memory region so you can store information inside of it and I explain it with the stack because it's quite similar but it's extremely different so the the the hip is H used for storing information not associated to a specific function so you want to store information inside the hip uh for longer time this is global uh global data Global attributes in objectoriented program and in the stack you want you want to store information about one specific function Co like the return instruction

the return pointer of this of of this of this SC or all the information that it declare inside a function so that whenever when this function ends all that information is gone that's the reason the hip is to stay longer the hip information is going to stay longer okay and I always use this example because it's quite similar the parking is extremely similar to a parking lot is similar to The Hip because you are going to see there are some cars there are some spaces and you can go driving with your car and and say okay I want to park here there a space here or maybe you want to park in some other places but it's taken so you

cannot of course it would be weird but so the the the normal State should be something like this and you can see some gaps you can see some places in the hip that's okay that's normal so it's kind of a little bit like chaotic because there's no there's no order like in the stack where it's a life of Q where you you have lasting first Out Here Is Random Access but it's not exactly chaotic there has some order behind uh this is an basic example you for example you you malate you reserve uh space in in the hip a chunk those are called chunks uh of of a for example then you reserve another chunk for B

this is another size okay now you free the information from a that the space is added to the to the free list so later you can use it but imagine for example now you want to malate another space which is another block which is bigger it's not the corresponding size so it cannot fit on the on the first place now it goes next to to the to the to to B uh so the order is not exactly temporal as you can see now another block comes in and D is placed before B and C so this is this is what I mean there's no such things as order so you cannot go to to the hip and say okay

this is the status that that would be chaos because you are going to see some spaces everywhere and you're not going to understand what's going on you have to understand the whole concept the the whole status what what has happened into the program so you can understand it the status of the hip and let's zoom in into the chunks what's inside the chunk a chunk it's divided into two pieces the hip metadata and the hip data in h because the hip H works like a like a like a b like a list like a link list let's say that way uh the HP manager is the responsible to check the the status the whole status of

the HP so it needs to go to the hip uh metadata to see uh what's going on inside the hip it goes uh to this information to previous tun the tun size so we can understand what's going on basically and then you have the data that's the place where you store your information okay so what are he overflows like any other buffer overflow it's a situation when you start writing more information that you are expected to to be writing so you reserve one space for the but then you start writing more information that's going to overwrite all the chunks at even the space between the hip uh this is an exam an extreme H simple example uh you have one malop of

10 bytes and then you write more information more than 10 bytes that's going to make some errors of course Mal look invalid size double free invalid size all those errors might be different why why is that well because the errors are not triggered are are not raised uh due to the overwriting operation they are raised because H as a side effect of the writing operation in those cases you are writing the metadata of other chunks when the Hep manager or when the program continues and tries to Malo information into the hip and then the Hep manager realize there's something wrong on the hip because you have overreaching it the that that's when that those errors

happen so that's important the errors are not triggered as soon as you overwrite information this is also the same for stack buff stack C buff flows so in a hippo flow exploitation you you you have two different approaches a metadata approach it's a little bit more complex you have some examples here from fantasma Fantasia ER we try to go into directly changing a specific Parts into in inside the metadata of the of each tank to maybe uh take advantage of the Hep algorithm itself uh for example if I remember House of L House of force H tried to change the size of a tank in order to make a a leak of information somewhere uh but today

we're going to be talking about the data approach so we want to uh overwrite the data tanks the the the the DAT part so imagine we have a vulnerable buffer where we can overwrite and start writing more information from that point and we have a Target buffer as soon as we start overwriting uh the we're going to be able to overwrite the information in other parts of the program so that's too idealistic let's say uh what happens if the vulnerable buffer is not uh before the target buffer that's not that's not a that's not a valid situation because we're not going to be able to overwrite the information of of of our Target buffer so what can we do in those

cases okay we have some techniques called uh hip shaping the hip shaping uh the hip shaping techniques are those techniques used to H alter or change the hip lout so you can H obtain one specific uh valid layout that can help you to overwrite all the information whatever so in this example I use fenry a is a technique to to shape the hip so you can change some specific variables you know that they going to be placed into the hip and you can change the sizes of each uh variable in this case I I I I said here we have environment variables that we're going to use and if you change the size of the value inside

those environment variables they going to take more space so that's going to change the hip L out I say as I said before there cows and order so you want to change you want to play a little bit with all those things in order to obtain a a valid H lout and now we are ready to to see the exploitation so what is it well it was uh as I said at the beginning it was discovered by qualis they did am amazing job again and and yeah it's a he based buffer flow it was discovered it was discovered at the beginning of this year and it was made uh by some programmers as always but they trying to they were

trying to solve a a vulnerability and they made a new one even worse so they published uh a paper which is really good I recommend you to read it and they included a lot of information uh they also included a proof of concept but of course this is not the exploitation this this is just to check if your system is has the vulnerability or not this is just an ex command to uh run so binary with uh with a lot of one characters and redirect the stand that input to that uh if you have the segmentation P that's theability perfect okay I have some I have summarized this this information this report into five uh points the first thing is that the

vulnerability is in the v's log internal function inside GC uh this is the function that it's being used by the operating system to lck information about what's going on for example you try to input a wrong wrong username password that information is going to be H written into the C law fair enough uh the binary chosen uh it's sh binary which has sh idb we're going to need it for the uh privilege escalation of course uh the the input uh of the vul of the Hep overflow is the argument V to zero which is the program name so we're going to play with it to make the this hip overflow uh they also said that you can uh play

you can make some fanry with the local environment variables but uh it's not that useful we're going to see that they also said that it's better to use the argument minus W from the sub binary this argument is the wh list option when you use this wh list you define a a list of environment variables that are going to be used by the next uh cell and uh for the exploitation you are going to we're going to use a sudo Baron sameit technique we're going to try to overwrite information inside inside the module inside the the module class or attribute I think uh from the sub binary okay so this is the flow the the

the program flow hope you can see it if not I'm going to zoom in a a little bit more the first part as I said uh tries to uh load the the minus minus W option from the Sue when you run Sue minus W with some arguments it's going to check if they exist if they're not and it's going to perform some maloc and free operation that's what we're going to use for the F then H when it's done it asks for the password it doesn't matter if you well you have to uh input a wrong password and then it's going to check uh this function uh in a s lookup function and then module load the module load is one

function inside sub Banner that H it's used to H load some share libraries that are by default inside one one folder from NSS switch.com and you don't really need to play with it because they they are protected you need elevated privileges to change that so uh unless you have the possibility like we are going to see uh to change that uh you're you're not going to be able to do anything with it but here uh we're going to see what we can do okay so let's go uh I I use udb paa with paa hip I'm so oldfashioned I know and I set a rapper in order to change the program name he is the rapper I use uh I Define the

buffer length and then you can set the wrapper into the gdv and run it whatever you want and I set the environment variables you can set them and then I set some breakpoints in the most important functions which are BC Lo internal function uh the environment wi list from string and as lookup function and modu load okay so here we are the GDB in the in the in the v log internal function here you can see uh the authentication failure error this is what I what I meant before when you enter a wrong password uh this is what you get that's the information that it's going to be printed inside the the the journal CTL Journal uh CTL yeah so this

is the information uh that it's going to be printed and uh this merge also the information from from the program name if you go to journal CTL you're going to we're going to see that later that the the message is going to say uh soe or sudu or any vinary uh the name of the program and then authentication failure or any message it wants to say uh this is the module this is of our Target buffer we want to specifically overwrite the name in the name field inside the module and yeah uh let's start with the faser I perform some faster I I develop some faster strategy this is the first one this is not the

the very good one actually this is probably the worst I did it with python of course and I defined all those uh variables I wanted to fast at the beginning I was only fasing uh sizes different sizes I defined a couple environment variables one that existed another one that did not and then I tried with different combinations of uh you know uh different combination of amount of characters inside the program name and yeah I also use uh some something to to store the crashes whenever the program crash and I then check if if the if this crash was unique or not yeah just like any other uh fer fer okay so at the end my my the best

fer I get I guess I Define a longer list of environment variables I Define some Rand some random values but it wasn't that necessary I then change the the the amount of times I I play a little bit more I realize also that you have to use the environment variable language this is quite important otherwise you're not going to be able to go anywhere you have to Define it with a valid Val language and yeah I changed something here let me see if it's here I also used uh some uh file descriptors and this is this was also quite important because at the at the beginning I was trying so many times with uh without fail scriptors

redirecting the the standard input from Dev null that's what they said qual said in the in the report but that wasn't helping it wasn't that wasn't working at all so I tried different strategy and I tried to use enter basically and I check that I could go farther in the in the exploitation with just entering the any value so that's the reason I use file descriptors to send the input and then wa what what was happening and those are the errors you can see a lot of malog password malog invalid size segmentation fault that makes sense and eventually I read these two errors and here I was so happy because he said finally I was able to overwrite

the module this is the module that is over written that's our Target buffer that's good with with 41 characters uh and then I tried to increase the amount of characters I I said okay this is the I I was able to do it with I don't remember I think it was 9,000 uh a program name of 9,000 characters and this was the the the amount of environment variables say comma 2,500 so I move and and executed with a little bit more of uh characters into the progr name and then a new error happened the the the second one the the one below uh here I was overwriting the ni structure I didn't know what was it

but I was overwriting it I don't I didn't know why but it was happening so I tried to look a little bit closer and research what was happening and realized this is the this was the situation uh my Buffet overflow was happening uh at the beginning H if I keep writing I over eventually I will I will overwrite module pointer that's the first error but if I keep writing I will overwrite the ni structure the problem was that my my target the the module data was uh after the ni structure and the program was breaking so I had two different possibilities I could keep trying different uh fasing So eventually I I guess I would find something good

with something without uh those things in the middle but at the end I tried to think a little bit and understand what was happening and and why again the hip is chaotic but you can understand what is happening with the F Tre I realize when we when I started overwriting I know you w't be able to see anything but don't worry so I started overwriting a lot of a characters because I that's what I Define in the Wess option so for each character for each environment variable it Malo one uh chunk of 20 bytes the minimum size but that there was a pattern behind it I checked that between uh two chunks there was a space

which was getting bigger at the beginning it was 40 bytes the later it was 50 60 70 and that's something normal when you play with the hip and when I I haven't talk about beans fast beans whatever I don't mind all those terms but in this case I realized there were some uh gaps some gaps with a pattern and what was happening is it was that those gaps uh are the places where the module pointer and the na structure were were placed uh this is what was happening the buffer flow at the beginning the environment variables and between those gaps module pointer and N structure okay so I thought maybe I could Define more environment variables with the size of

those blocks so if I Define another environment variable called B with I think it was 60 bytes the space module pointer was taken and another one for the environment variable C I could take those places because remember the the environment variables are located into the hip at the very beginning so the when the program continues and assign the module pointer and the instructor it wouldn't be able to assign to those places it will need the he manager will need to place other other in other place so I thought maybe that that that might be so yeah I Tred this is the space where it's located the model pointer uh between uh those 20 by chunks and then I Define an F

environment variable and suddenly the those that that Gap was taken so I thought okay that's good let me see if that works I continue the execution and I realized the pointer was placed uh after the the the data that was good because now now I was able to repeat the same approach with the N structure I had to Define another another Gap because there was another Gap in the middle that was breaking things and I eventually I was able to read the name uh field inside the the the the program name so now we're ready for the liver injection now we have been able to over write them the the name so what can we

do same Pudo Baron same edit technique uh this was avability discovered in 2021 and they were able to use a heap overflow uh qual as well uh was able to H make this vulner to exploit this vulnerability the overwriting the modu the modu structure more specifically specifically the name field and here uh in the module load there there's a function inside the this uh this structure module load and if it says basically that if you have uh one U ER name that it's not predefined in the into the things that are supposed to be there it's going to load it basically which is pretty neat because that's what we needed so uh it that's what we want

to do okay so now the problem is that you need to use one name with a slash with an slash so here they say a SLB a slash C uh when the name it reach the module load it's going to accomplish this requirement and then that's going to be loaded into the program and executed so the problem was that the our heap of a flow H is the program name that's the input we have so we cannot include the slashes into the the the program name what can we do okay at the end of the hip of flow do you remember at the beginning I said this is the VIS L function it merch the

the program name with the error with the error in this case authentication failure log name uid 1000 uid TT sl/ pts1 so we have the requirement and yeah that's how we were able to accomplish this requirement and here we have the the lip NSS uh underscore a my program name uh with the error all together and at the end you can see uh root h s O2 that's the share library that it's going to be loaded so with all of this information I prepare pass script where to take the automatically the uid the TTY because upon different executions you might have different things so and create the the folder structure because remember the the slashes are treated like a like

folders so you need to define a authentication failure log name uid whatever and uid TTY is SL that's a folder de that's another folder and PTs that's another folder and the remaining part is going to be the the name of the sh Library I created a sh a Shell Code uh very basic to obtain to to recover the the SB and that's the share Library this is the exploit I made this is the calculations I I I made to to define the mement variables these are these are the the specific sizes I needed to overwrite the module and the ni structure the the P and Y are the are both necessary to overwrite the ni

structure uh and yeah the the is to full the the hip uh and finally with all all those calculations program name 30,000 times I created the PC here we have let's see if I can WR it I have a test user it cannot uh run two authentication failure and then I run I I didn't put anything and I was root it was [Applause] good thanks thanks some extra things what about other binaries I said at the beginning this this is yipc this is not related to the binary itself if your binary is using it is using this function This is Love function you you have this vulnerability for example I also try with passwd I

obtain same mistake cementation fall D in this case I cannot exploit the same way because I don't have the minus W option the minus W option is what you need for to perform the fu but if you look into the the in into the pass WD uh binary and find some way to perform some f some f fre techniques you might be able to exploit it same way and you also have the the same uh situation like a module uh load uh so what about other operat systems say thing same thing I also try with uh Fedora in in in server Edition and I also obtain the the same the same error but you have to take into account

that even in different in different operating systems the the Hep might change so you need to perform all those calculations again you need to try to uh adapt the the the the faster or maybe well you need to I guess the best approach in those cases is to try to uh to to use a faster technique a faster strategy because in those cases that where the the he might change upon different executions it's going to be easier for you to have one faster and try to find the correct layout uh but it might take more more time actually that's what uh qualis said on the on the report they didn't publish any exploit of course they just published uh the

things more or less that I said but they didn't include as many information I have as I have and and they also they they only said that they made it with a faster strategy they it took I don't know what they say 9,000 attempts to to reach the the the the the the right layout they only BR Force the layout inside the hip until they reach the correct layout so to finish a lot of people say this sometimes Heap overflows are like aligning the stats and yeah that's how I felt when I was exploiting this because it took a lot of time to reach the proper the exact uh and and a lot of calculations to reach the EXA the exact

thing I needed to reach what I needed uh okay where are the the protection the operating system protections I don't want to say anything but eslr was activated there wasn't there wasn't anything uh to stop me from running I was overwriting uh a name and nothing stopped me here again the SLR is not going to be useful because I'm not overwriting anything inside the stack that's another technique but in this case I I'm not overwriting or redirecting the flow inside the program I'm just injecting a library so aslr not useful uh the the operating systems and limited the scenarios uh that's also something that it's important to note you need to maybe it's a a faster

technique might be more effective in in those scenarios because it might change even in this case this exploit works for Fedora basic Fedora installation but it might change in different H scenarios for example if you try to to to execute it I don't know from remote through SSH that simple thing that you're running it from SSH it's going to make different uh different paths inside the Su binary or any other binary that you are using and that's going to change also the the hip layout you have to be aware of that things so yeah in those cases maybe fasing is a better approach and yeah that was it any [Applause] question pep thank you do we have any

questions at this time for Pepe anybody nothing at this moment but uh people can approach you during the course of the day yep and again all the information will be available at some stage now we are uh ahead of ourselves but the next speaker isn't until 10:15 so break we can start the break early but please do return in time for the next uh presentation at 10:15 thank you [Applause]