Glibc Vulnerability Grants Root Access

Qualys has disclosed a dangerous vulnerability (CVE-2023-6246) in the standard C library glibc that allows code to be executed with elevated privileges by manipulating how SUID applications are launched. The researchers developed a working exploit that obtains root privileges by manipulating the command-line arguments passed when starting the su utility.

The vulnerability is a heap buffer overflow in the function __vsyslog_internal(), which implements the syslog() and vsyslog() functions. The problem arises from an error in handling an overly long program name when the log header (SYSLOG_HEADER) is formatted: if the header alone does not fit the 1024-byte on-stack buffer, the step that computes the size needed for the longer buffer is skipped, so the heap buffer is allocated with its initial, far smaller size, and the full header and message are then written into it anyway.
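As an added illustration (this is not glibc's code and not part of the original article), the following C program models the sizing logic just described: the 1024-byte stack buffer, the bufsize variable that is only updated when the header fits, the malloc(bufsize + 1) heap path, and the header write bounded by the header length rather than by the allocation. The writes go into a private canary-filled arena instead of a real heap chunk so the overflow is measured rather than suffered, no real syslog() is called, the header format is simplified to "ident[pid]: " without a timestamp, and the "fixed" variant only models the idea of the 2.39 fix (always account for the header length). Names such as build_message, run_case and struct outcome are this example's own; the long ident of 'A' bytes is constructed input standing in for an oversized argv[0] or openlog() ident.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define STACK_BUF 1024   /* mirrors glibc's on-stack bufs[1024] in __vsyslog_internal() */
#define ARENA     8192   /* private canary-filled region standing in for the heap chunk */
#define CANARY    0xAA

/* What one formatting attempt did (struct and field names are this example's own). */
struct outcome {
    int    ok;          /* 0 if the inputs do not fit this arena model */
    int    heap_path;   /* 1 if the stack buffer was too small and the heap path ran */
    size_t allocated;   /* bytes the code believes it has (1024 on the stack path) */
    size_t clobbered;   /* bytes written beyond that allocation into the canary */
};

/* Simplified SYSLOG_HEADER: "ident[pid]: " without the timestamp (assumption). */
static int fmt_header(char *dst, size_t cap, const char *ident, int pid)
{
    return snprintf(dst, cap, "%s[%d]: ", ident, pid);
}

static size_t count_clobbered(const unsigned char *arena, size_t allocated)
{
    size_t n = 0;
    for (size_t i = allocated; i < ARENA; i++)
        if (arena[i] != CANARY) n++;
    return n;
}

/* Reproduces the glibc 2.37 sizing flow; with fixed != 0 the header length
 * is always accounted for, which is the idea of the 2.39 fix (modelled here). */
struct outcome build_message(const char *ident, int pid, const char *msg, int fixed)
{
    struct outcome out = {1, 0, 0, 0};
    char bufs[STACK_BUF];
    size_t bufsize = 0;                 /* only updated when the header fits: the bug */
    size_t mlen = strlen(msg);

    int l = fmt_header(bufs, sizeof bufs, ident, pid);   /* truncates safely, returns full length */
    if (l < 0 || (size_t)l + mlen + 1 > ARENA) { out.ok = 0; return out; }

    if ((size_t)l < STACK_BUF) {
        /* Header fits on the stack; try the message there too. */
        int vl = snprintf(bufs + l, STACK_BUF - (size_t)l, "%s", msg);
        if (vl >= 0 && (size_t)vl < STACK_BUF - (size_t)l) {
            out.allocated = STACK_BUF;  /* everything fit, nothing to overflow */
            return out;
        }
        bufsize = (size_t)l + (size_t)vl;
    } else if (fixed) {
        bufsize = (size_t)l + mlen;     /* corrected: an oversized header is counted */
    }

    /* Heap path: glibc does malloc(bufsize + 1); here the chunk is the front
     * of a canary-filled arena so that any overflow can be counted. */
    out.heap_path = 1;
    out.allocated = bufsize + 1;
    unsigned char *arena = malloc(ARENA);
    if (arena == NULL) { out.ok = 0; return out; }
    memset(arena, CANARY, ARENA);
    char *buf = (char *)arena;

    /* The header is written with a bound of l + 1 whatever was allocated... */
    fmt_header(buf, (size_t)l + 1, ident, pid);
    /* ...and the message with bufsize - l + 1, which wraps when bufsize < l. */
    size_t limit = bufsize - (size_t)l + 1;
    if (limit > ARENA - (size_t)l) limit = ARENA - (size_t)l;   /* stay inside the arena */
    snprintf(buf + l, limit, "%s", msg);

    out.clobbered = count_clobbered(arena, out.allocated);
    free(arena);
    return out;
}

/* Convenience wrapper with constructed input: an ident of ident_len 'A' bytes
 * (an oversized argv[0] handed to su) and a message of msg_len 'B' bytes. */
struct outcome run_case(size_t ident_len, size_t msg_len, int fixed)
{
    struct outcome out = {0, 0, 0, 0};
    if (ident_len >= ARENA || msg_len >= ARENA) return out;
    char *ident = malloc(ident_len + 1), *msg = malloc(msg_len + 1);
    if (ident == NULL || msg == NULL) { free(ident); free(msg); return out; }
    memset(ident, 'A', ident_len); ident[ident_len] = '\0';
    memset(msg, 'B', msg_len);     msg[msg_len] = '\0';
    out = build_message(ident, 4242, msg, fixed);
    free(ident); free(msg);
    return out;
}

int main(void)
{
    struct outcome v = run_case(1500, 5, 0), f = run_case(1500, 5, 1);
    printf("vulnerable: allocated %zu byte(s), clobbered %zu bytes\n", v.allocated, v.clobbered);
    printf("fixed:      allocated %zu byte(s), clobbered %zu bytes\n", f.allocated, f.clobbered);
    return 0;
}
```

With a 1500-byte ident the vulnerable flow allocates a single byte and then writes the 1508-byte header plus the message past it, while the corrected sizing allocates exactly what it writes. A long message with a short ident takes the legitimate heap path without overflowing, which is why only argv[0] and the openlog() ident are usable triggers.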

When the attack is mounted through the su utility, the attacker changes the process name by substituting the argv[0] value, which is used to obtain the program name written to the log, and thereby achieves a controlled write of data outside the allocated buffer. The overflow can then be used to overwrite the nss_module structure in the NSS (Name Service Switch) subsystem of libc so that an attacker-supplied shared library is loaded with root privileges.

The problem appears starting with glibc 2.37 and was introduced by a change, committed in August 2022, that handles an attempt to log an overly long message. The change that introduced the vulnerability was also backported to the glibc 2.36 branch and to distribution packages with older glibc versions, because it fixed CVE-2022-39046, which leaked heap data into the log. Thus the fix for a non-critical vulnerability led to a critical one. It is noteworthy that a similar vulnerability in the vsyslog() function of libc 5.4.3 was reported back in 1997.

The vulnerability has been confirmed in Debian 12/13, Ubuntu 23.04/23.10 and Fedora 37-39. The exploit that gives an unprivileged user root privileges was demonstrated on a fully updated Fedora 38 with all default protection mechanisms enabled in the default configuration. The vulnerability can only be exploited locally, since it requires passing more than 1024 bytes via argv[0] or via the ident argument of openlog().

A fix for the vulnerability was merged into the glibc code base a few hours ago and will be included in tomorrow's glibc 2.39 release, together with fixes for two other vulnerabilities (CVE-2023-6779
