Stack Clash flaws blow local root holes in loads of top Linux programs • The Register

Powerful programs run daily by users of Linux and other flavors of Unix are riddled with holes that can be exploited by logged-in miscreants to gain root privileges, researchers at Qualys have warned.

Essentially, it’s possible to pull off a “Stack Clash” attack in various tools and applications to hijack the whole system, a situation that should have been prevented long ago.

It’s pretty simple: an application’s stack – used to hold short-term data in memory – grows down into another memory area known as the heap – which is used to hold chunks of information, such as files being viewed or edited, and so on. If you can control what’s in the heap, by feeding carefully crafted data to the program, you can end up overwriting parts of the stack and hijack the flow of execution within the application. Alternatively, you can extend the stack down into the heap, and tamper with important data structures.

When that happens, and if the program has root privileges, an attacker can commandeer the trusted app to take over the whole system as an administrator. These security shortcomings were picked up last month by Qualys, which held off warning of the flaws until patches were in the works.

The issue was first noted by security researcher Gaël Delalleau in 2005, and the vulnerability resurfaced in 2010 when another researcher, Rafal Wojtczuk, found similar problems in an Xorg server running on Linux. Fixes were issued after both discoveries.

You may have thought that would be the end of it. Qualys noted on Monday: “The only public exploits are Gaël Delalleau’s and Rafal Wojtczuk’s, and they were written before Linux introduced a protection against stack-clashes (a ‘guard-page’ mapped below the stack).”
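The mechanism described above only works when the mapping nearest below the stack sits close enough for the stack to grow (or an attacker to push it) into it, which is exactly what a guard gap is meant to prevent. As an added example that is not part of The Register article or of Qualys's research, the C program below parses `/proc/<pid>/maps` lines, locates the `[stack]` mapping, and measures the distance to the nearest mapping beneath it, so a defender can see how much room a process actually has. It assumes a Linux `/proc/<pid>/maps` layout; the two embedded maps texts are constructed samples (one with a large gap, one with only a single page between the stack and its neighbour), and the 1 MiB minimum used in `main` is an assumed threshold chosen for illustration, not a value taken from the article.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One parsed line of /proc/<pid>/maps: start/end addresses and the
 * pathname column (empty for anonymous mappings). */
typedef struct {
    uintptr_t start;
    uintptr_t end;
    char name[64];
} map_entry;

/* Parse one maps line such as
 *   "7ffffff00000-7ffffff21000 rw-p 00000000 00:00 0    [stack]".
 * Returns 1 on success, 0 if the line does not look like a maps entry. */
int parse_maps_line(const char *line, map_entry *out) {
    unsigned long start, end, offset, inode;
    char perms[5], dev[16], name[64];
    int n = sscanf(line, "%lx-%lx %4s %lx %15s %lu %63s",
                   &start, &end, perms, &offset, dev, &inode, name);
    if (n < 6) return 0;
    out->start = (uintptr_t)start;
    out->end = (uintptr_t)end;
    if (n == 7) {
        strncpy(out->name, name, sizeof out->name - 1);
        out->name[sizeof out->name - 1] = '\0';
    } else {
        out->name[0] = '\0';
    }
    return 1;
}

/* Parse a whole maps text (newline separated) into an array. */
size_t parse_maps_text(const char *text, map_entry *out, size_t max) {
    size_t count = 0;
    const char *p = text;
    while (*p && count < max) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (parse_maps_line(line, &out[count])) count++;
        p = nl ? nl + 1 : p + len;
    }
    return count;
}

/* Distance in bytes from the end of the nearest mapping below [stack] to the
 * start of [stack]. Returns 1 and stores the gap, or 0 if no [stack] entry. */
int stack_guard_gap(const map_entry *maps, size_t n, uintptr_t *gap) {
    const map_entry *stack = NULL;
    for (size_t i = 0; i < n; i++)
        if (strcmp(maps[i].name, "[stack]") == 0) { stack = &maps[i]; break; }
    if (!stack) return 0;
    uintptr_t below_end = 0;
    for (size_t i = 0; i < n; i++) {
        if (&maps[i] == stack) continue;
        if (maps[i].end <= stack->start && maps[i].end > below_end)
            below_end = maps[i].end;
    }
    *gap = stack->start - below_end;
    return 1;
}

/* Gap for a maps text (0 when no [stack] is present). */
uintptr_t gap_of(const char *maps_text) {
    map_entry maps[256];
    size_t n = parse_maps_text(maps_text, maps, 256);
    uintptr_t gap;
    return stack_guard_gap(maps, n, &gap) ? gap : 0;
}

/* 1 if the gap below [stack] is at least min_gap bytes, else 0. */
int gap_ok(const char *maps_text, uintptr_t min_gap) {
    uintptr_t gap = gap_of(maps_text);
    return gap != 0 && gap >= min_gap;
}

/* Constructed sample: roughly 127 MiB of free space below the stack. */
static const char SAMPLE_MAPS_LARGE_GAP[] =
    "00400000-00401000 r-xp 00000000 08:01 1234 /usr/bin/example\n"
    "00601000-00602000 rw-p 00001000 08:01 1234 /usr/bin/example\n"
    "01a00000-01a21000 rw-p 00000000 00:00 0 [heap]\n"
    "7ffff7dd0000-7ffff7df0000 r-xp 00000000 08:01 5678 /lib/example-ld.so\n"
    "7ffff7ff0000-7ffff7ff1000 rw-p 00000000 00:00 0\n"
    "7ffffff00000-7ffffff21000 rw-p 00000000 00:00 0 [stack]\n";

/* Constructed sample: a mapping ends one page (4 KiB) below the stack. */
static const char SAMPLE_MAPS_ONE_PAGE[] =
    "01a00000-01a21000 rw-p 00000000 00:00 0 [heap]\n"
    "7fffffedf000-7fffffeff000 rw-p 00000000 00:00 0\n"
    "7ffffff00000-7ffffff21000 rw-p 00000000 00:00 0 [stack]\n";

/* Stand-alone use: report the gap for this very process (Linux only). */
int main(void) {
    const uintptr_t min_gap = 1UL << 20; /* assumed 1 MiB threshold */
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) { perror("/proc/self/maps"); return 1; }
    map_entry maps[256];
    size_t n = 0;
    char line[512];
    while (n < 256 && fgets(line, sizeof line, f))
        if (parse_maps_line(line, &maps[n])) n++;
    fclose(f);
    uintptr_t gap;
    if (!stack_guard_gap(maps, n, &gap)) { puts("no [stack] mapping found"); return 1; }
    printf("gap below [stack]: %lu KiB (%s the %lu KiB minimum)\n",
           (unsigned long)(gap / 1024), gap >= min_gap ? "meets" : "BELOW",
           (unsigned long)(min_gap / 1024));
    return 0;
}
```

Run as an ordinary process it prints the real distance between this process's stack and whatever is mapped beneath it; the number it reports is the actual free space, which is larger than the kernel's enforced guard gap whenever nothing happens to be mapped nearby, so a small value is what warrants attention, not a large one.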

However, it now looks like stack clashes remain possible despite the added protections – mainly because developers weren’t…
