Stack Clash vulnerability gives root access on Unix systems


Security firm Qualys warns of a vulnerability that affects several operating systems, including Linux, OpenBSD, NetBSD, FreeBSD and Solaris. A flaw in memory management makes it possible to gain root access, provided the attacker already has access to the system.

Qualys reports that it has focused on local exploitation of the vulnerability and therefore cannot say whether it can also be exploited remotely. The company does not rule this out completely, however, since remote exploitability depends on the specific application involved. Remote exploitation of the Exim mail server, for example, turned out not to be possible, but Qualys attributes that to coincidence. The privilege escalation vulnerability, designated CVE-2017-1000364, works on both i386 and amd64 systems. The company has worked with various parties to develop fixes.

The method behind the vulnerability, which Qualys has named Stack Clash, is not new: in 2005 researcher Gaël Delalleau already presented an attack based on it. The method relies on the fact that the stack grows ‘down’ towards lower addresses as a process needs more memory. As a result it can collide with, for example, the so-called heap, which grows ‘up’ in the opposite direction.

By exploiting this collision it is possible to overwrite a specific memory region. The Qualys research shows that the method still works despite the guard page that was introduced as protection against it: Qualys’ technique makes it possible to ‘jump’ over the guard page.
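The memory layout the two paragraphs above describe, shown from the defender's side in an added example that is not Qualys' code: it measures which way the stack grows, how far a single large frame moves the stack pointer, and compares that to the page size, which illustrates why one guard page is not a sufficient barrier. It assumes a downward-growing stack (i386/amd64 as on the page, also aarch64) and a GCC/Clang-compatible compiler for `__attribute__((noinline))`; it overwrites nothing and only reports addresses.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Added example, not Qualys' code. Assumptions: a mainstream architecture
 * whose stack grows toward lower addresses, and a GCC/Clang-compatible
 * compiler so that __attribute__((noinline)) keeps frames distinct. */

#define BIG_FRAME_BYTES (64 * 1024)

/* Address of a local in a fresh, non-inlined frame, for comparison with
 * the caller's own frame. */
__attribute__((noinline)) static uintptr_t callee_frame_address(void)
{
    volatile int marker = 0;
    return (uintptr_t)&marker;
}

/* -1 when the callee's frame lies below the caller's (stack grows down),
 * +1 otherwise. */
__attribute__((noinline)) int stack_growth_direction(void)
{
    volatile int here = 0;
    uintptr_t callee = callee_frame_address();
    return callee < (uintptr_t)&here ? -1 : 1;
}

/* A callee whose frame holds a 64 KiB local array; returns the lowest
 * address of that array, i.e. the lowest point this frame reaches. */
__attribute__((noinline)) static uintptr_t big_frame_low_address(void)
{
    volatile unsigned char buf[BIG_FRAME_BYTES];
    buf[0] = 1;                       /* touch both ends so the array stays */
    buf[BIG_FRAME_BYTES - 1] = 1;     /* in the frame and is not optimized out */
    return (uintptr_t)&buf[0];
}

/* How far the stack extends downward when one large frame is pushed. */
__attribute__((noinline)) size_t large_frame_stride(void)
{
    volatile int here = 0;
    uintptr_t low = big_frame_low_address();
    return (size_t)((uintptr_t)&here - low);
}

/* +1 when a run of small allocations lands at increasing addresses (the
 * usual brk-based heap), -1 when decreasing, 0 when mixed or on failure.
 * Allocator behaviour varies, so this is reported, not relied upon. */
int heap_growth_direction(void)
{
    void *blocks[8];
    int up = 0, down = 0, n = 0;
    for (int i = 0; i < 8; i++) {
        blocks[i] = malloc(1024);
        if (!blocks[i]) break;
        n++;
        if (i > 0) {
            if ((uintptr_t)blocks[i] > (uintptr_t)blocks[i - 1]) up++;
            else down++;
        }
    }
    for (int i = 0; i < n; i++) free(blocks[i]);
    if (n < 2) return 0;
    return down == 0 ? 1 : (up == 0 ? -1 : 0);
}

int main(void)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t stride = large_frame_stride();

    printf("stack growth direction: %s\n",
           stack_growth_direction() < 0 ? "down" : "up");
    printf("heap growth direction:  %d (1 = up, -1 = down, 0 = mixed)\n",
           heap_growth_direction());
    printf("page size: %zu bytes\n", page);
    printf("one 64 KiB frame moves the stack by %zu bytes = %zu pages;\n"
           "a single guard page below the stack is skipped entirely.\n",
           stride, stride / page);

    /* Live distance between the current frame and a fresh heap block:
     * the amount of memory that separates the two growing regions. */
    void *h = malloc(16);
    volatile int s = 0;
    if (h && (uintptr_t)&s > (uintptr_t)h)
        printf("stack-to-heap distance: %zu bytes\n",
               (size_t)((uintptr_t)&s - (uintptr_t)h));
    free(h);
    return 0;
}
```

Build with `cc -O2 -o layout layout.c` and run it; the reported stride exceeds the page size by a wide margin, which is the property the guard page was never designed to handle.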

The security company has developed several proofs of concept (PoCs). As mentioned, it did so for the Exim mail server, but also for sudo and ld.so. Qualys is not publishing the exploits and PoCs yet; it will only do so once enough time has passed. It has been working with the affected vendors since May and writes that patches are now available, so updating is recommended. Red Hat, among others, has published an advisory.
