Questions tagged [glibc]
The GNU C Library (glibc) is the GNU Project's implementation of the C standard library.
34 questions
1 vote · 0 answers · 42 views
Are libc security vulnerabilities in a Python web application actually exploitable in a private cloud environment?
We use a Python web framework and the gunicorn library on top of Docker to power a web application with a frontend in a private cloud that can be accessed by a private network. Our security tools report ...
12 votes · 2 answers · 4k views
Why isn't LD_PRELOAD disabled by default in Linux?
The Linux dynamic linker includes a mechanism of dynamically loading arbitrary code into every process using the LD_PRELOAD environment variable and the /etc/ld.so/preload file. This sounds dangerous ...
0 votes · 0 answers · 158 views
Bash deletes null bytes in exploit input for ROP/return-to-libc
I am trying to do a return-to-libc exploit. The goal is to gain a shell with root privilege by calling setuid(0) and then system("/bin/sh"). I have been agonizing over trying to get this thing ...
2 votes · 1 answer · 197 views
Questions on GLIBC Heap Exploitation (House of Force)
This is with reference to Max Kamper's video on GLIBC heap exploitation and these articles I read
https://www.crow.rip/crows-nest/binexp/heap/house-of-force-i
https://www.crow.rip/crows-nest/binexp/...
2 votes · 2 answers · 304 views
Debian's security tracker says a CVE is fixed, while BlackDuck scanner detects it
I stumbled across a vulnerability considered a critical security risk (CVE-2023-25139) in one of the container images I build.
Debian's security tracker states it's fixed: https://security-tracker.debian....
0 votes · 0 answers · 150 views
Where do stack pointer differences to stack base originate from on Linux?
Let's assume we have this simple program:
#include <stdio.h>

int main(void) {
    int x;
    printf("%p", (void *)&x);
    return 0;
}
Assuming the stack is mapped something like this:
0x007ffffffdd000 0x007ffffffff000 ...
0 votes · 1 answer · 144 views
Why is GNU libc's salt alphabet for `crypt` limited to ./0-9A-Za-z?
According to docs:
To hash a new passphrase for storage, set salt to a string consisting of [a prefix plus] a sequence of randomly chosen characters ...
and
In all cases, the random characters ...
2 votes · 1 answer · 2k views
CTF setup for debugging heap exploits
I'm currently studying binary heap exploitation (mainly the glibc (ptmalloc2) implementation), for CTF competitions. The problem I'm facing is debugging challenges designed for a certain glibc version....
1 vote · 0 answers · 940 views
Could not load library libcutils.so while injecting shellcode
I am working on my school thesis.
I am trying to inject some shellcode into a shared library using Dirty Cow vulnerability on Android x86.
My shellcode is written in assembly and only calls ...
9 votes · 1 answer · 1k views
Jump Oriented Programming segmentation fault issue
I found this interesting post on JOP, and since I was not familiar with the concept I decided to play with it. I managed to call arbitrary functions defined in my binary with or without arguments, but ...
4 votes · 1 answer · 855 views
Return-to-libc Attack mystery
I'm studying the Return-to-libc Attack and I understand the concept. But one thing still does not make sense. In order to make the attack I need the memory address of system() and "/bin/sh", which is ...
6 votes · 2 answers · 44k views
Return to libc: finding libc's address and finding offsets
So I tried performing a return-to-libc according to https://sploitfun.wordpress.com/2015/05/08/bypassing-nx-bit-using-return-to-libc/.
I found libc's address by using "ldd vuln", and found system's ...
1 vote · 1 answer · 687 views
How to increase gadget occurrence in a program
I'm exercising with ROP. In a vulnerable program I control the RIP; when I use "ropeme" and search for gadgets, I find many references to 32-bit registers, but not a single extended register.
I need a ...
5 votes · 1 answer · 7k views
How to bypass ASLR with ROP
I was reading this article by the InfoSec institute:
http://resources.infosecinstitute.com/an-introduction-to-returned-oriented-programming-linux/#gref
And was able to follow along until he did the ...
1 vote · 1 answer · 171 views
Where to get patches for recent CVEs announced for glibc?
My SoC vendor uses Yocto to create a custom embedded Linux distribution that contains glibc 2.22.
As part of the distribution we have received patches up to CVE-2016-4429. But now there are some ...
7 votes · 2 answers · 9k views
Is ASLR useless in preventing attacks such as return-to-libc in Linux?
If I'm correct, due to ASLR we load libc into some random address. And then, in order to make that happen without allowing write permissions on text pages within memory, we use the PLT/GOT. Now I can simply ...
10 votes · 2 answers · 8k views
Why must a ret2libc attack follow the order "system(), exit(), command"?
In a ret2libc attack, I understand that the return address can be overwritten with the address of the system command, which takes a command string as an argument. In this case, shouldn't the address ...
7 votes · 1 answer · 2k views
How to restrict dlopen() from or to certain paths?
If I want to disable execution of programs on a filesystem, I can use the noexec mount option.
However, this doesn't work with dynamic libraries loaded through dlopen(). So what is the way to do it ...
3 votes · 2 answers · 478 views
How to confirm that my router is vulnerable to the glibc vulnerability (CVE-2015-7547)?
I have tried PoC from Google (https://github.com/fjserna/CVE-2015-7547) to test my host PC (first execute the server side PoC then execute client side PoC). It was vulnerable.
Now I want to check my ...
0 votes · 1 answer · 123 views
CVE-2015-7547 vulnerability: if the glibc used is below 2.23 but the application does not use getaddrinfo
For the CVE-2015-7547 vulnerability, it's mentioned that versions of glibc below 2.23 are vulnerable.
If the glibc used is below 2.23, but the application does not use the getaddrinfo() function, is the application ...
9 votes · 1 answer · 403 views
In light of the glibc DNS vulnerability, why aren't Linux distros updating install images?
Doesn't that make the mere act of updating a newly installed Linux instance unsafe, since the initially installed package manager is vulnerable? Am I missing something?
For example, the current ...
2 votes · 1 answer · 166 views
Does the glibc getaddrinfo vulnerability affect mobile applications?
Recently Google discovered the "glibc getaddrinfo" vulnerability (CVE-2015-7547)
Is this a server side only issue, or can apps be affected by it as well? I'm developing both an iPhone and Android app,...
2 votes · 2 answers · 483 views
Does the glibc getaddrinfo vulnerability affect Windows systems?
Recently Google discovered the "glibc getaddrinfo" vulnerability (CVE-2015-7547).
Does this vulnerability affect Windows systems at all? I think it might because I'm not sure that glibc is a Linux-...
5 votes · 1 answer · 2k views
Strategy for dealing with glibc issues through all Docker containers
CVE-2015-7547 affects glibc, which is present in pretty nearly all docker containers. There's an automated process underway which will update all official containers, but it's not immediately clear ...
0 votes · 1 answer · 570 views
Plaintext DNS traffic in a WPA2 session?
The question I have is: in a WPA2 session between the AP and the client, are DNS requests sent in plain text?
Trying to wrap my head around the latest glibc exploit.
Thank you
Ted
1 vote · 0 answers · 66 views
How to react to the glibc vulnerability as an OSX user? [duplicate]
Apologies if this question isn't really fit for this SE site. Wasn't sure whether to post it here, or on apple.SE.
What's the currently best way for a user of OSX to react to:
https://...
0 votes · 1 answer · 239 views
Can the latest glibc DNS vuln be tested on remote servers?
I recently heard of the critical DNS vulnerability in glibc that can lead to arbitrary code execution. I hadn't found much about the cases when the faulty function is called and ways to remotely ...
1 vote · 2 answers · 2k views
glibc getaddrinfo (CVE-2015-7547) vulnerability: should I update glibc if I do not configure DNS?
Recently Google discovered the glibc getaddrinfo (CVE-2015-7547) vulnerability:
https://googleonlinesecurity.blogspot.co.il/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html
We run our application on ...
3 votes · 1 answer · 5k views
return-to-libc attack
I was trying to attempt a return-to-libc buffer overflow attack for my Computer Software Security assignment. As far as my understanding goes, we can do these kinds of attacks regardless of stack ...
-1 votes · 1 answer · 287 views
ROP: Use return value of function
Is it possible to call a function and store its return value in the next stack frame?
So:
call foo(); // int foo();
store return value of foo in next stack frame;
call bar(int);
1 vote · 2 answers · 237 views
Can an executable be scanned for calls to the vulnerable glibc ghost functions?
The GHOST vulnerability has the potential to be vulnerable to many, many pieces of software that call the gethostbyname() and gethostbyname2() functions. Is there an easy way to scan an executable to ...
10 votes · 1 answer · 4k views
Is Java vulnerable to glibc GHOST Vulnerability in Linux?
I see on our RedHat Linux platform that the "java" process has a dependency on the glibc library:
[root@hpproliant1 ~]# ldd /usr/bin/java
linux-gate.so.1 => (0xffffe000)
libpthread.so.0 => /lib/...
10 votes · 1 answer · 8k views
GHOST: which services are vulnerable, ssh, web server?
GHOST (CVE-2015-0235) just popped up.
"GHOST bug: is there a simple way to test if my system is secure?" deals with how to find out if your system is vulnerable.
exim is mentioned specifically.
...
61 votes · 4 answers · 21k views
GHOST bug: is there a simple way to test if my system is secure?
GHOST (CVE-2015-0235) just popped up. How can I quickly check if a system of mine is secure? Ideally with a one line shell command.
According to the ZDNet article "you should then reboot the system". ...