⌨️🎥🎬 💡😎

#uchardet + #iconv + #mkvmerge + #antix = 🫂

TIL: German #Excel (on MacOS) expects UTF-8 encoding with a BOM when opening a CSV file. `iconv(1)` does not write a BOM.
Why Excel does not simply assume ISO-8859-1 when there is no BOM is still a mystery to me.
#Encoding #UTF8 #BOM #iconv #TIL

Today in "this should not have been a #ShellScript": https://github.com/DrHyde/shellscripts/blob/master/check-encoding

The #shenanigans around the invocation of #iconv are for portability (some versions of it DIE if you silence STDOUT the normal way by redirecting it to /dev/null) and then once it was a three line script I thought "wouldn't it be nice if it took arguments, and had doco, and handled errors", and at no point was solving the next little problem enough to make me re-write it in a better language, and then ... 1/2

shellscripts/check-encoding at master · DrHyde/shellscripts

Random shell stuff. Contribute to DrHyde/shellscripts development by creating an account on GitHub.

GitHub
Iconv, set the charset to RCE: Exploiting the glibc to hack the PHP engine (part 1)

A few months ago, I stumbled upon a 24-year-old buffer overflow in the glibc, the base library for linux programs. Despite being reachable in multiple well-known libraries or executables, it proved rarely exploitable — while it didn't provide much leeway, it required hard-to-achieve preconditions. Looking for targets led mainly to disappointment. On PHP however, the bug shone, and proved useful in exploiting its engine in two different ways.

Ambionics
Charles Fol presented the #iconv flaw (CVE-2024-2961) at #OffensiveCon on 10/05/2024. We still have no details. It also looks like there are no widespread attacks.
Has anyone seen #PHP sites compromised through this kind of thing recently? Or worse?
#infosec #CVE20242691
Any news on @cfreal_ 's talk on #iconv #vulnerability at #OffensiveCon today?

Buffer Overflow in GNU C Library Affects Older Versions

Date: April 17, 2024

CVE: CVE-2024-2961

Vulnerability Type: Out-of-bounds Write

CWE: CWE-787

Sources: SecurityVulnerability.io, NVD Mitigation blog

Issue Summary

A critical buffer overflow vulnerability has been identified in the GNU C Library's iconv function when converting charsets to certain Chinese Extended encodings. This flaw occurs when converting strings to the ISO-2022-CN-EXT character set in versions prior to 2.40, potentially leading to application crashes or memory corruption.

Technical Key Findings

The vulnerability stems from improper boundary checks during character set conversion, allowing up to 4 bytes of overflow. This could enable attackers to execute arbitrary code or disrupt program operation by manipulating memory locations adjacent to the buffer.

Vulnerable Products

All versions of GNU C Library older than 2.40 are susceptible. (That's potentially 24 years of a buffer overflow presence in the glibc!)

Impact Assessment

The vulnerability poses a high risk, potentially affecting the confidentiality, integrity, and availability of systems utilizing the affected library versions. There is no evidence of active exploitation yet, but the severity of potential impacts warrants prompt attention.

Patches or Workaround

The GNU C Library has released patches for this vulnerability. Users are advised to update to version 2.40 or later. If you are unable to (or it's not available on your OS yet), you can mitigate this issue by disabling the affected charsets in gconv.

Check if you are vulnerable

# The first line of the linker version info should include the version of glibc (either as GLIBC or GNU libc).

ldd --version

# Check whether the vulnerable encodings are enabled in iconv:

iconv -l | grep -E 'CN-?EXT'

If they are, you will see output like:

ISO-2022-CN-EXT//
ISO2022CNEXT//

Tags

#GNUCLibrary #CVE-2024-2961 #BufferOverflow #SecurityPatch #ISO2022CNEXT #CVE20242961 #iconv #iconvglibc

Buffer Overflow Vulnerability in GNU C Library's iconv() Function (CVE-2024-2961) | SecurityVulnerability.io

The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.
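An added offline check (example code, not from any of the posts above) that turns the advisory's two commands into a decision: a glibc older than 2.40 counts as affected unless the CN-EXT charsets are absent from `iconv -l`, which is the gconv mitigation the post describes. The `ldd --version` line format and the sample outputs are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original posts): an offline check for
# CVE-2024-2961 exposure built from the two commands in the advisory.
# Version comparison and output parsing are assumptions based on common
# `ldd --version` / `iconv -l` output formats, not on the page itself.

# Extract the glibc version from `ldd --version` output on stdin:
# the first line ends with the version, e.g. "ldd (GNU libc) 2.39".
glibc_version_from_ldd() {
    head -n 1 | awk '{ print $NF }'
}

# True (exit 0) when MAJOR.MINOR is older than 2.40, the release with the fix.
glibc_vulnerable() {
    major=${1%%.*}
    minor=${1#*.}
    minor=${minor%%.*}
    minor=$(printf '%s' "$minor" | sed 's/[^0-9].*$//')   # drop distro suffixes
    [ "$major" -lt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -lt 40 ]; }
}

# True when `iconv -l` output on stdin still lists the ISO-2022-CN-EXT charset.
cnext_enabled() {
    grep -qE 'CN-?EXT'
}

# Classify a host from its glibc version string and its iconv charset list.
classify() {
    version=$1
    charsets=$2
    if ! glibc_vulnerable "$version"; then
        echo patched
    elif printf '%s\n' "$charsets" | cnext_enabled; then
        echo vulnerable
    else
        echo mitigated      # old glibc, but CN-EXT disabled in gconv
    fi
}

# Constructed sample output, as an unpatched host would print it.
SAMPLE_LDD='ldd (GNU libc) 2.39
Copyright (C) 2024 Free Software Foundation, Inc.'
SAMPLE_ICONV='ISO-2022-CN//
ISO-2022-CN-EXT//
ISO2022CNEXT//
UTF-8//'

ver=$(printf '%s\n' "$SAMPLE_LDD" | glibc_version_from_ldd)
echo "glibc $ver: $(classify "$ver" "$SAMPLE_ICONV")"   # glibc 2.39: vulnerable
```

On a real host, feed the functions with `ldd --version | glibc_version_from_ldd` and `iconv -l` instead of the samples.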

tl;dr: upgrade glibc on your servers!

Summing it up, there's a vulnerability (CVE-2024-2961) on glibc that, apparently, can be used to get RCE on servers running PHP.
It's recommended that you update glibc to a patched version.

https://security-tracker.debian.org/tracker/CVE-2024-2961
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2024-2961

There's an upcoming talk on May 10 where the researcher will explain how it was used to hack PHP servers.

https://www.offensivecon.org/speakers/2024/charles-fol.html

#PHP #glibc #iconv

CVE-2024-2961