🛡 [email protected]/:~# Apr 24, 2024

Buffer Overflow in GNU C Library Affects Older Versions

Date: April 17, 2024

CVE: CVE-2024-2961

Vulnerability Type: Out-of-bounds Write

CWE: [[CWE-787]]

Sources: SecurityVulnerability.io, NVD Mitigation blog

Issue Summary

A critical buffer overflow vulnerability has been identified in the GNU C Library's iconv function when converting charsets to certain Chinese Extended encodings. This flaw occurs when converting strings to the ISO-2022-CN-EXT character set in versions prior to 2.40, potentially leading to application crashes or memory corruption.

Technical Key Findings

The vulnerability stems from improper boundary checks during character set conversion, allowing up to 4 bytes of overflow. This could enable attackers to execute arbitrary code or disrupt program operation by manipulating memory locations adjacent to the buffer.

Vulnerable Products

All versions of GNU C Library older than 2.40 are susceptible. (That's potentially 24 years of a buffer overflow presence in the glibc!)

Impact Assessment

The vulnerability poses a high risk, potentially affecting the confidentiality, integrity, and availability of systems utilizing the affected library versions. There is no evidence of active exploitation yet, but the severity of potential impacts warrants prompt attention.

Patches or Workaround

The GNU C Library has released patches for this vulnerability. Users are advised to update to version 2.40 or later. If you are unable to (or it's not available on your OS yet), you can mitigate this issue by disabling the affected charsets in gconv.

Check if you are vulnerable

// The first line of the linker version info should include the version of glibc (either as GLIBC or GNU libc).

ldd --version

// Check if the vulnerable encodings are enabled in iconv:

iconv -l | grep -E 'CN-?EXT'

If they are, you will see an output like:

ISO-2022-CN-EXT//
ISO2022CNEXT//

Tags

#GNUCLibrary #CVE-2024-2961 #BufferOverflow #SecurityPatch #ISO2022CNEXT #CVE20242961 #iconv #iconvglibc

Buffer Overflow Vulnerability in GNU C Library's iconv() Function (CVE-2024-2961) | SecurityVulnerability.io

The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.

Efertone  Apr 24, 2024

Hah, interesting. So we have a glibc <=2.39 exploit that can be utilised against php applications (Apache, PHP-FPM) to escalate privileges. Very interesting.

Sadly we don't get more info until Charles Fol's OffensiveCon talk. I'm looking forward to it.

I really want to know and understand how a 24 years old buffer overflow bug in iconv surfaced now and how the buffer overflow (through 4 bytes of the ISO-2022-CN-EXT set) can be exploited to even get privilege escalation. Fascinating.

https://www.openwall.com/lists/oss-security/2024/04/18/4

#security #BufferOverflow #php #iconvglibc

oss-security - Re: The GNU C Library security advisories update for 2024-04-17: GLIBC-SA-2024-0004/CVE-2024-2961: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence