Time for an Arm-twist! CVE-2023-4039

Tom Hebb (Meta red team) and I discovered a 0day in GCC (for AArch64 targets) during my Arm exploitation training.

It renders stack canaries against overflows of dynamically-sized variables useless.

https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64

GCC Stack Protector Vulnerability AArch64

A potential security issue in the stack-protector feature in GCC when targeting AArch64. Arm has published fixes to the GCC open-source project.

CVE-2023-4039: “GCC's -fstack-protector fails to guard dynamic stack allocations on ARM64”

On AArch64 targets, GCC's stack smashing protection does not detect or defend against overflows of dynamically-sized local variables.

Affecting all versions of GCC for AArch64 targets.

> GCC’s stack protection feature (aka canary) is an exploit mitigation to prevent buffer overflows from overwriting saved registers on the stack to take control over the program flow. It makes exploitation much harder. You often need an additional bug to bypass this mitigation.

The issue: When targeting AArch64, this mitigation didn’t protect saved registers from overflows in C99-style dynamically allocated local variables and alloca() objects.

Impact: Basically, any AArch64 software compiled with GCC and the stack protection feature (flag -fstack-protector) that is vulnerable to buffer overflows via dynamically-sized variables can be exploited without bypassing this exploit mitigation.
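To make the affected pattern concrete, here is an added example (not code from the advisory or from the thread) of the kind of function the bug applies to, next to a hardened version. The message layout (a one-byte declared length followed by the payload) is constructed for this example. The first function sizes a C99 VLA from the declared length but copies the message's real length, which is exactly the "dynamically-sized local" case the advisory says the AArch64 canary does not guard; the second uses a fixed-size buffer and, more importantly, rejects any message whose lengths disagree, so no overflow can happen whatever the compiler does or does not protect.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed message layout assumed for this example (not from the advisory):
 *   byte 0     : declared payload length N
 *   bytes 1..N : payload
 * Both functions return the XOR of the payload bytes, or -1 on a malformed message.
 */

/* Pattern the advisory describes: a C99 VLA sized from one field but filled
 * using a different length, with no check that the two agree. A message whose
 * real length exceeds its declared length overflows `buf`. On AArch64 with
 * GCC's -fstack-protector the canary does not sit between this VLA and the
 * saved registers, so the overflow goes undetected (CVE-2023-4039). */
int payload_xor_vla(const uint8_t *msg, size_t msg_len)
{
    if (msg_len < 1)
        return -1;
    size_t declared = msg[0];
    uint8_t buf[declared > 0 ? declared : 1]; /* dynamically-sized local */
    memcpy(buf, msg + 1, msg_len - 1);        /* copies the real length, not `declared` */
    int x = 0;
    for (size_t i = 0; i < declared; i++)
        x ^= buf[i];
    return x;
}

/* Hardened form: a fixed-size char buffer, which -fstack-protector does guard,
 * plus an explicit consistency check so the copy can never exceed the buffer
 * regardless of what the compiler instruments. */
#define MAX_PAYLOAD 64

int payload_xor_fixed(const uint8_t *msg, size_t msg_len)
{
    if (msg_len < 1)
        return -1;
    size_t declared = msg[0];
    if (declared > MAX_PAYLOAD || declared != msg_len - 1)
        return -1;                            /* reject oversized or inconsistent input */
    uint8_t buf[MAX_PAYLOAD];
    memcpy(buf, msg + 1, declared);
    int x = 0;
    for (size_t i = 0; i < declared; i++)
        x ^= buf[i];
    return x;
}
```

The length check in the second function is the actual defence; the canary is only defence in depth, and on an unpatched AArch64 GCC it is absent for the VLA case, which is why replacing VLA/alloca buffers with bounded fixed-size (or heap) buffers plus explicit checks is the fix that does not depend on compiler version.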

If you want to reproduce this bug with the PoC from the advisory on your x86/64 machine, here’s how:

@Azeria variable sized stack vars shouldn't be allowed as they are unsafe by design. But I'm happy to know that those are more unsafe now :D
@Azeria friends don’t let friends use alloca