Exploit for unpatched CVE reported in wild.

Bug #1031301 reported by David Ambrose-Griffith on 2012-07-31
This bug affects 1 person
Affects           Status   Importance   Assigned to   Milestone
eglibc (Ubuntu)            Undecided    Unassigned
glibc (Ubuntu)             Undecided    Unassigned

Bug Description

CVEs are as follows:

CVE-2012-3404
CVE-2012-3405
CVE-2012-3406

lsb_release -rd
Description: Ubuntu 10.04.3 LTS
Release: 10.04

Package: libc6 (2.11.1-0ubuntu7.10)

Details of the bugs are here upstream:

http://www.openwall.com/lists/oss-security/2012/07/11/17

We received reports from a colleague at another University that they have suffered a root compromise as a result of one of these CVEs, which I notice do not appear to be fixed yet in Ubuntu. They are running Scientific Linux 6 rather than Ubuntu, so can't be directly compared.

Debian appear to have fixes out for 2 of the 3 CVEs:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=681473

They considered the security risk low, but I have reports of exploits in the wild.

The details I have so far from my colleague are as follows:

09:49 < DaveAG> Was it RHSA-2012:1098-1 you reckon bit you?
09:49 < colleague> erm, one of CVE-2012-3404, CVE-2012-3405, CVE-2012-3406
09:49 < colleague> I don't have an RHSA number to hand since this is SL
09:50 < DaveAG> Yeah, that RHSA lists those 3 CVEs
09:51 < colleague> Announced on the 18th July, we got done on 26th, that's scarily quick
09:52 < colleague> There must be an exploit specifically related to use of /bin/mount
09:53 < colleague> Lovely that with auditd running we immediately were able to spot which suid had been used to get root
09:53 < colleague> and the lack of command line arguments to the command meant it had to be done using the environment to change the way the output was formatted
09:57 < colleague> oh, and blocking the loading of kernel modules helped a lot
09:57 < colleague> It forced the attacker into trying something much more difficult which crashed the kernel.

security vulnerability: yes → no
visibility: private → public
Changed in eglibc (Ubuntu):
status: New → Confirmed
Changed in glibc (Ubuntu):
status: New → Confirmed
Thomas Ward (teward) wrote :

Apologies for setting this back as a security bug, I didn't see Marc set it as a non-vulnerability (aka "Public" only bug). I've rectified my mistake.

security vulnerability: no → yes
security vulnerability: yes → no
Marc Deslauriers (mdeslaur) wrote :

Oh, I made a mistake when setting it public, this is definitely a security vulnerability.

security vulnerability: no → yes

Have there been any developments on this? Do we know if the Debian patches are safe to simply roll into Ubuntu?

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package eglibc - 2.11.1-0ubuntu7.11

---------------
eglibc (2.11.1-0ubuntu7.11) lucid-security; urgency=low

  * SECURITY UPDATE: buffer overflow in vfprintf handling
    - debian/patches/any/CVE-2012-3404.patch: Fix allocation when
      handling positional parameters in printf.
    - CVE-2012-3404
  * SECURITY UPDATE: buffer overflow in vfprintf handling
    - debian/patches/any/CVE-2012-3405.patch: fix extension of array
    - CVE-2012-3405
  * SECURITY UPDATE: stack buffer overflow in vfprintf handling
    (LP: #1031301)
    - debian/patches/any/CVE-2012-3406.patch: switch to malloc when
      array grows too large to handle via alloca extension
    - CVE-2012-3406
  * SECURITY UPDATE: stdlib strtod integer/buffer overflows
    - debian/patches/any/CVE-2012-3480.patch: rearrange calculations
      and modify types to avoid integer overflows
    - CVE-2012-3480
  * debian/patches/any/strtod_overflow_bug7066.patch: Fix array
    overflow in floating point parser triggered by applying patch for
    CVE-2012-3480
  * debian/testsuite-checking/expected-results-x86_64-linux-gnu-libc,
    debian/testsuite-checking/expected-results-i486-linux-gnu-libc,
    debian/testsuite-checking/expected-results-i686-linux-gnu-i386,
    debian/testsuite-checking/expected-results-i686-linux-gnu-i686,
    debian/testsuite-checking/expected-results-i686-linux-gnu-xen,
    debian/testsuite-checking/expected-results-sparc64-linux-gnu-sparc64:
    update for pre-existing testsuite failures that prevent FTBFS
    when the testsuite is enabled.
 -- Steve Beattie <email address hidden> Fri, 28 Sep 2012 23:48:21 -0700

Changed in eglibc (Ubuntu):
status: Confirmed → Fix Released
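The CVE-2012-3406 entry in the changelog above says the fix switches from alloca to malloc once the positional-argument table grows too large. The C program below is an added illustration of that allocation pattern and is not code from eglibc, glibc or the Debian patch: it scans a format string for `%N$` specifiers, computes the table size with an overflow check, keeps the table in a fixed stack buffer while it is small, and moves it to the heap above a constructed limit. The names `STACK_TABLE_BYTES`, `struct arg_slot`, `walk_positional` and `scan_positional` are all invented for the example; glibc's real threshold logic (`__libc_use_alloca`) is only referred to, not reproduced.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical per-argument record standing in for printf's positional-argument table. */
struct arg_slot { unsigned refs; };

/* Constructed stack budget for this example; glibc applies its own limit (__libc_use_alloca). */
#define STACK_TABLE_BYTES 1024

struct scan_result {
    int ok;          /* 1 if the format was processed, 0 on overflow or allocation failure */
    int used_heap;   /* 1 if the table had to be placed in malloc'd memory */
    size_t nargs;    /* highest "N$" index seen (0 if the format has no positional specs) */
};

/* Walk fmt once. Returns the highest positional index N from "%N$..." specs, or
 * SIZE_MAX if an index does not fit in size_t. When table is non-NULL, every
 * reference to slot N with N <= cap is recorded in table[N-1]; nothing else is written. */
static size_t walk_positional(const char *fmt, struct arg_slot *table, size_t cap)
{
    size_t max_pos = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '\0') break;               /* dangling '%' at end of string */
        if (*p == '%') continue;             /* "%%" is a literal percent sign */
        if (*p < '1' || *p > '9') continue;  /* no leading digits: not positional */
        size_t n = 0;
        const char *q = p;
        while (*q >= '0' && *q <= '9') {
            size_t d = (size_t)(*q - '0');
            if (n > (SIZE_MAX - d) / 10) return SIZE_MAX;  /* index would overflow size_t */
            n = n * 10 + d;
            q++;
        }
        if (*q == '$') {                     /* digits followed by '$' make it positional */
            if (n > max_pos) max_pos = n;
            if (table && n <= cap) table[n - 1].refs++;
            p = q;                           /* resume after the '$' */
        } else {
            p = q - 1;                       /* plain width such as "%10d": resume at q */
        }
    }
    return max_pos;
}

/* Size the argument table for fmt: stack while small, heap once it is not.
 * Every size computation is checked before memory is touched. */
struct scan_result scan_positional(const char *fmt)
{
    struct scan_result r = { 0, 0, 0 };
    struct arg_slot stack_table[STACK_TABLE_BYTES / sizeof(struct arg_slot)];

    size_t nargs = walk_positional(fmt, NULL, 0);
    if (nargs == SIZE_MAX) return r;                             /* index unrepresentable */
    if (nargs > SIZE_MAX / sizeof(struct arg_slot)) return r;    /* nargs * size would wrap */
    size_t bytes = nargs * sizeof(struct arg_slot);

    struct arg_slot *table = stack_table;
    if (bytes > sizeof stack_table) {        /* too large for the stack budget: use the heap */
        table = malloc(bytes);
        if (table == NULL) return r;
        r.used_heap = 1;
    }
    memset(table, 0, bytes);
    walk_positional(fmt, table, nargs);      /* second pass writes only within [0, nargs) */

    r.nargs = nargs;
    r.ok = 1;
    if (r.used_heap) free(table);
    return r;
}

int main(void)
{
    /* Constructed sample formats: a small one, a large one, and one whose index overflows. */
    const char *samples[] = { "%1$d %2$s %1$x", "%2000$d", "%10000000000000000000$d" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct scan_result r = scan_positional(samples[i]);
        printf("%-28s ok=%d heap=%d nargs=%zu\n", samples[i], r.ok, r.used_heap, r.nargs);
    }
    return 0;
}
```

The two-pass shape matters: the first pass only counts, so the table is never written before its size has been validated, and the second pass can only touch indices below the count it was given. Replacing the fixed `stack_table` with `alloca(bytes)` is exactly the step that turns an oversized count into a stack overflow, which is why the fix caps the stack use and falls back to `malloc`.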
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package glibc - 2.7-10ubuntu8.2

---------------
glibc (2.7-10ubuntu8.2) hardy-security; urgency=low

  * SECURITY UPDATE: buffer overflow in vfprintf handling
    - debian/patches/any/CVE-2012-3404.patch: Fix allocation when
      handling positional parameters in printf.
    - CVE-2012-3404
  * SECURITY UPDATE: buffer overflow in vfprintf handling
    - debian/patches/any/CVE-2012-3405.patch: fix extension of array
    - CVE-2012-3405
  * SECURITY UPDATE: stack buffer overflow in vfprintf handling
    (LP: #1031301)
    - debian/patches/any/CVE-2012-3406.patch: switch to malloc when
      array grows too large to handle via alloca extension
    - CVE-2012-3406
  * SECURITY UPDATE: stdlib strtod integer/buffer overflows
    - debian/patches/any/CVE-2012-3480.patch: rearrange calculations
      and modify types to avoid integer overflows
    - CVE-2012-3480
  * debian/expected_test_summary: update expected results to prevent FTBFS
 -- Steve Beattie <email address hidden> Fri, 28 Sep 2012 08:21:34 -0700

Changed in glibc (Ubuntu):
status: Confirmed → Fix Released
Steve Beattie (sbeattie) wrote :

CVE-2012-3406 still needs to be addressed in quantal, reopening for that. Attached is a debdiff to do so.

Changed in eglibc (Ubuntu):
status: Fix Released → In Progress

The attachment "eglibc_2.15-0ubuntu19.debdiff" of this bug report has been identified as being a patch in the form of a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. In the event that this is in fact not a patch you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are member of the ubuntu-sponsors team please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

tags: added: patch
Adam Conrad (adconrad) on 2012-10-04
Changed in eglibc (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package eglibc - 2.15-0ubuntu20

---------------
eglibc (2.15-0ubuntu20) quantal; urgency=low

  * Backport fixes for dbl-64 and ldbl-128 issues (LP: #1000498)
  * Backport another FMA support patch from glibc master branch.

eglibc (2.15-0ubuntu19) quantal-proposed; urgency=low

  * SECURITY UPDATE: stack buffer overflow in vfprintf handling
    (LP: #1031301)
    - debian/patches/any/CVE-2012-3406.patch: switch to malloc when
      array grows too large to handle via alloca extension
    - CVE-2012-3406
  * SECURITY UPDATE: stdlib strtod integer/buffer overflows
    - debian/patches/any/CVE-2012-3480.patch: rearrange calculations
      and modify types to avoid integer overflows
    - CVE-2012-3480
 -- Adam Conrad <email address hidden> Wed, 03 Oct 2012 15:58:02 -0600

Changed in eglibc (Ubuntu):
status: Fix Committed → Fix Released
Adam Conrad (adconrad) on 2012-10-07
tags: added: verification-done

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
