Stack Clash vulnerabilities smash Linux defenses in the quest for root access

The serious chain of bugs can be used to compromise Linux, FreeBSD, OpenBSD, and Solaris.

(Image: Christopher Schirner)

Severe vulnerabilities have been discovered in popular Linux and Unix systems that can be used to blow apart barriers to root powers, researchers have discovered.

According to security firm Qualys, the "Stack Clash" is one major bug, linked to other less prominent flaws made dangerous in conjunction with the first, which can be used to corrupt the memory processes of Linux, OpenBSD, NetBSD, FreeBSD, and Solaris, on i386 and amd64, to execute arbitrary code.

The flaws occur due to a memory region in PC RAM called the stack. This dynamic area increases automatically as stack memory demands increase, but if it becomes too big and gets too close to another memory region, programs utilizing the stack may become confused.

An attacker is then able to take advantage of this confusion and exploit the system to overwrite the stack.

The vulnerabilities are not new. They were first discovered back in 2005 (.PDF) and then again in 2010 (.PDF), and despite the Linux development team issuing a fix through the introduction of guard pages, products based on the OS are still riddled with security holes ripe for exploit.

Qualys said that stack clashes "are widespread and exploitable despite the stack guard-page protection."

For Stack Clash to work, the first step is to utilize the primary vulnerability, CVE-2017-1000364, in order to force the stack to collide with another memory region, causing confusion and corruption.

The guard-page protection, which should kick in, was designed to stop sequential stack overflow attacks. However, the researchers have demonstrated ways to "jump" over the stack guard-page and into the memory region before "smashing" the stack into another memory process.

In total, Qualys has produced seven exploits and seven proof-of-concept (PoC) codes -- available after users have a chance to patch their systems -- to demonstrate how serious the security hole is.

Other vulnerabilities, such as CVE-2017-1000367 and CVE-2017-1000365, can be chained with the main bug or exploited independently through the Stack Clash exploit.

In addition, a Sudo security flaw patched on May 30, CVE-2017-1000367, can be linked with Stack Clash to gain full root privileges on Linux and not just SELinux. As the bug could be exploited independently of Stack Clash, this issue was disclosed beforehand.

The exploits can be used for local privilege escalation and then attackers are able to obtain full root privileges from this low-level application compromise.

However, this does not mean that you are safe from remote exploit, as the researchers believe that theoretically this could also be achieved through vulnerable applications.

"We do not know of any remotely exploitable application, however, remote exploitation of Stack Clash is not excluded," Qualys said. "The one remote application that we did investigate (the Exim mail server) turned out to be unexploitable by sheer luck."

Speaking to Ars Technica, Jimmy Graham, director of product management at Qualys, said: "The concept isn't new, but this specific exploit is definitely new."

Qualys' security advisory was released in tandem with the release of patches for Linux/Unix distributions on June 19. Linux, OpenBSD, NetBSD, FreeBSD, and Solaris, on i386 or amd64 are all affected, and other operating systems may also be vulnerable but are yet to be tested.

Red Hat has already issued an advisory for Stack Clash. The group said that while mitigation is possible in the meantime by setting the hard RLIMIT STACK and RLIMIT_AS of local users and remote services to a low value, this may cause performance issues as it creates overlapping values in /proc/meminfo. However, this is unlikely to impact normal operations and a patch to resolve these problems may be released at a later date.

Given the serious nature of the vulnerabilities, it is recommended that users and administrators update their systems immediately.