
Stack Clash critical vulnerability for *NIX OS

A few days ago a new vulnerability related to Stack Clash was disclosed for *NIX operating systems (Linux, OpenBSD, FreeBSD and Solaris). This kind of vulnerability was already known in 2005 and 2010, and it was patched and gone for a while. It was rediscovered by security researchers from Qualys, who released an advisory explaining it.

How it works

If you have some knowledge about operating systems you know that programs run in memory. Part of that memory is the call stack, a data structure that stores information about the active subroutines of a program: return addresses, saved registers and local variables. This area is also known by other names, such as program stack, control stack or run-time stack, so we will just call it the stack. The stack has no fixed size: the kernel grows it on demand, page by page, as the program needs more stack memory, up to the process's stack limit. The problem appears when the stack grows so much that it reaches the memory region mapped just below it (the heap, a shared library or an mmap'd area). The only thing separating the two was a single guard page, and a stack frame larger than that page (a big local array or alloca()) can step over the guard without ever touching it. At that point the two regions are adjacent and the program can no longer tell which memory belongs to the stack it is using at runtime.

If this happens an attacker can take advantage of the situation: writes meant for the stack overwrite the other memory region, or writes to the other region overwrite the stack. There is a really good explanation here: What is Stack Clash and what can I do about it? You can also read the long and very good report by Qualys.
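To make the guard-page mechanism concrete, here is an added example that is not code from this post or from the Qualys advisory. It models a stack, its guard pages and the neighbouring region inside one anonymous mapping, so nothing touches the real process stack; the region layout, page counts and frame sizes are assumptions chosen for the illustration. It shows three things: a frame larger than a one-page guard steps over it and writes into the neighbour (a clash), a 256-page gap (1 MiB, the size the kernel fix uses) catches the same frame, and probing every page on the way down (what GCC's -fstack-clash-protection does) catches it even with a one-page guard.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/*
 * Added example, not code from the post or from the Qualys advisory.
 * Model of a process stack inside one anonymous mapping (assumed layout):
 *
 *   low addresses                                      high addresses
 *   [ neighbour page ][ gap_pages x PROT_NONE guard ][ stack page ] <- sp
 *
 * The real stack grows down, so "the next region" is whatever mapping
 * sits just below the guard (heap, a library, mmap'd data).
 */

static sigjmp_buf guard_hit;

static void on_segv(int sig) {
    (void)sig;
    siglongjmp(guard_hit, 1); /* the write hit a PROT_NONE guard page */
}

size_t model_page_size(void) {
    return (size_t)sysconf(_SC_PAGESIZE);
}

/*
 * Emulate the first write of a new stack frame whose first written byte
 * lies frame_bytes below the current stack pointer.
 *   gap_pages   number of guard pages between the stack and the neighbour
 *   frame_bytes distance from sp to the first byte the frame writes
 *   probe       if nonzero, touch every page between sp and that byte
 *               first (stack probing, as -fstack-clash-protection does)
 * Returns 1 if the guard stopped the write or it stayed on the stack page,
 * 0 if the write silently landed in the neighbour page (a stack clash),
 * -1 on setup failure.
 */
int simulate_stack_clash(size_t gap_pages, size_t frame_bytes, int probe) {
    size_t page = model_page_size();
    size_t total = (gap_pages + 2) * page;
    if (frame_bytes == 0 || frame_bytes > total) return -1;

    unsigned char *base = mmap(NULL, total, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED) return -1;
    unsigned char *guard = base + page;  /* guard begins right after the neighbour page */
    unsigned char *sp = base + total;    /* stack pointer: top of the stack page */
    if (mprotect(guard, gap_pages * page, PROT_NONE) != 0) {
        munmap(base, total);
        return -1;
    }

    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);

    unsigned char *target = sp - frame_bytes;
    volatile int caught = 0;
    if (sigsetjmp(guard_hit, 1) == 0) {
        if (probe) {
            /* Touch each page on the way down, so a frame larger than the
               guard gap cannot jump over the guard unnoticed. */
            for (size_t off = page; off < frame_bytes; off += page)
                *(volatile unsigned char *)(sp - off) = 0xAA;
        }
        *(volatile unsigned char *)target = 0xAA; /* the frame's first write */
    } else {
        caught = 1; /* SIGSEGV: the guard did its job */
    }

    sigaction(SIGSEGV, &old, NULL);
    int landed_in_neighbour = !caught && target < guard;
    munmap(base, total);
    return (caught || !landed_in_neighbour) ? 1 : 0;
}

static const char *verdict(int r) {
    return r < 0 ? "setup failed" : (r ? "stopped by guard" : "CLASH");
}

int main(void) {
    size_t frame = 3 * model_page_size(); /* a frame bigger than a one-page guard */
    printf("1 guard page,    no probing: %s\n", verdict(simulate_stack_clash(1, frame, 0)));
    printf("256 guard pages, no probing: %s\n", verdict(simulate_stack_clash(256, frame, 0)));
    printf("1 guard page,    probing   : %s\n", verdict(simulate_stack_clash(1, frame, 1)));
    return 0;
}
```

The model is deliberately simpler than the kernel: the real guard gap is not a separate mapping but empty address space the kernel refuses to let other mappings approach, and a real exploit also needs the neighbouring region to contain something worth corrupting. The point it shows is the one that matters for the patch: a bigger gap or per-page probing turns a silent overlap into a crash.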

What the risks are

Someone can use this vulnerability to obtain full root privileges on the affected server, meaning they will have full authorization within the system. The research done so far has focused on local exploitation, meaning you need access to the operating system as a user in order to perform the exploit. Despite this, it is still not certain whether it can be exploited remotely, for example via an HTTP request or JavaScript code. Keep in mind that investigations are still ongoing and someone could demonstrate remote exploitation in the future.

What the vulnerabilities are

The primary vulnerability was assigned CVE-2017-1000364 (the Linux kernel's stack guard gap being too small). You should be aware that there are more vulnerabilities related to the first one: CVE-2017-1000365 (the kernel not counting argument and environment pointers against the stack limit at exec time) and CVE-2017-1000367 (a bug in sudo's get_process_ttyname(), used in Qualys's exploit chain).

How to fix it

The solution is quite simple: update your system as soon as possible. Apply the latest patches released by your OS vendor for this vulnerability. For example, Novell released new kernel versions for these vulnerabilities; the upstream Linux fix widens the stack guard gap from one page to 256 pages (1 MiB) by default, tunable with the stack_guard_gap kernel boot parameter. As far as I know, other software manufacturers are doing the same.

If you cannot reboot or update your system yet, you can set a hard RLIMIT_STACK and RLIMIT_AS for local users as a temporary workaround. Keep in mind that this is not supported by some software manufacturers and you do it at your own risk.
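As an added illustration (not from the post, and the thresholds are assumptions chosen for this example), this is what the workaround looks like in /etc/security/limits.conf on a Linux system that applies limits through pam_limits. The stack and as items take kilobytes, so the lines below cap the hard stack limit at 8 MiB and the hard address-space limit at 4 GiB for ordinary users, with an explicit entry that leaves root unrestricted:

```conf
# /etc/security/limits.conf   (fields: domain  type  item  value, values in KB)
*       hard    stack   8192
*       hard    as      4194304
root    hard    stack   unlimited
root    hard    as      unlimited
```

Limits set this way are applied per login session, so existing processes and services started without PAM keep their old limits until they are restarted (for systemd units, LimitSTACK= and LimitAS= in the unit file do the equivalent). After a fresh login, `ulimit -H -s` and `ulimit -H -v` should print 8192 and 4194304. Expect breakage: programs that reserve large virtual address ranges (JVMs, browsers, sanitizer builds) can fail under a 4 GiB address-space cap, which is why this is a stopgap until the kernel is patched.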
