Stack Clash bug could give root privileges to attackers on Unix, Linux systems

Qualys researchers have unearthed a serious privilege escalation bug affecting a wide variety of Unix and Unix-based operating systems, and have been working with vendors to develop patches since May.

As the patches have been pushed out, Qualys went public with the information, and urged users to implement them as soon as possible.

The vulnerability (CVE-2017-1000364)

The vulnerability has been dubbed Stack Clash because it is triggered when an attacker forces an application’s stack to clash with another memory region.

“Each program running on a computer uses a special memory region called the stack. This memory region is special because it grows automatically when the program needs more stack memory. But if it grows too much and gets too close to another memory region, the program may confuse the stack with the other memory region. An attacker can exploit this confusion to overwrite the stack with the other memory region, or the other way around,” Qualys researchers explained.

Other researchers have uncovered ways to clash the stack in the past, but the fixes introduced to protect against this type of exploit apparently do not work as intended.

Qualys researchers found several other secondary vulnerabilities directly related to the first one, and some can be exploited independently from one another. Still, all of them allow only privilege escalation, so attackers must first gain access to the system by exploiting other vulnerabilities before they can escalate their privileges to root.

The exploits

They have also created a number of proof-of-concept exploits that can be leveraged against various applications on different Linux distributions (e.g. Exim on i386 Debian, Sudo on i386 Debian, Ubuntu, CentOS, etc.), but haven’t released them to the public.

But the good news is that all of the exploits are local.

“Our research has mainly focused on local exploitation: as of this writing on June 19, 2017, we do not know of any remotely exploitable application,” the researchers noted.

“However, remote exploitation of the Stack Clash is not excluded; although local exploitation will always be easier, and remote exploitation will be very application-specific. The one remote application that we did investigate (the Exim mail server) turned out to be unexploitable by sheer luck.”

Protection and risk mitigation

Qualys says that affected vendors pushed out patches before the company went public with its findings, so Linux, OpenBSD, NetBSD, FreeBSD, Solaris, Red Hat, SuSE, Debian, and Ubuntu users would do well to look for them and implement them.

Users who can’t or don’t want to update or reboot their systems can implement the following temporary workaround: set the hard RLIMIT_STACK and RLIMIT_AS of your local users and remote services to some reasonably low values.

“Use this workaround at your own risk, however: most likely your limits will not be low enough to resist all attacks (for example, in some cases our Sudo stack-clash exploit allocates merely 137MB of heap memory, and almost no stack memory); or your limits will be too low and will break legitimate applications,” the researchers added.
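One way to check whether the workaround is actually in effect for a running process is to read its hard limits from /proc/<pid>/limits on Linux. The script below is an added example, not code from Qualys or the original article; the sample text and the ceiling values passed to it are constructed placeholders, not recommended settings.

```python
"""Audit hard RLIMIT_STACK / RLIMIT_AS as reported in /proc/<pid>/limits (Linux)."""

# Rows of /proc/<pid>/limits that correspond to the two limits in the workaround.
WATCHED = {"Max stack size": "RLIMIT_STACK", "Max address space": "RLIMIT_AS"}

# Constructed sample in the layout of /proc/<pid>/limits (not from a real host).
SAMPLE_LIMITS = """\
Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            seconds
Max stack size            8388608              unlimited            bytes
Max address space         unlimited            536870912            bytes
"""

def parse_hard_limits(text):
    """Return {rlimit name: hard limit in bytes, or None when unlimited}."""
    limits = {}
    for line in text.splitlines():
        for label, name in WATCHED.items():
            if not line.startswith(label):
                continue
            fields = line[len(label):].split()  # soft, hard, units
            if len(fields) >= 2:
                limits[name] = None if fields[1] == "unlimited" else int(fields[1])
    return limits

def audit(text, max_stack, max_as):
    """List findings: limit not reported, unlimited, or above the chosen ceiling."""
    hard = parse_hard_limits(text)
    findings = []
    for name, ceiling in (("RLIMIT_STACK", max_stack), ("RLIMIT_AS", max_as)):
        if name not in hard:
            findings.append(f"{name}: not reported")
        elif hard[name] is None:
            findings.append(f"{name}: hard limit is unlimited")
        elif hard[name] > ceiling:
            findings.append(f"{name}: hard limit {hard[name]} exceeds {ceiling}")
    return findings

def audit_pid(pid, max_stack, max_as):
    """Run the same audit against a live process (needs read access to /proc)."""
    with open(f"/proc/{pid}/limits") as fh:
        return audit(fh.read(), max_stack, max_as)

if __name__ == "__main__":
    # Placeholder ceilings: 8 MiB stack, 1 GiB address space.
    for finding in audit(SAMPLE_LIMITS, 8 * 2**20, 2**30):
        print(finding)
```

An empty result only means the limits are at or below the ceilings you chose; as the researchers note, those ceilings may still be too high to stop every attack.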