CVE-2014-0749

Experiment Environment

Ubuntu 14.04LTS

INSTALL & Configuration

wget https://github.com/mudongliang/source-packages/raw/master/CVE-2014-0749/torque-2.5.13.gz
tar -xvf torque-2.5.13.gz
cd torque-2.5.13
./configure
make

Problems in Installation & Configuration

How to trigger vulnerability

Server:

sudo ./src/server/pbs_server -D -t create

Client:

python poc.py

PoCs

TORQUE Resource Manager 2.5.x < 2.5.13 - Stack Buffer Overflow Stub

TORQUE CVE-2014-0749 Stack Buffer Overflow Vulnerability

Vulnerability Details & Patch

Root Cause

The vulnerability exists because disrsi_.c does not check that the length of count (a value read straight from the request packet) is less than dis_umaxd before that value reaches a later memcpy(). A specially crafted request can therefore smuggle in an oversized count, which is later decremented and becomes the ct argument of the memcpy() performed inside tcp_gets():

memcpy((char *)str, tp->tdis_leadp, ct);

Because count is never validated, the sender controls the size of the memcpy() and, with it, how much of the remaining packet is copied. A large value makes the memcpy() write past the end of the stack buffer, which can be leveraged to take control of the program's execution.
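The following is an added example, not code from this repository or from TORQUE's disrsi_.c or tcp_gets(). It models the read the root cause describes (a count field taken from the packet and then used as the size of a memcpy() into a fixed-size buffer) with a constructed "<count>:<payload>" packet format, and shows where the missing bound goes. DIS_UMAXD is an assumed stand-in for the page's dis_umaxd (the maximum number of digits a count field may carry); the packet layout and the status codes are likewise assumptions for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed analogue of dis_umaxd: a count field must be shorter than this
 * many digits. With 10, the largest accepted count has 9 digits, so the
 * accumulation below can never overflow size_t. */
#define DIS_UMAXD 10

enum dis_status {
    DIS_OK = 0,
    DIS_BADCOUNT = 1,   /* count field malformed, empty, or not shorter than DIS_UMAXD digits */
    DIS_OVERFLOW = 2,   /* count would not fit the destination buffer (plus NUL) */
    DIS_TRUNCATED = 3   /* count exceeds the bytes actually left in the packet */
};

/* Read "<decimal count>:<payload>" from pkt into dst.
 * Each check runs before the memcpy(); the first one is the bound the page
 * says the vulnerable code lacked, the other two are what a defensive
 * implementation adds so that an attacker-chosen size can never drive the copy. */
int dis_get_string(const unsigned char *pkt, size_t pkt_len,
                   char *dst, size_t dst_size, size_t *out_len)
{
    size_t i = 0, count = 0, digits = 0;

    /* Parse the count up to the ':' separator. */
    while (i < pkt_len && pkt[i] != ':') {
        if (pkt[i] < '0' || pkt[i] > '9')
            return DIS_BADCOUNT;
        /* The missing check: reject a count field whose length is not
         * less than DIS_UMAXD before it can grow into a huge ct. */
        if (++digits >= DIS_UMAXD)
            return DIS_BADCOUNT;
        count = count * 10 + (size_t)(pkt[i] - '0');
        i++;
    }
    if (i == pkt_len || digits == 0)
        return DIS_BADCOUNT;           /* no separator, or empty count */
    i++;                               /* skip ':' */

    /* The packet-controlled size must fit the stack buffer, leaving room for NUL... */
    if (count >= dst_size)
        return DIS_OVERFLOW;
    /* ...and must not read beyond the end of the packet. */
    if (count > pkt_len - i)
        return DIS_TRUNCATED;

    memcpy(dst, pkt + i, count);       /* the same copy as in the page, now bounded */
    dst[count] = '\0';
    if (out_len)
        *out_len = count;
    return DIS_OK;
}

/* Stand-alone demo over constructed packets (not captured traffic). */
int main(void)
{
    const char *packets[] = { "5:hello", "9999999999:x", "300:abc", "10:abc", "hello" };
    char buf[16];
    size_t n, k;

    for (k = 0; k < sizeof packets / sizeof packets[0]; k++) {
        int rc = dis_get_string((const unsigned char *)packets[k], strlen(packets[k]),
                                buf, sizeof buf, &n);
        printf("%-14s -> status %d%s%s\n", packets[k], rc,
               rc == DIS_OK ? " payload=" : "", rc == DIS_OK ? buf : "");
    }
    return 0;
}
```

The order of the checks matters for detection as much as for safety: a count that is too long is rejected before any arithmetic on it, a count that is merely too large for the buffer is rejected before the packet length is consulted, and only a count that passes all three reaches the memcpy(). Logging which branch rejected a packet gives a server a cheap signal for malformed or hostile requests.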

Stack Trace

Patch

References
