Vigil@nce - glibc: buffer overflow via strcoll
September 2012 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
When an attacker can supply strings that are passed to the
strcoll() function, he can trigger an overflow, in order to cause
a denial of service in an application linked against the glibc, or
to execute code.
Impacted products: Unix (platform)
Severity: 2/4
Creation date: 10/09/2012
DESCRIPTION OF THE VULNERABILITY
The strcoll() function of the glibc compares two strings according
to the current locale:
int strcoll( const char * str1, const char * str2 );
This function allocates a memory area in which to store the strings.
However, on a 32-bit processor, if the total size of the strings
exceeds 800 MB, an integer overflow occurs in the size computation,
and data coming from the strings corrupts memory.
When an attacker can supply strings that are passed to the
strcoll() function, he can therefore trigger an overflow, in order
to cause a denial of service in an application linked against the
glibc, or to execute code.
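The mitigation an application can apply while waiting for a fixed glibc is to refuse to collate attacker-controlled strings whose combined length is anywhere near the allocation threshold, and to do the length arithmetic itself without wrapping. The following is an added example written for this bulletin; it is not glibc code and not Vigil@nce's. The function names, the 64 MiB cap (a constructed value chosen to stay far below the 800 MB total the bulletin cites) and the naive_total_fits() helper, which illustrates the general 32-bit wrap-around mistake rather than glibc's actual code, are all assumptions.

```c
#include <errno.h>
#include <limits.h>
#include <locale.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed application policy (constructed value): refuse to collate
 * inputs whose combined length exceeds 64 MiB. This is well below the
 * ~800 MB total at which the bulletin says the 32-bit size arithmetic
 * inside strcoll() overflows. */
#define COLLATE_MAX_TOTAL ((size_t)64u * 1024u * 1024u)

/* Returns 1 if two strings of length la and lb may be handed to
 * strcoll(), 0 otherwise. The addition is guarded *before* it is
 * performed so the check itself cannot wrap around size_t. */
int collate_lengths_ok(size_t la, size_t lb)
{
    if (la > SIZE_MAX - lb)          /* la + lb would wrap */
        return 0;
    return (la + lb) <= COLLATE_MAX_TOTAL;
}

/* Bounded wrapper: on success writes strcoll()'s result to *out and
 * returns 0; if the inputs are refused, sets errno = EOVERFLOW and
 * returns -1 without ever calling strcoll(). */
int bounded_strcoll(const char *a, const char *b, int *out)
{
    size_t la = strlen(a);
    size_t lb = strlen(b);

    if (!collate_lengths_ok(la, lb)) {
        errno = EOVERFLOW;
        return -1;
    }
    *out = strcoll(a, b);
    return 0;
}

/* Convenience form: -1, 0 or 1 for the collation order, or 2 when the
 * pair was refused. Keeps callers from having to thread an out-param. */
int bounded_strcoll_sign(const char *a, const char *b)
{
    int r;
    if (bounded_strcoll(a, b, &r) != 0)
        return 2;
    return (r > 0) - (r < 0);
}

/* The anti-pattern, for contrast: summing two 32-bit lengths and only
 * then comparing against a cap. When the sum wraps, a huge real total
 * looks tiny and the check passes. Check-before-add, as above, is the
 * fix for this whole class of size-computation bugs. */
int naive_total_fits(uint32_t la, uint32_t lb, uint32_t cap)
{
    uint32_t total = la + lb;        /* may silently wrap */
    return total <= cap;
}

int main(void)
{
    int r;

    setlocale(LC_COLLATE, "");       /* collate in the user's locale */

    if (bounded_strcoll("apple", "banana", &r) == 0)
        printf("apple vs banana: %d\n", r);

    /* A pair of lengths that is refused before any allocation happens. */
    printf("64 MiB + 1 byte accepted? %d\n",
           collate_lengths_ok(COLLATE_MAX_TOTAL, 1));

    /* The wrapped 32-bit sum that the naive check would wave through. */
    printf("naive check on wrapped sum passes? %d\n",
           naive_total_fits(0xFFFFFFF0u, 0x20u, 0x1000u));
    return 0;
}
```

The point of collate_lengths_ok() is that the guard `la > SIZE_MAX - lb` is evaluated on values that cannot overflow, so the decision is correct even for adversarial lengths; naive_total_fits() is included only to show the shape of the mistake being defended against.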
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/glibc-buffer-overflow-via-strcoll-11925