Vigil@nce: glibc, memory corruption via fnmatch
March 2011 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
When an attacker can transmit a value to the fnmatch() function of
the glibc, he can corrupt the memory of the application.
– Severity: 1/4
– Creation date: 28/02/2011
IMPACTED PRODUCTS
– Unix - plateform
DESCRIPTION OF THE VULNERABILITY
The fnmatch() function of the glibc checks if a string matches a
pattern:
fnmatch(pattern, string, flags);
For example:
if (fnmatch("*.txt", "file.txt", 0)) ...
This function calls alloca() in order to allocate a memory area in
the stack to store the string. However, if the size of the string
(multiplied by four) is superior to the stack size, an integer
overflows, and data overwrites the stack content.
When an attacker can transmit a value to the fnmatch() function of
the glibc, he can therefore corrupt the memory of the application.
The attacker can then stop this application or execute code with
its privileges.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/glibc-memory-corruption-via-fnmatch-10403