04-21-2024, 09:58 PM
This is a 24-year-old exploit that was only recently found.
Well shit. Please note, you actually have to have a PHP application that uses the exploitable functions to be at risk.
Quote:... a flaw in the GNU C Library’s (glibc) iconv function (CVE-2024-2961) carries severe implications for web applications built on PHP. ...
Quote:... The vulnerability, cataloged under CVE-2024-2961 and rated 8.8 on the CVSS scale, resides in the ISO-2022-CN-EXT plugin of the glibc’s iconv library. This critical flaw occurs during the charset conversion process from UCS4, where specific escape characters are required to signify changes in the charset to the library. However, due to insufficient boundary checks on internal buffers, an out-of-bounds write can occur, allowing up to three bytes to be written outside the intended memory area. ...
Quote:...
> The iconv() function in the GNU C Library versions 2.39 and older may
> overflow the output buffer passed to it by up to 4 bytes when converting
> strings to the ISO-2022-CN-EXT character set, which may be used to
> crash an application or overwrite a neighbouring variable.
>
> ISO-2022-CN-EXT uses escape sequences to indicate character set changes
> (as specified by RFC 1922). While the SOdesignation has the expected
> bounds checks, neither SS2designation nor SS3designation have them;
> allowing a write overflow of 1, 2, or 3 bytes with fixed values:
> '$+I', '$+J', '$+K', '$+L', '$+M', or '$*H'.
...
For an actual write-up on how it operates, refer to this source.
Buffer Overlord
Deploying Precision in Every Line.
PGP Fingerprint: C1F5 5935 4992 A77B 69E1 B626 7556 1F6B 453C B36F
https://pastebin.com/raw/6k1RJQie
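As an added example, not code from the post or from the advisory it quotes: a host-side check for the two facts the advisory gives (glibc 2.39 and older is in range; the charset lives in the ISO-2022-CN-EXT gconv module, which can be disabled). The gconv-modules path is an assumption and the sample gconv-modules text is constructed.

```python
"""Mitigation check for CVE-2024-2961 (glibc iconv, ISO-2022-CN-EXT overflow).
A glibc version of 2.39 or older is "possibly affected", not proof: distros
backport fixes without bumping the version, so confirm with your vendor."""
import ctypes
import ctypes.util
import re
from pathlib import Path

# Assumed default path; it differs by distro (e.g. /usr/lib64/gconv/gconv-modules).
GCONV_MODULES = Path("/usr/lib/x86_64-linux-gnu/gconv/gconv-modules")

# Constructed sample in the gconv-modules layout ("alias FROM TO" and
# "module FROM TO FILENAME COST"); the mitigated copy comments the charset out.
SAMPLE_ENABLED = """# from            to                 module           cost
alias   ISO2022CNEXT//     ISO-2022-CN-EXT//
module  ISO-2022-CN-EXT//  INTERNAL           ISO-2022-CN-EXT  1
module  INTERNAL           ISO-2022-CN-EXT//  ISO-2022-CN-EXT  1
"""
SAMPLE_MITIGATED = "".join("#" + ln for ln in SAMPLE_ENABLED.splitlines(True))

def parse_glibc_version(version: str) -> tuple[int, int]:
    """'2.31-0ubuntu9' -> (2, 31); distro suffixes are ignored."""
    m = re.match(r"(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised glibc version: {version!r}")
    return int(m.group(1)), int(m.group(2))

def glibc_version_affected(version: str) -> bool:
    """True when the version is 2.39 or older, the range the advisory names."""
    return parse_glibc_version(version) <= (2, 39)

def iso2022_cn_ext_enabled(gconv_modules_text: str) -> bool:
    """True if an uncommented alias/module line still references ISO-2022-CN-EXT."""
    for raw in gconv_modules_text.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0] in ("alias", "module") and any("ISO-2022-CN-EXT" in f for f in fields[1:]):
            return True
    return False

def local_glibc_version():
    """Version string reported by the running libc; None when it is not glibc."""
    try:
        fn = ctypes.CDLL(ctypes.util.find_library("c")).gnu_get_libc_version
    except (OSError, AttributeError, TypeError):
        return None
    fn.restype = ctypes.c_char_p
    return fn().decode()
```

On a host, run `glibc_version_affected(local_glibc_version())` and `iso2022_cn_ext_enabled(GCONV_MODULES.read_text())`; a True from the second means the workaround of commenting the charset out of gconv-modules has not been applied.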