Overview
This week we’re diving down into the depths of binary exploitation and
analysis, looking at a number of recent vulnerability and malware
teardowns, plus we cover security updates for FreeType, PHP, ImageMagick,
protobuf-c and more.
This week in Ubuntu Security Updates
22 unique CVEs addressed
[USN-5528-1] FreeType vulnerabilities [01:03]
- 4 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
- Various heap buffer overflows - all of which could be triggered by a
crafted font file
[USN-5529-1] Linux kernel (OEM) vulnerabilities [01:22]
- 11 CVEs addressed in Jammy (22.04 LTS)
- Linux 5.17 OEM kernel for 22.04 LTS
[USN-5530-1] PHP vulnerability [01:41]
- 1 CVE addressed in Jammy (22.04 LTS)
- php-8.1 in 22.04 LTS - heap buffer overflow in the finfo_buffer function -
used to get file type / MIME info etc from a binary string - the example in
the upstream documentation shows using this function to get the MIME type
of a $_POST parameter - so likely this is being used in a bunch of places on
untrusted data - DoS/RCE
[USN-5532-1] Bottle vulnerability [02:34]
- 1 CVE addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
- Python framework for building web-applications
- Failed to handle errors properly - a remote request could trigger an
unhandled exception -> DoS
[USN-5533-1] Vim vulnerability [02:50]
- 1 CVE addressed in Xenial ESM (16.04 ESM)
- Another out-of-bounds write in vim -> crash / RCE
[USN-5534-1] ImageMagick vulnerabilities [02:58]
- 3 CVEs addressed in Xenial ESM (16.04 ESM)
- Someone has been running ImageMagick under UBSan (the undefined behaviour
sanitizer) - found a number of cases of possible undefined behaviour - impact
is not clear but could possibly lead to crash / RCE etc
[USN-5531-1] protobuf-c vulnerability [02:32]
- 1 CVE addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
- Used to compile a protobuf specification to C code, along with a library
which is then linked against that generated code to marshal/unmarshal
protobuf messages
- Invalid arithmetic shift - the previous code right-shifted signed values,
which is implementation-defined in C - so depending on which compiler was
used the result could differ, and the code could end up writing outside of
memory bounds etc - fixed by casting to an unsigned type before shifting so
that the behaviour is well-defined
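As an added example (this is not protobuf-c's own code), the protobuf sint32 zigzag transform and base-128 varint framing written entirely on unsigned types, so no signed value is ever shifted, together with a decoder that never reads past the end of its buffer. Function names here are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not protobuf-c's code: protobuf's sint32 zigzag encoding
 * and base-128 varint framing done on unsigned types only.  In C,
 * right-shifting a negative value is implementation-defined and
 * left-shifting one is undefined, so a decoder built on signed shifts may
 * compute a different value (and a different length) on another compiler. */

/* zigzag: 0 -> 0, -1 -> 1, 1 -> 2, -2 -> 3, ... INT32_MIN -> 0xFFFFFFFF */
uint32_t zigzag32_encode(int32_t n)
{
    uint32_t u = (uint32_t)n;        /* signed->unsigned conversion is well-defined (mod 2^32) */
    uint32_t sign = 0u - (u >> 31);  /* all ones if n < 0, else zero: no signed shift */
    return (u << 1) ^ sign;
}

int32_t zigzag32_decode(uint32_t z)
{
    uint32_t mag = z >> 1;           /* at most 0x7FFFFFFF, so it fits in int32_t */
    if (z & 1u)
        return -(int32_t)mag - 1;    /* no overflow: result is >= INT32_MIN */
    return (int32_t)mag;
}

/* Encode v as little-endian groups of 7 bits, high bit set on every byte
 * but the last.  Writes at most 5 bytes and returns the count. */
size_t varint32_encode(uint32_t v, uint8_t out[5])
{
    size_t n = 0;
    while (v >= 0x80u) {
        out[n++] = (uint8_t)(v | 0x80u);
        v >>= 7;
    }
    out[n++] = (uint8_t)v;
    return n;
}

/* Decode a varint from buf without ever reading past len.  Returns the
 * number of bytes consumed, or 0 if the input is truncated, longer than
 * 5 bytes, or carries bits that do not fit in 32 bits. */
size_t varint32_decode(const uint8_t *buf, size_t len, uint32_t *out)
{
    uint32_t v = 0;
    for (size_t i = 0; i < len && i < 5; i++) {
        uint32_t bits = buf[i] & 0x7Fu;
        if (i == 4 && (bits & 0x70u))   /* only 4 bits remain at position 28 */
            return 0;
        v |= bits << (7 * i);
        if (!(buf[i] & 0x80u)) {
            *out = v;
            return i + 1;
        }
    }
    return 0;                           /* ran out of bytes before the terminator */
}

/* A sint32 field value on the wire: zigzag, then varint, and back again. */
size_t sint32_encode(int32_t n, uint8_t out[5])
{
    return varint32_encode(zigzag32_encode(n), out);
}

size_t sint32_decode(const uint8_t *buf, size_t len, int32_t *out)
{
    uint32_t z;
    size_t used = varint32_decode(buf, len, &z);
    if (used)
        *out = zigzag32_decode(z);
    return used;
}

int main(void)
{
    uint8_t buf[5];
    int32_t back = 0;
    size_t n = sint32_encode(-150, buf);
    size_t used = sint32_decode(buf, n, &back);
    printf("-150 -> %zu bytes on the wire, decoded %d (consumed %zu)\n", n, back, used);
    return 0;
}
```

The decoder's return value of 0 on truncated or overlong input is the check a caller uses to stop before any length derived from the message is trusted.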
Goings on in Linux Security Community
Introduction to x64 Linux Binary Exploitation by @ch0pin [04:24]
- Great series of blog posts from earlier this year
- Starts by creating a small program with a basic stack buffer overflow
vulnerability
- Then disables all the various hardening features which have been added to
Ubuntu (stack canaries, non-executable stack, ASLR etc) so that it can be
easily exploited
- Along the way explains memory layout, processor architecture etc to help
understand the process of developing exploits
- Further blog posts in the series then start to enable the various
hardening features one-by-one and in the process walk through more
detailed and complex techniques for defeating these
- Great insight to the process - also includes good references along the
way to other sources of documentation / information on related concepts
Part 1 - Basic Buffer Overflow
Part 2 - Return into libc
Part 3 - ROP gadgets and chains
Part 4 - Stack Canaries
Part 5 - ASLR overview and bypass technique
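As an added example (not code from the blog series), the kind of program the series starts from: an unbounded copy into a fixed-size stack buffer, beside the bounded form that rejects oversized input. The build and run commands in the comments are the usual way of switching off the Ubuntu hardening defaults for this sort of exercise; the function names are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not the series' own code.  To make the vulnerable version
 * exploitable the way Part 1 does, the hardening defaults are switched off
 * at build time, e.g.
 *   gcc -g -O0 -fno-stack-protector -z execstack -no-pie -o vuln vuln.c
 * and ASLR is disabled for the run with
 *   setarch $(uname -m) -R ./vuln "$(python3 -c 'print("A"*200)')"
 * Each later part of the series turns one of those protections back on. */

#define BUF_SIZE 64

/* Deliberately vulnerable: strcpy() does not know how big buf is, so an
 * input longer than BUF_SIZE - 1 bytes overwrites whatever sits above buf on
 * the stack: the saved frame pointer, then the saved return address. */
void vulnerable_copy(const char *input)
{
    char buf[BUF_SIZE];
    strcpy(buf, input);
    printf("vulnerable: copied %zu bytes\n", strlen(buf));
}

/* Hardened form: the copy is bounded by the destination size and an
 * oversized input is rejected rather than silently truncated.
 * Returns 0 on success, -1 if input (plus its NUL) does not fit. */
int bounded_copy(char *dst, size_t dst_size, const char *input)
{
    size_t len = strlen(input);
    if (dst_size == 0 || len >= dst_size)
        return -1;
    memcpy(dst, input, len + 1);   /* len + 1 <= dst_size, includes the NUL */
    return 0;
}

void safe_copy(const char *input)
{
    char buf[BUF_SIZE];
    if (bounded_copy(buf, sizeof buf, input) != 0) {
        fprintf(stderr, "safe: input of %zu bytes rejected (max %d)\n",
                strlen(input), BUF_SIZE - 1);
        return;
    }
    printf("safe: copied %zu bytes\n", strlen(buf));
}

int main(int argc, char **argv)
{
    const char *input = argc > 1 ? argv[1] : "hello";
    safe_copy(input);
    vulnerable_copy(input);   /* crashes, or gets its return address hijacked, on long input */
    return 0;
}
```

With the default Ubuntu toolchain flags the same long input is caught by the stack protector ("stack smashing detected") before the function returns, which is why the series has to disable it first.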
CVE-2022-20186 vulnerability + exploit walkthrough by Github [07:04]
- https://github.blog/2022-07-27-corrupting-memory-without-memory-corruption/
- Vulnerability in the ARM Mali GPU driver in the Android kernel
- Walks through the code to give a good understanding of how memory pages
are handled by the driver and then eventually how this can be exploited
from userspace to overwrite arbitrary kernel memory due to an integer
overflow bug
- Even includes an exploit for the Pixel 6 (patched with the June Pixel update
from Google)
- Interesting footnote about how the patch for the vuln was visible in the
Android tree 2 weeks before the vulnerability was disclosed
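As an added illustration of the bug class the write-up describes (this is generic example code, not the Mali driver's), a userspace-supplied page range validated first with arithmetic that can wrap and then with a wrap-aware check; the region layout, constants and function names are made up for the example.

```c
#include <stdint.h>
#include <stddef.h>

/* Added example, not the Mali driver's code: a (start page, page count)
 * pair supplied by userspace is checked against a region of region_pages
 * pages.  Layout and names are this example's own. */

#define PAGE_SHIFT 12
#define PAGE_SIZE  ((size_t)1 << PAGE_SHIFT)

/* Buggy check: start + nr_pages is computed first, so a huge nr_pages wraps
 * the sum back below region_pages and the range is accepted.  A caller that
 * then touches nr_pages pages from start walks off the end of the region
 * into whatever kernel memory follows it. */
int range_ok_unchecked(size_t region_pages, size_t start, size_t nr_pages)
{
    return start + nr_pages <= region_pages;
}

/* Wrap-aware check: reject empty ranges, test for wrap before comparing, and
 * only then compare against the region size.  In the Linux kernel the wrap
 * test is check_add_overflow() from <linux/overflow.h>; plain C needs the
 * subtraction form used here. */
int range_ok_checked(size_t region_pages, size_t start, size_t nr_pages)
{
    if (nr_pages == 0)
        return 0;
    if (start > SIZE_MAX - nr_pages)    /* start + nr_pages would wrap */
        return 0;
    return start + nr_pages <= region_pages;
}

/* Byte length of a page range, or 0 if nr_pages << PAGE_SHIFT would not fit
 * in size_t (the same wrap, one step later, in a size computation). */
size_t range_bytes(size_t nr_pages)
{
    if (nr_pages > (SIZE_MAX >> PAGE_SHIFT))
        return 0;
    return nr_pages << PAGE_SHIFT;
}
```

The unchecked form accepts start = 16 with nr_pages = SIZE_MAX because the sum wraps to 15; the checked form rejects it, and also rejects a range that is in bounds at its start but runs past the end of the region.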
A detailed technical teardown of Symbiote by @GeeksCyber [08:49]
The Utopic Tale of Ubuntu by the Linux User Space podcast [09:31]
- https://www.linuxuserspace.show/302
- Starts around 9:45 - covers every year of Ubuntu from 2004 through to now
along with the major developments / highlights and some low-lights along
the way
- Great walk down memory lane / background for those new to Ubuntu
- Not really security specific but is a great listen (beware, it runs for over
1.5 hours)
Get in contact