For our 199th episode Andrei looks at Fuzzing Configurations of Program Options
plus we discuss Google’s findings on the io_uring kernel subsystem and we look
at vulnerability fixes for Netatalk, Jupyter Core, Vim, SSSD, GNU binutils, GLib
and more.
Implementation of the Apple Filing Protocol - allows an Ubuntu server to share
files with macOS clients - similar to Samba for Windows
Lots of different buffer overflows - some / most disclosed via ZDI
Almost all due to missing length checks on the input data - some OOB write,
others OOB read - sadly there is no AppArmor profile for netatalk but it would
be interesting to try and create one
Failed to sanitise certificate attributes before issuing an LDAP search -
i.e. a certificate may contain parentheses in, say, the Subject DN field - this
would then be used directly in the query and interpreted as part of the LDAP
filter itself rather than as data - could then allow a malicious client to
provide a crafted certificate which performs arbitrary LDAP queries etc - such
that when used in conjunction with FreeIPA they could elevate their privileges
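As an added illustration for these notes (not SSSD's own code), the following shows why unescaped certificate DN components change the structure of an LDAP search filter and how RFC 4515 escaping neutralises them; the filter layout, attribute names and sample DNs are constructed assumptions:

```python
# Constructed illustration (not SSSD's code): an unescaped certificate
# attribute changes the structure of an LDAP search filter; RFC 4515
# escaping prevents it. Filter layout and attribute names are hypothetical.

# RFC 4515 section 3: these characters are escaped as "\" + two hex digits
# whenever an arbitrary string is substituted into a search filter.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_ldap_filter_value(value: str) -> str:
    """Escape a string for safe use as an assertion value in a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_cert_filter_vulnerable(subject_dn: str) -> str:
    """Splices the Subject DN in verbatim: the pattern described in the notes."""
    return f"(&(objectClass=inetOrgPerson)(certSubject={subject_dn}))"


def build_cert_filter_fixed(subject_dn: str) -> str:
    """Same lookup, but the DN is escaped before substitution."""
    safe_dn = escape_ldap_filter_value(subject_dn)
    return f"(&(objectClass=inetOrgPerson)(certSubject={safe_dn}))"


def count_filter_items(ldap_filter: str) -> int:
    """Number of filter items, i.e. literal '(' characters. After escaping,
    only the structural parentheses of the template remain."""
    return ldap_filter.count("(")


# Constructed sample values: a benign Subject DN and one whose parentheses
# would be read as an extra filter item if left unescaped.
BENIGN_DN = "CN=alice,O=Example"
CRAFTED_DN = "CN=alice)(uid=admin"

if __name__ == "__main__":
    for dn in (BENIGN_DN, CRAFTED_DN):
        vuln = count_filter_items(build_cert_filter_vulnerable(dn))
        fixed = count_filter_items(build_cert_filter_fixed(dn))
        print(f"{dn!r}: unescaped -> {vuln} items, escaped -> {fixed} items")
```

The template has three filter items; any count above that from the unescaped builder means the attribute value was parsed as filter syntax.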
Buffer overflow when handling a crafted HTTP packet that specifies an IPv6
address longer than the maximum possible - since it parses the address into a
fixed-size buffer
Open redirect - allows an attacker to craft a URL to a site that, when visited,
will redirect the user to a different arbitrary site - can then be used to
phish the user
Heap-based buffer overflow when reading certain debugging information - could
then possibly get code execution - requires the user to run objdump or similar
on an attacker-controlled binary - in general binutils is expected to only be
run on trusted inputs - so if you are using objdump etc for reverse
engineering arbitrary binaries, you should do this in an isolated environment
such as a VM
Latest .NET point releases from Microsoft for .NET 6 and 7 fixing various
issues in the language runtime (not a lot of details provided by MS on these)
Library for async DNS lookups - used by apt-cacher-ng, frr, wireshark, sssd
and more
Buffer underflow when looking up crafted IPv6 addresses - appears to be able
to be tricked into writing in front of an allocated buffer - memory corruption
-> DoS / RCE
DoS via an attacker forging a zero-length UDP packet in response to a query -
this then causes the resolver to shut down the “connection” as it sees a
0-byte read - however that code path assumes the transport protocol is TCP,
where a 0-byte read means the peer closed the connection - this is not a valid
assumption for UDP as UDP is connectionless
Various issues in the handling of GVariants - looks like someone has been
fuzzing glib - GVariant is used for the on-the-wire encoding of parameters in
DBus etc - similar to protobufs etc
Google runs kCTF as part of the vuln rewards program, offering a bug-bounty /
monetary rewards for researchers who find exploitable bugs in Google
Kubernetes Engine (GKE) or the underlying Linux kernel
Has paid out $1.8m USD - 60% of submissions exploited io_uring - with around
$1m USD rewarded for io_uring submissions alone - and io_uring was used in all
submissions which bypassed their mitigations - io_uring was the most exploited
subsystem, followed by net and then fs - clearly it is a target-rich
environment
As such, Google disabled io_uring in ChromeOS (it was originally enabled back
in November 2022 to increase the performance of ARCVM, which is used to run
Android apps on ChromeOS) - disabled again 4 months later in February this
year
Uses seccomp-bpf to block access to io_uring from Android applications, and in
the future will also use SELinux to restrict access even further to only
select system processes
Will likely disable it also on GKE Autopilot - where Google manages the config
of your GKE Kubernetes cluster
And have disabled io_uring on their production servers
Essentially, due to the newness of io_uring and the ongoing development of
features for it, it presents too much of a risk for use by untrusted
applications etc
Andrei discusses Fuzzing Configurations of Program Options (15:06)