FreeBSD Security Advisories
2018-Sep-12 05:43 UTC
[FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-18:12.elf
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-18:12.elf                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Improper ELF header parsing

Category:       core
Module:         kernel
Announced:      2018-09-12
Credits:        Thomas Barabosch, Fraunhofer FKIE; Mark Johnston
Affects:        All supported versions of FreeBSD.
Corrected:      2018-09-12 05:02:11 UTC (stable/11, 11.1-STABLE)
                2018-09-12 05:07:35 UTC (releng/11.2, 11.2-RELEASE-p3)
                2018-09-12 05:07:35 UTC (releng/11.1, 11.1-RELEASE-p14)
                2018-09-12 05:03:30 UTC (stable/10, 10.4-STABLE)
                2018-09-12 05:07:35 UTC (releng/10.4, 10.4-RELEASE-p12)
CVE Name:       CVE-2018-6924

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

To execute a binary the kernel must parse the ELF header to determine the
entry point address, the program interpreter, and other parameters.

II.  Problem Description

Insufficient validation was performed in the ELF header parser, and
malformed or otherwise invalid ELF binaries were not rejected as they
should be.

III. Impact

Execution of a malicious ELF binary may result in a kernel crash or may
disclose kernel memory.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date, and
reboot.

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +30 "Rebooting for security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-18:12/elf.patch
# fetch https://security.FreeBSD.org/patches/SA-18:12/elf.patch.asc
# gpg --verify elf.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/10/                                                        r338605
releng/10.4/                                                      r338606
stable/11/                                                        r338604
releng/11.1/                                                      r338606
releng/11.2/                                                      r338606
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6924>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-18:12.elf.asc>
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAluYoK9fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cKA+BAApeUtPHpy5mEHC8ftJ+3NZpfI8gcfuPE0dlJi6CpXq8/ruXN5Yt5X0E0l
hlbNGqEMckfe3F81rCXLbtu0zeAnSBfAFcm9xSBa6aSRfP4GAZtKDKwilPqqT9F8
sOrPR/mAfxWmWcfDt8ggAx6akr2Tt48t7TiBP/kA14+CzVmp/pMU/ceFDLk8JYjY
PQzVM4fHC5xeBWtA2JjMNHnhR6XMeiDOLkgeRiRW1LhB/OwWwcb0uzVixxR34mCT
vFm1eJteAitoVclgnI//GkzZZ6b7SZkqyqODWKVLWXaYgb8/Z6SaKAQm2TWuHPEh
nzIpPGhnXZc+36Nn9/HYDKVn3skD1sYAnTMgPcUYZH3KfkohvFdHlnoGqkcnMwTy
mSKkQx9ojuLfwot7tyJCbgU/6e82ed1g9EiFZXwW8x4ePClaAvrDozz0QGwlXgyY
1jBbFp/gYznhxTetVRHo5ug5SHZgD2Ye46TCoglHX0CprhkWwpKenoCEyfyjlHXH
uI+RPd46TlQfuK4bqURRpWvNWprXGqQ0ypFVW2JJgqLPBX0QS79gzqO++C8tRqQv
e16mqzBGNIre/8FOCBpV/Z61NgxqeYo2ndHxc9VTMiFXK/2v3TDK9AvYZ1/xEvwC
IRpC+qo870B5XT/ihC/KpYI4jgM2/pK/Mdez6Q4s5M6eeCBHAgw=
=J/a5
-----END PGP SIGNATURE-----
Lena at lena.kiev.ua
2018-Oct-06 17:35 UTC
[FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-18:12.elf
> Insufficient validation was performed in the ELF header parser, and malformed
> or otherwise invalid ELF binaries were not rejected as they should be.

What is invalid in the /usr/local/share/google-earth/googleearth-bin
binary of the port google-earth-7.1.5.1557,3 ?
FreeBSD 11.2-RELEASE-p4 Sep 27 GENERIC i386, the binary:
https://drive.google.com/file/d/1SgHk8ijSp2F9UcQGlx44psT832TdIEL0/view

~ $ googleearth
Invalid PT_INTERP
exec: ./googleearth-bin: Exec format error

~ $ readelf --program-headers /usr/local/share/google-earth/googleearth-bin

Elf file type is EXEC (Executable file)
Entry point 0x8048650
There are 8 program headers, starting at offset 52

Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
  PHDR           0x000034 0x08048034 0x08048034 0x00100 0x00100 R E 0x4
  INTERP         0x000134 0x08048134 0x08048134 0x00011 0x00011 R   0x1
      [Requesting program interpreter: /lib/ld-linux.so.2]
  LOAD           0x000000 0x08048000 0x08048000 0x007f4 0x007f4 R E 0x1000
  LOAD           0x000e74 0x08049e74 0x08049e74 0x001a0 0x001a8 RW  0x1000
  DYNAMIC        0x000e88 0x08049e88 0x08049e88 0x00168 0x00168 RW  0x4
  NOTE           0x000148 0x08048148 0x08048148 0x00044 0x00044 R   0x4
  GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RW  0x4
  GNU_RELRO      0x000e74 0x08049e74 0x08049e74 0x0018c 0x0018c R   0x1

 Section to Segment mapping:
  Segment Sections...
   00
   01     .interp
   02     .interp .note.ABI-tag .note.gnu.build-id .hash .dynsym .dynstr .gnu.version .gnu.version_r .rel.dyn .rel.plt .init .plt .text .fini .rodata .eh_frame
   03     .ctors .dtors .jcr .dynamic .got .got.plt .data .bss
   04     .dynamic
   05     .note.ABI-tag .note.gnu.build-id
   06
   07     .ctors .dtors .jcr .dynamic .got

~ $ ls -l /usr/local/share/google-earth/googleearth-bin
-r-xr-xr-x  1 root  wheel  5452 Sep 10  2016 /usr/local/share/google-earth/googleearth-bin

~ $ hd /usr/local/share/google-earth/googleearth-bin | less
00000000  7f 45 4c 46 01 01 01 00  00 00 00 00 00 00 00 00  |.ELF............|
00000010  02 00 03 00 01 00 00 00  50 86 04 08 34 00 00 00  |........P?..4...|
00000020  14 11 00 00 00 00 00 00  34 00 20 00 08 00 28 00  |........4. ...(.|
00000030  1b 00 1a 00 06 00 00 00  34 00 00 00 34 80 04 08  |........4...4?..|
00000040  34 80 04 08 00 01 00 00  00 01 00 00 05 00 00 00  |4?..............|
00000050  04 00 00 00 03 00 00 00  34 01 00 00 34 81 04 08  |........4...4?..|
00000060  34 81 04 08 11 00 00 00  11 00 00 00 04 00 00 00  |4?..............|
00000070  01 00 00 00 01 00 00 00  00 00 00 00 00 80 04 08  |.............?..|
00000080  00 80 04 08 f4 07 00 00  f4 07 00 00 05 00 00 00  |.?..?...?.......|
00000090  00 10 00 00 01 00 00 00  74 0e 00 00 74 9e 04 08  |........t...t?..|
000000a0  74 9e 04 08 a0 01 00 00  a8 01 00 00 06 00 00 00  |t?..?...?.......|
000000b0  00 10 00 00 02 00 00 00  88 0e 00 00 88 9e 04 08  |........?...??..|
000000c0  88 9e 04 08 68 01 00 00  68 01 00 00 06 00 00 00  |??..h...h.......|
000000d0  04 00 00 00 04 00 00 00  48 01 00 00 48 81 04 08  |........H...H?..|
000000e0  48 81 04 08 44 00 00 00  44 00 00 00 04 00 00 00  |H?..D...D.......|
000000f0  04 00 00 00 51 e5 74 64  00 00 00 00 00 00 00 00  |....Q?td........|
00000100  00 00 00 00 00 00 00 00  00 00 00 00 06 00 00 00  |................|
00000110  04 00 00 00 52 e5 74 64  74 0e 00 00 74 9e 04 08  |....R?tdt...t?..|
00000120  74 9e 04 08 8c 01 00 00  8c 01 00 00 04 00 00 00  |t?..?...?.......|
00000130  01 00 00 00 2f 6c 69 62  2f 6c 64 2d 6c 69 6e 75  |..../lib/ld-linu|
00000140  78 2e 73 6f 2e 32 00 00  04 00 00 00 10 00 00 00  |x.so.2..........|
00000150  01 00 00 00 47 4e 55 00  00 00 00 00 02 00 00 00  |....GNU.........|
00000160  06 00 00 00 0f 00 00 00  04 00 00 00 14 00 00 00  |................|
00000170  03 00 00 00 47 4e 55 00  ec f1 2d c9 13 9e 39 77  |....GNU.??-?.?9w|
00000180  54 45 91 3d e6 c5 0b ae  90 8a 6d 1a 03 00 00 00  |TE?=??.???m.....|
00000190  0b 00 00 00 09 00 00 00  04 00 00 00 0a 00 00 00  |................|
000001a0  00 00 00 00 00 00 00 00  01 00 00 00 00 00 00 00  |................|
000001b0  02 00 00 00 00 00 00 00  05 00 00 00 06 00 00 00  |................|
000001c0  07 00 00 00 08 00 00 00  03 00 00 00 00 00 00 00  |................|

The commit:
https://lists.freebsd.org/pipermail/svn-src-all/2018-September/170051.html

case PT_INTERP: /* Path to interpreter */ - if (phdr[i].p_filesz > MAXPATHLEN) { + if (phdr[i].p_filesz < 2 || + phdr[i].p_filesz > MAXPATHLEN) { uprintf("Invalid PT_INTERP\n"); error = ENOEXEC; interp = __DECONST(char *, imgp->image_header) + phdr[i].p_offset; + if (interp[interp_name_len - 1] != '\0') { + uprintf("Invalid PT_INTERP\n"); + error = ENOEXEC;
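Review bot: both new rejections in the PT_INTERP case print the identical "Invalid PT_INTERP" message, so a user reading the console cannot tell whether p_filesz fell outside [2, MAXPATHLEN] or whether the segment's final byte was not the terminating NUL; distinct messages, or including phdr[i].p_filesz in the uprintf, would make reports like the one above self-explanatory. The NUL check indexes interp[interp_name_len - 1], but the assignment of interp_name_len is not in the quoted fragment; confirm it is set from phdr[i].p_filesz before this point, because the new lower bound of 2 is what keeps that index from going below zero when p_filesz is 0. Applied to the readelf output above, the check reads byte 0x10 (FileSiz 0x11 minus one) of the segment at 0x134, which the hex dump shows is 0x2e ('.') at 0x144: the 18-character path plus its NUL occupies 0x13 bytes ending at 0x146, so a FileSiz of 0x11 does not cover the terminator and the segment is rejected.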
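The advisory's background section says the kernel must parse the ELF header to find the program interpreter, and the hunk quoted above shows the two conditions the fix imposes on a PT_INTERP segment. The following user-space checker, an added example that is not FreeBSD code and not from either post, applies the same two rules (p_filesz at least 2 and at most MAXPATHLEN, last byte of the segment a NUL) plus a bounds check that the segment lies within the file, so an operator can test a binary before the kernel does. It hand-declares the ELF32 field offsets rather than including <elf.h>, assumes MAXPATHLEN is 1024, and builds a constructed in-memory ELF image carrying the path /lib/ld-linux.so.2 from the readelf output above, with p_filesz chosen by the caller so both the well-formed and the short-by-two-bytes cases can be exercised.

```c
/* Added example: PT_INTERP sanity checker for 32-bit little-endian ELF images.
 * Not FreeBSD's loader; the rules mirror the quoted hunk. MAXPATHLEN assumed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EHDR_SIZE 52          /* sizeof(Elf32_Ehdr) */
#define PHDR_SIZE 32          /* sizeof(Elf32_Phdr) */
#define PT_INTERP 3
#define MAXPATHLEN_ASSUMED 1024   /* assumption: FreeBSD's MAXPATHLEN */

enum interp_status {
    INTERP_OK = 0,
    INTERP_NONE,            /* no PT_INTERP segment (statically linked) */
    INTERP_BAD_IMAGE,       /* not ELF32/LSB, or program headers outside the file */
    INTERP_BAD_SIZE,        /* p_filesz < 2 or > MAXPATHLEN: the hunk's first check */
    INTERP_OUT_OF_FILE,     /* p_offset + p_filesz runs past end of file */
    INTERP_NOT_TERMINATED   /* last byte is not NUL: the hunk's second check */
};

/* Endian-independent field readers/writers, so no struct layout is assumed. */
static uint16_t rd16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(unsigned char *p, uint16_t v) { p[0] = (unsigned char)v; p[1] = (unsigned char)(v >> 8); }
static void wr32(unsigned char *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (unsigned char)(v >> (8 * i)); }

/* Walk the program headers and validate the PT_INTERP segment, if any. */
enum interp_status check_pt_interp(const unsigned char *img, size_t len, const char **path)
{
    if (path) *path = NULL;
    if (len < EHDR_SIZE || memcmp(img, "\x7f" "ELF", 4) != 0 ||
        img[4] != 1 /* ELFCLASS32 */ || img[5] != 1 /* ELFDATA2LSB */)
        return INTERP_BAD_IMAGE;
    uint32_t phoff = rd32(img + 28);            /* e_phoff */
    uint16_t phentsize = rd16(img + 42);        /* e_phentsize */
    uint16_t phnum = rd16(img + 44);            /* e_phnum */
    if (phentsize != PHDR_SIZE || phoff > len || phnum > (len - phoff) / PHDR_SIZE)
        return INTERP_BAD_IMAGE;                /* overflow-safe table bounds check */
    for (uint16_t i = 0; i < phnum; i++) {
        const unsigned char *ph = img + phoff + (size_t)i * PHDR_SIZE;
        if (rd32(ph + 0) != PT_INTERP) continue;                /* p_type */
        uint32_t off = rd32(ph + 4), filesz = rd32(ph + 16);    /* p_offset, p_filesz */
        if (filesz < 2 || filesz > MAXPATHLEN_ASSUMED) return INTERP_BAD_SIZE;
        if (off > len || filesz > len - off) return INTERP_OUT_OF_FILE;
        if (img[off + filesz - 1] != '\0') return INTERP_NOT_TERMINATED;
        if (path) *path = (const char *)img + off;
        return INTERP_OK;
    }
    return INTERP_NONE;
}

/* Constructed sample: ELF header, one PT_INTERP header, then the path bytes.
 * Only the fields the checker reads are meaningful; the rest stay zero. */
size_t build_image(unsigned char *buf, size_t cap, const char *interp, uint32_t filesz)
{
    size_t slen = strlen(interp) + 1;           /* always store the path and its NUL */
    size_t total = EHDR_SIZE + PHDR_SIZE + slen;
    if (total > cap) return 0;
    memset(buf, 0, total);
    memcpy(buf, "\x7f" "ELF", 4);
    buf[4] = 1; buf[5] = 1; buf[6] = 1;         /* ELFCLASS32, ELFDATA2LSB, EV_CURRENT */
    wr16(buf + 16, 2);                          /* e_type = ET_EXEC */
    wr16(buf + 18, 3);                          /* e_machine = EM_386 */
    wr32(buf + 24, 0x08048650);                 /* e_entry, value from the readelf output */
    wr32(buf + 28, EHDR_SIZE);                  /* e_phoff: table follows the header */
    wr16(buf + 40, EHDR_SIZE);                  /* e_ehsize */
    wr16(buf + 42, PHDR_SIZE);                  /* e_phentsize */
    wr16(buf + 44, 1);                          /* e_phnum */
    unsigned char *ph = buf + EHDR_SIZE;
    wr32(ph + 0, PT_INTERP);
    wr32(ph + 4, EHDR_SIZE + PHDR_SIZE);        /* p_offset */
    wr32(ph + 16, filesz);                      /* p_filesz: the field under test */
    wr32(ph + 20, filesz);                      /* p_memsz */
    wr32(ph + 24, 4);                           /* p_flags = PF_R */
    wr32(ph + 28, 1);                           /* p_align */
    memcpy(buf + EHDR_SIZE + PHDR_SIZE, interp, slen);
    return total;
}

/* Build the sample with the given p_filesz and report how the checker classifies it. */
enum interp_status demo(uint32_t filesz)
{
    unsigned char img[256];
    size_t len = build_image(img, sizeof img, "/lib/ld-linux.so.2", filesz);
    const char *path;
    return check_pt_interp(img, len, &path);
}

int main(void)
{
    static const uint32_t sizes[] = { 19, 17, 1, 40 };
    static const char *names[] = { "ok", "no PT_INTERP", "bad image", "bad size",
                                   "out of file", "not NUL-terminated" };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++)
        printf("p_filesz=%u -> %s\n", (unsigned)sizes[i], names[demo(sizes[i])]);
    return 0;
}
```

The path is 18 characters, so p_filesz = 19 is the smallest value that covers the terminating NUL and passes; p_filesz = 17, the 0x11 shown by readelf for the binary above, fails the NUL-terminator rule because byte 16 of the segment is the '.' before "2". The table bounds check uses subtraction rather than addition so that a hostile e_phoff or p_filesz cannot wrap the arithmetic around and pass.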