Stack Clash vulnerability tears a hole in Linux and Unix OSes

Security firm Qualys has given us something else to worry about: a vulnerability called Stack Clash that lets a program's stack collide with a neighbouring memory region, putting an attacker in control of your computer and the bug into your nightmares.

“The Stack Clash is a vulnerability in the memory management of several operating systems. It affects Linux, OpenBSD, NetBSD, FreeBSD and Solaris, on i386 and amd64. It can be exploited by attackers to corrupt memory and execute arbitrary code,” explained Qualys.

“Qualys researchers discovered this vulnerability and developed seven exploits and seven proofs of concept for this weakness, then worked closely with vendors to develop patches. As a result, we are releasing this advisory today as a coordinated effort, and patches for all distributions are available June 19, 2017. We strongly recommend that users place a high priority on patching these vulnerabilities immediately.”

Sounds like a good idea to us. The vulnerability abuses the way the stack grows: the OS can be manipulated so that the stack runs into another memory region and one overwrites the other.

“Each program running on a computer uses a special memory region called the stack. This memory region is special because it grows automatically when the program needs more stack memory. But if it grows too much and gets too close to another memory region, the program may confuse the stack with the other memory region. An attacker can exploit this confusion to overwrite the stack with the other memory region, or the other way around,” added the firm.

“The first step in exploiting this vulnerability is to collide, or clash, the stack with another memory region. Hence the name: the Stack Clash.”
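As an added illustration of the "gets too close to another memory region" step described above (example code, not Qualys's code or any of its exploits): a check that parses a Linux /proc/&lt;pid&gt;/maps listing, finds the [stack] mapping and measures the unmapped gap between it and the nearest mapping below it. The maps text is constructed for the example; the 1 MiB figure is the stack_guard_gap default that Linux kernels patched for Stack Clash use in place of the earlier single 4 KiB guard page.

```python
import os
import re
PAGE = 4096
OLD_GUARD = PAGE         # pre-2017 Linux: a single guard page below the stack
NEW_GUARD = 256 * PAGE   # patched kernels: stack_guard_gap default of 1 MiB

# /proc/<pid>/maps fields: start-end perms offset dev inode [pathname]
MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+\S+\s+\S+\s+\S+\s+\S+\s*(.*)$")
def parse_maps(text):
    """Return (start, end, name) tuples for every mapping in maps-format text."""
    regions = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m:
            regions.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3)))
    return regions

def stack_gap(text):
    """Unmapped bytes between [stack] and the mapping a downward-growing stack would hit."""
    regions = parse_maps(text)
    stacks = [r for r in regions if r[2] == "[stack]"]
    if not stacks:
        raise ValueError("no [stack] mapping found")
    s_start = stacks[0][0]
    below = [r for r in regions if r[1] <= s_start and r[2] != "[stack]"]
    if not below:
        return None  # nothing mapped beneath the stack
    return s_start - max(r[1] for r in below)

def classify_gap(gap):
    """Label the gap against the old and new Linux guard sizes."""
    if gap is None:
        return "no neighbour"
    if gap < OLD_GUARD:
        return "clash"
    return "narrow" if gap < NEW_GUARD else "ok"

# Constructed sample: an anonymous mapping ends exactly one page below the stack.
SAMPLE_MAPS = """\
7ffff7a0d000-7ffff7bcd000 r-xp 00000000 08:01 5678 /lib/x86_64-linux-gnu/libc.so.6
7ffffffdc000-7ffffffdd000 rw-p 00000000 00:00 0
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0 [stack]
"""
if __name__ == "__main__":
    gap = stack_gap(SAMPLE_MAPS)
    print(f"sample: {gap} bytes below stack -> {classify_gap(gap)}")
    if os.path.exists("/proc/self/maps"):  # live check, Linux only
        with open("/proc/self/maps") as f:
            live = stack_gap(f.read())
        print(f"this process: {live} bytes below stack -> {classify_gap(live)}")
```

On an unpatched kernel the sample's 4 KiB gap was the whole safety margin, which is why it is reported as "narrow" rather than "ok".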

According to Qualys researchers, the issue affects a smorgasbord of *NIX systems, including Linux, OpenBSD, NetBSD, FreeBSD and Solaris. However, perhaps it isn't as bad as it seems.

“Our research has mainly focused on local exploitation: as of this writing on June 19, 2017, we do not know of any remotely exploitable application,” said Qualys.

“However, remote exploitation of the Stack Clash is not excluded; although local exploitation will always be easier, and remote exploitation will be very application-specific. The one remote application that we did investigate (the Exim mail server) turned out to be unexploitable by sheer luck.

“The easiest and safest way to protect your system is to update it: we have been working with the affected vendors since the beginning of May, and by the time you read this, their patches and updates will be available”.