Stack Clash - A New Vulnerability to Gain Illegal Root Access

Global security giant Qualys recently released a study stating that Linux and UNIX systems are riddled with holes that cyber criminals can easily exploit to gain root access.

It has been found that a miscreant can effortlessly pull off a 'Stack Clash', the name given to the attack since it can jump between adjacent stacks to infiltrate computers. Stack Clash is a vulnerability that targets the memory management of several operating systems, including Linux, OpenBSD, NetBSD, FreeBSD and Solaris, on i386 and amd64. Other operating systems may also be vulnerable to the attack, but they have yet to be tested. Attackers can corrupt memory and execute arbitrary code.

Qualys explains the vulnerability as follows: an application's stack, which holds short-term data in memory, sneaks into the memory of another area, termed the heap, which holds a large amount of information. If you manipulate the content on the heap by feeding carefully crafted data to the program, you can overwrite parts of the stack and hijack the flow of execution within the application. Alternatively, you can extend the stack down into the heap and tamper with important data structures.

Qualys further states that, if the program has root privileges during the attack, a cyber-criminal can take control of the whole system as an administrator via the trusted app. All these effects of Stack Clash were brought to light by Qualys only a month ago. It is interesting to note that the issue was first noted by a security researcher in 2005, and resurfaced in 2010 in the Xorg server that runs on Linux. Although the Linux team addressed and tried to rectify these issues on both occasions, products based on the OS are still riddled with security holes ripe for exploit. Addressing the issue, Jimmy Graham, director of product management at Qualys, said, "The concept isn't new, but this specific exploit is definitely new."

Qualys and Red Hat have already issued advisories on their respective pages to mitigate the attack. Red Hat has said that while mitigation is possible in the meantime by setting the hard RLIMIT_STACK and RLIMIT_AS of local users and remote services to a low value, this may cause performance issues, as it creates overlapping values in /proc/meminfo. However, this is unlikely to impact normal operations, and a patch to resolve these problems may be released at a later date.
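As an added example (not from the article, Qualys or Red Hat), the following small launcher applies that interim mitigation to a single service: it lowers the hard RLIMIT_STACK and RLIMIT_AS of the current process to caps given on the command line and then execs the service, which inherits them. The program name, caps and the sshd command line are constructed for illustration; caps are only ever lowered, because an unprivileged process cannot raise a hard limit, and a too-low RLIMIT_AS will stop a service from starting, which is the trade-off the advisory warns about.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/resource.h>
/* Limit to install: never above the current hard limit (an unprivileged
 * process cannot raise one), with the soft limit clamped to the new hard. */
struct rlimit cap_rlimit(struct rlimit cur, rlim_t cap)
{
    struct rlimit out = cur;
    if (cur.rlim_max == RLIM_INFINITY || cap < cur.rlim_max)
        out.rlim_max = cap;
    if (out.rlim_cur == RLIM_INFINITY || out.rlim_cur > out.rlim_max)
        out.rlim_cur = out.rlim_max;
    return out;
}

/* Lower one resource limit to at most `cap` bytes; 0 on success, -errno otherwise. */
int apply_cap(int resource, rlim_t cap)
{
    struct rlimit cur, want;
    if (getrlimit(resource, &cur) != 0)
        return -errno;
    want = cap_rlimit(cur, cap);
    if (setrlimit(resource, &want) != 0)
        return -errno;
    return 0;
}
/* Usage (constructed): stackclash-wrap 8388608 4294967296 /usr/sbin/sshd -D */
int main(int argc, char **argv)
{
    if (argc < 4) {
        fprintf(stderr, "usage: %s <stack-bytes> <as-bytes> <program> [args...]\n", argv[0]);
        return 2;
    }
    rlim_t stack_cap = (rlim_t)strtoull(argv[1], NULL, 10);
    rlim_t as_cap = (rlim_t)strtoull(argv[2], NULL, 10);
    int rc = apply_cap(RLIMIT_STACK, stack_cap);   /* caps how far the stack may grow */
    if (rc == 0)
        rc = apply_cap(RLIMIT_AS, as_cap);         /* caps total address space */
    if (rc != 0) {
        fprintf(stderr, "setrlimit failed: %s\n", strerror(-rc));
        return 1;
    }
    execvp(argv[3], argv + 3);                     /* the service inherits both limits */
    perror("execvp");
    return 1;
}
```

The same caps can be set persistently for local users through the hard stack and as entries in limits.conf; the launcher is for services that are started outside a login session.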

FAQ

Q: How can I protect my system from the Stack Clash?
A: The easiest and safest way to protect your system is to update it: we have been working with the affected vendors since the beginning of May, and by the time you read this, their patches and updates will be available.

Q: What are the risks posed by the Stack Clash?
A: The exploits and proofs of concept that we developed in the course of our research are all Local Privilege Escalations: an attacker who has any kind of access to an affected system can exploit the Stack Clash vulnerability and obtain full root privileges.

Q: Why is it called the Stack Clash?
A: The first step in exploiting this vulnerability is to collide, or clash, the stack with another memory region. Hence the name: the Stack Clash.

Q: What is the Stack Clash vulnerability, precisely?
A: Each program running on a computer uses a special memory region called the stack. This memory region is special because it grows automatically when the program needs more stack memory. But if it grows too much and gets too close to another memory region, the program may confuse the stack with the other memory region. An attacker can exploit this confusion to overwrite the stack with the other memory region or the other way around.

Q: How do I run and install clash using the stack?
A: The following commands should not be run in a directory containing a stack.yaml file. You can globally install clash using stack by:
$ stack setup --resolver=lts-8.12
$ stack install --resolver=lts-8.12 clash-ghc-0.7.1
Run from outside a project, using implicit global project config
...
Copied executables to /Users/baaijcpr/.local/bin:
- clash