xorl %eax, %eax

x86_64 UID/GIDs Truncation Bug

leave a comment »

A friend of mine send me a couple of days ago this link. Credits of course goes to Aurélien Jarno who discovered this nifty vulnerability. In GNU C Library (glibc) the data types for UID and GID are defined as:

typedef unsigned int gid_t;
typedef unsigned int uid_t;

As you might already know, on LP64 as well as LLP64 integer is 32 bits long. On the other hand, long on LP64 and LLP64 is 64 bits long. However, GLibC in some cases uses strtoul(3) to manipulate GID/UID variables. As you can see at its man page:

SYNOPSIS
       #include <stdlib.h>

       unsigned long int
       strtoul(const char *nptr, char **endptr, int base);

The function returns an unsigned long integer! This means that if an attacker is able to provide a UID or GID larger than 32 bits (which is allowed since strtoul() uses long) when the result will be stored to the uid_t or gid_t variables it will be truncated to fit to 32 bit boundary. If the attacker is able to give an ID of: 0xffffffff + 1 then the truncation will result in 0!!! Because the largest 32bit value is 0xffffffff so it will wrap around zero. Here is a dummy demonstration of this:

#include <stdio.h>
#include <sys/types.h>

int
main(void)
{
         uid_t uid = 0xffffffff + 1;
         printf("UID: %u\n", uid);
         return 0;
}

sh-3.2$ gcc uid.c -o uid
sh-3.2$ ./uid
UID: 0
sh-3.2$

The guy that reported this bug also demonstrated it by creating a user with UID of 2^32 (that is 4294967296 or if you like 0xFFFFFFFF) which acts exactly as the above sample code and leads to wrap around zero. This is not a critical vulnerability since unprivileged users in most cases cannot change their IDs. However, it is a nice idea for discovering similar truncation vulnerabilities for 64bit architectures.

Written by xorl

January 11, 2009 at 02:07

Posted in bugs

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s