[uWSGI] [SECURITY] patch for potential stack bypassing
Roberto De Ioris
2018-02-06 17:22:01 UTC
Hi everyone, the following patch (available for both 2.0 and 2.1) fixes
a potential security vulnerability reported yesterday:

https://github.com/unbit/uwsgi/commit/cb4636f7c0af2e97a4eef7a3cdcbd85a71247bfe

Any modern system should not be vulnerable thanks to out-of-the-box
protections like stack canary and friends. (basically if you pass a path
bigger than PATH_MAX, uWSGI will crash or will trigger a stack corruption
exception)

Albeit using it for some kind of useful attack seems very improbable, the
new approach is way more robust than the previous one as it checks for the
path size before calling realpath() too.
--
Roberto De Ioris
http://unbit.com
Etienne Robillard
2018-02-06 19:09:56 UTC
Thanks Roberto. :-)

Will you disclose the exploit to check my own server?

Does the patch apply cleanly to 2.0.15?

Is this a Python 3 bug?

Best regards,



Etienne
--
Etienne Robillard
***@yandex.com
https://www.isotopesoftware.ca/
Roberto De Ioris
2018-02-06 19:48:07 UTC
Post by Etienne Robillard
Thanks Roberto. :-)
Will you disclose the exploit to check my own server?
Hi, just run

uwsgi --ini path

with path bigger than 1024 bytes.

You should get a crash.

No, it is a uWSGI bug; it happens way before the Python VM is started.
Post by Etienne Robillard
Does the patch apply cleanly to 2.0.15?
Is this a Python 3 bug?
Best regards,
Etienne
--
Roberto De Ioris
http://unbit.com
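
The pattern described in this thread (check the path size before calling realpath()) can be sketched as follows. This is an added example, not code from the thread or from the uWSGI patch; the function name `expand_path_checked` and its signature are hypothetical.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* expose realpath() under strict -std= modes */
#endif
#include <errno.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>

#ifndef PATH_MAX
#define PATH_MAX 4096       /* assumption: fallback where limits.h omits it */
#endif

/* Hypothetical helper: resolve the `len`-byte string `path` (it need not be
 * NUL-terminated) into `out`, which holds `out_size` bytes.
 * Returns 0 on success, -1 with errno set on failure. */
int expand_path_checked(const char *path, size_t len, char *out, size_t out_size) {
    if (len == 0) { errno = EINVAL; return -1; }
    /* 1. Reject over-long input before any copy or realpath() call.
     *    PATH_MAX counts the terminating NUL, hence >=. */
    if (len >= PATH_MAX) { errno = ENAMETOOLONG; return -1; }

    /* 2. Copy into a heap buffer sized from the validated length,
     *    instead of a fixed-size buffer on the stack. */
    char *src = malloc(len + 1);
    if (!src) return -1;
    memcpy(src, path, len);
    src[len] = '\0';

    /* 3. realpath(src, NULL) (POSIX.1-2008) allocates the result itself. */
    char *resolved = realpath(src, NULL);
    free(src);
    if (!resolved) return -1;            /* errno set by realpath() */

    /* 4. Bound the copy into the caller's buffer as well. */
    size_t rlen = strlen(resolved);
    if (rlen + 1 > out_size) {
        free(resolved);
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(out, resolved, rlen + 1);
    free(resolved);
    return 0;
}
```

With this shape, an over-long path is refused with ENAMETOOLONG instead of relying on the stack canary to stop the process.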