Episode 170


Manage episode 335785232 series 2423058
Зроблено Alex Murray and Ubuntu Security Team і знайдено завдяки Player FM та нашій спільноті. Авторські права належать видавцю, а не Player FM, і аудіоматеріали транслюються безпосередньо з сервера видавця. Натисніть на кнопку Підписатися, щоб слідкувати за оновленнями в Player FM або скопіюйте і вставте посилання на канал до іншої програми для подкастів.


This week we’re diving down into the depths of binary exploitation and analysis, looking at a number of recent vulnerability and malware teardowns, plus we cover security updates for FreeType, PHP, ImageMagick, protobuf-c and more.

This week in Ubuntu Security Updates

22 unique CVEs addressed

[USN-5528-1] FreeType vulnerabilities [01:03]

[USN-5529-1] Linux kernel (OEM) vulnerabilities [01:22]

[USN-5530-1] PHP vulnerability [01:41]

  • 1 CVEs addressed in Jammy (22.04 LTS)
  • php-8.1 in 22.04 LTS - heap buffer overflow in finfo_buffer function - used to get info etc from a binary string - in the example in the upstream documentation shows using this function to get the MIME info of a $_POST parameter - so likely this is being used in a bunch of places on untrusted data - DoS/RCE

[USN-5532-1] Bottle vulnerability [02:34]

  • 1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS)
  • Python framework for building web-applications
  • Failed to handle errors properly - could allow a remote request to trigger an exception -> DoS

[USN-5533-1] Vim vulnerability [02:50]

  • 1 CVEs addressed in Xenial ESM (16.04 ESM)
  • Another OOB write in vim -> crash / RCE

[USN-5534-1] ImageMagick vulnerabilities [02:58]

  • 3 CVEs addressed in Xenial ESM (16.04 ESM)
  • Someone has been running ImageMagick via UBSAN - found a number of cases of possible UB - impact is not clear but could be possible to crash/RCE etc

[USN-5531-1] protobuf-c vulnerability [02:32]

  • 1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS)
  • Used to compile protobuf specification to C code along with a library which is then linked against that generated code to marshal/unmarshal protobuf’s
  • Invalid arithmetic shift - previous code would right shift signed values which is implementation defined - so depending on what compiler was used could have different behaviour - and thus result in code that would write outside of memory bounds etc - fixed by converting the code to cast to unsigned type before shifting so that the behaviour is known

Goings on in Linux Security Community

Introduction to x64 Linux Binary Exploitation by @ch0pin [04:24]

  • Great series of blog posts from earlier this year
  • Starts by creating a small program with a basic stack buffer overflow vulnerability
  • Then disables all the various hardening features which have been added to Ubuntu to then allow it to be easily exploited
  • Along the way explains memory layout, processor architecture etc to help understand the process of developing exploits
  • Further blog posts in the series then start to enable the various hardening features one-by-one and in the process walk through more detailed and complex techniques for defeating these
  • Great insight to the process - also includes good references along the way to other sources of documentation / information on related concepts

Part 1 - Basic Buffer Overflow

Part 2 - Return into libc

Part 3 - RoP gadgets and chain

Part 4 - Stack Canaries

Part 5 - ASLR overview and bypass technique

CVE-2022-20186 vulnerability + exploit walkthrough by Github [07:04]

  • https://github.blog/2022-07-27-corrupting-memory-without-memory-corruption/
  • Vulnerability in the ARM Mali GPU driver in the Android kernel
  • Walks through the code to give a good understanding of how memory pages are handled by the driver and then eventually how this can be exploited from userspace to overwrite arbitrary kernel memory due to an integer overflow bug
  • Even includes an exploit for Pixel 6 (patched with the June Pixel update from Google)
  • Interesting footnote about how the patch for the vuln was visible in the Android tree 2 weeks before the vulnerability was disclosed

A detailed technical teardown of Symbiote by @GeeksCyber [08:49]

The Utopic Tale of Ubuntu by the Linux User Space podcast [09:31]

  • https://www.linuxuserspace.show/302
  • Starts around 9:45 - covers every year of Ubuntu from 2004 through to now along with the major developments / highlights and some low-lights along the way
  • Great walk down memory lane / background for those new to Ubuntu
  • Not really security specific but is a great listen (beware goes for over 1.5 hours)

Get in contact

192 епізодів