How To Patch and Protect Linux Kernel Stack Clash Vulnerability CVE-2017-1000364

A very serious security problem has been found in the Linux kernel called “The Stack Clash.”

The Qualys Research Labs discovered various problems in the dynamic linker of the GNU C Library (CVE-2017-1000366) which allow local privilege escalation by clashing the stack including Linux kernel. This bug affects Linux, OpenBSD, NetBSD, FreeBSD and Solaris, on i386 and amd64. It can be exploited by attackers to corrupt memory and execute arbitrary code.

An attacker could leverage this with another vulnerability to execute arbitrary code and gain administrative/root account privileges.




  1. Tomi Engdahl says:

    Stack Clash flaws blow local root holes in loads of top Linux programs

    We knew about this in 2005. And 2010. And people are still building without -fstack-check

    Essentially, it’s possible to pull off a “Stack Clash” attack in various tools and applications to hijack the whole system, a situation that should have been prevented long ago.

  2. Tomi Engdahl says:

    Serious privilege escalation bug in Unix OSes imperils servers everywhere
    “Stack Clash” poses threat to Linux, FreeBSD, OpenBSD, and other OSes.

    Not closed after all
    Stack Clash vulnerabilities have slowly gained widespread awareness, first in 2005 with the findings of security researcher Gaël Delalleau and five years later with the release of a Linux vulnerability by researcher Rafal Wojtczuk. Linux developers introduced a protection that was intended to prevent stack clashes, but today’s research demonstrates that it’s relatively easy for attackers to bypass that measure.
    The primary proof-of-concept attack developed by Qualys exploits a vulnerability indexed as CVE-2017-1000364. Qualys researchers also developed attacks that use Stack Clash to exploit separate vulnerabilities, including CVE-2017-1000365 and CVE-2017-1000367. For example, when combined with CVE-2017-1000367, a recently fixed flaw in Sudo also discovered by Qualys, local users can exploit Sudo to obtain full root privileges on a much wider range of OSes. Qualys has so far been unable to make the exploits remotely execute code.

  3. Tomi Engdahl says:

    The Stack Clash

    What is the Stack Clash?

    The Stack Clash is a vulnerability in the memory management of several operating systems. It affects Linux, OpenBSD, NetBSD, FreeBSD and Solaris, on i386 and amd64. It can be exploited by attackers to corrupt memory and execute arbitrary code.

    Qualys researchers discovered this vulnerability and developed seven exploits and seven proofs of concept for this weakness, then worked closely with vendors to develop patches. As a result we are releasing this advisory today as a coordinated effort, and patches for all distributions are available June 19, 2017. We strongly recommend that users place a high priority on patching these vulnerabilities immediately.

    Is it a new vulnerability?

    The idea of clashing the stack with another memory region is not new: it was exploited a first time in 2005 and a second time in 2010. After the 2010 exploit, Linux introduced a protection against such exploits: the so-called stack guard-page. Today, we show that stack clashes are widespread and exploitable despite the stack guard-page protection.

    Am I affected by the Stack Clash?

    If you are using Linux, OpenBSD, NetBSD, FreeBSD, or Solaris, on i386 or amd64, you are affected. Other operating systems and architectures may be vulnerable too, but we have not researched any of them yet: please refer to your vendor’s official statement about the Stack Clash for more information.

    What are the risks posed by the Stack Clash?

    The exploits and proofs of concept that we developed in the course of our research are all Local Privilege Escalations: an attacker who has any kind of access to an affected system can exploit the Stack Clash vulnerability and obtain full root privileges.
    Is it exploitable remotely?

    Our research has mainly focused on local exploitation: as of this writing on June 19, 2017, we do not know of any remotely exploitable application. However, remote exploitation of the Stack Clash is not excluded; although local exploitation will always be easier, and remote exploitation will be very application-specific. The one remote application that we did investigate (the Exim mail server) turned out to be unexploitable by sheer luck.

  4. Tomi Engdahl says:

    Lucian Constantin / The New Stack:
    “Stack Clash” memory management flaw found in Linux, BSD, Solaris, allows privilege escalation to root; patches are available

    Linux Servers at Risk of Compromise from ‘Stack Clash’ Memory Corruption Flaw

    An important memory corruption defense in Linux, OpenBSD, NetBSD, FreeBSD and Solaris can be bypassed by attackers to obtain root privileges and take complete control of affected systems.

    The issue was discovered by researchers from security vendor Qualys and has been dubbed “Stack Clash” because it involves “clashing” the stack with another memory region, such as the heap. It was publicly disclosed Monday, in coordination with operating system maintainers who released patches for the vulnerability.

    The security implications of overrunning the stack into another memory region have been known for at least 12 years. Security researcher Gaël Delalleau described the problem in a presentation at the CanSecWest security conference in 2005

    In response to these previous exploits, the Linux kernel developers added a protection mechanism called the stack guard page. This is a 4KB-large memory page that’s mapped below the stack — the stack grows down and the heap grows up — and writing to it during sequential overwrites should trigger a segmentation fault.

    “The problem with this approach, as Qualys discovered, is that in cases where stack memory allocation can be controlled in certain non-sequential manners, it is possible to jump the stack guard page and manipulate adjacent memory regions,” said via email Carsten Eiram, the chief research officer at vulnerability intelligence firm Risk Based Security.

    The Qualys researchers wrote seven proof-of-concept exploits that take advantage of the vulnerability through user-space applications to obtain full root privileges.

    “The one remote application that we did investigate (the Exim mail server) turned out to be unexploitable by sheer luck,”

    Qualys’ Stack Clash vulnerability is tracked as CVE-2017-1000364, but the company’s researchers also found some related vulnerabilities: CVE-2017-1000365 and CVE-2017-1000367.

    The Qualys researchers and Risk Based Security advise system administrators to deploy patches for the Stack Clash vulnerability as soon as possible, as the risk of local privilege escalation to root is high.

    The Stack Clash


Leave a Comment

Your email address will not be published. Required fields are marked *