CVE-2017-1000372
Published 2017-06-19
Priority P2 · 61 · CVSS 3.0 base score 9.8 (critical) · vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit available
EPSS: 3.96% (89.1th percentile)
A flaw exists in OpenBSD's implementation of the stack guard page that allows attackers to bypass it resulting in arbitrary code execution using setuid binaries such as /usr/bin/at. This affects OpenBSD 6.1 and possibly earlier versions.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| openbsd | openbsd | <= 6.1 | — |
Detection & IOCs (extracted from sources)
- Exploit abuses the setuid binary /usr/bin/at to perform a Stack Clash local privilege escalation; monitor for unexpected privilege escalation via at(1) invocations by non-root users.
- The exploit injects a malicious shared library that hooks readdir() via dlsym(RTLD_NEXT, "readdir"); monitor for unexpected LD_PRELOAD or dlsym usage in processes spawned by setuid binaries.
- The exploit uses a slowsort routine with a tuned STACK_FRAME_SIZE of 176 bytes and SET_KEYS of 4 to deliberately exhaust stack space and clash with the guard page; anomalous deep recursion in sort-like call stacks under at(1) is suspicious.
- The exploit targets OpenBSD 6.1 and possibly earlier versions only; the stack guard page bypass is specific to OpenBSD's mmap/stack layout.
- The NUMJOBS and STACK_FRAME_SIZE constants (176 bytes per frame) are tuned for a specific OpenBSD kernel/libc build; these values may need adjustment for other builds or patch levels.
CVSS provenance
- NVD, CVSS v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD, CVSS v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
No detection rules found.
No writeups or analysis indexed.
References
- http://www.securityfocus.com/bid/99172
- https://ftp.openbsd.org/pub/OpenBSD/patches/6.1/common/008_exec_subr.patch.sig
- https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt