CVE-2017-1000375
Published 2017-06-19

Priority: P2 · 68 · critical · 9.8 (CVSS 3.0)
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public PoC available
EPSS: 18.92% (96.9th percentile)
NetBSD maps the run-time link-editor ld.so directly below the stack region, even if ASLR is enabled; this allows attackers to more easily manipulate memory, leading to arbitrary code execution. This affects NetBSD 7.1 and possibly earlier versions.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| netbsd | netbsd | <= 7.1 | — |
Detection & IOCs (extracted from sources)
- ld.so is mapped directly below the stack region on NetBSD even with ASLR enabled, enabling stack-clash style memory manipulation; monitor for processes where the ld.so mapping is contiguous with or immediately below the stack segment.
- The PoC exploit triggers deep recursive stack growth via repeated 1024-byte stack buffer allocations (smash_no_jump) to clash the stack into the ld.so mapping; detect abnormally deep recursion or stack exhaustion events on NetBSD 7.1 systems.
- The PoC disables core dumps via setrlimit(RLIMIT_CORE) before exploitation; monitor for processes that set RLIMIT_CORE to zero immediately prior to large stack allocation activity.
- The vulnerability affects NetBSD 7.1 and possibly earlier versions; ASLR being enabled does NOT mitigate this issue on affected versions.
CVSS provenance
- NVD, CVSS v3.0: 9.8 CRITICAL (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- NVD, CVSS v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
No detection rules found.
No writeups or analysis indexed.