Time for an Arm-twist! CVE-2023-4039 Tom Hebb (Meta red team) and I discovered an 0day in GCC (for AArch64 targets) during my Arm exploitation training. It renders stack canaries against overflows of dynamically-sized variables useless. developer.arm.com/Arm%20Securi... - ThreadSky

About ThreadSky

azeria-labs.com • 538 days ago

Time for an Arm-twist! CVE-2023-4039

Tom Hebb (Meta red team) and I discovered an 0day in GCC (for AArch64 targets) during my Arm exploitation training.

It renders stack canaries against overflows of dynamically-sized variables useless.

https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64

Comments

azeria-labs.com•538 days ago

CVE-2023-4039: “GCC's -fstack-protector fails to guard dynamic stack allocations on ARM64”

On AArch64 targets, GCC's stack smashing protection does not detect or defend against overflows of dynamically-sized local variables.

Affecting all versions of GCC for AArch64 targets.

azeria-labs.com•538 days ago

> GCC’s stack protection feature (aka canary) is an exploit mitigation to prevent buffer overflows from overwriting saved registers on the stack to take control over the program flow. It makes exploitation much harder. You often need an additional bug to bypass this mitigation.

azeria-labs.com•538 days ago

The issue: When targeting AArch64, this mitigation didn’t protect saved registers from overflows in C99-style dynamically allocated local variables and alloca() objects.

azeria-labs.com•538 days ago

Impact: Basically, any AArch64 software compiled with GCC & the stack protection feature (flag -fstack-protector) that is vulnerable to buffer overflows via dynamically-sized variables can be exploited without bypassing this exploit mitigation.

azeria-labs.com•538 days ago

If you want to reproduce this bug with the PoC from the advisory on your x86/64 machine, here’s how:

azeria-labs.com•538 days ago

Check out Tom’s great write-up for more details: https://rtx.meta.security/mitigation/2023/09/12/CVE-2023-4039.html

Posting Rules

Be respectful to others
No spam or self-promotion
Stay on topic
Follow Bluesky's terms of service

Comments

Posting Rules

Reply