CVE-2013-4788 - Eglibc PTR_MANGLE vulnerability

Authors: Hector Marco, Ismael Ripoll
CVE: CVE-2013-4788
Dates: March 2013 - Discovered the vulnerability

Description
This vulnerability was discovered in March 2013 during the development of the RAF SSP technique. The glibc weakness lets an attacker who already controls a common memory error, such as a buffer overflow, redirect the execution flow and potentially execute arbitrary code.

Impact
Affects all statically linked applications built against glibc or eglibc, regardless of the operating system distribution. Because the library code is embedded in each binary, fixing it requires not only patching eglibc but also recompiling every static executable. Many routers, embedded systems and similar devices that rely on statically linked applications are therefore vulnerable.

Vulnerability
Caused by glibc failing to initialize the "pointer guard" when it generates statically compiled executables; dynamically linked programs are not affected. The pointer guard is a per-process secret used to mangle the content of sensitive pointers, so if its value is zero the mangling is no longer a secret transformation and provides no protection. Functions such as setjmp() and longjmp() rely on the PTR_MANGLE and PTR_DEMANGLE macros to protect the saved pointer values in the jmp_buf. With a zero guard, an attacker can easily calculate the mangled form of a target address and overwrite the "env" structure (the jmp_buf) with that pre-computed value, so that the next longjmp() transfers control to the chosen address.

Exploit
The proof of concept redirects the execution flow to a function that spawns a shell. The exploit can be compiled for the i386, x86_64 and ARM architectures.

Fix
Patching eglibc alone is not sufficient; all static executables must be recompiled against the fixed library. A non-official patch is provided for eglibc 2.17. Upstream glibc addressed the issue in the 2.18 release.

Discussion
The PTR_MANGLE protection is ineffective in statically linked binaries, so the goal of the protection technique is not achieved for them. The number of potentially affected systems could be huge.
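To make concrete why a zero pointer guard defeats pointer mangling, the following is an added example written for this page; it is not the advisory's proof of concept nor glibc code. It models glibc's x86_64 PTR_MANGLE / PTR_DEMANGLE arithmetic (xor with the guard, then rotate left by 17; the inverse on demangle) in plain C, and uses a simplified stand-in for a jmp_buf on the stack (a character buffer followed by one mangled saved-PC slot). The struct layout, the function names fake_shell, benign_target, run_victim and build_payload, and the non-zero guard constant are all assumptions of the example; the real jmp_buf layout differs.

```c
/* Added example, modeled after glibc's x86_64 PTR_MANGLE/PTR_DEMANGLE.
 * Not the advisory's PoC. Shows that with guard == 0 an attacker can
 * pre-compute the "mangled" form of any target, while a secret non-zero
 * guard makes the same payload land on a useless address. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ROT 17  /* glibc x86_64 uses rol/ror by 2*LP_SIZE+1 = 17 */

static uint64_t rol64(uint64_t v, unsigned n) { return (v << n) | (v >> (64 - n)); }
static uint64_t ror64(uint64_t v, unsigned n) { return (v >> n) | (v << (64 - n)); }

/* PTR_MANGLE: xor with the pointer guard, then rotate left. */
uint64_t ptr_mangle(uint64_t ptr, uint64_t guard) { return rol64(ptr ^ guard, ROT); }

/* PTR_DEMANGLE: rotate right, then xor with the pointer guard. */
uint64_t ptr_demangle(uint64_t m, uint64_t guard) { return ror64(m, ROT) ^ guard; }

/* Attacker's pre-computation: assumes the guard is zero, as in a vulnerable
 * static binary, so the mangled slot is simply the rotated target address. */
uint64_t attacker_forge(uint64_t target) { return ptr_mangle(target, 0); }

/* Simplified stand-in for a jmp_buf placed right after a stack buffer
 * (assumed layout for the example, not the real jmp_buf). */
struct victim_frame {
    char     name[16];          /* overflowable buffer */
    uint64_t saved_pc_mangled;  /* the slot setjmp() would fill with a mangled PC */
};

static int shell_spawned;
void fake_shell(void) { shell_spawned = 1; }  /* stands in for the PoC's shell function */
void benign_target(void) { }
int  shell_was_spawned(void) { return shell_spawned; }

/* Build the overflow payload: 16 filler bytes, then the forged mangled slot
 * in host byte order (the same order memcpy() writes it back into the struct). */
size_t build_payload(unsigned char *out, size_t cap, uint64_t target)
{
    uint64_t forged = attacker_forge(target);
    if (cap < sizeof(struct victim_frame)) return 0;
    memset(out, 'A', 16);
    memcpy(out + 16, &forged, sizeof forged);
    return sizeof(struct victim_frame);
}

/* Simulated victim: "setjmp" stores benign_target mangled with the process
 * guard, a copy with no length check overflows `name` into the slot, and the
 * "longjmp" demangles the slot and transfers control there.
 * Returns the address control would go to. */
uint64_t run_victim(uint64_t guard, const unsigned char *payload, size_t len)
{
    struct victim_frame f;
    f.saved_pc_mangled = ptr_mangle((uint64_t)(uintptr_t)benign_target, guard);
    memcpy(&f, payload, len > sizeof f ? sizeof f : len);  /* the overflow */
    uint64_t pc = ptr_demangle(f.saved_pc_mangled, guard);
    if (pc == (uint64_t)(uintptr_t)fake_shell) fake_shell();
    return pc;
}

int main(void)
{
    unsigned char payload[sizeof(struct victim_frame)];
    uint64_t target = (uint64_t)(uintptr_t)fake_shell;
    size_t n = build_payload(payload, sizeof payload, target);

    /* Static binary with uninitialized guard (zero): attacker wins. */
    uint64_t pc0 = run_victim(0, payload, n);
    printf("guard=0      -> pc %s target, shell_spawned=%d\n",
           pc0 == target ? "==" : "!=", shell_was_spawned());

    /* Properly initialized secret guard (assumed value): same payload misses. */
    uint64_t guard = 0x5a3c9e1b7d2f0461ULL;
    uint64_t pc1 = run_victim(guard, payload, n);
    printf("guard=secret -> pc %s target\n", pc1 == target ? "==" : "!=");
    return 0;
}
```

The demangle of the forged slot under a non-zero guard evaluates to target ^ guard, so it can only equal the target when the guard is zero; that is exactly the property the uninitialized guard in static binaries throws away.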