Iconv, set the charset to RCE: Exploiting the glibc to hack the PHP engine


A few months ago, I stumbled upon a 24-year-old buffer overflow in the glibc, the base library for Linux programs. Despite being reachable in multiple well-known libraries and executables, it proved rarely exploitable — while it didn't provide much leeway, it required hard-to-achieve preconditions. Looking for targets led mainly to disappointment. On PHP, however, the bug shone, and proved useful in exploiting its engine in two different ways.

Blindly grepping for iconv() calls in libraries and binaries, going through the open source ecosystem in search of a triggerable instance of the bug, I was desperately looking for a crash. Since we have access to binaries using the file read, we could build fancy ROP chains, but we want something as generic as possible; I therefore set custom_heap._free to system, allowing us to run an arbitrary bash command, in a CTF fashion.
