CVE-2024-33602: nscd netgroup cache corruption exposes sensitive information in memory

The Common Vulnerabilities and Exposures (CVE) project has recently assigned the identifier CVE-2024-33602 to a critical security vulnerability discovered in the Name Service Cache Daemon's (nscd) netgroup cache. This post provides an in-depth analysis of the vulnerability, its exploit details, and original references. By understanding this vulnerability, system administrators, and developers can take appropriate steps to mitigate the risk.

Background

The Name Service Cache Daemon (nscd) is a Unix-like operating system daemon, that is used to improve the performance of the system's database lookups for various services, such as user and group management. The netgroup cache is a crucial aspect of nscd, which enables caching query results and quickly analyzing them.

However, it has been discovered that the nscd netgroup cache can corrupt memory when the Name Service Switch (NSS) callback does not store all strings in the provided buffer. This flaw was introduced in glibc 2.15 when the cache was added to nscd. It is important to note that the vulnerability is only present in the nscd binary.

Exploit Details

The vulnerability, detected as CVE-2024-33602, occurs when the nscd netgroup cache assumes that the NSS callback uses in-buffer strings. As a result, memory corruption may occur, leading to unintended exposure of sensitive information in the affected process's memory. This issue can be exploited by a local user to gain unauthorized read access to sensitive data or potentially elevate their permissions on the system.

The code snippet below demonstrates the issue

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NETGROUP_BUF_SIZE 256

void nss_callback(char *buf, size_t bufsz) {
  static const char *dummy_str = "dummy";
  if (bufsz < (sizeof(char *) + 1)) {
    printf("Insufficient buffer size. Exiting...\n");
    exit(1);
  } else {
    memcpy(buf, &dummy_str, sizeof(char *));
    buf[sizeof(char *)] = '\';
  }
}

int main(int argc, char *argv[]) {
  char buf[NETGROUP_BUF_SIZE];
  nss_callback(buf, NETGROUP_BUF_SIZE);

  printf("Injected string: %s\n", *(char **)buf);

  return ;
}

Here, the nss_callback function is supposed to store all strings in the provided buffer buf, but it stores a pointer to a static string dummy_str instead. When the nscd netgroup cache accesses this static string, memory corruption can occur, exposing sensitive information or potentially allowing unauthorized access.

References

The full details of the vulnerability, its history, and patches can be found on the following websites:

1. The GNU C Library (glibc) Project: The official website of the glibc project, containing the latest source code, documentation, and software releases.
2. glibc 2.15 Release Announcement: The mailing list announcement for the release of glibc 2.15, introducing the cache to nscd.
3. CVE-2024-33602 in the National Vulnerability Database (NVD): The NVD entry detailing the vulnerability, its impacts, and associated Common Vulnerability Scoring System (CVSS) scores.

Conclusion

CVE-2024-33602 is a critical security vulnerability present in the netgroup cache of the nscd binary. It occurs due to the assumption that the NSS callback stores all strings in the provided buffer. This flaw is present since glibc 2.15 when the cache was added to nscd. A local user exploiting this vulnerability can unlawfully access sensitive information or potentially escalate their permissions.

To protect against this vulnerability, system administrators should ensure they are using a version of glibc that has the necessary security patches applied and regularly update their software. Additionally, developers using NSS callbacks should validate and sanitize all inputs to prevent exposing sensitive information through memory corruption.

Stay informed about security vulnerabilities by following trusted sources like the National Vulnerability Database (NVD) and the Common Vulnerabilities and Exposures (CVE) project. Act promptly to apply security patches and mitigate any risks associated with identified vulnerabilities.

Timeline

Published on: 05/06/2024 20:15:11 UTC
Last modified on: 07/22/2024 18:15:03 UTC