CVE-2020-6096 - Integer Underflow (Wrap or Wraparound)

Severity

81%

Complexity

22%

Confidentiality

98%

An exploitable signed comparison vulnerability exists in the ARMv7 memcpy() implementation of GNU glibc 2.30.9000. Calling memcpy() (on ARMv7 targets that utilize the GNU glibc implementation) with a negative value for the 'num' parameter results in a signed comparison vulnerability. If an attacker underflows the 'num' parameter to memcpy(), this vulnerability could lead to undefined behavior such as writing to out-of-bounds memory and potentially remote code execution. Furthermore, this memcpy() implementation allows for program execution to continue in scenarios where a segmentation fault or crash should have occurred. The dangers occur in that subsequent execution and iterations of this code will be executed with this corrupted data.

An exploitable signed comparison vulnerability exists in the ARMv7 memcpy() implementation of GNU glibc 2.30.9000. Calling memcpy() (on ARMv7 targets that utilize the GNU glibc implementation) with a negative value for the 'num' parameter results in a signed comparison vulnerability. If an attacker underflows the 'num' parameter to memcpy(), this vulnerability could lead to undefined behavior such as writing to out-of-bounds memory and potentially remote code execution. Furthermore, this memcpy() implementation allows for program execution to continue in scenarios where a segmentation fault or crash should have occurred. The dangers occur in that subsequent execution and iterations of this code will be executed with this corrupted data.

CVSS 3.1 Base Score 8.1. CVSS Attack Vector: network. CVSS Attack Complexity: high. CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

CVSS 2.0 Base Score 6.8. CVSS Attack Vector: network. CVSS Attack Complexity: medium. CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P).

Demo Examples

Integer Underflow (Wrap or Wraparound)

CWE-191

The following example subtracts from a 32 bit signed integer.


               
}
return 0;

The example has an integer underflow. The value of i is already at the lowest negative value possible, so after subtracting 1, the new value of i is 2147483647.

Overview

First reported 4 years ago

2020-04-01 22:15:00

Last updated 4 years ago

2020-08-02 03:15:00

Affected Software

GNU glibc

References

https://sourceware.org/bugzilla/show_bug.cgi?id=25620

Issue Tracking, Third Party Advisory

https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1019

https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1019

Third Party Advisory

FEDORA-2020-d860479b2a

FEDORA-2020-4e92a61688

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.