alanfranz 5 hours ago
Is this really exploitable? Is stack smashing really still a thing on any modern platform?

alanfranz 5 hours ago
I'll answer myself: an RCE is very unlikely on any modern platform. DoS is possible. "Impact summary: A stack buffer overflow may lead to a crash, causing Denial of Service, or potentially remote code execution." From: https://openssl-library.org/news/secadv/20260127.txt

b1temy 5 hours ago
The link in the HN submission contains the same text and excerpt as your link. Additionally, they note: "While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk." IMO, in and of itself, this alone is probably not able to do much besides maybe a crash / Denial of Service on modern systems. But it might be usable as part of a more advanced exploit chain, alongside other vulnerabilities, to potentially reach remote code execution, though this would be a much more sophisticated exploit and is maybe a bit of a reach. Still, I hesitate to call it impossible on modern systems due to the creativity of exploit developers.

JohnLeitch 4 hours ago
> though this would be a much more sophisticated exploit and is maybe a bit of a reach.

Not necessarily. I have successfully exploited stack buffer overflows in major products despite stack canaries, ASLR, and DEP. It largely depends on context; if the vector is something that can be hit repeatedly, such as a webform that takes a cert or whatever, that simplifies things a lot versus something like a file format exploit, where you probably only get one chance. While I haven't analyzed this vulnerability, I would absolutely assume exploitability even if I couldn't see a way myself.

alanfranz 5 hours ago
You are right. I linked a differently formatted article with the same content. I don't know why I didn't initially notice that text.

woodruffw 5 hours ago
"Modern platform" is doing a lot of lifting; CMS and PKCS#7 rear their heads in all kinds of random places, like encryption/signing of OTA updates for routers. Those platforms are often (unreasonably) 10-20 years behind the norm for compile-time mitigations.

chc4 5 hours ago
OpenSSL is used by approximately everything under the sun. Some of those users will be vendors that use default compiler flags without stack cookies. A lot of IoT devices, for example, still don't have stack cookies for any of their software.

MajesticHobo2 4 hours ago
Yes, but it would likely have to be chained with other bugs - at minimum, something that gives you an info leak.

JohnLeitch 4 hours ago
It depends on what mitigations are in place and the arrangement of the stack. Even with stack canaries, having an unfortunate value on the stack, e.g. a function pointer, can still be quite dangerous if it can be overwritten without hitting any of the stack canaries.

buckle8017 5 hours ago
That depends on how aggressively the service is restarted.