A vulnerability was found in e2fsck when processing specially crafted directories

Vulnerability

e2fsck is a fsck tool belonging to the e2fsprogs package which maintains a set of utilities for maintaining the ext2, ext3 and ext4 file systems. Because these are generally the default file systems on Linux distributions, the e2fsprogs package is commonly considered essential software.

e2fsck is in charge of searching for and correcting inconsistencies in file systems on Linux. A vulnerability was recently found in this utility; it is already catalogued as CVE-2019-5188, and it was researcher Lilith from Cisco Talos who discovered this code execution vulnerability.

This vulnerability allows an attacker to execute code crafted for that purpose while the e2fsck utility scans a file system that contains the specially crafted directories.

The CVE-2019-5188 vulnerability is confirmed in e2fsprogs versions 1.43.3, 1.43.4, 1.43.5, 1.43.6, 1.43.7, 1.43.8, 1.43.9, 1.44.0, 1.44.1, 1.44.2, 1.44.3, 1.44.4, 1.44.5, 1.44.6, 1.45.0, 1.45.1, 1.45.2, 1.45.3 and 1.45.4.

The vulnerability is caused by a bug in the function mutate_name() in the file rehash.c, which is used when rebuilding the directory-related hash tables that map the names of all the files a directory contains.

About vulnerability CVE-2019-5188

In the researcher's report, it says that:

Within the directory implementation in ext2,3,4 are many data structures necessary to optimize the size of files on disk...

A code execution vulnerability exists in the directory change functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can damage a partition to activate this vulnerability.

Corrupting the directory-related structure hash_entry can let the attacker write to an area outside the allocated buffer.

If several files with the same name are found in a directory's hash table, the e2fsck utility renames the duplicates by appending ~0, ~1, etc. to the name. A 256-byte buffer is allocated on the stack as temporary storage for the new name while it is being mutated in this way.

The size of the copied data is determined by the expression "entry->name_len & 0xff", but the value of entry->name_len is loaded straight from the on-disk structure and is not computed from the actual size of the name.

If that size is zero, the array index used to write the suffix takes the value -1: the index underflows past the lower limit of the buffer (an integer overflow), and other data on the stack gets overwritten with the value "~0".
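As an added illustration of the defensive checks this bug calls for (example code written here, not code from e2fsprogs or from the Talos advisory), the following C shows an on-disk directory entry being validated before its name_len is trusted, and a "~0" renaming helper that refuses a zero length instead of indexing before its 256-byte buffer. The struct layout, the constant names and both function names are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NEW_NAME_SIZE 256   /* assumed size of the stack buffer in the text */
#define DIR_ENTRY_HDR 8     /* fixed header bytes before the name */

/* Minimal model of an ext2/3/4 directory entry header (assumed layout;
 * initializer order is inode, rec_len, name_len, file_type). */
struct dir_entry {
    uint32_t inode;     /* 0 means the slot is unused */
    uint16_t rec_len;   /* total entry length, 4-byte aligned */
    uint8_t  name_len;  /* on-disk, untrusted */
    uint8_t  file_type;
    /* name_len bytes of name follow, not NUL-terminated */
};

/* Validate an on-disk entry before any of its fields is used as a length
 * or index. `remaining` is the number of bytes left in the directory block
 * from this entry onward. Returns 1 if the entry is sane, 0 otherwise. */
int dir_entry_is_sane(const struct dir_entry *e, size_t remaining)
{
    if (remaining < DIR_ENTRY_HDR) return 0;
    if (e->rec_len < DIR_ENTRY_HDR || e->rec_len > remaining) return 0;
    if (e->rec_len & 3) return 0;      /* must be 4-byte aligned */
    if (e->inode == 0) return 1;       /* unused slot: no name to check */
    if (e->name_len == 0) return 0;    /* the zero length behind CVE-2019-5188 */
    if ((size_t)DIR_ENTRY_HDR + e->name_len > e->rec_len) return 0;
    return 1;
}

/* Build "<name>~0" in `out`, the way a duplicate would be renamed, but
 * refuse lengths that would index before or past the buffer. Returns the
 * new length, or 0 if the name cannot be renamed safely. */
size_t safe_suffix_name(const char *name, unsigned int name_len,
                        char *out, size_t out_size)
{
    unsigned int len = name_len & 0xff;  /* only the low byte is the length */

    if (len == 0) return 0;              /* suffix index would go negative */
    if ((size_t)len + 3 > out_size) return 0;  /* name + "~0" + NUL */

    memcpy(out, name, len);
    out[len] = '~';
    out[len + 1] = '0';
    out[len + 2] = '\0';
    return len + 2;
}
```

Call safe_suffix_name only on entries that pass dir_entry_is_sane; with a NEW_NAME_SIZE buffer the longest name it will rename is 253 bytes.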

On 64-bit systems, exploiting the vulnerability is considered unlikely, and it requires that no stack size restriction be in place (ulimit -s unlimited).

On 32-bit systems, exploitation is considered possible, but the outcome depends largely on how the compiler built the executable.

To carry out an attack, an attacker needs to corrupt the data on an ext2, ext3 or ext4 file system partition in a specific way.

Given that this operation requires superuser privileges, the vulnerability mainly poses a threat when the e2fsck utility checks external drives or file system images received from outside.

It is important to mention that this vulnerability cannot be exploited remotely; it is limited to local exploitation, since the attacker must have authentication credentials and successfully authenticate to the system.

The discovery of the vulnerability was published on the first day of this year and the advisory was shared with the community. The researcher who discovered it has not shared the technical details or an exploit publicly. The vulnerability was fixed in the e2fsck 1.45.5 update.

At the moment, the problem remains unfixed in the following distributions (Debian, Ubuntu, Arch Linux, SUSE / openSUSE, RHEL), even though the report was made more than a week ago.

If you want to know more about the vulnerability, you can find the information and details by following the link below.
