Does there exist any real source code that exploits a compiler vulnerability? I mean code that during compilation causes a buffer overflow in the compiler resulting in execution of arbitrary code.

When someone tries to compile that source code using a particular compiler version the compilation results in some exploit that infects the target machine.

I'm not searching for toy examples or just research papers, but actually for something documented that affected at least some machine with a real payload.

I know theoretically that this is possible, but I'm curious if this has ever been a real issue for someone.

Asked by CoffeDeveloper, edited by mr.spuratic.

Comments:

  • Probably because it's a low-reward/high-complexity attack, without a privilege boundary to cross (though it does cross a data boundary). While it would almost certainly pass unnoticed on inspection, the same could be said about 85kloc `configure` scripts... (PHP, I'm looking at you) – mr.spuratic Oct 20 '15 at 12:48
  • I suspected something similar. Thanks :) Also I think with all cloud-based and online compiler services, it could actually become a high-reward attack (think about all Continuous Integration services) – CoffeDeveloper Oct 20 '15 at 14:24
  • Related: [In Visual Studio, what are the risks of simply opening an untrusted project? What are the mitigations?](http://security.stackexchange.com/q/41598/396) – makerofthings7 Oct 20 '15 at 16:43
  • Also related: [Modifications can and have been made to compilers](http://www.c2.com/cgi/wiki?TheKenThompsonHack) to compile in backdoors into the code they are compiling. Furthermore, if the compiler is [self-hosting](https://en.wikipedia.org/wiki/Self-hosting), then the associated code in the compiler can be removed from its source and the binary can inject it every time it compiles itself. – ESultanik Mar 29 '16 at 18:14

1 Answer

Yes, take a look at the change log of gcc, llvm, etc., although practical examples are rare. IIRC I have seen at least two practical PoCs; one was for Java and the other a C compiler. If you extend the concept of compilation to include JIT, you can find many more examples in JavaScript, Ruby or the PHP engine, to mention some.

There is also the issue of compilers introducing vulnerabilities into the compiled binary that do not exist in the source code, through optimization. The first example that comes to mind is this Linux kernel exploit from a few years back where compiler optimization removed a check that would have prevented the vulnerability in the first place.

CERT covers various examples of code that may get optimized into being insecure over here.

Answered by wireghoul, edited by multithr3at3d.
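The "optimization removes a check" class the answer refers to can be shown in a few lines. The following is an added, constructed example (not code from the question, the answer, or any kernel source) of a NULL check that an optimizing compiler is permitted to delete because a dereference precedes it, next to the form a reviewer should insist on; `struct sock`, `poll_unsafe` and `poll_safe` are hypothetical names.

```c
#include <stddef.h>
#include <stdio.h>

struct sock { int flags; };   /* constructed stand-in for a real object */

/* Vulnerable pattern: `s` is dereferenced before it is checked. Because
 * dereferencing NULL is undefined behaviour, an optimizing compiler may
 * assume `s` is non-NULL at the `if` and drop the check entirely, so the
 * binary no longer contains the guard the source appears to have. */
int poll_unsafe(struct sock *s) {
    int flags = s->flags;     /* dereference first ...             */
    if (!s)                   /* ... then a check the compiler may remove */
        return -1;
    return flags;
}

/* Hardened form: validate before any dereference. No undefined behaviour
 * precedes the check, so the compiler has no licence to delete it. */
int poll_safe(const struct sock *s) {
    if (s == NULL)
        return -1;
    return s->flags;
}

/* Helper for checking behaviour on a valid object (never pass NULL to
 * poll_unsafe: that is exactly the NULL dereference being described). */
int both_agree_on_valid(int value) {
    struct sock sk = { .flags = value };
    return poll_safe(&sk) == value && poll_unsafe(&sk) == value;
}

int main(void) {
    printf("poll_safe(NULL) = %d\n", poll_safe(NULL));      /* -1 */
    printf("valid agree     = %d\n", both_agree_on_valid(0x11));
    return 0;
}
```

To see the elimination for yourself, build `poll_unsafe` with `-O2` and inspect it with `objdump -d`: the compare against zero is gone. GCC's `-fno-delete-null-pointer-checks` is the mitigation switch that forbids this particular optimization, but the real fix is the ordering shown in `poll_safe`.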