From 2151dff36540415a2e008a3ed509f8d5b6dc9d13 Mon Sep 17 00:00:00 2001
From: GwanYeong Kim
Date: Thu, 1 Feb 2024 19:32:38 +0900
Subject: [PATCH] Create CVE-2023-6246.yaml

A heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when the openlog function was not called, or called with the ident argument set to NULL, and the program name (the basename of argv[0]) is bigger than 1024 bytes, resulting in an application crash or local privilege escalation. This issue affects glibc 2.36 and newer.

Signed-off-by: GwanYeong Kim
---
 code/cves/2023/CVE-2023-6246.yaml | 35 +++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)
 create mode 100644 code/cves/2023/CVE-2023-6246.yaml

diff --git a/code/cves/2023/CVE-2023-6246.yaml b/code/cves/2023/CVE-2023-6246.yaml
new file mode 100644
index 0000000000..5eeeef9bcd
--- /dev/null
+++ b/code/cves/2023/CVE-2023-6246.yaml
@@ -0,0 +1,35 @@ +id: CVE-2023-6246 + +info: + name: glibc's syslog - Local Privilege Escalation + author: gy741 + severity: high + description: | + A heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when the openlog function was not called, or called with the ident argument set to NULL, and the program name (the basename of argv[0]) is bigger than 1024 bytes, resulting in an application crash or local privilege escalation. This issue affects glibc 2.36 and newer. + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2023-6246 + - https://www.qualys.com/2024/01/30/cve-2023-6246/syslog.txt + classification: + cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + cvss-score: 7.8 + cve-id: CVE-2023-6246 + cwe-id: CWE-787 + cpe: cpe:2.3:a:gnu:glibc:*:*:*:*:*:*:*:* + metadata: + max-request: 1 + vendor: glibc + tags: cve,cve2023,code,glibc,linux,privesc,local + +self-contained: true +code: + - engine: + - sh + - bash + source: | + (exec -a "`printf '%0128000x' 1`" /usr/bin/su < /dev/null) + echo $? + + matchers: + - type: word + words: + - "127" # Segmentation Fault Exit Code
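Review bot: the matcher at the end of the hunk (`words: - "127" # Segmentation Fault Exit Code`) checks for the wrong status and will both miss real crashes and produce false positives. In bash, `127` is the "command not found" status, so the template fires on any host where `/usr/bin/su` is missing or not on the path, regardless of the glibc version; a process terminated by SIGSEGV is reported by the shell as 128+11 = `139`, which is what `echo $?` prints after the `(exec -a ... /usr/bin/su < /dev/null)` subshell is killed. Suggest matching on `"139"` and fixing the comment to say "128 + SIGSEGV", and, because a `word` matcher substring-matches the whole output, consider an exact comparison (for example a `dsl` matcher comparing the trimmed output to `139`) or a `condition: and` with a negative word matcher on `"127"` so an absent `su` binary is not reported as vulnerable. Separately, the `name` and `privesc` tag advertise local privilege escalation while the check only demonstrates the crash described in the `description`; the template should say that a crash is used as the indicator of the vulnerable glibc (2.36 and newer, unpatched), since a non-crashing confirmation such as the installed glibc version would be the safer signal for a scanner that runs against production hosts.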