CVE-2022-23219 - How a Deprecated glibc Function Opened the Door to Buffer Overflows

The GNU C Library, better known as glibc, is a core part of almost every Linux system. It handles all sorts of important behind-the-scenes work—memory allocation, string manipulation, network communication, and more. But sometimes even this mature, widely used project has flaws. One such security bug, tracked as CVE-2022-23219, lurked in a rarely used (but still available) part of glibc: the SUNRPC module, specifically in an old compatibility function named clnt_create.

If you’re a developer or sysadmin responsible for security, you should know what this vulnerability is about, why it exists, and what it means for your systems. Let’s break down the details, look at some code, and see how an attacker might try to exploit it.

What is CVE-2022-23219?

CVE-2022-23219 is a buffer overflow bug in glibc’s sunrpc (Sun Remote Procedure Call) module—specifically in the clnt_create() function. This function is deprecated and was meant for backward compatibility. However, many old network applications might still call it.

The main problem: clnt_create copies its hostname argument onto the stack without validating its length. That means if you hand it a very long hostname (longer than it can hold), the function will happily copy the entire string onto the stack, overwriting adjacent memory locations.

That’s classic stack buffer overflow territory.

If you’re lucky, this will crash the application (Denial of Service). If you’re unlucky and the application was built without “stack protector” security options, it might allow an attacker to run arbitrary code.

The Problem in Code

Here’s a greatly simplified and illustrative snippet of what’s going on. The actual code is found in the glibc sources, file sunrpc/clnt_gen.c, but this gives you the gist:

CLIENT *
clnt_create(const char *hostname, ...)
{
    // Allocates a buffer of fixed size on the stack
    char hostbuf[256];

    // UNCHECKED copy from user-supplied hostname to stack buffer:
    strcpy(hostbuf, hostname);  // <- Vulnerable!

    // ...rest of function...
}

strcpy copies the string blindly into hostbuf. If the hostname string is longer than 255 characters, goodbye memory safety.

How Could an Attacker Exploit This?

If an application built with glibc up through 2.34 uses the sunrpc module and calls clnt_create(), and does not have stack protection enabled, an attacker could supply a carefully crafted, excessively long hostname argument. This would:

- Smash the stack: Overwriting local variables, saved frame pointers, and possibly control data (like the return address).
- Denial of Service: Most of the time, the application will crash, taking down the server or exposed process.
- Potential Code Execution: If security features (like stack canaries and ASLR) aren’t present or are bypassed, the attacker could gain code execution.

Actual exploitation would depend on the rest of the application’s build configuration and system mitigations.

If you wanted to demo a crash, you could write a small C program like this

#include <rpc/clnt.h>
#include <stdio.h>

// This will crash because the host buffer in clnt_create can't handle big hostnames.
int main() {
    char overlong_host[300];
    memset(overlong_host, 'A', sizeof(overlong_host)-1);
    overlong_host[sizeof(overlong_host)-1] = '\';

    // Should trigger the buffer overflow and (with luck) crash!
    CLIENT *cl = clnt_create(overlong_host, , , "tcp");
    if(!cl) {
        printf("clnt_create failed as expected\\n");
    }
    return ;
}

On a vulnerable system, this program would almost certainly crash when it tries to call clnt_create() with a long hostname.

Impact and Risk

- Older Linux distributions that package glibc 2.34 or earlier and have software using sunrpc/clnt_create are at risk.
- Default builds of modern applications are usually protected by _stack canaries_ or _fortify source options_, which reduce the risk of code execution but don’t guarantee it won’t crash.
- Embedded and legacy systems, where older builds of glibc and software compiled without modern protections are in use, are particularly at risk.

Fixes and Recommendations

- Upgrade glibc! The bug was fixed in glibc commit d2d4d75 on Jan 18, 2022 and released in later versions.
- Disable or avoid sunrpc/clnt_create: It’s deprecated for a reason. Use alternative RPC mechanisms or updated APIs when possible.
- Recompile applications with stack protection (-fstack-protector-strong, -D_FORTIFY_SOURCE=2, etc.) to inhibit classic stack smashing.
- Patch and update your packages. Vendors like Red Hat and Debian have issued security updates.

Reference Links

- NVD Entry: CVE-2022-23219
- Red Hat CVE page
- Debian Security Tracker
- Glibc Patch Commit

Bottom Line

CVE-2022-23219 is a textbook buffer overflow bug in glibc’s old sunrpc module. If your software (or any legacy services) uses clnt_create, audit your usage and update your libraries. Even old functions can bite back, especially when they handle user-controlled data carelessly.

Stay safe—always trust your compiler and libc, but verify anyway!

Timeline

Published on: 01/14/2022 07:15:00 UTC
Last modified on: 08/19/2022 10:56:00 UTC