Atop
cpe:2.3:a:atop_project:atop:*:*:*:*:*:*:*
- >= 2.4.0
A heap corruption vulnerability has been identified in Atop, a system and process monitoring tool for Linux, in versions 2.4.0 through 2.11.0. It allows local users to cause a denial of service by creating certain unprivileged processes that interfere with Atop's operation. The issue arises because Atop, during initialization, attempts to connect to the TCP port used by the optional GPU monitoring daemon 'atopgpud'. If another program is listening on that port, Atop can be tricked into processing unexpected data, leading to parsing errors, heap corruption, and application crashes. The vulnerability has been present since Atop version 2.4.0, when the 'atopgpud' feature was introduced.
Exploitation of this vulnerability causes Atop to crash after a heap corruption; a user on Hacker News demonstrated that such a crash can be leveraged into a more serious issue. According to the same source, the vulnerability could potentially be exploited to escalate privileges.
The vulnerability can be reproduced by running a local program that listens on TCP port 59123, the port normally used by the 'atopgpud' daemon. With that program running, Atop is started with the '-k' flag, which makes it connect to the TCP port. A test program that triggers the heap corruption was developed to demonstrate the vulnerability.
Users should upgrade to Atop version 2.11.1 or later, where this vulnerability has been fixed. For Debian 11 bullseye, the patched package version is 2.6.0-2+deb11u1.
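As an added example (not part of the advisory or the Atop project), the following checks the two conditions described above from a defender's side: whether the installed upstream version falls in the affected range, and whether anything other than atopgpud is already listening on TCP port 59123. The `ss -ltnp` output is a constructed sample; the column layout assumed for parsing is that of iproute2's `ss`, and the `atopgpud` process name is assumed to be how the daemon appears in that output.

```python
import re

GPU_DAEMON_PORT = 59123           # TCP port Atop probes for atopgpud
FIRST_AFFECTED = (2, 4, 0)        # atopgpud support introduced here
FIRST_FIXED = (2, 11, 1)          # upstream fix

def parse_version(text):
    """Extract the first dotted version in text: 'Version: 2.11.0' -> (2, 11, 0)."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p or 0) for p in m.groups())

def upstream_version_affected(text):
    """True if the upstream Atop version lies in [2.4.0, 2.11.1).
    Distribution backports (e.g. Debian's 2.6.0-2+deb11u1) carry the fix under a
    lower upstream number, so judge those by the package version instead."""
    return FIRST_AFFECTED <= parse_version(text) < FIRST_FIXED

# One LISTEN row of `ss -ltnp`: state, recv-q, send-q, local addr:port, peer, process
_SS_ROW = re.compile(r"^LISTEN\s+\S+\s+\S+\s+(\S+):(\d+)\s+\S+\s*(.*)$")
_PROC = re.compile(r'"([^"]+)",pid=(\d+)')

def listeners_on_port(ss_output, port=GPU_DAEMON_PORT):
    """Return [(process_name, pid)] for every LISTEN socket bound to `port`.
    Without root, ss omits other users' process info; those show as <unknown>."""
    found = []
    for line in ss_output.splitlines():
        m = _SS_ROW.match(line.strip())
        if not m or int(m.group(2)) != port:
            continue
        procs = _PROC.findall(m.group(3)) or [("<unknown>", "0")]
        found.extend((name, int(pid)) for name, pid in procs)
    return found

def unexpected_gpu_port_listeners(ss_output):
    """Listeners on 59123 that are not atopgpud: any of these can feed Atop data
    it does not expect when it is started with -k."""
    return [(n, p) for n, p in listeners_on_port(ss_output) if n != "atopgpud"]

# Constructed sample of `ss -ltnp` output (not captured from a real host).
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      5      127.0.0.1:59123     0.0.0.0:*         users:(("python3",pid=4321,fd=3))
"""

if __name__ == "__main__":
    print("affected 2.11.0:", upstream_version_affected("Version: 2.11.0"))
    print("unexpected listeners:", unexpected_gpu_port_listeners(SAMPLE_SS))
```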