
libeconf: A stack-buffer-overflow vulnerability in "econf_writeFile" function #178

Closed
yangjiageng opened this issue Mar 16, 2023 · 2 comments

Comments

@yangjiageng

yangjiageng commented Mar 16, 2023

Discoverer: Zhao Jiapeng of Key Laboratory of Trustworthy Distributed Computing and Service (BUPT), Ministry of Education, Beijing University of Posts and Telecommunications

Description

A stack-buffer-overflow vulnerability exists in the econf_writeFile function. The vulnerability is triggered at libeconf/lib/libeconf.c line:546. The statement is: while ((line = strsep(&value_string, "\n")) != NULL) (line 546).

The corresponding statements are as follows:

if (key_file->file_entry[i].comment_before_key && strlen(key_file->file_entry[i].comment_before_key) > 0) {
    char buf[BUFSIZ];
    char *line;
    char *value_string = buf;

    /* copies at most BUFSIZ-1 bytes; strncpy() writes no NUL when the source is that long or longer */
    strncpy(buf, key_file->file_entry[i].comment_before_key, BUFSIZ-1);
    /* strsep() scans for '\n' or NUL and reads past buf if neither terminates it */
    while ((line = strsep(&value_string, "\n")) != NULL) {
        fprintf(kf, "%c%s\n", key_file->comment, line);
    }
}

In this code, a buf buffer of 8192 bytes is defined and the contents of key_file->file_entry[i].comment_before_key are copied into the buf.

The strncpy function is used here, which ensures that the size of buf is not exceeded when copying, so the process does not result in a buffer overflow vulnerability.

Next, when the strsep function is used, the value_string pointer points to the beginning of the buf buffer.

The strsep function alone will not cause a buffer overflow vulnerability. However, in the strncpy function, if the length of key_file->file_entry[i].comment_before_key is greater than or equal to the size of buf, then it will not add the null character at the end of buf.

This may result in the strsep function not correctly identifying the end position of the string when splitting it, thus causing a buffer overflow.

Reproduction

Please reproduce this vulnerability using the following PoC.

This PoC is obtained by modifying the input data based on the test/tst-write-string-data.c testcase.

Use this PoC to replace the tst-write-string-data.c file in the libeconf/tests directory and configure the C compiler to use the -fsanitize=address flag, as follows:

CC=clang CXX=$CC CFLAGS="-O2 -g -fsanitize=address -L/root/  -shared-libasan" make -C build/ check -j8

The PoC file and the input file are here and here, respectively.

You must create a corpus subdirectory under the directory where you run the test target tst-write-string-data in order to run the test target correctly.

Using these commands: cd /libeconfDir/build/tests && mkdir corpus and /libeconfDir/build/tests/tst-write-string-data econf_writeFile_546, you will get the following output:

[screenshot of the AddressSanitizer report]

This is the corresponding information of this overflow vulnerability from AddressSanitizer.
Attackers can use this bug to achieve a DoS attack or even a remote code execution attack.
Please reproduce and fix this vulnerability.
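The mechanism described in the report, as an added example that is not part of the issue and not libeconf's own code: the first function reproduces the strncpy(buf, src, BUFSIZ-1) call shape against a small, poisoned buffer and reports whether a terminating NUL was written, which is the condition strsep() depends on. The second function is one hardened rewrite of the comment-writing loop: it splits a heap copy of the comment instead of a fixed stack buffer, so there is nothing to under-terminate and nothing to truncate. The function names, the 16-byte buffer size and the sample comments are assumptions chosen for illustration; the fix shown here is not necessarily the one shipped in libeconf 0.5.2.

```c
#define _GNU_SOURCE          /* strsep() and strdup() are POSIX/GNU, not ISO C */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Returns 1 if strncpy(buf, src, bufsize-1) left a NUL somewhere in buf,
 * 0 if it did not (strlen(src) >= bufsize-1), -1 on allocation failure.
 * The buffer is poisoned with 'X' first so a missing terminator is visible
 * instead of depending on whatever happened to be on the stack. */
int strncpy_leaves_nul(const char *src, size_t bufsize)
{
    char *buf = malloc(bufsize);
    if (buf == NULL)
        return -1;
    memset(buf, 'X', bufsize);
    strncpy(buf, src, bufsize - 1);          /* same call shape as the reported code */
    int terminated = memchr(buf, '\0', bufsize) != NULL;
    free(buf);
    return terminated;
}

/* Hardened writer (assumed design, not libeconf's): split a heap copy of the
 * comment, so there is no fixed-size buffer to under-terminate and long
 * comments are not silently cut. Each line is written as "<marker><line>\n"
 * into out (capacity outlen). Returns the number of lines written, or -1 if
 * out is too small or allocation fails. */
int write_comment_fixed(const char *comment, char marker, char *out, size_t outlen)
{
    char *copy = strdup(comment);
    if (copy == NULL)
        return -1;
    char *value_string = copy;               /* strsep() advances this pointer */
    char *line;
    int lines = 0;
    size_t used = 0;

    while ((line = strsep(&value_string, "\n")) != NULL) {
        int w = snprintf(out + used, outlen - used, "%c%s\n", marker, line);
        if (w < 0 || (size_t)w >= outlen - used) {
            free(copy);
            return -1;                       /* refuse to write a partial line */
        }
        used += (size_t)w;
        lines++;
    }
    free(copy);
    return lines;
}

int main(void)
{
    char out[128];
    /* Constructed inputs: a 14-byte comment fits a 16-byte buffer with room for
     * the NUL; a 15-byte comment exactly fills the BUFSIZ-1 copy and loses it. */
    printf("14-byte comment terminated: %d\n", strncpy_leaves_nul("fourteen_chars", 16));
    printf("15-byte comment terminated: %d\n", strncpy_leaves_nul("exactly15chars!", 16));

    int n = write_comment_fixed("first line\nsecond line", '#', out, sizeof out);
    printf("%d lines:\n%s", n, out);
    return 0;
}
```

The minimal in-place fix for the original loop is to keep the stack buffer but write buf[BUFSIZ-1] = '\0' after the strncpy; that stops the over-read but silently truncates comments of BUFSIZ-1 bytes or more, which is why the variant above copies the whole string instead.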

@schubi2 (Collaborator)

schubi2 commented Mar 24, 2023

Thanks for your great work. I have released a new version 0.5.2

@schubi2 schubi2 closed this as completed Mar 24, 2023
@jsegitz

jsegitz commented May 4, 2023

Please use CVE-2023-32181 for this
