Possible insecure pointer conversion in yr_set_configuration() leading to global-buffer-overflow #1616
Comments
plusvic added a commit that referenced this issue Dec 17, 2021
@dandanxu96 please check this #1621

Thanks!
plusvic added a commit that referenced this issue Dec 20, 2021
tarterp pushed a commit to mandiant/yara that referenced this issue Mar 31, 2022
This is a more comprehensive fix than VirusTotal#1617, it adds new functions to the API for getting/setting uint32 and uint64 settings. Using these functions is preferable over calling `yr_(get|set)_configuration` directly.
maximelb pushed a commit to refractionPOINT/yara that referenced this issue Nov 17, 2022
This is a more comprehensive fix than VirusTotal#1617, it adds new functions to the API for getting/setting uint32 and uint64 settings. Using these functions is preferable over calling `yr_(get|set)_configuration` directly.
version: master (commit 822e532)
command: yara $FILE strings
PoC is a file that can contain any string, such as "hello". Here is the trace reported by ASAN:
Commit 605b2ed introduced a configuration case called `YR_CONFIG_MAX_PROCESS_MEMORY_CHUNK`, which will treat the `void *src` pointer as a `uint64_t*` pointer (64bit). The dereference operation after this will read 64bits from src.

yara/libyara/libyara.c
Lines 381 to 403 in 605b2ed
Note that, in cli/yara.c, a pointer to the 32bit integer `max_process_memory_chunk` is passed to `yr_set_configuration`. As a result, `yr_cfgs[name].ui64 = *(uint64_t *) src;` will read 64bits from a 32bit variable. This caused the ERROR reported by ASAN.

yara/cli/yara.c
Line 166 in 605b2ed

yara/cli/yara.c
Lines 1371 to 1372 in 605b2ed

A potential damage of this is that an attacker who obtains control of `max_process_memory_chunk`'s next 4 bytes in the memory can further set the higher 32bits of `yr_cfgs[name].ui64` to arbitrary values and launch exhaustive attacks.
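
The width mismatch reported in this issue, and the typed-setter approach named in the referencing commit message, shown as an added example that is not YARA's code. It is a simplified model: `cfg_set`, `cfg_set_u32`, `cfg_set_u64`, `cfg_get_u64`, `model_unchecked_read` and the `CFG_*` names are hypothetical, and the sample values are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model, not libyara code: all names here are hypothetical. */
typedef enum { CFG_STACK_SIZE, CFG_MAX_CHUNK, CFG_COUNT } cfg_name;
typedef union { uint32_t ui32; uint64_t ui64; } cfg_value;
static cfg_value cfgs[CFG_COUNT];

/* Width in bytes that each setting stores; a bare void* cannot carry this. */
static size_t cfg_width(cfg_name name) {
  return name == CFG_MAX_CHUNK ? sizeof(uint64_t) : sizeof(uint32_t);
}

/* Generic setter that makes the caller state the size of the object at src
   and refuses a mismatch instead of reading past a narrower variable. */
int cfg_set(cfg_name name, const void *src, size_t src_size) {
  if (src == NULL || (unsigned) name >= CFG_COUNT) return -1;
  if (src_size != cfg_width(name)) return -1;
  memset(&cfgs[name], 0, sizeof cfgs[name]);
  memcpy(&cfgs[name], src, src_size);
  return 0;
}

/* Typed wrappers: the compiler converts the argument, so no pointer cast. */
int cfg_set_u32(cfg_name name, uint32_t v) { return cfg_set(name, &v, sizeof v); }
int cfg_set_u64(cfg_name name, uint64_t v) { return cfg_set(name, &v, sizeof v); }
uint64_t cfg_get_u64(cfg_name name) { return cfgs[name].ui64; }

/* Models what a 64-bit read through a pointer to a 32-bit variable returns:
   the neighbouring 4 bytes become half of the value. Both fields live in one
   struct so this 8-byte copy stays inside a single object. */
uint64_t model_unchecked_read(uint32_t value, uint32_t neighbour) {
  struct { uint32_t value; uint32_t neighbour; } mem = { value, neighbour };
  uint64_t out;
  memcpy(&out, &mem, sizeof out);
  return out;
}

int main(void) {
  uint32_t chunk = 1024; /* constructed sample value */
  printf("unchecked model: 0x%016llx\n",
         (unsigned long long) model_unchecked_read(chunk, 0xdeadbeefu));
  printf("32-bit object into 64-bit setting: %d\n",
         cfg_set(CFG_MAX_CHUNK, &chunk, sizeof chunk));
  int rc = cfg_set_u64(CFG_MAX_CHUNK, chunk);
  printf("typed 64-bit setter: %d, stored %llu\n", rc,
         (unsigned long long) cfg_get_u64(CFG_MAX_CHUNK));
  return 0;
}
```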