Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Heap Buffer Overflow when appending certain size string to URL file extension when compiled with ASAN. #17

Closed
ghost opened this issue May 17, 2019 · 4 comments

Comments

@ghost
Copy link

ghost commented May 17, 2019

Screen -S Server
./GoHTTP
CTRL-A, D

Screen -S Crash
curl 127.0.0.1:4000/hi.htmlAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
CTRL-A, D

ASAN Details:
==9376==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000efbb at pc 0x000000402e44 bp 0x7
ffd9e6f3a70 sp 0x7ffd9e6f3a60
WRITE of size 1 at 0x60200000efbb thread T0
#0 0x402e43 in GetExtension (/root/GoHttp/GoHTTP+0x402e43)
#1 0x40307f in handleHttpGET (/root/GoHttp/GoHTTP+0x40307f)
#2 0x4035b7 in receive (/root/GoHttp/GoHTTP+0x4035b7)
#3 0x4037da in handle (/root/GoHttp/GoHTTP+0x4037da)
#4 0x403881 in acceptConnection (/root/GoHttp/GoHTTP+0x403881)
#5 0x4038db in start (/root/GoHttp/GoHTTP+0x4038db)
#6 0x40406d in main (/root/GoHttp/GoHTTP+0x40406d)
#7 0x7f022305a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#8 0x401808 in _start (/root/GoHttp/GoHTTP+0x401808)

0x60200000efbb is located 1 bytes to the right of 10-byte region [0x60200000efb0,0x60200000efba)
allocated by thread T0 here:
#0 0x7f02241a9602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x402f2c in handleHttpGET (/root/GoHttp/GoHTTP+0x402f2c)
#2 0x4035b7 in receive (/root/GoHttp/GoHTTP+0x4035b7)
#3 0x4037da in handle (/root/GoHttp/GoHTTP+0x4037da)
#4 0x403881 in acceptConnection (/root/GoHttp/GoHTTP+0x403881)
#5 0x4038db in start (/root/GoHttp/GoHTTP+0x4038db)
#6 0x40406d in main (/root/GoHttp/GoHTTP+0x40406d)
#7 0x7f022305a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 GetExtension
Shadow bytes around the buggy address:
0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9df0: fa fa fa fa fa fa 00[02]fa fa 05 fa fa fa 00 02
0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==9376==ABORTING

@fekberg
Copy link
Owner

fekberg commented May 20, 2019

FYI this project isn't maintained. I only wrote it as a part of a university course years ago.

Don't use the code for anything but playing around..

@ghost
Copy link
Author

ghost commented May 24, 2019

Closing.

@ghost ghost closed this as completed May 24, 2019
@NicoleG25
Copy link

@fekberg I suggest perhaps contacting mitre and rejecting the CVE-2019-12158 assigned.
Have a nice day :)

@fekberg
Copy link
Owner

fekberg commented Apr 22, 2020

@NicoleG25 This is just code from a course I took 10 years ago at university. I'm not maintaining it, or anything like that.

As clearly stated by the README.

This issue was closed.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants