[bug] sngrep stack buffer overflow #430

Closed
randomssr opened this issue Mar 1, 2023 · 1 comment
@randomssr

I found a stack buffer overflow in sngrep.
Please confirm.
Thanks!

Test Environment
Ubuntu 20.04, 64-bit; sngrep (version: v1.6.0; 5089514)

How to trigger
Compile the program with AddressSanitizer
Run command $ ./sngrep -N -R -I $PoC
Details
ASAN report
$./sngrep -N -R -I $PoC

Dialog count: 0=================================================================
==974123==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fda5fffe9a0 at pc 0x00000049b787 bp 0x7fda5fff98d0 sp 0x7fda5fff9098
READ of size 57344 at 0x7fda5fffe9a0 thread T1
    #0 0x49b786 in __asan_memcpy (/home/root/randomFuzz/sngrep/sngrep/sngrep_N_R_I/sngrep+0x49b786)
    #1 0x4dc7f1 in packet_set_payload /home/root/FuzzDateset/sngrep/sngrep-1.6.0/src/packet.c:147:9
    #2 0x4d1697 in parse_packet /home/root/FuzzDateset/sngrep/sngrep-1.6.0/src/capture.c:430:9
    #3 0x7fda61bad466  (/lib/x86_64-linux-gnu/libpcap.so.0.8+0x23466)
    #4 0x7fda61b9bf67 in pcap_loop (/lib/x86_64-linux-gnu/libpcap.so.0.8+0x11f67)
    #5 0x4cf5c9 in capture_thread /home/root/FuzzDateset/sngrep/sngrep-1.6.0/src/capture.c:1042:5
    #6 0x7fda61b6d608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8
    #7 0x7fda61918132 in __clone /build/glibc-SzIz7B/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Address 0x7fda5fffe9a0 is located in stack of thread T1 at offset 20512 in frame
    #0 0x4d067f in parse_packet /home/root/FuzzDateset/sngrep/sngrep-1.6.0/src/capture.c:321

  This frame has 3 object(s):
    [32, 20512) 'data' (line 333)
    [20768, 20772) 'size_capture' (line 337) <== Memory access at offset 20512 partially underflows this variable
    [20784, 20788) 'size_payload' (line 339) <== Memory access at offset 20512 partially underflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
Thread T1 created by T0 here:
    #0 0x486a8c in pthread_create (/home/root/randomFuzz/sngrep/sngrep/sngrep_N_R_I/sngrep+0x486a8c)
    #1 0x4d712c in capture_launch_thread /home/root/FuzzDateset/sngrep/sngrep-1.6.0/src/capture.c:1027:13
    #2 0x4efb9e in main /home/root/FuzzDateset/sngrep/sngrep-1.6.0/src/main.c:433:9
    #3 0x7fda6181d082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/root/randomFuzz/sngrep/sngrep/sngrep_N_R_I/sngrep+0x49b786) in __asan_memcpy
Shadow bytes around the buggy address:
  0x0ffbcbff7ce0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffbcbff7cf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffbcbff7d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffbcbff7d10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffbcbff7d20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ffbcbff7d30: 00 00 00 00[f2]f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
  0x0ffbcbff7d40: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
  0x0ffbcbff7d50: f2 f2 f2 f2 04 f2 04 f3 00 00 00 00 00 00 00 00
  0x0ffbcbff7d60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffbcbff7d70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffbcbff7d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==974123==ABORTING

The URL of PoC is PoC
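The trace above points at a memcpy in packet_set_payload whose length (57344 bytes) is derived from parsed headers while its source is the fixed 20480-byte stack buffer 'data' in parse_packet, so the copy reads past the captured bytes. As an added illustration that is not sngrep's code, the following C checks a header-derived payload length against the number of bytes actually captured before copying; the two-byte big-endian length prefix it parses is a made-up frame format for the example, not a real protocol.

```c
/* Added example (not sngrep's code): bounds-checked payload copy.
 * Toy frame format (assumption for illustration): 2-byte big-endian
 * payload length followed by the payload bytes. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define CAPTURE_BUF 20480   /* matches the size of 'data' in the report */
#define HDR_LEN 2

struct payload {
    uint8_t data[CAPTURE_BUF];
    size_t len;
};

/* Copies the declared payload into out->data.
 * Returns the number of bytes copied, or -1 if the declared length does
 * not fit in the captured bytes or in the destination. Nothing is
 * copied on failure, so a truncated or over-declared frame can never
 * cause a read past the end of the capture buffer. */
long payload_copy_checked(struct payload *out,
                          const uint8_t *captured, size_t caplen)
{
    if (caplen < HDR_LEN)
        return -1;                              /* no complete header */

    size_t declared = ((size_t)captured[0] << 8) | captured[1];

    /* This is the check the sanitizer report shows missing: the
     * header-derived size must not exceed what was actually captured. */
    if (declared > caplen - HDR_LEN)
        return -1;
    if (declared > sizeof out->data)
        return -1;                              /* destination too small */

    memcpy(out->data, captured + HDR_LEN, declared);
    out->len = declared;
    return (long)declared;
}

/* Constructed sample: header declares 4 bytes and the frame carries 4. */
long demo_consistent_frame(void)
{
    static const uint8_t frame[] = { 0x00, 0x04, 'I', 'N', 'V', 'I' };
    struct payload p;
    return payload_copy_checked(&p, frame, sizeof frame);
}

/* Constructed sample: header declares 0xE000 = 57344 bytes (the size in
 * the report) but only 4 payload bytes were captured. An unchecked
 * memcpy would read far past the buffer; the checked copy rejects it. */
long demo_overdeclared_frame(void)
{
    static const uint8_t frame[] = { 0xE0, 0x00, 'I', 'N', 'V', 'I' };
    struct payload p;
    return payload_copy_checked(&p, frame, sizeof frame);
}

/* Constructed sample: capture cut off inside the header itself. */
long demo_short_frame(void)
{
    static const uint8_t frame[] = { 0x00 };
    struct payload p;
    return payload_copy_checked(&p, frame, sizeof frame);
}

int main(void)
{
    printf("consistent:    %ld\n", demo_consistent_frame());   /* 4  */
    printf("over-declared: %ld\n", demo_overdeclared_frame()); /* -1 */
    printf("short:         %ld\n", demo_short_frame());        /* -1 */
    return 0;
}
```

The check compares against caplen, the byte count the capture library actually delivered, rather than against any length field in the packet; a length that survives the check is by construction inside both the source buffer and the destination.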

@Kaian
Member

Kaian commented Mar 1, 2023

Hi!

I can confirm this issue. Above commit should get rid of it.

Thanks for the bug report!

@Kaian Kaian self-assigned this Mar 1, 2023
@Kaian Kaian added the bug label Mar 1, 2023
@Kaian Kaian added this to the 1.7.0 milestone Mar 1, 2023
@Kaian Kaian closed this as completed Mar 3, 2023