
Heap buffer overflow in chmd_read_headers() #27

Closed
JsHuang opened this issue Feb 18, 2019 · 3 comments

Comments

@JsHuang

commented Feb 18, 2019

Description:

Function chmd_read_headers() in libmspack has a heap buffer overflow problem (out-of-bounds read).

Affected version:

libmspack 0.9.1 alpha

Details:

In function chmd_read_headers(), line 486, memcmp(&name[33], &content_name[33], 8L) will lead to an out-of-bounds read while extracting a crafted chm file.

chmd.c, lines 486~492:

      if (name[0] == ':' && name[1] == ':') {
        /* system file */
        if (memcmp(&name[2], &content_name[2], 31L) == 0) {
          if (memcmp(&name[33], &content_name[33], 8L) == 0) {
            chm->sec1.content = fi;
          }
          else if (memcmp(&name[33], &control_name[33], 11L) == 0) {
            chm->sec1.control = fi;
          }

Details with ASan output:

./chmextract chmextract-overflow-chmd-486                      
chmextract-overflow-chmd-486
chmextract-overflow-chmd-486: invalid section number '89'.
chmextract-overflow-chmd-486: invalid section number '89'.
chmextract-overflow-chmd-486: invalid section number '89'.
chmextract-overflow-chmd-486: invalid section number '71'.
chmextract-overflow-chmd-486: invalid section number '266694953'.
chmextract-overflow-chmd-486: invalid section number '114'.
chmextract-overflow-chmd-486: invalid section number '84'.
chmextract-overflow-chmd-486: invalid section number '16259'.
chmextract-overflow-chmd-486: invalid section number '58'.
chmextract-overflow-chmd-486: invalid section number '67'.
chmextract-overflow-chmd-486: invalid section number '47'.
chmextract-overflow-chmd-486: invalid section number '48'.
chmextract-overflow-chmd-486: invalid section number '71'.
chmextract-overflow-chmd-486: invalid section number '266694953'.
chmextract-overflow-chmd-486: invalid section number '114'.
chmextract-overflow-chmd-486: invalid section number '84'.
chmextract-overflow-chmd-486: invalid section number '16259'.
chmextract-overflow-chmd-486: invalid section number '58'.
=================================================================
==9457==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000002500 at pc 0x0000004bf5bc bp 0x7ffebbdd6c60 sp 0x7ffebbdd6410
READ of size 31 at 0x621000002500 thread T0
    #0 0x4bf5bb in __interceptor_memcmp.part.78 /src/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:827
    #1 0x7f1b498ccde1 in chmd_read_headers /src/libmspack/libmspack/mspack/chmd.c:486
    #2 0x7f1b498ccde1 in chmd_real_open /src/libmspack/libmspack/mspack/chmd.c:163
    #3 0x7f1b498ccde1 in chmd_open /src/libmspack/libmspack/mspack/chmd.c:126
    #4 0x529a23 in main /src/libmspack/libmspack/examples/chmextract.c:92:18
    #5 0x7f1b489c882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #6 0x41a888 in _start (/src/libmspack/libmspack/examples/.libs/chmextract+0x41a888)

0x621000002500 is located 0 bytes to the right of 4096-byte region [0x621000001500,0x621000002500)
allocated by thread T0 here:
    #0 0x4e95bf in __interceptor_malloc /src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146
    #1 0x7f1b498cbd57 in chmd_read_headers /src/libmspack/libmspack/mspack/chmd.c:418
    #2 0x7f1b498cbd57 in chmd_real_open /src/libmspack/libmspack/mspack/chmd.c:163
    #3 0x7f1b498cbd57 in chmd_open /src/libmspack/libmspack/mspack/chmd.c:126

SUMMARY: AddressSanitizer: heap-buffer-overflow /src/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:827 in __interceptor_memcmp.part.78
==9457==ABORTING

poc file

https://github.com/JsHuang/pocs/blob/master/libmspack/chmextract-overflow-chmd-486

Credit: ADLab of Venustech

@kyz

Owner

commented Feb 18, 2019

Thank you for reporting this, and the POC file.

The issue is that checking for specific system file names does not take name length into consideration. The memcmp() will read past the end of the freshly-allocated name buffer. It's not especially exploitable (overread... past a freshly allocated buffer, not attacker controlled), but nonetheless, it is a memory error and has been fixed in commit 2f08413.
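The length-aware check described in the comment above, as an added illustration (editor's example, not libmspack's own code and not the fix in commit 2f08413). It assumes the documented CHM system file names for content_name and control_name, and uses a constructed one-byte-length directory entry as a stand-in for the real directory encoding.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not libmspack's own code (nor its commit 2f08413). The two
 * system file names are assumed to be the documented CHM ones. */
static const char content_name[] = "::DataSpace/Storage/MSCompressed/Content";
static const char control_name[] = "::DataSpace/Storage/MSCompressed/ControlData";

enum sysfile { SYS_NONE = 0, SYS_CONTENT = 1, SYS_CONTROL = 2 };

/* Hardened form of the quoted check: the length that came from the
 * directory entry bounds every comparison, so a 3-byte name such as "::x"
 * is rejected before any memcmp() could read 31 bytes past it. */
static enum sysfile classify_safe(const char *name, size_t name_len)
{
    if (name_len < 2 || name[0] != ':' || name[1] != ':') return SYS_NONE;
    if (name_len == sizeof(content_name) - 1 &&
        memcmp(name, content_name, name_len) == 0) return SYS_CONTENT;
    if (name_len == sizeof(control_name) - 1 &&
        memcmp(name, control_name, name_len) == 0) return SYS_CONTROL;
    return SYS_NONE;
}

/* Constructed stand-in for a directory entry: one length byte followed by
 * the name bytes.  As in the report, the name lands in a freshly allocated
 * buffer of exactly name_len + 1 bytes, so nothing past it is readable. */
static enum sysfile classify_entry(const unsigned char *entry)
{
    size_t name_len = entry[0];
    char *name = malloc(name_len + 1);
    enum sysfile kind;
    if (!name) return SYS_NONE;
    memcpy(name, entry + 1, name_len);
    name[name_len] = '\0';
    kind = classify_safe(name, name_len);
    free(name);
    return kind;
}

int main(void)
{
    /* Constructed entries: a crafted 3-byte name and the real content name. */
    static const unsigned char crafted[] = { 3, ':', ':', 'x' };
    unsigned char content[1 + 40];
    content[0] = 40;
    memcpy(content + 1, content_name, 40);
    printf("crafted -> %d, content -> %d\n",
           classify_entry(crafted), classify_entry(content));
    return 0;
}
```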

@carnil


commented Jul 15, 2019

This issue apparently got assigned the CVE-2019-1010305 CVE id.

@kyz

Owner

commented Jul 16, 2019

Thanks for letting me know. I've added the CVE id to the existing entry on the list of libmspack security vulnerabilities.

@kyz kyz closed this Jul 16, 2019
