
heap-buffer-overflow in function getString(util/decompile.c:346) #111

Closed
fantasy7082 opened this issue Mar 7, 2018 · 1 comment

Comments

@fantasy7082

Hi, I found a heap-buffer-overflow bug in libming 0.4.8, the details are below (ASAN):

./swftocxx 003-heap-over-swf /dev/null 
....
....
==30550==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ec7a at pc 0x7fd29030c9f5 bp 0x7ffd968473e0 sp 0x7ffd96846b70
WRITE of size 11 at 0x60200000ec7a thread T0
    #0 0x7fd29030c9f4 in __interceptor_vsprintf (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x619f4)
    #1 0x7fd29030ccc9 in __interceptor_sprintf (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x61cc9)
    #2 0x410ef9 in getString /root/libming-asan/util/decompile.c:346
    #3 0x4127f1 in newVar_N /root/libming-asan/util/decompile.c:661
    #4 0x41d3ae in decompileCALLMETHOD /root/libming-asan/util/decompile.c:2865
    #5 0x41e7ea in decompileAction /root/libming-asan/util/decompile.c:3285
    #6 0x41eba0 in decompileActions /root/libming-asan/util/decompile.c:3419
    #7 0x41eccd in decompile5Action /root/libming-asan/util/decompile.c:3441
    #8 0x4066c6 in outputSWF_DEFINEBUTTON2 /root/libming-asan/util/outputscript.c:931
    #9 0x40e331 in outputBlock /root/libming-asan/util/outputscript.c:2083
    #10 0x40f3d9 in readMovie /root/libming-asan/util/main.c:286
    #11 0x40fb0e in main /root/libming-asan/util/main.c:359
    #12 0x7fd28f6d882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #13 0x401b58 in _start (/usr/local/libming-asan/bin/swftocxx+0x401b58)

0x60200000ec7a is located 0 bytes to the right of 10-byte region [0x60200000ec70,0x60200000ec7a)
allocated by thread T0 here:
    #0 0x7fd290343602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x410eb0 in getString /root/libming-asan/util/decompile.c:345
    #2 0x4127f1 in newVar_N /root/libming-asan/util/decompile.c:661
    #3 0x41d3ae in decompileCALLMETHOD /root/libming-asan/util/decompile.c:2865
    #4 0x41e7ea in decompileAction /root/libming-asan/util/decompile.c:3285
    #5 0x41eba0 in decompileActions /root/libming-asan/util/decompile.c:3419
    #6 0x41eccd in decompile5Action /root/libming-asan/util/decompile.c:3441
    #7 0x4066c6 in outputSWF_DEFINEBUTTON2 /root/libming-asan/util/outputscript.c:931
    #8 0x40e331 in outputBlock /root/libming-asan/util/outputscript.c:2083
    #9 0x40f3d9 in readMovie /root/libming-asan/util/main.c:286
    #10 0x40fb0e in main /root/libming-asan/util/main.c:359
    #11 0x7fd28f6d882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __interceptor_vsprintf
Shadow bytes around the buggy address:
  0x0c047fff9d30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa 00[02]
  0x0c047fff9d90: fa fa 00 06 fa fa 00 07 fa fa 00 fa fa fa 00 07
  0x0c047fff9da0: fa fa fd fd fa fa 00 07 fa fa 01 fa fa fa 00 07
  0x0c047fff9db0: fa fa 03 fa fa fa 00 07 fa fa 00 00 fa fa 00 07
  0x0c047fff9dc0: fa fa 00 04 fa fa 01 fa fa fa 00 07 fa fa 04 fa
  0x0c047fff9dd0: fa fa 01 fa fa fa 01 fa fa fa 01 fa fa fa 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==30550==ABORTING

POC FILE: https://github.com/fantasy7082/image_test/blob/master/003-heap-over-swf

@hlef
Contributor

hlef commented May 15, 2018

We are printing a 32 bit integer to a 10 char buffer, but the number itself has 10 digits so there's an overflow. Similar to #116, same fix.

diff --git a/util/decompile.c b/util/decompile.c
index e9341356..c15f30d7 100644
--- a/util/decompile.c
+++ b/util/decompile.c
@@ -358,9 +358,19 @@ getString(struct SWF_ACTIONPUSHPARAM *act)
                return t;
        }
        case PUSH_INT: /* INTEGER */
-               t=malloc(10); /* 32-bit decimal */
-               sprintf(t,"%ld", act->p.Integer );
+       {
+               char length_finder[1];
+               int needed_length = snprintf(length_finder, 1, "%ld", act->p.Integer) + 1;
+               if (needed_length <= 0)
+               {
+                       SWF_warn("WARNING: could not evaluate size of buffer (memory issue ?).\n");
+                       break;
+               }
+
+               t = malloc(needed_length);
+               sprintf(t, "%ld", act->p.Integer );
                return t;
+       }
        case PUSH_CONSTANT: /* CONSTANT8 */
                if (act->p.Constant8 > poolcounter)
                {
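Review bot: the `t = malloc(needed_length);` result is passed straight to `sprintf` with no NULL check, so an allocation failure turns into a NULL dereference; add `if (t == NULL) { SWF_warn(...); break; }` before the write, and since `needed_length` is already known, `snprintf(t, needed_length, "%ld", act->p.Integer);` keeps the write bounded even if the measurement were ever off. The one-byte `length_finder` array is unnecessary: `snprintf(NULL, 0, "%ld", act->p.Integer)` is the standard way to measure the formatted length. Finally, the retained comment says "32-bit decimal" but the format is `%ld`; if `act->p.Integer` is a 32-bit type this is a format mismatch, so either cast to `long` or use a format that matches the field's actual type.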

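As an added illustration of the sizing problem hlef describes (this is example code written for this page, not libming's code): a 32-bit signed integer needs up to 11 characters in decimal ("-2147483648") plus a terminating NUL, so a fixed 10-byte buffer is overrun by any value with 10 or more digits, which matches the "WRITE of size 11" into a "10-byte region" in the ASAN report above. The block measures the exact width with `snprintf(NULL, 0, ...)`, reports which values would have overrun the original 10-byte allocation, and shows a hardened heap-string routine that sizes the buffer from the value and checks the `malloc` result. The function names and the `FIXED_BUF` constant are this example's own.

```c
#include <inttypes.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Example code, not libming's: models the malloc(10) + sprintf pattern
 * from the issue and the value-sized replacement. */

#define FIXED_BUF 10       /* the original fixed allocation */
#define INT32_DEC_BUFSZ 12 /* "-2147483648" (11 chars) + NUL, worst case */

/* Bytes sprintf would write for v, NUL included; 0 on encoding error. */
static size_t decimal_bytes_needed(int32_t v)
{
    int n = snprintf(NULL, 0, "%" PRId32, v);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* 1 if formatting v into the original 10-byte buffer would overrun it. */
static int overflows_fixed_buffer(int32_t v)
{
    size_t needed = decimal_bytes_needed(v);
    return needed == 0 || needed > FIXED_BUF;
}

/* Hardened variant: allocate exactly what the value needs, check malloc,
 * and use a bounded write. Caller frees; NULL on error. */
static char *int32_to_heap_string(int32_t v)
{
    size_t needed = decimal_bytes_needed(v);
    if (needed == 0)
        return NULL;
    char *t = malloc(needed);
    if (t == NULL)
        return NULL;
    snprintf(t, needed, "%" PRId32, v); /* bounded even if sizing were wrong */
    return t;
}

/* Helper for checking: 1 if the hardened routine yields `expected` for v. */
static int heap_string_matches(int32_t v, const char *expected)
{
    char *s = int32_to_heap_string(v);
    int ok = (s != NULL && strcmp(s, expected) == 0);
    free(s);
    return ok;
}

int main(void)
{
    /* Constructed sample values spanning the safe/unsafe boundary. */
    const int32_t samples[] = { 0, 123456789, 1234567890, INT32_MAX, INT32_MIN };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int32_t v = samples[i];
        printf("%11" PRId32 ": needs %2zu bytes, fixed %d-byte buffer %s\n",
               v, decimal_bytes_needed(v), FIXED_BUF,
               overflows_fixed_buffer(v) ? "OVERFLOWS" : "fits");
    }
    printf("worst case for int32_t is %d bytes\n", INT32_DEC_BUFSZ);
    return 0;
}
```

Sizing from the value, as the proposed patch does, is correct; the alternative of simply allocating `INT32_DEC_BUFSZ` (12) bytes is also safe for any 32-bit value and avoids a second formatting pass. Either way the write should stay bounded with `snprintf` and the allocation result should be checked.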
hlef added a commit to hlef/libming that referenced this issue May 26, 2018
getString prints a 32 bit integer to a 10 char buffer, but the number
itself has 10 digits so there's an overflow.

Similar to libming#116, same fix.

Fixes libming#111, CVE-2018-7873.
@strk strk closed this as completed in efc75c2 Jul 12, 2020