Improper boundary checks in decompileSETTARGET() in decompile.c #189
Since the issue has not received any reply or been assigned a CVE id for a long time, we further analyzed the cause of the vulnerability. Due to busyness and our limited capability, it may not be accurate, but I hope to provide more detailed references for identifying and fixing the vulnerability.

We found that improper boundary checking in

In our POC, the parameters are:

According to the size of `union SWF_ACTION` (0x50), we divide the actions in

The program then checks each action as follows until one of them meets the

```c
while(action_cnt+n<maxn)
{
    if (OpCode(actions, n+1+action_cnt, maxn)==SWFACTION_SETTARGET || ... || ...)
    {
        break;
    }
    action_cnt++;
}
decompileActions(action_cnt,&actions[n+1],gIndent+1);
```

We consider the boundary checking of the above code to be problematic. When

What's worse, it doesn't crash here, but calls

The data at this position is read from the input file, which means that a fake action can be constructed directly in the input. In the POC we provide, the low byte of the position

Faking other types of actions, such as

which calling
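The boundary problem in the loop quoted above, modelled as an added example (not libming's code): the guard bounds `action_cnt + n`, but the index handed to `OpCode()` is `n + 1 + action_cnt`, so the last iteration may probe index `maxn`, and when no SETTARGET is found the count passed to `decompileActions()` covers a sub-array ending at `actions[maxn]`. A bounds-checked stand-in for `OpCode()` records any such probe, a hardened loop bounds the index actually dereferenced, and a range check validates the count before it would be handed on; the struct, the opcode values and the sample array are constructed assumptions.

```c
#include <stdio.h>
/* Constructed stand-in for a libming action record; only the opcode matters. */
struct action { int opcode; };
#define SWFACTION_SETTARGET 0x8b   /* assumed value, for illustration only */
#define SWFACTION_OTHER     0x96   /* constructed placeholder for any other action */
#define OP_OUT_OF_RANGE     (-1)
static int oob_probes;  /* how many lookups asked for an index >= maxn */
/* Bounds-checked opcode lookup standing in for OpCode(actions, n, maxn). */
static int opcode_at(const struct action *a, int i, int maxn) {
    if (i < 0 || i >= maxn) { oob_probes++; return OP_OUT_OF_RANGE; }
    return a[i].opcode;
}
/* Same shape as the reported loop: the guard bounds action_cnt + n, but the
 * index probed is n + 1 + action_cnt, so the final iteration can ask for
 * index maxn. With no SETTARGET found, the returned count would make
 * decompileActions() walk actions[n+1 .. n+action_cnt], i.e. up to actions[maxn]. */
static int count_as_reported(const struct action *a, int n, int maxn) {
    int action_cnt = 0;
    while (action_cnt + n < maxn) {
        if (opcode_at(a, n + 1 + action_cnt, maxn) == SWFACTION_SETTARGET) break;
        action_cnt++;
    }
    return action_cnt;
}
/* Hardened form: bound the index that is actually dereferenced, so the
 * sub-range [n+1, n+1+action_cnt) always lies inside [0, maxn). */
static int count_hardened(const struct action *a, int n, int maxn) {
    int action_cnt = 0;
    while (n + 1 + action_cnt < maxn) {
        if (opcode_at(a, n + 1 + action_cnt, maxn) == SWFACTION_SETTARGET) break;
        action_cnt++;
    }
    return action_cnt;
}
/* 1 when the sub-array [n+1, n+1+action_cnt) fits within maxn entries. */
static int sub_range_in_bounds(int n, int action_cnt, int maxn) {
    return n >= 0 && action_cnt >= 0 && n + 1 + action_cnt <= maxn;
}
/* Constructed sample: four actions, none of them SETTARGET. */
static const struct action sample[4] = {
    {SWFACTION_OTHER}, {SWFACTION_OTHER}, {SWFACTION_OTHER}, {SWFACTION_OTHER}};
int main(void) {
    int n = 2, maxn = 4;
    int c1 = count_as_reported(sample, n, maxn), c2 = count_hardened(sample, n, maxn);
    printf("as reported: count=%d fits=%d oob_probes=%d\n", c1, sub_range_in_bounds(n, c1, maxn), oob_probes);
    printf("hardened:    count=%d fits=%d\n", c2, sub_range_in_bounds(n, c2, maxn));
    return 0;
}
```

With the sample above the reported-shape loop probes index 4 once and returns a count whose sub-range ends one element past the array, while the hardened loop returns a count that fits.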
There are several memory leaks in decompile.c as follows:

They seem to be similar to issue #119 (CVE-2018-7869), but I found there also exists a crash. Member pointers can be controlled by crafted input.

Set a breakpoint before calling `println()`. `decompileGETURL()` received a structure pointer parameter `SWF_ACTION *act`. However, the heap chunk was overflowed by input, so the member pointers can be controlled by crafted input data:

As the pointers are then dereferenced in `println("getUrl('%s',%s);"...`, it may result in an Information Disclosure and potentially Code Execution.

This problem exists in the released 0.4.8 and the latest commit 5009802.

POC: libming_decompile_memleak.zip

usage:

```
./swftophp libming_decompile_memleak
```

Found by bjchan9an@gmail.com