Multiple OOB reads #43

Closed
seeutonight opened this issue Aug 8, 2018 · 8 comments

@seeutonight

1. The libesedb_page_read_values function in libesedb_page.c in libesedb allows remote attackers to cause a denial of service (invalid memory read and application crash) via a crafted esedb file.

esedbexport -m all libesedb_page_read_values
==9809==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62d000008450 at pc 0x0000005fc2e3 bp 0x7ffcdcf21330 sp 0x7ffcdcf21328
READ of size 1 at 0x62d000008450 thread T0
    #0 0x5fc2e2 in libesedb_page_read_values /home/xxx/Desktop/afl-of-things/libesedb/libesedb/libesedb_page.c:1248:29
    #1 0x5fa6b3 in libesedb_page_read /home/xxx/Desktop/afl-of-things/libesedb/libesedb/libesedb_page.c:779:7
    #2 0x5ee496 in libesedb_io_handle_read_page /home/xxx/Desktop/afl-of-things/libesedb/libesedb/libesedb_io_handle.c:264:6
    #3 0x650539 in libfdata_vector_get_element_value_by_index /home/xxx/Desktop/afl-of-things/libesedb/libfdata/libfdata_vector.c:1613:7
    #4 0x650eaa in libfdata_vector_get_element_value_at_offset /home/xxx/Desktop/afl-of-things/libesedb/libfdata/libfdata_vector.c:1749:6

0x62d000008450 is located 80 bytes to the right of 32768-byte region [0x62d000000400,0x62d000008400)
allocated by thread T0 here:
    #0 0x4f0a68 in malloc (/home/xxx/Desktop/afl-of-things/libesedb/esedbtools/esedbexport+0x4f0a68)
    #1 0x5f9730 in libesedb_page_read /home/xxx/Desktop/afl-of-things/libesedb/libesedb/libesedb_page.c:373:27
    #2 0x5ee496 in libesedb_io_handle_read_page /home/xxx/Desktop/afl-of-things/libesedb/libesedb/libesedb_io_handle.c:264:6
    #3 0x650539 in libfdata_vector_get_element_value_by_index /home/xxx/Desktop/afl-of-things/libesedb/libfdata/libfdata_vector.c:1613:7
    #4 0x650eaa in libfdata_vector_get_element_value_at_offset /home/xxx/Desktop/afl-of-things/libesedb/libfdata/libfdata_vector.c:1749:6

POC: libesedb_page_read_values
This vulnerability has been assigned as CVE-2018-15158.

2. The libesedb_page_read_tags function in libesedb_page.c in libesedb allows remote attackers to cause a denial of service (invalid memory read and application crash) via a crafted esedb file.

esedbexport -m all libesedb_page_read_tags
==9812==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62d0000003ff at pc 0x0000005fb33c bp 0x7ffd89f8c8d0 sp 0x7ffd89f8c8c8
READ of size 1 at 0x62d0000003ff thread T0
    #0 0x5fb33b in libesedb_page_read_tags /home/xxx/Desktop/afl-of-things/libesedb/libesedb/libesedb_page.c:948:3
    #1 0x5fa63d in libesedb_page_read /home/xxx/Desktop/afl-of-things/libesedb/libesedb/libesedb_page.c:760:7
    #2 0x5ee496 in libesedb_io_handle_read_page /home/xxx/Desktop/afl-of-things/libesedb/libesedb/libesedb_io_handle.c:264:6
    #3 0x650539 in libfdata_vector_get_element_value_by_index /home/xxx/Desktop/afl-of-things/libesedb/libfdata/libfdata_vector.c:1613:7
    #4 0x650eaa in libfdata_vector_get_element_value_at_offset /home/xxx/Desktop/afl-of-things/libesedb/libfdata/libfdata_vector.c:1749:6

0x62d0000003ff is located 1 bytes to the left of 32768-byte region [0x62d000000400,0x62d000008400)
allocated by thread T0 here:
    #0 0x4f0a68 in malloc (/home/xxx/Desktop/afl-of-things/libesedb/esedbtools/esedbexport+0x4f0a68)
    #1 0x5f9730 in libesedb_page_read /home/xxx/Desktop/afl-of-things/libesedb/libesedb/libesedb_page.c:373:27
    #2 0x5ee496 in libesedb_io_handle_read_page /home/xxx/Desktop/afl-of-things/libesedb/libesedb/libesedb_io_handle.c:264:6
    #3 0x650539 in libfdata_vector_get_element_value_by_index /home/xxx/Desktop/afl-of-things/libesedb/libfdata/libfdata_vector.c:1613:7

POC: libesedb_page_read_tags
This vulnerability has been assigned as CVE-2018-15159.

3. The libesedb_catalog_definition_read function in libesedb_catalog_definition.c in libesedb allows remote attackers to cause a denial of service (invalid memory read and application crash) via a crafted esedb file.

esedbexport -m all libesedb_catalog_definition_read
==9815==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62d000012400 at pc 0x0000004ef8ed bp 0x7ffc8d44a8c0 sp 0x7ffc8d44a070
READ of size 32512 at 0x62d000012400 thread T0
    #0 0x4ef8ec in __asan_memcpy (/home/xxx/Desktop/afl-of-things/libesedb/esedbtools/esedbexport+0x4ef8ec)
    #1 0x66b011 in libesedb_catalog_definition_read /home/xxx/Desktop/afl-of-things/libesedb/libesedb/libesedb_catalog_definition.c
    #2 0x66900a in libesedb_catalog_read /home/xxx/Desktop/afl-of-things/libesedb/libesedb/libesedb_catalog.c:1037:7
    #3 0x5e7ff8 in libesedb_file_open_read /home/xxx/Desktop/afl-of-things/libesedb/libesedb/libesedb_file.c:1331:7
    #4 0x5e62ae in libesedb_file_open_file_io_handle /home/xxx/Desktop/afl-of-things/libesedb/libesedb/libesedb_file.c:633:6

0x62d000012400 is located 0 bytes to the right of 32768-byte region [0x62d00000a400,0x62d000012400)
allocated by thread T0 here:
    #0 0x4f0a68 in malloc (/home/xxx/Desktop/afl-of-things/libesedb/esedbtools/esedbexport+0x4f0a68)
    #1 0x5f9730 in libesedb_page_read /home/xxx/Desktop/afl-of-things/libesedb/libesedb/libesedb_page.c:373:27
    #2 0x5ee496 in libesedb_io_handle_read_page /home/xxx/Desktop/afl-of-things/libesedb/libesedb/libesedb_io_handle.c:264:6
    #3 0x650539 in libfdata_vector_get_element_value_by_index /home/xxx/Desktop/afl-of-things/libesedb/libfdata/libfdata_vector.c:1613:7
    #4 0x650eaa in libfdata_vector_get_element_value_at_offset /home/xxx/Desktop/afl-of-things/libesedb/libfdata/libfdata_vector.c:1749:6

POC: libesedb_catalog_definition_read
This vulnerability has been assigned as CVE-2018-15160.

4. The libesedb_key_append_data function in libesedb_key.c in libesedb allows remote attackers to cause a denial of service (invalid memory read and application crash) via a crafted esedb file.

esedbexport -m all libesedb_key_append_data
==9818==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62d000008400 at pc 0x0000004ef8ed bp 0x7ffcdb636260 sp 0x7ffcdb635a10
READ of size 8191 at 0x62d000008400 thread T0
    #0 0x4ef8ec in __asan_memcpy (/home/xxx/Desktop/afl-of-things/libesedb/esedbtools/esedbexport+0x4ef8ec)
    #1 0x5ef039 in libesedb_key_append_data /home/xxx/Desktop/afl-of-things/libesedb/libesedb/libesedb_key.c:307:7
    #2 0x5ff086 in libesedb_page_tree_read_page /home/xxx/Desktop/afl-of-things/libesedb/libesedb/libesedb_page_tree.c:1439:7
    #3 0x5ffe4d in libesedb_page_tree_read_node /home/xxx/Desktop/afl-of-things/libesedb/libesedb/libesedb_page_tree.c:1722:6
    #4 0x62c855 in libfdata_btree_read_node /home/xxx/Desktop/afl-of-things/libesedb/libfdata/libfdata_btree.c:1287:7

0x62d000008400 is located 0 bytes to the right of 32768-byte region [0x62d000000400,0x62d000008400)
allocated by thread T0 here:
    #0 0x4f0a68 in malloc (/home/xxx/Desktop/afl-of-things/libesedb/esedbtools/esedbexport+0x4f0a68)
    #1 0x5f9730 in libesedb_page_read /home/xxx/Desktop/afl-of-things/libesedb/libesedb/libesedb_page.c:373:27
    #2 0x5ee496 in libesedb_io_handle_read_page /home/xxx/Desktop/afl-of-things/libesedb/libesedb/libesedb_io_handle.c:264:6
    #3 0x650539 in libfdata_vector_get_element_value_by_index /home/xxx/Desktop/afl-of-things/libesedb/libfdata/libfdata_vector.c:1613:7
    #4 0x650eaa in libfdata_vector_get_element_value_at_offset /home/xxx/Desktop/afl-of-things/libesedb/libfdata/libfdata_vector.c:1749:6

POC: libesedb_key_append_data
This vulnerability has been assigned as CVE-2018-15161.

pocs.zip
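All four traces above share one shape: an offset or length is taken from the page itself (a tag entry, a record size) and used against a fixed 32768-byte page buffer, and the read lands 1 byte before the buffer, 80 bytes after it, or runs a memcpy of 8191 or 32512 bytes off its end. The following is an added example written for this issue, not libesedb's code, showing the bounds checks a page-tag reader needs to turn each of those cases into a clean parse error. The page layout it parses (a uint16 tag count at offset 0, an 8-byte header, 4-byte little-endian tag entries growing backwards from the end of the page, record data in between) is a simplified assumption for illustration and is not the real ESE on-disk format; the function and constant names are likewise invented here.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Added example, not libesedb code. Assumed simplified layout (NOT the real
 * ESE page format): PAGE_SIZE bytes per page, uint16 tag count at offset 0,
 * header reserved up to HEADER_SIZE, tag table at the END of the page with
 * entry i at page_size - (i+1)*TAG_ENTRY_SIZE (uint16 offset, uint16 size,
 * little-endian), record data between header and tag table. */
#define PAGE_SIZE      32768u   /* same size as the page region in the traces */
#define HEADER_SIZE    8u
#define TAG_ENTRY_SIZE 4u

enum {
    TAG_OK         =  0,
    TAG_ERR_PAGE   = -1,  /* buffer too small for a header plus one tag       */
    TAG_ERR_TABLE  = -2,  /* tag count implies a table larger than the page   */
    TAG_ERR_INDEX  = -3,  /* tag index past the table: read before the buffer */
    TAG_ERR_OFFSET = -4,  /* record offset outside data area: read past end   */
    TAG_ERR_SIZE   = -5   /* record length runs past data area: long memcpy   */
};

typedef struct { uint16_t offset; uint16_t size; } tag_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | ((uint16_t)p[1] << 8)); }
static void     wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Hardened reader: every value taken from the page is validated against
 * page_size before it is used as an index, with subtractions ordered so
 * no size_t arithmetic can wrap. The unchecked form of this function is
 * simply the same code with the five `return TAG_ERR_*` lines deleted. */
int read_tag_checked(const uint8_t *page, size_t page_size, uint16_t index, tag_t *out)
{
    if (page == NULL || out == NULL || page_size < HEADER_SIZE + TAG_ENTRY_SIZE)
        return TAG_ERR_PAGE;
    uint16_t ntags = rd16(page);
    size_t table_bytes = (size_t)ntags * TAG_ENTRY_SIZE;
    if (table_bytes > page_size - HEADER_SIZE) return TAG_ERR_TABLE;
    if (index >= ntags)                        return TAG_ERR_INDEX;
    const uint8_t *entry = page + page_size - (size_t)(index + 1) * TAG_ENTRY_SIZE;
    uint16_t off = rd16(entry), sz = rd16(entry + 2);
    size_t data_end = page_size - table_bytes;  /* records must not overlap the table */
    if (off < HEADER_SIZE || off >= data_end)  return TAG_ERR_OFFSET;
    if ((size_t)sz > data_end - off)           return TAG_ERR_SIZE;
    out->offset = off; out->size = sz;
    return TAG_OK;
}

/* memcpy only after the tag validated and the destination is known to fit. */
int copy_tag_checked(const uint8_t *page, size_t page_size, uint16_t index,
                     uint8_t *dst, size_t dst_size, size_t *copied)
{
    tag_t t;
    int rc = read_tag_checked(page, page_size, index, &t);
    if (rc != TAG_OK) return rc;
    if (t.size > dst_size) return TAG_ERR_SIZE;
    memcpy(dst, page + t.offset, t.size);
    *copied = t.size;
    return TAG_OK;
}

/* Constructed pages (not real database files) reproducing each failure class. */
static void build_page(uint8_t *page, uint16_t ntags, const tag_t *tags)
{
    memset(page, 0, PAGE_SIZE);
    wr16(page, ntags);
    for (uint16_t i = 0; i < ntags; i++) {
        uint8_t *e = page + PAGE_SIZE - (size_t)(i + 1) * TAG_ENTRY_SIZE;
        wr16(e, tags[i].offset); wr16(e + 2, tags[i].size);
    }
}
static int run_one(uint16_t ntags, const tag_t *tags, uint16_t index)
{
    uint8_t page[PAGE_SIZE]; tag_t out;
    build_page(page, ntags, tags);
    return read_tag_checked(page, PAGE_SIZE, index, &out);
}
int demo_valid(void)            { tag_t t = { 8, 100 };        return run_one(1, &t, 0); }
int demo_index_past_table(void) { tag_t t = { 8, 100 };        return run_one(1, &t, 8192); } /* entry would sit before the page */
int demo_offset_past_end(void)  { tag_t t = { 32768 + 80, 1 }; return run_one(1, &t, 0); }    /* 80 bytes right of the page, as in trace 1 */
int demo_size_past_end(void)    { tag_t t = { 256, 32512 };    return run_one(1, &t, 0); }    /* 32512-byte copy off the end, as in trace 3 */
int demo_table_too_large(void)
{
    uint8_t page[PAGE_SIZE]; tag_t out;
    build_page(page, 0, NULL);
    wr16(page, 8192);   /* 8192 * 4 bytes cannot fit behind the header */
    return read_tag_checked(page, PAGE_SIZE, 0, &out);
}
int demo_copy_valid(void)
{
    uint8_t page[PAGE_SIZE], dst[256]; tag_t t = { 8, 100 }; size_t n = 0;
    build_page(page, 1, &t);
    return copy_tag_checked(page, PAGE_SIZE, 0, dst, sizeof dst, &n) == TAG_OK ? (int)n : -1;
}

int main(void)
{
    printf("valid=%d index=%d offset=%d size=%d table=%d copied=%d\n",
           demo_valid(), demo_index_past_table(), demo_offset_past_end(),
           demo_size_past_end(), demo_table_too_large(), demo_copy_valid());
    return 0;
}
```

The two checks that matter most are the ones easiest to forget: the tag table itself must fit inside the page before any entry is dereferenced (otherwise a large count or index walks backwards past the start of the buffer, the "1 byte to the left" case), and the record length must be compared against the space remaining after the offset, not against the page size alone (otherwise offset + size overflows the end, the memcpy cases).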

@joachimmetz
Member

Thx for the report, but know this project is in pre-alpha status.

@joachimmetz
Member

Also, this project does not support any network communication, so your impact assessment needs some adjustments.

@joachimmetz
Member

Regarding filing CVEs for this, read libyal/libevt#5. And make sure your report is accurate, otherwise it's a waste of people's time and resources.

@joachimmetz
Member

joachimmetz commented Aug 8, 2018

allow remote attackers to cause a denial of service(invalid memory read and
application crash) via a crafted esedb file.

BTW, could you send me actual proof of these claims about actual crashes, such as core files, and which compiler/platform the binary was built with?

@joachimmetz
Member

joachimmetz commented Aug 8, 2018

None of your POC files crash; they are not even accepted as valid input.

esedbtools/esedbinfo ../input/esedb/corrupt/libesedb_page_read_values
esedbinfo 20180807

Unable to open: ../input/esedb/corrupt/libesedb_page_read_values

And the same for the other poc files:

Unable to open: ../input/esedb/corrupt/libesedb_key_append_data
Unable to open: ../input/esedb/corrupt/libesedb_page_read_tags
Unable to open: ../input/esedb/corrupt/libesedb_catalog_definition_read

So this would not lead to any hypothetical denial of service since your file would not be accepted as valid input in the first place.

@joachimmetz
Member

@seeutonight friendly ping are you going to provide proof to back your claims of your impact assessment?

@joachimmetz
Member

joachimmetz commented Aug 15, 2018

Marking as:

A software vulnerability, ..., is a mistake in software that can be directly used by a hacker to gain access to a system or network. 
  • bug, for the OOB reads

@joachimmetz
Member

No updates from reporter, closing issue.
