OOB read of 1 in liblnk_location_information.c#L1090 causes ASAN warning #40

Closed
c0d3xpl0it opened this issue Oct 7, 2019 · 8 comments

@c0d3xpl0it

c0d3xpl0it commented Oct 7, 2019

We found a Heap Buffer Overflow issue in the lnkinfo binary; lnkinfo is compiled with clang with ASAN enabled.

Machine Setup
Machine : Ubuntu 16.04.3 LTS
gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.11)
Commit : c962bb7
lnkinfo : 20191006
Command : lnkinfo -v POC
POC : POC.zip

ASAN Output

fuzzer@fuzzer:~/victim/liblnk/lnktools$ ./lnkinfo -v POC
lnkinfo 20191006

=================================================================
==27633==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000de7f at pc 0x0000005a4184 bp 0x7ffc6a441c30 sp 0x7ffc6a441c28
READ of size 1 at 0x60400000de7f thread T0
    #0 0x5a4183 in liblnk_location_information_read_data /home/fuzzer/victim/liblnk/liblnk/liblnk_location_information.c:1090:4
    #1 0x5a45d7 in liblnk_location_information_read /home/fuzzer/victim/liblnk/liblnk/liblnk_location_information.c:1915:6
    #2 0x58e4b8 in liblnk_file_open_read /home/fuzzer/victim/liblnk/liblnk/liblnk_file.c:1282:16
    #3 0x58d718 in liblnk_file_open_file_io_handle /home/fuzzer/victim/liblnk/liblnk/liblnk_file.c:628:6
    #4 0x58d0de in liblnk_file_open /home/fuzzer/victim/liblnk/liblnk/liblnk_file.c:346:6
    #5 0x4eb095 in info_handle_open_input /home/fuzzer/victim/liblnk/lnktools/info_handle.c:415:6
    #6 0x4f1728 in main /home/fuzzer/victim/liblnk/lnktools/lnkinfo.c:265:6
    #7 0x7f4b3516682f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
    #8 0x418c68 in _start (/home/fuzzer/victim/liblnk/lnktools/lnkinfo+0x418c68)

0x60400000de7f is located 0 bytes to the right of 47-byte region [0x60400000de50,0x60400000de7f)
allocated by thread T0 here:
    #0 0x4b8d98 in malloc (/home/fuzzer/victim/liblnk/lnktools/lnkinfo+0x4b8d98)
    #1 0x5a454b in liblnk_location_information_read /home/fuzzer/victim/liblnk/liblnk/liblnk_location_information.c:1884:42
    #2 0x58e4b8 in liblnk_file_open_read /home/fuzzer/victim/liblnk/liblnk/liblnk_file.c:1282:16
    #3 0x58d718 in liblnk_file_open_file_io_handle /home/fuzzer/victim/liblnk/liblnk/liblnk_file.c:628:6

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/fuzzer/victim/liblnk/liblnk/liblnk_location_information.c:1090:4 in liblnk_location_information_read_data
Shadow bytes around the buggy address:
  0x0c087fff9b70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9b80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9b90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9ba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c087fff9bc0: fa fa fa fa fa fa fa fa fa fa 00 00 00 00 00[07]
  0x0c087fff9bd0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fd
  0x0c087fff9be0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
  0x0c087fff9bf0: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 fa
  0x0c087fff9c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==27633==ABORTING
fuzzer@fuzzer:~/victim/liblnk/lnktools$
@joachimmetz
Member

joachimmetz commented Oct 8, 2019

I'll have a closer look when time permits but this looks like an OOB read of 1, flagged by ASAN because it is strict by nature.

This is definitely no Heap Buffer overflow since nothing is written.

We found Heap Buffer Overflow in lnkinfo binary and lnkinfo is complied with clang enabling ASAN.

@c0d3xpl0it can you spend a bit more time analyzing the fuzzer results before making claims next time, thanks in advance.

@joachimmetz joachimmetz changed the title Heap Buffer Overflow in lnkinfo possible OOB read of 1 in liblnk_location_information.c:1884 Oct 8, 2019
@joachimmetz joachimmetz changed the title possible OOB read of 1 in liblnk_location_information.c:1884 possible allocation of 0 in liblnk_location_information.c:1884 Oct 8, 2019
@joachimmetz joachimmetz changed the title possible allocation of 0 in liblnk_location_information.c:1884 possible OOB read of 1 in liblnk_location_information.c#L1090 Oct 8, 2019
@nluedtke

Appears to have been assigned CVE-2019-17401.

@joachimmetz
Member

joachimmetz commented Oct 10, 2019

@nluedtke thanks for the info but per #33 CVE numbers and NVD evaluations are essentially useless security advice.

@joachimmetz
Member

joachimmetz commented Oct 10, 2019

POC is not considered a valid file and hits another safe guard.

liblnk_location_information_read_data: network share name offset exceeds network share information data.
liblnk_location_information_read: unable to read location information.
liblnk_file_open_read: unable to read location information.
liblnk_file_open_file_io_handle: unable to read from file IO handle.
liblnk_file_open: unable to open file: issue40-1.lnk.
info_handle_open_input: unable to open input file.

Yet another example of Mitre CVE failing to do due diligence.

Worst case for the POC is an OOB read of 8, but the data read does not appear to be used further since the error path is triggered. So this is mainly an issue with little/no impact.

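As an added illustration of the class of check discussed in this thread (this is example code, not liblnk's code and not the fix in 6a5ee82): a hypothetical reader takes a name offset from a record and validates it against the size of the data block before dereferencing. The lax comparison accepts offset == size and would read the single byte just past a 47-byte block, which is the kind of read ASAN reports as heap-buffer-overflow; the strict comparison, together with a bounded search for the string terminator, returns an error instead. The record layout, function names and the sample block are all constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record layout (not liblnk's): a data block of data_size
 * bytes holds a NUL-terminated name starting at name_offset. */

/* Off-by-one variant: accepts name_offset == data_size, so the first byte
 * read, data[data_size], lies 0 bytes past the end of the allocation.
 * That is the 1-byte out-of-bounds read ASAN flags. */
int name_offset_ok_lax(size_t name_offset, size_t data_size)
{
    return name_offset <= data_size;
}

/* Correct variant: the first byte of the name must itself be inside the block. */
int name_offset_ok_strict(size_t name_offset, size_t data_size)
{
    return name_offset < data_size;
}

/* Copies the NUL-terminated name at name_offset into out (out_size bytes).
 * Returns the name length on success, -1 when the offset, the terminator or
 * the copy would fall outside its buffer. Only bytes inside data are touched. */
int read_name(const uint8_t *data, size_t data_size, size_t name_offset,
              char *out, size_t out_size)
{
    if (data == NULL || out == NULL || out_size == 0)
        return -1;
    if (!name_offset_ok_strict(name_offset, data_size))
        return -1;

    /* Search for the terminator only within the remaining bytes of the block. */
    const uint8_t *start = data + name_offset;
    size_t remaining = data_size - name_offset;
    const uint8_t *nul = memchr(start, 0, remaining);
    if (nul == NULL)
        return -1;          /* unterminated: continuing would run past the block */

    size_t len = (size_t)(nul - start);
    if (len + 1 > out_size)
        return -1;
    memcpy(out, start, len + 1);
    return (int)len;
}

/* Constructed sample: a 47-byte block (the region size in the ASAN report
 * above) filled with filler bytes and the name "share" at offset 40. */
void build_sample_block(uint8_t *block, size_t block_size)
{
    memset(block, 'x', block_size);
    if (block_size >= 46)
        memcpy(block + 40, "share", 6);   /* 5 chars + NUL, occupies 40..45 */
}

/* Convenience wrapper: read_name result for the sample block at name_offset. */
int sample_name_length_at(size_t name_offset)
{
    uint8_t block[47];
    char name[32];
    build_sample_block(block, sizeof block);
    return read_name(block, sizeof block, name_offset, name, sizeof name);
}

int main(void)
{
    printf("lax check, offset 47 in 47 bytes:    %s\n",
           name_offset_ok_lax(47, 47) ? "accepted (1-byte OOB read)" : "rejected");
    printf("strict check, offset 47 in 47 bytes: %s\n",
           name_offset_ok_strict(47, 47) ? "accepted" : "rejected");
    printf("read_name at offset 40 -> %d\n", sample_name_length_at(40));
    printf("read_name at offset 46 -> %d (no terminator in bounds)\n",
           sample_name_length_at(46));
    printf("read_name at offset 47 -> %d (offset at end of block)\n",
           sample_name_length_at(47));
    return 0;
}
```

The point of the strict form is that both the first byte and the terminator are proven to lie inside the block before any byte is read, so a truncated or malformed file takes the error path rather than touching the redzone; this is the behaviour a sanitizer build should be expected to show on corrupt input.
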
@c0d3xpl0it
Author

@joachimmetz

Below is the output with the attached POC on the old commit c962bb7, lnkinfo 20191006 (on which I reported the issue):

fuzzer@thickfuzzer:~/victim/liblnk/lnktools$ ./lnkinfo -v POC
lnkinfo 20191006

=================================================================
==28265==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000ddff at pc 0x0000005a4184 bp 0x7ffe2b2b9610 sp 0x7ffe2b2b9608
READ of size 1 at 0x60400000ddff thread T0
    #0 0x5a4183 in liblnk_location_information_read_data /home/fuzzer/victim/liblnk/liblnk/liblnk_location_information.c:1090:4
    #1 0x5a45d7 in liblnk_location_information_read /home/fuzzer/victim/liblnk/liblnk/liblnk_location_information.c:1915:6
    #2 0x58e4b8 in liblnk_file_open_read /home/fuzzer/victim/liblnk/liblnk/liblnk_file.c:1282:16
    #3 0x58d718 in liblnk_file_open_file_io_handle /home/fuzzer/victim/liblnk/liblnk/liblnk_file.c:628:6
    #4 0x58d0de in liblnk_file_open /home/fuzzer/victim/liblnk/liblnk/liblnk_file.c:346:6
    #5 0x4eb095 in info_handle_open_input /home/fuzzer/victim/liblnk/lnktools/info_handle.c:415:6
    #6 0x4f1728 in main /home/fuzzer/victim/liblnk/lnktools/lnkinfo.c:265:6
    #7 0x7f7c3fbbc82f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
    #8 0x418c68 in _start (/home/fuzzer/victim/liblnk/lnktools/lnkinfo+0x418c68)

0x60400000ddff is located 0 bytes to the right of 47-byte region [0x60400000ddd0,0x60400000ddff)
allocated by thread T0 here:
    #0 0x4b8d98 in malloc (/home/fuzzer/victim/liblnk/lnktools/lnkinfo+0x4b8d98)
    #1 0x5a454b in liblnk_location_information_read /home/fuzzer/victim/liblnk/liblnk/liblnk_location_information.c:1884:42
    #2 0x58e4b8 in liblnk_file_open_read /home/fuzzer/victim/liblnk/liblnk/liblnk_file.c:1282:16
    #3 0x58d718 in liblnk_file_open_file_io_handle /home/fuzzer/victim/liblnk/liblnk/liblnk_file.c:628:6
    #4 0x7f7c3fbd5785 in getenv /build/glibc-LK5gWL/glibc-2.23/stdlib/getenv.c:35

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/fuzzer/victim/liblnk/liblnk/liblnk_location_information.c:1090:4 in liblnk_location_information_read_data
Shadow bytes around the buggy address:
  0x0c087fff9b60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9b70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9b80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9b90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9ba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c087fff9bb0: fa fa fa fa fa fa fa fa fa fa 00 00 00 00 00[07]
  0x0c087fff9bc0: fa fa 00 00 00 00 00 02 fa fa fd fd fd fd fd fd
  0x0c087fff9bd0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fd
  0x0c087fff9be0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
  0x0c087fff9bf0: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 fa
  0x0c087fff9c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==28265==ABORTING

Below is the output with the attached POC on the latest commit 6a5ee82, lnkinfo 20191010:

fuzzer@thickfuzzer:~/victim/test/liblnk/lnktools$ ./lnkinfo -v /home/fuzzer/victim/liblnk/lnktools/POC
lnkinfo 20191010

liblnk_location_information_read_data: location information value size value out of bounds.
liblnk_location_information_read: unable to read location information.
liblnk_file_open_read: unable to read location information.
liblnk_file_open_file_io_handle: unable to read from file IO handle.
liblnk_file_open: unable to open file: /home/fuzzer/victim/liblnk/lnktools/POC.
info_handle_open_input: unable to open input file.

@joachimmetz
Member

joachimmetz commented Oct 10, 2019

@c0d3xpl0it yes I know, what are you trying to tell me? That adding an additional safeguard prevents ASAN from raising the issue?

BTW if you run c962bb7 without ASAN you'll get:

liblnk_location_information_read_data: network share name offset exceeds network share information data.
liblnk_location_information_read: unable to read location information.
liblnk_file_open_read: unable to read location information.
liblnk_file_open_file_io_handle: unable to read from file IO handle.
liblnk_file_open: unable to open file: issue40-1.lnk.
info_handle_open_input: unable to open input file.

@joachimmetz
Member

joachimmetz commented Oct 10, 2019

For completeness, since I did not get around to this yet: added an additional safeguard to prevent ASAN detecting an OOB read in 6a5ee82.

Closing issue

@joachimmetz joachimmetz changed the title possible OOB read of 1 in liblnk_location_information.c#L1090 possible OOB read of 1 in liblnk_location_information.c#L1090 causes ASAN warning Oct 11, 2019
@joachimmetz joachimmetz changed the title possible OOB read of 1 in liblnk_location_information.c#L1090 causes ASAN warning OOB read of 1 in liblnk_location_information.c#L1090 causes ASAN warning Oct 11, 2019
@joachimmetz
Member

joachimmetz commented Oct 12, 2019

And again NVD showing their incompetence as usual https://nvd.nist.gov/vuln/detail/CVE-2019-17401:

CVSS v2.0 Severity and Metrics:
Base Score: 2.1 LOW
Vector: (AV:L/AC:L/Au:N/C:N/I:N/A:P) (V2 legend)
Impact Subscore: 2.9
Exploitability Subscore: 3.9

Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (AU): None
Confidentiality (C): None
Integrity (I): None
Availability (A): Partial
Additional Information:
Allows disruption of service

"Allows disruption of service" WTF?

  • the file is not considered valid to start with, so there is no proof of a disruption
  • liblnk does not provide "a service"


3 participants