
SegmentFault in getNumberOfElements in src/mms/iso_mms/server/mms_access_result.c #197

Closed
sleicasper opened this issue Dec 24, 2019 · 2 comments

Comments

@sleicasper

There is an out-of-bounds read vulnerability in getNumberOfElements because getNumberOfElements doesn't check the bufPos and elementLength arguments. So bufPos and elementLength can be very large numbers.


poc:
poc.zip

result in gdb:

gdb-peda$ r < fuzzout/crashes/id:000042,sig:06,src:000153,op:havoc,rep:16
Starting program: /home/casper/targets/struct/libiec61850/afl/fuzzrun/fuzzmmsdata < fuzzout/crashes/id:000042,sig:06,src:000153,op:havoc,rep:16
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x80000009 --> 0x0
RBX: 0x7fffffffe240 --> 0x0
RCX: 0x1ffffffff01f3127
RDX: 0x6000216f9 --> 0x0
RSI: 0x7fffffffe200 --> 0x7fffffff --> 0x0
RDI: 0xffffffff80f98939
RBP: 0x7fffffffe310 --> 0x4c27c0 (<__libc_csu_init>:	push   r15)
RSP: 0x7fffffffe1e0 --> 0x41b58ab3
RIP: 0x7ffff7913021 (<MmsValue_decodeMmsData+993>:	movzx  ecx,BYTE PTR [rcx+0x7fff8000])
R8 : 0xf98930 --> 0xff7f8600868908a1
R9 : 0xffffffffc40 --> 0x0
R10: 0x6
R11: 0x6
R12: 0x1
R13: 0x1
R14: 0xa ('\n')
R15: 0x9 ('\t')
EFLAGS: 0x10a06 (carry PARITY adjust zero sign trap INTERRUPT direction OVERFLOW)
[-------------------------------------code-------------------------------------]
   0x7ffff7913017 <MmsValue_decodeMmsData+983>:	add    rdi,r8
   0x7ffff791301a <MmsValue_decodeMmsData+986>:	mov    rcx,rdi
   0x7ffff791301d <MmsValue_decodeMmsData+989>:	shr    rcx,0x3
=> 0x7ffff7913021 <MmsValue_decodeMmsData+993>:	movzx  ecx,BYTE PTR [rcx+0x7fff8000]
   0x7ffff7913028 <MmsValue_decodeMmsData+1000>:	test   cl,cl
   0x7ffff791302a <MmsValue_decodeMmsData+1002>:	jne    0x7ffff791315d <MmsValue_decodeMmsData+1309>
   0x7ffff7913030 <MmsValue_decodeMmsData+1008>:	lea    rsp,[rsp-0x98]
   0x7ffff7913038 <MmsValue_decodeMmsData+1016>:	mov    QWORD PTR [rsp],rdx
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffe1e0 --> 0x41b58ab3
0008| 0x7fffffffe1e8 --> 0x7ffff7b769cc ("3 32 4 24 elementLength.addr.i:152 48 4 14 dataLength:163 64 4 17 elementLength:187")
0016| 0x7fffffffe1f0 --> 0x7ffff7912c40 (<MmsValue_decodeMmsData>:	lea    rsp,[rsp-0x98])
0024| 0x7fffffffe1f8 --> 0x0
0032| 0x7fffffffe200 --> 0x7fffffff --> 0x0
0040| 0x7fffffffe208 --> 0x0
0048| 0x7fffffffe210 --> 0x8
0056| 0x7fffffffe218 --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00007ffff7913021 in getNumberOfElements (buffer=0xf98930 <globalbuf> "\241\b\211\206", bufPos=0x80000009, elementLength=0x7fffffff) at /home/casper/targets/struct/libiec61850/afl/SRC/src/mms/iso_mms/server/mms_access_result.c:106
106	         uint8_t tag = buffer[bufPos++];
gdb-peda$ bt
#0  0x00007ffff7913021 in getNumberOfElements (buffer=0xf98930 <globalbuf> "\241\b\211\206", bufPos=0x80000009, elementLength=0x7fffffff) at /home/casper/targets/struct/libiec61850/afl/SRC/src/mms/iso_mms/server/mms_access_result.c:106
#1  MmsValue_decodeMmsData (buffer=<optimized out>, bufPos=0x216f9, bufferLength=<optimized out>, endBufPos=<optimized out>) at /home/casper/targets/struct/libiec61850/afl/SRC/src/mms/iso_mms/server/mms_access_result.c:176
#2  0x00000000004c2378 in main () at ../fuzzsrc/fuzzmmsdata.c:12
#3  0x00007ffff683fb97 in __libc_start_main (main=0x4c22e0 <main>, argc=0x1, argv=0x7fffffffe408, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe3f8) at ../csu/libc-start.c:310
#4  0x000000000041acfa in _start ()
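The failure mode the report describes, as an added example that is not libiec61850's code: a bounds-checked counter of BER TLV elements in the body of a constructed value, with a minimal length decoder. The names `ber_decode_length`, `count_elements_checked` and the sample arrays are mine, and single-byte tags are assumed (as in MMS data). From the gdb dump above, the faulting address 0xffffffff80f98939 is buffer (0xf98930) plus bufPos (0x80000009) sign-extended from a 32-bit int, i.e. the index went negative and the read landed roughly 2 GiB below the buffer; for the same values a 32-bit `bufPos + elementLength` wraps to 8, so an end-of-element check built on that sum would not stop the loop. The example below keeps positions unsigned and compares by subtraction so that neither wrap can happen, and it rejects the region before touching a byte.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example (not libiec61850 code): count the BER TLV elements in
 * buf[bufPos .. bufPos+elementLength) without ever reading outside buf.
 * Single-byte tags are assumed, as in MMS data.
 */

/* Decode a BER length at buf[pos] without reading at or past 'limit'.
 * Accepts the short form and the long form with 1..4 length octets;
 * rejects the indefinite form (0x80) and anything truncated. */
static bool ber_decode_length(const uint8_t *buf, size_t limit, size_t pos,
                              size_t *len, size_t *next)
{
    if (pos >= limit)
        return false;
    uint8_t first = buf[pos++];
    if (first < 0x80) {              /* short form: one octet */
        *len = first;
        *next = pos;
        return true;
    }
    size_t n = first & 0x7f;         /* long form: n length octets follow */
    if (n == 0 || n > 4 || n > limit - pos)
        return false;
    size_t v = 0;
    for (size_t i = 0; i < n; i++)
        v = (v << 8) | buf[pos++];
    *len = v;
    *next = pos;
    return true;
}

/* Returns the element count, or -1 if the region or any inner element
 * lies outside the buffer. Arguments are unsigned and compared by
 * subtraction, so a huge bufPos or elementLength cannot wrap the way a
 * signed 'bufPos + elementLength' computed in int would. */
int count_elements_checked(const uint8_t *buf, size_t bufLen,
                           size_t bufPos, size_t elementLength)
{
    if (bufPos > bufLen || elementLength > bufLen - bufPos)
        return -1;                   /* region is not inside the buffer */
    size_t end = bufPos + elementLength;   /* cannot overflow: end <= bufLen */
    int count = 0;
    while (bufPos < end) {
        bufPos++;                    /* tag octet; bufPos < end, so in range */
        size_t len, next;
        if (!ber_decode_length(buf, end, bufPos, &len, &next))
            return -1;               /* length octets truncated or malformed */
        if (len > end - next)
            return -1;               /* value runs past the enclosing element */
        bufPos = next + len;
        count++;
    }
    return count;
}

/* Hand-built sample input: three MMS-style elements, 11 octets in total. */
const uint8_t sample_body[] = {
    0x85, 0x01, 0x05,                   /* integer 5 */
    0x83, 0x01, 0x00,                   /* boolean false */
    0x8a, 0x03, 'a', 'b', 'c'           /* visible-string "abc" */
};
const size_t sample_body_len = sizeof sample_body;

/* Hand-built sample: inner length claims 16 octets, only 1 is present. */
const uint8_t sample_truncated[] = { 0x85, 0x10, 0x05 };
const size_t sample_truncated_len = sizeof sample_truncated;

/* Hand-built sample: one element with a long-form length (0x81 0x02). */
const uint8_t sample_long_form[] = { 0x85, 0x81, 0x02, 0x01, 0x02 };
const size_t sample_long_form_len = sizeof sample_long_form;

int main(void)
{
    int ok  = count_elements_checked(sample_body, sample_body_len, 0, sample_body_len);
    int big = count_elements_checked(sample_body, sample_body_len, 9, 0x7fffffffu);
    int far = count_elements_checked(sample_body, sample_body_len, 0x80000009u, 0x7fffffffu);
    int cut = count_elements_checked(sample_truncated, sample_truncated_len, 0, sample_truncated_len);
    printf("well-formed: %d, oversized length: %d, out-of-range offset: %d, truncated inner: %d\n",
           ok, big, far, cut);
    return 0;
}
```

The two crash-like inputs (bufPos 9 with elementLength 0x7fffffff, and the dump's own bufPos 0x80000009) are rejected by the first comparison before the loop runs; the truncated inner element is caught by the `len > end - next` check, which is the same invariant applied one level down.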
@mzillgith
Contributor

Thanks for the bug report! Should be fixed with 23e381f

@jonm01

jonm01 commented Mar 3, 2020

CVE-2019-19957
