There is an out-of-bounds read vulnerability in getNumberOfElements because getNumberOfElements doesn't check the bufPos and elementLength arguments. So bufPos and elementLength can be very large numbers.
poc: poc.zip
result in gdb:
```
gdb-peda$ r < fuzzout/crashes/id:000042,sig:06,src:000153,op:havoc,rep:16
Starting program: /home/casper/targets/struct/libiec61850/afl/fuzzrun/fuzzmmsdata < fuzzout/crashes/id:000042,sig:06,src:000153,op:havoc,rep:16
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x80000009 --> 0x0
RBX: 0x7fffffffe240 --> 0x0
RCX: 0x1ffffffff01f3127
RDX: 0x6000216f9 --> 0x0
RSI: 0x7fffffffe200 --> 0x7fffffff --> 0x0
RDI: 0xffffffff80f98939
RBP: 0x7fffffffe310 --> 0x4c27c0 (<__libc_csu_init>: push r15)
RSP: 0x7fffffffe1e0 --> 0x41b58ab3
RIP: 0x7ffff7913021 (<MmsValue_decodeMmsData+993>: movzx ecx,BYTE PTR [rcx+0x7fff8000])
R8 : 0xf98930 --> 0xff7f8600868908a1
R9 : 0xffffffffc40 --> 0x0
R10: 0x6
R11: 0x6
R12: 0x1
R13: 0x1
R14: 0xa ('\n')
R15: 0x9 ('\t')
EFLAGS: 0x10a06 (carry PARITY adjust zero sign trap INTERRUPT direction OVERFLOW)
[-------------------------------------code-------------------------------------]
   0x7ffff7913017 <MmsValue_decodeMmsData+983>: add rdi,r8
   0x7ffff791301a <MmsValue_decodeMmsData+986>: mov rcx,rdi
   0x7ffff791301d <MmsValue_decodeMmsData+989>: shr rcx,0x3
=> 0x7ffff7913021 <MmsValue_decodeMmsData+993>: movzx ecx,BYTE PTR [rcx+0x7fff8000]
   0x7ffff7913028 <MmsValue_decodeMmsData+1000>: test cl,cl
   0x7ffff791302a <MmsValue_decodeMmsData+1002>: jne 0x7ffff791315d <MmsValue_decodeMmsData+1309>
   0x7ffff7913030 <MmsValue_decodeMmsData+1008>: lea rsp,[rsp-0x98]
   0x7ffff7913038 <MmsValue_decodeMmsData+1016>: mov QWORD PTR [rsp],rdx
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffe1e0 --> 0x41b58ab3
0008| 0x7fffffffe1e8 --> 0x7ffff7b769cc ("3 32 4 24 elementLength.addr.i:152 48 4 14 dataLength:163 64 4 17 elementLength:187")
0016| 0x7fffffffe1f0 --> 0x7ffff7912c40 (<MmsValue_decodeMmsData>: lea rsp,[rsp-0x98])
0024| 0x7fffffffe1f8 --> 0x0
0032| 0x7fffffffe200 --> 0x7fffffff --> 0x0
0040| 0x7fffffffe208 --> 0x0
0048| 0x7fffffffe210 --> 0x8
0056| 0x7fffffffe218 --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00007ffff7913021 in getNumberOfElements (buffer=0xf98930 <globalbuf> "\241\b\211\206", bufPos=0x80000009, elementLength=0x7fffffff) at /home/casper/targets/struct/libiec61850/afl/SRC/src/mms/iso_mms/server/mms_access_result.c:106
106	    uint8_t tag = buffer[bufPos++];
gdb-peda$ bt
#0  0x00007ffff7913021 in getNumberOfElements (buffer=0xf98930 <globalbuf> "\241\b\211\206", bufPos=0x80000009, elementLength=0x7fffffff) at /home/casper/targets/struct/libiec61850/afl/SRC/src/mms/iso_mms/server/mms_access_result.c:106
#1  MmsValue_decodeMmsData (buffer=<optimized out>, bufPos=0x216f9, bufferLength=<optimized out>, endBufPos=<optimized out>) at /home/casper/targets/struct/libiec61850/afl/SRC/src/mms/iso_mms/server/mms_access_result.c:176
#2  0x00000000004c2378 in main () at ../fuzzsrc/fuzzmmsdata.c:12
#3  0x00007ffff683fb97 in __libc_start_main (main=0x4c22e0 <main>, argc=0x1, argv=0x7fffffffe408, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe3f8) at ../csu/libc-start.c:310
#4  0x000000000041acfa in _start ()
```
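The crash frame shows the two arguments the report names: bufPos=0x80000009 and elementLength=0x7fffffff. As 32-bit signed ints those are -2147483639 and INT_MAX, so a helper that computes an end offset as bufPos + elementLength and loops while bufPos < endBufPos (an assumption about the pattern, not a statement about the library's source) would enter its loop with a negative index. The following is an added example, not libiec61850's code and not the fix in 23e381f: a hypothetical, bounds-checked element counter (countElementsChecked) for a simplified TLV layout (one tag byte, one short-form length byte, value), plus a small helper (naiveLoopWouldEnter) that models the unchecked loop condition with the report's values. The sample buffer is constructed for the example.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Hypothetical, bounds-checked element counter. Not libiec61850's code and
 * not the fix in 23e381f; it only shows the checks a getNumberOfElements-style
 * helper needs before it touches buffer[bufPos].
 * Assumed encoding: 1 tag byte, 1 short-form length byte (< 0x80), value.
 * Returns the number of elements, or -1 on invalid arguments or data.
 */
int
countElementsChecked(const uint8_t* buffer, int bufferLength,
                     int bufPos, int elementLength)
{
    /* Negative values are never valid offsets or lengths. */
    if (buffer == NULL || bufferLength < 0 || bufPos < 0 || elementLength < 0)
        return -1;

    /* Compare against the remaining space with a subtraction, so the sum
     * bufPos + elementLength is never formed before it is known to fit. */
    if (bufPos > bufferLength || elementLength > bufferLength - bufPos)
        return -1;

    int endBufPos = bufPos + elementLength; /* <= bufferLength from here on */
    int elementCount = 0;

    while (bufPos < endBufPos) {
        if (endBufPos - bufPos < 2)      /* need a tag byte and a length byte */
            return -1;
        bufPos++;                        /* tag byte; its value is not needed */
        int length = buffer[bufPos++];
        if (length >= 0x80)              /* long-form lengths not modelled here */
            return -1;
        if (length > endBufPos - bufPos) /* value would run past the element */
            return -1;
        bufPos += length;
        elementCount++;
    }
    return elementCount;
}

/*
 * Models an unchecked helper that computes endBufPos = bufPos + elementLength
 * and loops while bufPos < endBufPos. Returns 1 if such a loop would enter
 * (and read buffer[bufPos]), 0 if not, and -1 if the signed addition itself
 * would overflow (undefined behaviour in C, so it is refused, not performed).
 */
int
naiveLoopWouldEnter(int bufPos, int elementLength)
{
    if (elementLength >= 0 && bufPos > INT_MAX - elementLength)
        return -1;
    if (elementLength < 0 && bufPos < INT_MIN - elementLength)
        return -1;
    int endBufPos = bufPos + elementLength;
    return bufPos < endBufPos;
}

/* The argument values from the gdb output above, as 32-bit signed ints:
 * 0x80000009 is -2147483639 and 0x7fffffff is INT_MAX. */
#define REPORT_BUFPOS        (-2147483639)
#define REPORT_ELEMENTLENGTH INT_MAX

/* Constructed sample: three TLV elements, 9 bytes in total. */
static const uint8_t kSample[] = {
    0x85, 0x01, 0x05,       /* element 1: length 1 */
    0x85, 0x02, 0x01, 0x02, /* element 2: length 2 */
    0x84, 0x00              /* element 3: length 0 */
};
#define kSampleLen ((int) sizeof(kSample))

int
main(void)
{
    printf("valid sample: %d elements\n",
           countElementsChecked(kSample, kSampleLen, 0, kSampleLen));
    printf("elementLength past buffer end: %d\n",
           countElementsChecked(kSample, kSampleLen, 0, kSampleLen + 1));
    printf("report values, checked helper: %d\n",
           countElementsChecked(kSample, kSampleLen,
                                REPORT_BUFPOS, REPORT_ELEMENTLENGTH));
    printf("report values, naive loop enters: %d\n",
           naiveLoopWouldEnter(REPORT_BUFPOS, REPORT_ELEMENTLENGTH));
    return 0;
}
```

The checked version never forms bufPos + elementLength until both operands are known to be non-negative and elementLength is known to fit in bufferLength - bufPos, and every inner read is preceded by a comparison against the remaining bytes of the enclosing element; with the report's values it returns -1 without touching the buffer, while the modelled unchecked loop would enter.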
Thanks for the bug report! Should be fixed with 23e381f
CVE-2019-19957