Stack Based Buffer Overflow When Processing Markdown Files #4
Comments
True it is, md2roff is a utility that is designed to have no such protection. Please explain to me how this can give root privileges, since it is designed to run in userspace?

btw strcpy(pat, mdic[i].wrong); <-- this is wrong since it is copied from a static array

104: strcpy(d, s);

164: strcpy(buf, src);

I added a limit for the header words and phrases (titles), but this is not the only string of unspecified size.

Hi @nereusx, sorry for the confusion. I am not suggesting that all of the referenced strcpy instances are vulnerable, rather that 'strcpy' has been superseded by 'strncpy'. In reference to privilege escalation, if the binary is compiled with sudo privileges or is run as a server/service by another user, the user taking advantage of this overflow will inherit their access privileges.
As long as the available buffer (on either the heap or stack) is large enough to contain the input string this problem will disappear. The risk here isn't super high, but I thought I would just give you a heads up.

Well, it is safe enough now. If you want to use it with
Hi!
I'm a big fan of md2roff. It's been quite useful and has come in handy in so many situations!
Stack Based Buffer Overflow
I wanted to make you aware of a stack based buffer overflow vulnerability in the md2roff tool. A buffer overflow condition exists when a program attempts to put more data in a buffer than it can hold or when a program attempts to put data in a memory area past a buffer. At a minimum this will lead to a denial of service (if md2roff is run as a server/service) but can also lead to arbitrary code execution and privilege escalation as a result of the return pointer (on the stack) being overwritten.
Reproduction
To reproduce the vulnerability, execute the following commands in Linux once you have compiled the program (using the default Makefile).
Create a markdown file with a large number of integers:
Verify the markdown file contains our large buffer of '1's:
Execute md2roff using any preferred flags and confirm the segfault:
Using GDB we can see that we successfully redirected the execution of the program. We can see our '1's on the stack and the program attempting to return to 0x3131313131313131 (which is '1' repeated in hex).
Remediation
Replace all instances of strcpy with strncpy and ensure the content being read into the buffer is the same size or smaller than the available buffer space:
md2roff/md2roff.c, line 104 in 2a350a1
md2roff/md2roff.c, line 164 in 2a350a1
md2roff/md2roff.c, line 230 in 2a350a1
md2roff/md2roff.c, line 683 in 2a350a1
Useful References
https://owasp.org/www-community/vulnerabilities/Buffer_Overflow
https://cwe.mitre.org/data/definitions/121.html
https://man7.org/linux/man-pages/man3/strcpy.3.html -> Check the warning in the description
https://linux.die.net/man/3/strncpy -> Safer way to copy a buffer