
Buffer overflow in 'void md2roff(const char *docname, const char *source)' #5

Open
Halcy0nic opened this issue Sep 19, 2022 · 0 comments

@Halcy0nic

Hello @nereusx

I hope all is well on your end!

After pulling the most recent version of md2roff (Version 1.9 at the time of writing), I ran my fuzz tests again and discovered a buffer overflow in the 'void md2roff' function inside md2roff.c:

```c
void md2roff(const char *docname, const char *source) {
```

This is similar to #4, just in a different place. I believe the same patch you used for #4 could also be applied here. I've attached a file for replicating the issue.

Replication

1. Run the file with the buffer overrun and verify the stack was smashed:

   (screenshots: crash, return_pointer_overwrite, origional_function)

2. Calculate the return address overwrite location:

   (screenshot: calculate)

3. Use some technique such as ret2libc to escalate privileges if md2roff is compiled with elevated privileges.

Attachment: fuzz.zip
