heap-buffer-overflow in snmplib/snmpv3.c:587 #732

Open
moshekaplan opened this issue Oct 16, 2023 · 2 comments
moshekaplan commented Oct 16, 2023

$ ./agent/snmpd -fd -C -r -c "fuzz_input.conf.txt" 127.0.0.1:12345
=================================================================
==239331==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200002b710 at pc 0x7f2aba5d2143 bp 0x7ffc96108ed0 sp 0x7ffc96108ec0
WRITE of size 4 at 0x60200002b710 thread T0
    #0 0x7f2aba5d2142 in setup_engineID /home/user/Desktop/net-snmp/snmplib/snmpv3.c:587
    #1 0x7f2aba5d462d in init_snmpv3_post_premib_config /home/user/Desktop/net-snmp/snmplib/snmpv3.c:1114
    #2 0x7f2aba5e486c in snmp_call_callbacks /home/user/Desktop/net-snmp/snmplib/callback.c:360
    #3 0x7f2aba5ac78a in read_premib_configs /home/user/Desktop/net-snmp/snmplib/read_config.c:1114
    #4 0x7f2aba51a6a4 in init_snmp /home/user/Desktop/net-snmp/snmplib/snmp_api.c:925
    #5 0x5583ed7faec1 in main /home/user/Desktop/net-snmp/agent/snmpd.c:909
    #6 0x7f2ab9a23a8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #7 0x7f2ab9a23b48 in __libc_start_main_impl ../csu/libc-start.c:360
    #8 0x5583ed7f7ee4 in _start (/home/user/Desktop/net-snmp/agent/.libs/snmpd+0x8ee4) (BuildId: 5a392703b0edb942f603e011c18761693f91fd48)

0x60200002b711 is located 0 bytes after 1-byte region [0x60200002b710,0x60200002b711)
allocated by thread T0 here:
    #0 0x7f2abc0de9a7 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:77
    #1 0x7f2aba5d2043 in setup_engineID /home/user/Desktop/net-snmp/snmplib/snmpv3.c:579
    #2 0x7f2aba5d462d in init_snmpv3_post_premib_config /home/user/Desktop/net-snmp/snmplib/snmpv3.c:1114
    #3 0x7f2aba5e486c in snmp_call_callbacks /home/user/Desktop/net-snmp/snmplib/callback.c:360
    #4 0x7f2aba5ac78a in read_premib_configs /home/user/Desktop/net-snmp/snmplib/read_config.c:1114
    #5 0x7f2aba51a6a4 in init_snmp /home/user/Desktop/net-snmp/snmplib/snmp_api.c:925
    #6 0x5583ed7faec1 in main /home/user/Desktop/net-snmp/agent/snmpd.c:909
    #7 0x7f2ab9a23a8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/user/Desktop/net-snmp/snmplib/snmpv3.c:587 in setup_engineID
Shadow bytes around the buggy address:
  0x60200002b480: fa fa 05 fa fa fa 07 fa fa fa 05 fa fa fa 07 fa
  0x60200002b500: fa fa 05 fa fa fa 07 fa fa fa 05 fa fa fa 07 fa
  0x60200002b580: fa fa 05 fa fa fa 07 fa fa fa 00 03 fa fa 07 fa
  0x60200002b600: fa fa 05 fa fa fa 05 fa fa fa 00 02 fa fa 06 fa
  0x60200002b680: fa fa 07 fa fa fa 04 fa fa fa 00 fa fa fa 04 fa
=>0x60200002b700: fa fa[01]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x60200002b780: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x60200002b800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x60200002b880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x60200002b900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x60200002b980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==239331==ABORTING

moshekaplan commented Oct 17, 2023

Triggering conf file
fuzz_input.zip

@moshekaplan moshekaplan changed the title heap-buffer-overflow in snmplib/snmpv3.c:702 heap-buffer-overflow in snmplib/snmpv3.c:587 Oct 17, 2023

moshekaplan commented Oct 17, 2023

I did some triage on this one.

The engine ID type is detected as ENGINEID_TYPE_NETSNMP_RND, but no engineID is set. So the value of len is oldEngineID (which is 0):
https://github.com/net-snmp/net-snmp/blob/master/snmplib/snmpv3.c#L557-L561

    case ENGINEID_TYPE_NETSNMP_RND:        /* Net-SNMP specific encoding */
        if (engineID)           /* already setup, keep current value */
            return engineIDLength;
        if (oldEngineID) {
            len = oldEngineIDLength;

It then reaches: https://github.com/net-snmp/net-snmp/blob/master/snmplib/snmpv3.c#L579

    if ((bufp = calloc(1, len)) == NULL) {

and so effectively calls calloc(1,0). The successive memcpy on line 587 then goes out of bounds:

    memcpy(bufp, &netsnmpoid, sizeof(netsnmpoid)); /* XXX Must be 4 bytes! */
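As an added illustration (not Net-SNMP's code), a hardened form of the calloc/memcpy step described in the triage above: the length is checked against the minimum that the 4-byte OID and format byte need before anything is allocated, so a `len` of 0 inherited from an unset `oldEngineIDLength` is rejected instead of reaching `memcpy`. `build_rnd_engine_id`, `netsnmpoid_example`, `FORMAT_BYTE_EXAMPLE` and the fixed tail pattern are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the 4-byte netsnmpoid used in snmpv3.c; the
 * real value and the real format-byte constant live in Net-SNMP. */
static const uint32_t netsnmpoid_example = 0x80001f88u;
#define FORMAT_BYTE_EXAMPLE 0x80          /* assumed format byte */

#define ENGINEID_MIN_LEN 5                /* 4-byte OID + 1 format byte */
#define ENGINEID_MAX_LEN 32               /* RFC 3411 SnmpEngineID upper bound */

/* Hypothetical hardened version of the calloc+memcpy step from the report.
 * Writes an engine ID of exactly `len` bytes into a fresh buffer and returns
 * its length, or returns 0 (and sets *out to NULL) when `len` cannot hold the
 * 4-byte OID plus format byte. A zero length inherited from an unset
 * oldEngineIDLength is therefore rejected before calloc(1, 0) is ever called. */
size_t build_rnd_engine_id(unsigned char **out, size_t len)
{
    unsigned char *bufp;
    size_t i;

    *out = NULL;
    if (len < ENGINEID_MIN_LEN || len > ENGINEID_MAX_LEN)
        return 0;                           /* reject before allocating */
    if ((bufp = calloc(1, len)) == NULL)
        return 0;
    /* The 4-byte copy is now guaranteed to fit: len >= 5. */
    memcpy(bufp, &netsnmpoid_example, sizeof(netsnmpoid_example));
    bufp[4] = FORMAT_BYTE_EXAMPLE;
    /* Net-SNMP fills the tail with random bytes; a fixed pattern keeps this
     * example deterministic. */
    for (i = 5; i < len; i++)
        bufp[i] = (unsigned char)(0xA0 + i);
    *out = bufp;
    return len;
}

int main(void)
{
    unsigned char *id = NULL;
    size_t n = build_rnd_engine_id(&id, 0);   /* the length from the report */
    printf("len 0 -> %zu bytes (rejected)\n", n);
    n = build_rnd_engine_id(&id, 13);
    printf("len 13 -> %zu bytes\n", n);
    free(id);
    return 0;
}
```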
