Discoverer: Ji Tiantian of Key Laboratory of Trustworthy Distributed Computing and Service (BUPT), Ministry of Education, Beijing University of Posts and Telecommunications
Description:
A stack-buffer-overflow vulnerability exists in the read_file function. The vulnerability is triggered at libeconf/lib/getfilecontents.c, line 503.
The statement is: if (*(p + 1) != '\0') *(p + 1) = '\0'; (line 503).
The pointer variable p points to a location in the memory buffer buf.
The statements are: name = buf; ... ... p = strchr(name, comment[i]);
However, when the strchr function is used to search for characters in the string name, it does not check whether the pointer p is outside the bounds of the name array.
Finally, at line 503, the assignment *(p + 1) = '\0' creates a stack overflow vulnerability if the location pointed to by p is outside the bounds of the buffer.
Reproduction:
Please reproduce this vulnerability using the following PoC.
This PoC is obtained by modifying the input data based on the test/tst-logindefs1.c testcase.
Use this PoC to replace the tst-logindefs1.c file in the libeconf/tests directory and configure the C compiler to use the -fsanitize=address flag, as follows:
The PoC file and the input file are here and here, respectively.
Using this command: /libeconfDir/build/tests/tst-logindefs1 read_file_503, you will get the following outputs:
This is the corresponding information of this overflow vulnerability from AddressSanitizer.
Attackers can use this bug to achieve a DoS attack or even a remote code execution attack.
Please reproduce and fix this vulnerability.
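The defect described in the report is a write at p + 1 whose position was never compared against the size of the buffer that p points into. The helper below is an added example, not libeconf's code or the reporter's PoC: a hypothetical strip_comment() that does the same job (cut a line at the first comment character) while bounding both the scan and the write by an explicit buffer length, so an unterminated or exactly-filled buffer can never push the write past its end.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical hardened helper (added example, not libeconf's code).
 * Cuts the line held in buf at the first character that also occurs in
 * comment.  buflen is the full size of buf; no byte outside
 * buf[0..buflen-1] is ever read or written.
 * Returns 1 if the line was cut, 0 if no comment character is present,
 * -1 on invalid arguments. */
int strip_comment(char *buf, size_t buflen, const char *comment)
{
    if (buf == NULL || comment == NULL || buflen == 0)
        return -1;

    /* Length of the string actually inside buf, never beyond buflen,
     * even if the caller forgot to NUL-terminate it. */
    size_t len = 0;
    while (len < buflen && buf[len] != '\0')
        len++;

    /* Scan only the len bytes known to exist instead of calling strchr
     * on buf, which would trust that a terminator follows.  buf[i] is
     * never '\0' here, so strchr on the (short, terminated) comment set
     * cannot match the terminator by accident. */
    for (size_t i = 0; i < len; i++) {
        if (strchr(comment, buf[i]) != NULL) {
            /* i < len <= buflen, so this write is always inside buf. */
            buf[i] = '\0';
            return 1;
        }
    }
    return 0;
}
```

The loop bound comes from the caller's buflen, so an exactly-filled buffer with no terminator (the case an unbounded strchr cannot handle) is simply scanned and left alone.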