
Out of Bounds read in ISO9660 #1576

Open
nicowaisman opened this issue Jul 22, 2019 · 1 comment
Comments


Dear sleuthkit team,

I would like to report a security vulnerability in SleuthKit.

There is an out-of-bounds read in iso9660 while parsing System Use Sharing Protocol data.

In the parse_susp function, while parsing an ER entry, it will try to read the different Extension strings.
However, there is no check on the size fields, and the reads will go beyond the bounds of buf.

    else if ((head->sig[0] == 'E') && (head->sig[1] == 'R')) {
        iso9660_susp_er *er = (iso9660_susp_er *) buf;
        if (hFile) {
            char buf[258];
            fprintf(hFile, "ER Entry\n");

            memcpy(buf, er->ext_id, er->len_id);
            buf[er->len_id] = '\0';
            fprintf(hFile, "* Extension ID: %s\n", buf);

            memcpy(buf, er->ext_id + er->len_id, er->len_des);
            buf[er->len_des] = '\0';
            fprintf(hFile, "* Extension Descriptor: %s\n", buf);

            memcpy(buf, er->ext_id + er->len_id + er->len_des,
                er->len_src);
            buf[er->len_src] = '\0';
            fprintf(hFile, "* Extension Spec Source: %s\n", buf);

This can be triggered through the istat tool:

nico@genmaicha:~/Semmle/Projects/SleuthKit/sleuthkit/tools/fstools$ ./istat ~/Images/sample.iso 1
Entry: 1
Type: Directory
Links: 1
Flags:
Name: DIR1
Size: 2048

Rock Ridge Extension Data
ER Entry

* Extension ID: �
* Extension Descriptor:
* Extension Spec Source: ���������������������������4

Please let me know if you need my proof-of-concept ISO file, since I can't attach it through the GitHub report system.

The exact line can be found here:
https://lgtm.com/projects/g/sleuthkit/sleuthkit/snapshot/09ed6f84870b18aec51cbb9373e226d04264da8f/files/tsk/fs/iso9660.c?sort=name&dir=ASC&mode=heatmap#L215

Please let me know when you have fixed the vulnerability so that I can coordinate my disclosure with yours. For reference, here is a link to Semmle's vulnerability disclosure policy: https://lgtm.com/security#disclosure_policy

Thank you,

Nico Waisman
Semmle Security Research Team
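As an added illustration, not code from the report above or from The Sleuth Kit, the following C program shows the check that the posted snippet lacks. It models the SUSP ER entry layout ('E','R', LEN_ER, VER, LEN_ID, LEN_DES, LEN_SRC, EXT_VER, then the three strings back to back), rejects an entry whose len_id/len_des/len_src would reach past the entry or past the bytes actually present, and computes how far the unchecked memcpy sequence would read past the area for a constructed malformed entry instead of performing that read. The struct, the function names, and both sample entries are this example's own assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Sleuth Kit code.  The ER layout below follows the SUSP
 * spec: 'E','R', LEN_ER, VER, LEN_ID, LEN_DES, LEN_SRC, EXT_VER, then the
 * three strings back to back.  Type and field names are this example's own. */
#define ER_HDR_LEN 8

struct er_fields {
    /* Each length field is one byte, so 255 bytes + NUL always fits here;
     * the overrun in the report is on the source area, not on these. */
    char id[256];
    char des[256];
    char src[256];
};

/* Parse one ER entry starting at `area`, where `area_len` is the number of
 * bytes actually present from that point (the remainder of what the original
 * code calls buf).  Returns 0 on success, -1 if the entry is truncated or its
 * length fields would reach past the entry or past the area. */
int parse_er_checked(const uint8_t *area, size_t area_len, struct er_fields *out)
{
    if (area_len < ER_HDR_LEN)
        return -1;                      /* not even a complete header */
    if (area[0] != 'E' || area[1] != 'R')
        return -1;

    size_t len     = area[2];           /* LEN_ER: the whole entry */
    size_t len_id  = area[4];
    size_t len_des = area[5];
    size_t len_src = area[6];

    if (len < ER_HDR_LEN || len > area_len)
        return -1;                      /* entry claims more than is present */
    /* Summed in size_t, so three 8-bit fields cannot wrap around. */
    if (ER_HDR_LEN + len_id + len_des + len_src > len)
        return -1;                      /* strings would run past the entry */

    const uint8_t *p = area + ER_HDR_LEN;
    memcpy(out->id, p, len_id);   out->id[len_id]   = '\0'; p += len_id;
    memcpy(out->des, p, len_des); out->des[len_des] = '\0'; p += len_des;
    memcpy(out->src, p, len_src); out->src[len_src] = '\0';
    return 0;
}

/* Number of bytes past the end of `area` that the unchecked memcpy sequence
 * from the report would read for this entry (0 when it stays in bounds).
 * Computed arithmetically rather than by performing the out-of-bounds read. */
size_t unchecked_overrun(const uint8_t *area, size_t area_len)
{
    if (area_len < ER_HDR_LEN)
        return ER_HDR_LEN - area_len;
    size_t need = ER_HDR_LEN + area[4] + area[5] + area[6];
    return need > area_len ? need - area_len : 0;
}

/* Returns 1 if parsing succeeds and all three strings equal the expected ones. */
int er_matches(const uint8_t *area, size_t area_len,
               const char *id, const char *des, const char *src)
{
    struct er_fields f;
    if (parse_er_checked(area, area_len, &f) != 0)
        return 0;
    return strcmp(f.id, id) == 0 && strcmp(f.des, des) == 0 && strcmp(f.src, src) == 0;
}

/* Constructed sample entry (39 bytes): lengths 10, 10, 11 are consistent. */
const uint8_t good_er[] = {
    'E','R', 39, 1, 10, 10, 11, 1,
    'R','R','I','P','_','1','9','9','1','A',
    'R','O','C','K',' ','R','I','D','G','E',
    'C','O','N','S','T','R','U','C','T','E','D',
};

/* Constructed malformed entry: LEN_SRC claims 255 bytes where only 11 follow. */
const uint8_t bad_er[] = {
    'E','R', 39, 1, 10, 10, 255, 1,
    'R','R','I','P','_','1','9','9','1','A',
    'R','O','C','K',' ','R','I','D','G','E',
    'C','O','N','S','T','R','U','C','T','E','D',
};

int main(void)
{
    struct er_fields f;
    if (parse_er_checked(good_er, sizeof good_er, &f) == 0)
        printf("ER: id=%s des=%s src=%s\n", f.id, f.des, f.src);
    printf("good_er unchecked overrun: %zu bytes\n",
           unchecked_overrun(good_er, sizeof good_er));
    printf("bad_er rejected: %s, unchecked overrun: %zu bytes\n",
           parse_er_checked(bad_er, sizeof bad_er, &f) == -1 ? "yes" : "no",
           unchecked_overrun(bad_er, sizeof bad_er));
    return 0;
}
```

The two bounds that matter are different: the local 258-byte buffer in the posted snippet cannot be overflowed by a single string, because each length field is one byte, but the copies read from the SUSP area, and nothing in the snippet ties len_id, len_des or len_src to LEN_ER or to the bytes remaining in that area. For the malformed sample, the unchecked copies would read 244 bytes past the 39 bytes that exist.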


nluedtke commented Aug 5, 2019

This was assigned CVE-2019-14531.
