
[CVE-2021-46141] .hostText memory is not properly duped/freed in uriNormalizeSyntax*, uriMakeOwner*, uriFreeUriMembers* for some URIs #121

Closed
autofuzzoss opened this issue Sep 29, 2021 · 11 comments · Fixed by #124
Labels: bug (Something isn't working), security

Comments

autofuzzoss commented Sep 29, 2021

A bug was found within uriparser. Though it might not be an intended use of the relevant API, the bug can still produce critical issues within a program using uriparser. It would be best if the affected logic is checked beforehand.
The bug was found with a fuzzer based on the test code "TestNormalizeSyntaxMaskRequired".

Crash log:

==2151==ERROR: AddressSanitizer: SEGV on unknown address 0x0000004d9be0 (pc 0x00000041ca94 bp 0x000000000000 sp 0x7fff34437d00 T0)
==2151==The signal is caused by a WRITE memory access.
    #0 0x41ca94 in __asan::Allocator::Deallocate(void*, unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType)
    #1 0x493d41 in free 
    #2 0x4c6892 in (anonymous namespace)::countingFree(UriMemoryManagerStruct*, void*)
    #3 0x7fca1c05a4b2 in uriNormalizeSyntaxExMmA_ 

Steps to reproduce:

  1. git clone https://github.com/uriparser/uriparser.git
  2. cd uriparser && mkdir build && cd build
  3. Build
    cmake -DCMAKE_BUILD_TYPE=Release -DURIPARSER_BUILD_DOCS:BOOL=OFF -DBUILD_SHARED_LIBS:BOOL=ON ..
    make -j8
  4. Download the attached file(1.cpp)
  5. Build TEST CODE (1.cpp)
    clang++ -g -fsanitize=address,fuzzer-no-link -o 1 1.cpp -I uriparser/include/ -Luriparser/build -luriparser
  6. Run
    LD_LIBRARY_PATH=uriparser/build/ ./1

OS: Ubuntu 18.04
Attachment: uriparser_poc1.tar.gz
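A way to catch this class of ownership mistake in tests, as an added example that is neither uriparser's own code nor the reporter's attached 1.cpp: a tracking allocator of the same shape as the library's pluggable memory manager (the countingFree frame in the trace above belongs to a counting variant of the same idea), driven through a toy model of a .hostText pointer that is freed without first being duplicated into managed memory. The struct, field and function names are assumptions made for this illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for a pluggable allocator table shaped like uriparser's
 * UriMemoryManagerStruct (hypothetical; not the library's own header). */
typedef struct TrackMmStruct {
    void *(*malloc)(struct TrackMmStruct *, size_t);
    void (*free)(struct TrackMmStruct *, void *);
    void *userData;
} TrackMm;

#define TRACK_MAX 64
typedef struct { void *live[TRACK_MAX]; int liveCount; int badFrees; } TrackState;

static void *trackMalloc(TrackMm *mm, size_t n) {
    TrackState *st = mm->userData;
    void *p = malloc(n);
    if (p && st->liveCount < TRACK_MAX) st->live[st->liveCount++] = p;
    return p;
}

/* Frees only pointers this manager handed out; anything else (a pointer into
 * the caller's input, a stale double free) is counted instead of passed to free(),
 * so the test reports the bug instead of crashing inside the allocator. */
static void trackFree(TrackMm *mm, void *p) {
    TrackState *st = mm->userData;
    for (int i = 0; i < st->liveCount; i++)
        if (st->live[i] == p) { st->live[i] = st->live[--st->liveCount]; free(p); return; }
    st->badFrees++;
}

/* Toy model of the ownership mistake in the report: hostText still aliases the
 * caller's input buffer, yet "free members" releases it through the manager. */
typedef struct { char *hostText; } ToyUri;

static int runScenario(int dupHostBeforeFree) {
    TrackState st = {0};
    TrackMm mm = { trackMalloc, trackFree, &st };
    char input[] = "example.org";           /* constructed caller-owned buffer */
    ToyUri uri = { input };                 /* parse result points into the input */
    if (dupHostBeforeFree) {                /* "make owner": copy into managed memory */
        char *copy = mm.malloc(&mm, strlen(uri.hostText) + 1);
        strcpy(copy, uri.hostText);
        uri.hostText = copy;
    }
    mm.free(&mm, uri.hostText);             /* "free members" */
    return st.badFrees;                     /* 1 = bad free caught, 0 = clean */
}
```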

autofuzzoss changed the title from "input format check and memory manager issue" to "input format check and memory manager issue1" on Sep 29, 2021

hartwork (Member) commented:

@afosscontact thanks for the detailed report, I will have a closer look.

hartwork added a commit that referenced this issue Oct 15, 2021
Commit is viewed best with "git show --ignore-all-space <sha1>"
hartwork changed the title from "input format check and memory manager issue1" to ".hostText memory is not properly duped/freed in uriNormalizeSyntax*, uriMakeOwner*, uriFreeUriMembers*" on Oct 15, 2021
hartwork added the label "bug (Something isn't working)" on Oct 15, 2021
hartwork added this to the 0.9.6 milestone on Oct 15, 2021

hartwork (Member) commented:

@afosscontact confirming as a bug, fixed by pull request #124 (along with issue #122). Thanks for the report again! 🙏

autofuzzoss (Author) commented:

Thank you for the fix.
Is it possible to issue a CVE ID?
If it is not possible for you, should you ask MITRE?

hartwork (Member) commented:

Related: #122 (comment)

hartwork added a commit that referenced this issue Oct 21, 2021
Fix memory handling of uriNormalizeSyntax*, uriMakeOwner* and uriNormalizeSyntax* (fixes #121, fixes #122)
hartwork (Member) commented Dec 17, 2021

@junsik-kim0 I'm in the process of making a new release (see #128 and #129). Regarding the two issues you reported, my best knowledge so far is that they can cause denial of service. Are you aware of any other potential impact? Also, have you decided if you want to share your name with me and/or Mitre for the CVE finding credits? A soon reply would be great, and I would then request two CVEs, ideally before making the release. Thanks in advance! 🙏

autofuzzoss (Author) commented:

Hello, I agree to share a name.
My name is "Autofuzz",
because I am getting CVEs under the name AutoFuzz.
If the CVE number is issued, please let me know.
If you need any information, please let me know.
Thanks in advance! :)

hartwork (Member) commented Dec 20, 2021

> Hello, I agree to share a name My name is "Autofuzz" Because I am getting CVE in the name AutoFuzz.

I had a real name in mind, but okay, I can put "Autofuzz" in the Mitre form for discovery credits.

> If the CVE number is issued, please let me know. If you have any information you need, please let me know. Thanks in advance! :)

I'm still in the dark about the worst that could be done with an exploit on #121 and #122. Anything beyond a crash-caused denial-of-service? Are you aware of anything more? CWE-590: Free of Memory not on the Heap mentions "potential for arbitrary code execution" (emphasis mine) but I'm unsure if that's realistic for our case here. There is mention of "undefined behavior" elsewhere.

autofuzzoss (Author) commented:

I cannot be sure that this remote exploit (potential for arbitrary code execution) is possible,
but this is a potential danger that is a matter of memory logic, and it can cause denial of service in many applications that use the library.
I do not know the public API of uriparser, so I cannot know how dangerous this is.
Thank you.

hartwork changed the title from ".hostText memory is not properly duped/freed in uriNormalizeSyntax*, uriMakeOwner*, uriFreeUriMembers*" to ".hostText memory is not properly duped/freed in uriNormalizeSyntax*, uriMakeOwner*, uriFreeUriMembers* for some URIs" on Jan 5, 2022

autofuzzoss (Author) commented:

Is the CVE ID issuable?
I would appreciate it if you shared your progress.

hartwork (Member) commented Jan 6, 2022

Hi @junsik-kim0, I requested two CVEs from Mitre about four hours ago today at https://cveform.mitre.org/ . With some luck I hear back tomorrow.

hartwork changed the title from ".hostText memory is not properly duped/freed in uriNormalizeSyntax*, uriMakeOwner*, uriFreeUriMembers* for some URIs" to "[CVE-2021-46141] .hostText memory is not properly duped/freed in uriNormalizeSyntax*, uriMakeOwner*, uriFreeUriMembers* for some URIs" on Jan 6, 2022