vcftools 0.1.15 Out-Of-Bounds Read / Denial Of Service / Buffer Overflow

Posted May 16, 2018
Authored by Webin Security Lab

vcftools version 0.1.15 suffers from out-of-bounds read, denial of service, buffer overflow, and use-after-free vulnerabilities.

tags | advisory, denial of service, overflow, vulnerability
advisories | CVE-2018-11099, CVE-2018-11129, CVE-2018-11130
MD5 | 2651784ca5ca6bc6e1c40cc6eaf3dd7e

vcftools multiple vulnerabilities
=================================
Author: Webin security lab - dbapp security Ltd
===============================================


Introduction:
=============
A set of tools written in Perl and C++ for working with VCF files, such as those generated by the 1000 Genomes Project.
Project website: https://vcftools.github.io/

Affected version:
=================
0.1.15

Vulnerability Description:
==========================
1. The header::add_INFO_descriptor function in header.cpp in vcftools 0.1.15 allows remote attackers to cause an information disclosure (heap-buffer-overflow, out-of-bounds read) via a crafted VCF file.


./vcftools --vcf heap-buffer-overflow.vcf

==15884==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000368 at pc 0x0000005dd54f bp 0x7ffed30cd750 sp 0x7ffed30cd748
READ of size 8 at 0x603000000368 thread T0
#0 0x5dd54e in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::size() const /usr/bin/../lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/bits/basic_string.h:716:16
#1 0x5dd54e in header::str2int(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int) /home/xxx/vcftools/src/cpp/header.cpp:490
#2 0x5dd54e in header::add_INFO_descriptor(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int) /home/xxx/vcftools/src/cpp/header.cpp:128
#3 0x5d6746 in header::parse_meta(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned int&) /home/xxx/vcftools/src/cpp/header.cpp:30:17
#4 0x841afe in vcf_file::read_header() /home/xxx/vcftools/src/cpp/vcf_file.cpp:62:15
#5 0x840db3 in vcf_file::vcf_file(parameters const&, bool) /home/xxx/vcftools/src/cpp/vcf_file.cpp:42:2
#6 0x84c112 in main /home/xxx/vcftools/src/cpp/vcftools.cpp:31:12
#7 0x7f462144282f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#8 0x41ec18 in _start (/home/xxx/vcftools/afl-fuzz/vcftools+0x41ec18)

0x603000000368 is located 8 bytes to the right of 32-byte region [0x603000000340,0x603000000360)
allocated by thread T0 here:
#0 0x4e2e48 in __interceptor_malloc (/home/xxx/vcftools/afl-fuzz/vcftools+0x4e2e48)
#1 0x7f46223c1e77 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x8de77)
#2 0x5ee39c in std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >::push_back(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /usr/bin/../lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/bits/stl_vector.h:923:4
#3 0x5ee39c in header::tokenize(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, char, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&) /home/xxx/vcftools/src/cpp/header.cpp:453
#4 0x5d986c in header::add_INFO_descriptor(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int) /home/xxx/vcftools/src/cpp/header.cpp:120:3
#5 0x5d6746 in header::parse_meta(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned int&) /home/xxx/vcftools/src/cpp/header.cpp:30:17
#6 0x841afe in vcf_file::read_header() /home/xxx/vcftools/src/cpp/vcf_file.cpp:62:15
#7 0x840db3 in vcf_file::vcf_file(parameters const&, bool) /home/xxx/vcftools/src/cpp/vcf_file.cpp:42:2
#8 0x84c112 in main /home/xxx/vcftools/src/cpp/vcftools.cpp:31:12
#9 0x7f462144282f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291


Reproducer:
heap-buffer-overflow.vcf
CVE:
CVE-2018-11099


2. The header::add_INFO_descriptor function in header.cpp in vcftools 0.1.15 allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via a crafted VCF file.

./vcftools --vcf uaf.vcf

==15368==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000001ff0 at pc 0x000000447851 bp 0x7ffe55a71430 sp 0x7ffe55a70be0
READ of size 17 at 0x603000001ff0 thread T0
#4 0x5da1b2 in header::add_INFO_descriptor(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int) /home/xxx/vcftools/src/cpp/header.cpp:145
#5 0x5d6746 in header::parse_meta(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned int&) /home/xxx/vcftools/src/cpp/header.cpp:30:17
#6 0x841afe in vcf_file::read_header() /home/xxx/vcftools/src/cpp/vcf_file.cpp:62:15
#7 0x840db3 in vcf_file::vcf_file(parameters const&, bool) /home/xxx/vcftools/src/cpp/vcf_file.cpp:42:2
#8 0x84c112 in main /home/xxx/vcftools/src/cpp/vcftools.cpp:31:12
#9 0x7fd92c51482f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#10 0x41ec18 in _start (/home/xxx/vcftools/afl-fuzz/vcftools+0x41ec18)

0x603000001ff0 is located 0 bytes inside of 18-byte region [0x603000001ff0,0x603000002002)
freed by thread T0 here:
#12 0x5edf6c in header::tokenize(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, char, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&) /home/xxx/vcftools/src/cpp/header.cpp:448
#13 0x5d986c in header::add_INFO_descriptor(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int) /home/xxx/vcftools/src/cpp/header.cpp:120:3
#14 0x5d6746 in header::parse_meta(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned int&) /home/xxx/vcftools/src/cpp/header.cpp:30:17
#15 0x841afe in vcf_file::read_header() /home/xxx/vcftools/src/cpp/vcf_file.cpp:62:15
#16 0x840db3 in vcf_file::vcf_file(parameters const&, bool) /home/xxx/vcftools/src/cpp/vcf_file.cpp:42:2
#17 0x84c112 in main /home/xxx/vcftools/src/cpp/vcftools.cpp:31:12
#18 0x7fd92c51482f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291

previously allocated by thread T0 here:
#0 0x4e2e48 in __interceptor_malloc (/home/xxx/vcftools/afl-fuzz/vcftools+0x4e2e48)
#1 0x7fd92d493e77 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x8de77)
#2 0x5d986c in header::add_INFO_descriptor(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int) /home/xxx/vcftools/src/cpp/header.cpp:120:3
#3 0x5d6746 in header::parse_meta(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned int&) /home/xxx/vcftools/src/cpp/header.cpp:30:17
#4 0x841afe in vcf_file::read_header() /home/xxx/vcftools/src/cpp/vcf_file.cpp:62:15
#5 0x840db3 in vcf_file::vcf_file(parameters const&, bool) /home/xxx/vcftools/src/cpp/vcf_file.cpp:42:2
#6 0x84c112 in main /home/xxx/vcftools/src/cpp/vcftools.cpp:31:12
#7 0x7fd92c51482f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291

Reproducer:
uaf.vcf
CVE:
CVE-2018-11129

3. The header::add_FORMAT_descriptor function in header.cpp in vcftools allows remote attackers to cause remote code execution (heap-use-after-free) via a crafted VCF file.

./vcftools --vcf uaf1.vcf

==15444==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000000560 at pc 0x0000004b983c bp 0x7ffc678f42e0 sp 0x7ffc678f3a90
READ of size 2 at 0x606000000560 thread T0
#3 0x5e40ca in header::add_FORMAT_descriptor(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int) /home/xxx/vcftools/src/cpp/header.cpp:216
#4 0x5d7409 in header::parse_meta(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned int&) /home/xxx/vcftools/src/cpp/header.cpp:38:17
#5 0x841afe in vcf_file::read_header() /home/xxx/vcftools/src/cpp/vcf_file.cpp:62:15
#6 0x840db3 in vcf_file::vcf_file(parameters const&, bool) /home/xxx/vcftools/src/cpp/vcf_file.cpp:42:2
#7 0x84c112 in main /home/xxx/vcftools/src/cpp/vcftools.cpp:31:12
#8 0x7efe8ad9782f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#9 0x41ec18 in _start (/home/xxx/vcftools/afl-fuzz/vcftools+0x41ec18)

0x606000000560 is located 0 bytes inside of 49-byte region [0x606000000560,0x606000000591)
freed by thread T0 here:
#12 0x5edf6c in header::tokenize(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, char, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&) /home/xxx/vcftools/src/cpp/header.cpp:448
#13 0x5e408b in header::add_FORMAT_descriptor(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int) /home/xxx/vcftools/src/cpp/header.cpp:215:3
#14 0x5d7409 in header::parse_meta(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned int&) /home/xxx/vcftools/src/cpp/header.cpp:38:17
#15 0x841afe in vcf_file::read_header() /home/xxx/vcftools/src/cpp/vcf_file.cpp:62:15
#16 0x840db3 in vcf_file::vcf_file(parameters const&, bool) /home/xxx/vcftools/src/cpp/vcf_file.cpp:42:2
#17 0x84c112 in main /home/xxx/vcftools/src/cpp/vcftools.cpp:31:12
#18 0x7efe8ad9782f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291

previously allocated by thread T0 here:
#0 0x4e2e48 in __interceptor_malloc (/home/xxx/vcftools/afl-fuzz/vcftools+0x4e2e48)
#1 0x7efe8bd16e77 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x8de77)
#2 0x5e408b in header::add_FORMAT_descriptor(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int) /home/xxx/vcftools/src/cpp/header.cpp:215:3
#3 0x5d7409 in header::parse_meta(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned int&) /home/xxx/vcftools/src/cpp/header.cpp:38:17
#4 0x841afe in vcf_file::read_header() /home/xxx/vcftools/src/cpp/vcf_file.cpp:62:15
#5 0x840db3 in vcf_file::vcf_file(parameters const&, bool) /home/xxx/vcftools/src/cpp/vcf_file.cpp:42:2
#6 0x84c112 in main /home/xxx/vcftools/src/cpp/vcftools.cpp:31:12
#7 0x7efe8ad9782f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291

Reproducer:
uaf1.vcf
CVE:
CVE-2018-11130
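The three traces above share two root-cause patterns that the sanitizer output makes visible: finding 1 reads 8 bytes just past a 32-byte region that a vector-of-string push_back in header::tokenize allocated (an index into a token vector with too few elements), and findings 2 and 3 read string storage that header::tokenize freed after the caller had already taken it (a reference into a token vector that the next tokenize call clears). The example below is added here and is not vcftools code; the names tokenize, str2int and parse_descriptor, the Descriptor struct and the simplified descriptor grammar are assumptions of this illustration, loosely modelled on the function names in the traces, not on the project's implementation. It shows a meta-line descriptor parser in which every token access is size-checked and every field value is copied out before the shared vector is reused, so neither bug class can occur.

```cpp
// Added example (not vcftools code): a bounds-checked, copy-based parser for
// the "<...>" body of VCF meta lines such as
//   ##INFO=<ID=DP,Number=1,Type=Integer,Description="Total depth">
// Hardened against the two defect classes reported above:
//  1. indexing a token vector without checking its size (OOB read), and
//  2. keeping a reference into a vector that is later re-tokenized (UAF).
// Simplification: quoted values containing ',' or '=' would need a
// quote-aware split; that is outside the scope of this illustration.
#include <cassert>
#include <cstdlib>
#include <iostream>
#include <string>
#include <vector>

// Split `s` on `delim`, replacing the contents of `out`. This destroys every
// previous element of `out`: any reference or pointer taken into `out`
// before the call is dangling afterwards.
static void tokenize(const std::string& s, char delim, std::vector<std::string>& out) {
    out.clear();
    std::string cur;
    for (char c : s) {
        if (c == delim) { out.push_back(cur); cur.clear(); }
        else cur.push_back(c);
    }
    out.push_back(cur);  // last (possibly empty) token
}

// Convert a decimal string to int, returning `fallback` on malformed input
// (including VCF's "." placeholder) instead of trusting the caller's index.
static int str2int(const std::string& s, int fallback) {
    if (s.empty()) return fallback;
    char* end = nullptr;
    long v = std::strtol(s.c_str(), &end, 10);
    if (end == s.c_str() || *end != '\0') return fallback;
    return static_cast<int>(v);
}

struct Descriptor {
    std::string id;
    int number = -1;        // VCF "Number" field; -1 = unknown / not parseable
    std::string type;
    std::string description;
    bool valid = false;     // true once ID and Type are both present
};

// Every access to the token vectors is guarded by a size check, and field
// values are copied (std::string by value) before the shared vector `kv` is
// reused, so no reference outlives the buffer it points into.
static Descriptor parse_descriptor(const std::string& body) {
    Descriptor d;
    std::vector<std::string> fields;
    std::vector<std::string> kv;   // reused for every field: never keep refs into it
    tokenize(body, ',', fields);
    for (size_t i = 0; i < fields.size(); ++i) {
        tokenize(fields[i], '=', kv);
        if (kv.size() < 2) continue;        // bare "KEY" without "=VALUE": skip, never index kv[1]
        const std::string key = kv[0];      // copies, not references
        const std::string value = kv[1];
        // Dangerous pattern (do NOT do this): hold `const std::string& value = kv[1];`,
        // call tokenize(..., kv) again (which clears `kv` and frees the string
        // storage), then read `value` -> heap-use-after-free.
        if (key == "ID") d.id = value;
        else if (key == "Number") d.number = str2int(value, -1);
        else if (key == "Type") d.type = value;
        else if (key == "Description") d.description = value;
    }
    d.valid = !d.id.empty() && !d.type.empty();
    return d;
}

int main() {
    // Constructed sample inputs: a well-formed descriptor and a malformed one.
    Descriptor ok = parse_descriptor("ID=DP,Number=1,Type=Integer,Description=\"Total depth\"");
    std::cout << "ID=" << ok.id << " Number=" << ok.number << " Type=" << ok.type
              << " valid=" << ok.valid << "\n";
    Descriptor bad = parse_descriptor("ID=DP,Number,Type=Integer");  // "Number" has no value
    std::cout << "ID=" << bad.id << " Number=" << bad.number << " valid=" << bad.valid << "\n";
    return 0;
}
```

Building a parser like this with `-fsanitize=address` and feeding it malformed headers (a field without `=`, an empty body, `Number=.`) is the cheapest regression check for exactly the classes of bug the traces above report: a missing size check shows up as the same heap-buffer-overflow read, and a retained reference across a tokenize call as the same heap-use-after-free.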

===============================
Best,
Webin security lab - dbapp security Ltd



