what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

libyal libfwsi Buffer Overread

libyal libfwsi Buffer Overread
Posted Oct 8, 2019
Authored by Dhiraj Mishra

In libyal libfwsi versions prior to 20191006, libfwsi_extension_block_copy_from_byte_stream in libfwsi_extension_block.c has a heap-based buffer over-read because rejection of an unsupported size only considers values less than 6, even though values of 6 and 7 are also unsupported.

tags | advisory
advisories | CVE-2019-17263
SHA-256 | 46e852d4c7c1971b5e6984b6483409bbb11e258031a5a6fb7803147f5c7a344d

libyal libfwsi Buffer Overread

Change Mirror Download
Exploit Title: libfwsi_extension_block minimum size should be 8 not 6
# Exploit Author: Dhiraj Mishra
# Vendor Homepage: https://github.com/libyal/libyal/wiki/Overview
# Software Link: https://github.com/libyal/libfwsi
# CVE: CVE-2019-17263
# References:
# https://nvd.nist.gov/vuln/detail/CVE-2019-17263
# https://github.com/libyal/libfwsi/issues/13

Summary:
In libyal libfwsi before 20191006,
libfwsi_extension_block_copy_from_byte_stream in libfwsi_extension_block.c
has a heap-based buffer over-read because rejection of an unsupported size
only considers values less than 6, even though values of 6 and 7 are also
unsupported.

ASAN:
==513==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x6140000003f6 at pc 0x0000005204c3 bp 0x7ffeb5d945c0 sp 0x7ffeb5d945b8
READ of size 1 at 0x6140000003f6 thread T0
#0 0x5204c2 in libfwsi_extension_block_copy_from_byte_stream
/home/dhiraj/liblnk/libfwsi/libfwsi_extension_block.c:276:2
libyal/liblnk#1 0x52a8f7 in libfwsi_item_copy_from_byte_stream
/home/dhiraj/liblnk/libfwsi/libfwsi_item.c:1245:13
libyal/liblnk#2 0x52e64f in libfwsi_item_list_copy_from_byte_stream
/home/dhiraj/liblnk/libfwsi/libfwsi_item_list.c:334:7
libyal/liblnk#3 0x517f94 in info_handle_link_target_identifier_fprint
/home/dhiraj/liblnk/lnktools/info_handle.c:2207:7
libyal/liblnk#4 0x518f5e in info_handle_file_fprint
/home/dhiraj/liblnk/lnktools/info_handle.c:2667:6
libyal/liblnk#5 0x519dd4 in main
/home/dhiraj/liblnk/lnktools/lnkinfo.c:277:6
libyal/liblnk#6 0x7f6705b65b96 in __libc_start_main
/build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
libyal/liblnk#7 0x41a319 in _start
(/home/dhiraj/liblnk/lnktools/lnkinfo+0x41a319)

0x6140000003f6 is located 0 bytes to the right of 438-byte region
[0x614000000240,0x6140000003f6)
allocated by thread T0 here:
#0 0x4da1d0 in malloc (/home/dhiraj/liblnk/lnktools/lnkinfo+0x4da1d0)
libyal/liblnk#1 0x517e37 in info_handle_link_target_identifier_fprint
/home/dhiraj/liblnk/lnktools/info_handle.c:2159:45
libyal/liblnk#2 0x518f5e in info_handle_file_fprint
/home/dhiraj/liblnk/lnktools/info_handle.c:2667:6
libyal/liblnk#3 0x7f6705b65b96 in __libc_start_main
/build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/dhiraj/liblnk/libfwsi/libfwsi_extension_block.c:276:2 in
libfwsi_extension_block_copy_from_byte_stream
Shadow bytes around the buggy address:
0x0c287fff8020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c287fff8030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 fa
0x0c287fff8040: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c287fff8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c287fff8060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c287fff8070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[06]fa
0x0c287fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c287fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c287fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c287fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c287fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==513==ABORTING
Login or Register to add favorites

File Archive:

October 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    39 Files
  • 2
    Oct 2nd
    23 Files
  • 3
    Oct 3rd
    0 Files
  • 4
    Oct 4th
    0 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    0 Files
  • 8
    Oct 8th
    0 Files
  • 9
    Oct 9th
    0 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close