exploit the possibilities

libyal libfwsi Buffer Overread

libyal libfwsi Buffer Overread
Posted Oct 8, 2019
Authored by Mishra Dhiraj

In libyal libfwsi versions prior to 20191006, libfwsi_extension_block_copy_from_byte_stream in libfwsi_extension_block.c has a heap-based buffer over-read because rejection of an unsupported size only considers values less than 6, even though values of 6 and 7 are also unsupported.

tags | advisory
advisories | CVE-2019-17263
MD5 | 023163a259126ce043d5da57e3883280

libyal libfwsi Buffer Overread

Change Mirror Download
Exploit Title: libfwsi_extension_block minimum size should be 8 not 6
# Exploit Author: Dhiraj Mishra
# Vendor Homepage: https://github.com/libyal/libyal/wiki/Overview
# Software Link: https://github.com/libyal/libfwsi
# CVE: CVE-2019-17263
# References:
# https://nvd.nist.gov/vuln/detail/CVE-2019-17263
# https://github.com/libyal/libfwsi/issues/13

Summary:
In libyal libfwsi before 20191006,
libfwsi_extension_block_copy_from_byte_stream in libfwsi_extension_block.c
has a heap-based buffer over-read because rejection of an unsupported size
only considers values less than 6, even though values of 6 and 7 are also
unsupported.

ASAN:
==513==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x6140000003f6 at pc 0x0000005204c3 bp 0x7ffeb5d945c0 sp 0x7ffeb5d945b8
READ of size 1 at 0x6140000003f6 thread T0
#0 0x5204c2 in libfwsi_extension_block_copy_from_byte_stream
/home/dhiraj/liblnk/libfwsi/libfwsi_extension_block.c:276:2
libyal/liblnk#1 0x52a8f7 in libfwsi_item_copy_from_byte_stream
/home/dhiraj/liblnk/libfwsi/libfwsi_item.c:1245:13
libyal/liblnk#2 0x52e64f in libfwsi_item_list_copy_from_byte_stream
/home/dhiraj/liblnk/libfwsi/libfwsi_item_list.c:334:7
libyal/liblnk#3 0x517f94 in info_handle_link_target_identifier_fprint
/home/dhiraj/liblnk/lnktools/info_handle.c:2207:7
libyal/liblnk#4 0x518f5e in info_handle_file_fprint
/home/dhiraj/liblnk/lnktools/info_handle.c:2667:6
libyal/liblnk#5 0x519dd4 in main
/home/dhiraj/liblnk/lnktools/lnkinfo.c:277:6
libyal/liblnk#6 0x7f6705b65b96 in __libc_start_main
/build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
libyal/liblnk#7 0x41a319 in _start
(/home/dhiraj/liblnk/lnktools/lnkinfo+0x41a319)

0x6140000003f6 is located 0 bytes to the right of 438-byte region
[0x614000000240,0x6140000003f6)
allocated by thread T0 here:
#0 0x4da1d0 in malloc (/home/dhiraj/liblnk/lnktools/lnkinfo+0x4da1d0)
libyal/liblnk#1 0x517e37 in info_handle_link_target_identifier_fprint
/home/dhiraj/liblnk/lnktools/info_handle.c:2159:45
libyal/liblnk#2 0x518f5e in info_handle_file_fprint
/home/dhiraj/liblnk/lnktools/info_handle.c:2667:6
libyal/liblnk#3 0x7f6705b65b96 in __libc_start_main
/build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/dhiraj/liblnk/libfwsi/libfwsi_extension_block.c:276:2 in
libfwsi_extension_block_copy_from_byte_stream
Shadow bytes around the buggy address:
0x0c287fff8020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c287fff8030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 fa
0x0c287fff8040: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c287fff8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c287fff8060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c287fff8070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[06]fa
0x0c287fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c287fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c287fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c287fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c287fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==513==ABORTING

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

February 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    1 Files
  • 2
    Feb 2nd
    2 Files
  • 3
    Feb 3rd
    17 Files
  • 4
    Feb 4th
    15 Files
  • 5
    Feb 5th
    24 Files
  • 6
    Feb 6th
    16 Files
  • 7
    Feb 7th
    19 Files
  • 8
    Feb 8th
    1 Files
  • 9
    Feb 9th
    2 Files
  • 10
    Feb 10th
    15 Files
  • 11
    Feb 11th
    20 Files
  • 12
    Feb 12th
    12 Files
  • 13
    Feb 13th
    18 Files
  • 14
    Feb 14th
    17 Files
  • 15
    Feb 15th
    4 Files
  • 16
    Feb 16th
    4 Files
  • 17
    Feb 17th
    34 Files
  • 18
    Feb 18th
    15 Files
  • 19
    Feb 19th
    19 Files
  • 20
    Feb 20th
    20 Files
  • 21
    Feb 21st
    15 Files
  • 22
    Feb 22nd
    2 Files
  • 23
    Feb 23rd
    2 Files
  • 24
    Feb 24th
    16 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files
  • 29
    Feb 29th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close