Yeraze / ytnef

Yeraze's TNEF Stream Reader - for winmail.dat files
GNU General Public License v2.0

[Security] double-free issue with ytnef #90

Closed 5n1p3r0010 closed 3 years ago

5n1p3r0010 commented 3 years ago

Hi,

There is a double-free issue with ytnef; this can be reproduced on the latest commit.

Project Github Address:

https://github.com/Yeraze/ytnef

Steps To Reproduce:

Steps to build with ASan:

./autogen.sh
CC=gcc CXX=g++ CFLAGS="-fsanitize=address" CXXFLAGS="-fsanitize=address" ./configure
make

To execute the ytnef ELF directly we probably need to add the libs to the ld path. Steps:

1. sudo gedit /etc/ld.so.conf.d/my.conf
2. add /path/to/ytnef/lib/.libs/
3. sudo ldconfig

run as: /path/to/ytnef/ytnef/.libs/ytnef /path/to/poc

The ytnef build with ASan shows:

ERROR: invalid alloc size 260 at ytnef.c : 307, suspected corruption (exceeded 100 bytes)
=================================================================
==335384==ERROR: AddressSanitizer: attempting double-free on 0x602000000030 in thread T0:
    #0 0x7f89f9c777cf in __interceptor_free (/lib/x86_64-linux-gnu/libasan.so.5+0x10d7cf)
    #1 0x7f89f9b4dd69 in TNEFFree (/home/r00t/fuzz/target/ytnef/lib/.libs/libytnef.so.0+0xdd69)
    #2 0x563599c05092 in main (/home/r00t/fuzz/target/ytnef/ytnef/.libs/ytnef+0x6092)
    #3 0x7f89f99750b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #4 0x563599c0472d in _start (/home/r00t/fuzz/target/ytnef/ytnef/.libs/ytnef+0x572d)

0x602000000030 is located 0 bytes inside of 5-byte region [0x602000000030,0x602000000035)
freed by thread T0 here:
    #0 0x7f89f9c777cf in __interceptor_free (/lib/x86_64-linux-gnu/libasan.so.5+0x10d7cf)
    #1 0x7f89f9b46825 in TNEFSubjectHandler (/home/r00t/fuzz/target/ytnef/lib/.libs/libytnef.so.0+0x6825)
    #2 0x7f89f9b509fd in TNEFParse (/home/r00t/fuzz/target/ytnef/lib/.libs/libytnef.so.0+0x109fd)
    #3 0x7f89f9b4f477 in TNEFParseFile (/home/r00t/fuzz/target/ytnef/lib/.libs/libytnef.so.0+0xf477)
    #4 0x563599c04f8f in main (/home/r00t/fuzz/target/ytnef/ytnef/.libs/ytnef+0x5f8f)
    #5 0x7f89f99750b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

previously allocated by thread T0 here:
    #0 0x7f89f9c77dc6 in calloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10ddc6)
    #1 0x7f89f9b4687a in TNEFSubjectHandler (/home/r00t/fuzz/target/ytnef/lib/.libs/libytnef.so.0+0x687a)
    #2 0x7f89f9b509fd in TNEFParse (/home/r00t/fuzz/target/ytnef/lib/.libs/libytnef.so.0+0x109fd)
    #3 0x7f89f9b4f477 in TNEFParseFile (/home/r00t/fuzz/target/ytnef/lib/.libs/libytnef.so.0+0xf477)
    #4 0x563599c04f8f in main (/home/r00t/fuzz/target/ytnef/ytnef/.libs/ytnef+0x5f8f)
    #5 0x7f89f99750b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

SUMMARY: AddressSanitizer: double-free (/lib/x86_64-linux-gnu/libasan.so.5+0x10d7cf) in __interceptor_free
==335384==ABORTING

Reporter:

5n1p3r0010 from Topsec Alpha Lab

ytnef-double_free1.zip
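The trace above places the first free() in TNEFSubjectHandler and the second in TNEFFree, i.e. the handler released the subject buffer but left the pointer in the parser state for teardown to free again. As an added example (not ytnef's code and not part of this report), a constructed model of that ownership pattern written the safe way round: validate and allocate first, free the old buffer last, and clear the pointer on teardown; the 100-byte budget and the 260-byte attribute are taken from the sanitizer messages and are modelled here as assumptions.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model of the ownership pattern behind the trace (not ytnef's code). */
typedef struct { unsigned char *data; size_t size; } Buf;
typedef struct { Buf subject; size_t bytes_left; } Parser;

/* Hardened subject handler. The reported trace arises when a handler frees the
 * previous buffer first, then bails out on a rejected allocation size while the
 * struct still holds the freed pointer; the teardown routine then frees it again.
 * Here the old buffer stays owned until the replacement is fully in place. */
static int subject_handler(Parser *p, const unsigned char *data, size_t size) {
    if (size == 0 || size > p->bytes_left)  /* declared length must fit the remaining input */
        return -1;                          /* reject: old subject is untouched and still owned */
    unsigned char *fresh = calloc(size, 1);
    if (fresh == NULL)
        return -1;
    memcpy(fresh, data, size);
    free(p->subject.data);                  /* release the old subject only now; free(NULL) is a no-op */
    p->subject.data = fresh;
    p->subject.size = size;
    p->bytes_left -= size;
    return 0;
}

/* Teardown: clears the pointer so a second teardown cannot double-free. */
static void parser_free(Parser *p) {
    free(p->subject.data);
    p->subject.data = NULL;
    p->subject.size = 0;
}

/* Replays the sequence the sanitizer report implies: a 5-byte subject, then a
 * subject whose declared length (260) exceeds the assumed 100-byte budget.
 * Returns 1 if exactly the oversized attribute was rejected, the first subject
 * survived intact, and teardown could run twice without harm. */
int replay_report_sequence(void) {
    Parser p = { { NULL, 0 }, 100 };
    const unsigned char first[5] = { 'a', 'b', 'c', 'd', '\0' };
    unsigned char big[260];
    int rejected = 0, kept;
    memset(big, 'A', sizeof big);
    if (subject_handler(&p, first, sizeof first) != 0) rejected++;
    if (subject_handler(&p, big, sizeof big) != 0) rejected++;
    kept = p.subject.data != NULL && p.subject.size == 5 &&
           memcmp(p.subject.data, first, 5) == 0;
    parser_free(&p);
    parser_free(&p);   /* harmless: pointer was already cleared */
    return rejected == 1 && kept;
}
```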

ohwgiles commented 3 years ago

Dup of #85

5n1p3r0010 commented 3 years ago

Sorry for not checking that.