Open LeeHun9 opened 1 year ago
Hi, I am running some experiments for AFLNET and it has found a global-buffer-overflow bug in recv when sent this pdus to tcpmodbus
recv
poc: poc.zip
To reproduce: Complie the demo/LINUXTCP with ASAN
then use aflnet-replay to send the binary_poc to the port, detail in aflnet
I also captured the pcap file when send those pdus to the tcpmodbus, both pcap and binary in poc.zip
ASAN show this information:
================================================================= ==62032==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000daefa7 at pc 0x00000046d94c bp 0x7f77940fec50 sp 0x7f77940fe418 WRITE of size 36 at 0x000000daefa7 thread T1 #0 0x46d94b in recv (/home/ubuntu/Documents/freemodbus/demo/LINUXTCP/tcpmodbus+0x46d94b) #1 0x4c9d48 in xMBPortTCPPool /home/ubuntu/Documents/freemodbus/demo/LINUXTCP/port/porttcp.c:224:25 #2 0x4c8ca4 in xMBPortEventGet /home/ubuntu/Documents/freemodbus/demo/LINUXTCP/port/portevent.c:69:17 #3 0x4cb3df in eMBPoll /home/ubuntu/Documents/freemodbus/demo/LINUXTCP/../../modbus/mb.c:351:9 #4 0x4c7dd4 in pvPollingThread /home/ubuntu/Documents/freemodbus/demo/LINUXTCP/demo.c:195:17 #5 0x7f7797a97608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8 #6 0x7f7797842132 in clone /build/glibc-SzIz7B/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95 0x000000daefa7 is located 0 bytes to the right of global variable 'aucTCPBuf' defined in 'port/porttcp.c:80:17' (0xdaeea0) of size 263 SUMMARY: AddressSanitizer: global-buffer-overflow (/home/ubuntu/Documents/freemodbus/demo/LINUXTCP/tcpmodbus+0x46d94b) in recv Shadow bytes around the buggy address: 0x0000801adda0: 00 00 00 00 01 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 0x0000801addb0: f9 f9 f9 f9 00 00 00 00 04 f9 f9 f9 f9 f9 f9 f9 0x0000801addc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0000801addd0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00 0x0000801adde0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0000801addf0: 00 00 00 00[07]f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 0x0000801ade00: 02 f9 f9 f9 f9 f9 f9 f9 02 f9 f9 f9 f9 f9 f9 f9 0x0000801ade10: 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 0x0000801ade20: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 0x0000801ade30: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 01 f9 f9 f9 0x0000801ade40: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc Thread T1 created by T0 here: #0 0x480dfa in pthread_create (/home/ubuntu/Documents/freemodbus/demo/LINUXTCP/tcpmodbus+0x480dfa) #1 0x4c6264 in bCreatePollingThread /home/ubuntu/Documents/freemodbus/demo/LINUXTCP/demo.c:169:13 #2 0x4c6264 in main /home/ubuntu/Documents/freemodbus/demo/LINUXTCP/demo.c:92:21 #3 0x7f7797747082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16 ==62032==ABORTING
Hi, I am running some experiments for AFLNET and it has found a global-buffer-overflow bug in
recv
when sent this pdus to tcpmodbuspoc: poc.zip
To reproduce: Complie the demo/LINUXTCP with ASAN
then use aflnet-replay to send the binary_poc to the port, detail in aflnet
I also captured the pcap file when send those pdus to the tcpmodbus, both pcap and binary in poc.zip
ASAN show this information: