gdraheim / zziplib

The ZZIPlib provides read access on ZIP-archives and unpacked data. It features an additional simplified API following the standard Posix API for file access.

Heap-buffer-overflow in function __zzip_parse_root_directory() at zzip/zip.c:539 #164

Open zhuvensi opened 5 months ago

zhuvensi commented 5 months ago

Describe:

A heap-buffer-overflow was discovered in zziplib v0.13.77. The issue is being triggered in function __zzip_parse_root_directory() at zzip/zip.c:539. Attackers may exploit this vulnerability to execute and cause a DoS attack.

Reproduce:

Tested in Ubuntu 22.04. First, compile the program with address sanitizer:

AFL_USE_ASAN=1 CC=afl-clang-fast CXX=afl-clang-fast++ cmake ..

Then the PoC is input:

/home/zziplib/build/bins/unzzip -l /home/zziplib/build/fuzz_out/default/crashes/id:000000,sig:06,src:000083,time:235075,execs:252387,op:havoc,rep:2

ASAN Reports:

==2210678==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000011 at pc 0x7ff22c2f6efc bp 0x7ffca38ca1b0 sp 0x7ffca38ca1a8
READ of size 2 at 0x602000000011 thread T0
    #0 0x7ff22c2f6efb in __zzip_parse_root_directory /home/zziplib/zzip/zip.c:539:17
    #1 0x7ff22c2f6efb in __zzip_dir_parse /home/zziplib/zzip/zip.c:792:15
    #2 0x7ff22c2f6efb in zzip_dir_fdopen_ext_io /home/zziplib/zzip/zip.c:744:15
    #3 0x7ff22c2f7624 in zzip_dir_open_ext_io /home/zziplib/zzip/zip.c:865:16
    #4 0x55cf62158e6b in unzzip_list /home/zziplib/bins/unzzipdir-zip.c:79:12
    #5 0x7ff22bf9cd8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 962015aa9d133c6cbcfb31ec300596d7f44d3348)
    #6 0x7ff22bf9ce3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: 962015aa9d133c6cbcfb31ec300596d7f44d3348)
    #7 0x55cf62082444 in _start (/home/zziplib/build/bins/unzzip+0x20444) (BuildId: 51480054c521707abc39c358c3a230320af010e2)

0x602000000011 is located 0 bytes after 1-byte region [0x602000000010,0x602000000011)
allocated by thread T0 here:
    #0 0x55cf6211c26e in __interceptor_malloc (/home/zziplib/build/bins/unzzip+0xba26e) (BuildId: 51480054c521707abc39c358c3a230320af010e2)
    #1 0x7ff22c2f5fc5 in __zzip_parse_root_directory /home/zziplib/zzip/zip.c:536:30
    #2 0x7ff22c2f5fc5 in __zzip_dir_parse /home/zziplib/zzip/zip.c:792:15
    #3 0x7ff22c2f5fc5 in zzip_dir_fdopen_ext_io /home/zziplib/zzip/zip.c:744:15
    #4 0x7ff22c2f7624 in zzip_dir_open_ext_io /home/zziplib/zzip/zip.c:865:16
    #5 0x55cf62158e6b in unzzip_list /home/zziplib/bins/unzzipdir-zip.c:79:12
    #6 0x7ff22bf9cd8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 962015aa9d133c6cbcfb31ec300596d7f44d3348)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/zziplib/zzip/zip.c:539:17 in __zzip_parse_root_directory
Shadow bytes around the buggy address:
  0x601ffffffd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x601ffffffe00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x601ffffffe80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x601fffffff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x601fffffff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x602000000000: fa fa[01]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x602000000080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x602000000100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x602000000180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x602000000200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x602000000280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2210678==ABORTING

and this is the code at the bug address:

[image]

Poc: file is here.

Fuzzer: AFL.

gdraheim commented 5 months ago

I can not reproduce it. Did you test with master / 0.13.76 ?

zhuvensi commented 5 months ago

Yes, I tested it with the newest version.

gdraheim commented 5 months ago

Well, then I must assume there is some information missing. I would have liked to check before the next release but I guess it can wait a bit.

keentux commented 3 months ago

I am also able to reproduce the issue. extra_ptr could be allocated in one byte, where the function ZZIP_EXTRA_ZIP64_CHECK, or later in the code, will call ZZIP_GETEXTRA(), which checks the first 2 bytes for the magic number. Therefore we get a heap-buffer-overflow. extra_ptr should be allocated with at least 2 bytes.

I propose, with my PR, to check if u_extras is at least the same size as the zzip_extra struct.
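As an added example (not zziplib's own code, nor the PR mentioned above) of the length check this comment argues for: a bounds-checked walk over a ZIP extra field in C that refuses any field too short to hold a full 4-byte record header (2-byte id, 2-byte data length) before reading it, which goes slightly beyond the 2-byte magic check described. The sample byte arrays and the function name are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>

/* Added example, not zziplib code. ZIP extra-field layout per the ZIP
 * format: each record is a little-endian 2-byte header id and 2-byte
 * data length, followed by that many data bytes. */
enum { ZIP_EXTRA_HDR_LEN = 4, ZIP64_EXTRA_ID = 0x0001 };

static uint16_t get16(const uint8_t *p)
{
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

/* Returns 1 if a ZIP64 record is present, 0 if the field is well-formed
 * but has none, and -1 if any record header or body would run past
 * `len` bytes. The length test happens before every read, so a field
 * declared as 1 byte (as in the reported crash) is rejected rather
 * than dereferenced. */
int find_zip64_extra(const uint8_t *extra, size_t len, uint16_t *data_len_out)
{
    size_t off = 0;
    while (off < len) {
        /* A record header needs 4 bytes; fewer left means truncation. */
        if (len - off < ZIP_EXTRA_HDR_LEN)
            return -1;
        uint16_t id = get16(extra + off);
        uint16_t dlen = get16(extra + off + 2);
        off += ZIP_EXTRA_HDR_LEN;
        /* The record body must also fit inside the remaining bytes. */
        if (dlen > len - off)
            return -1;
        if (id == ZIP64_EXTRA_ID) {
            if (data_len_out)
                *data_len_out = dlen;
            return 1;
        }
        off += dlen;
    }
    return 0;
}

/* Constructed sample fields for demonstration. */
const uint8_t sample_ok[] = {
    0x55, 0x54, 0x05, 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, /* "UT" record, 5 data bytes */
    0x01, 0x00, 0x08, 0x00, 1, 2, 3, 4, 5, 6, 7, 8         /* ZIP64 record, 8 data bytes */
};
const uint8_t sample_short[] = { 0x01 };                   /* 1 byte: too short for a header */
const uint8_t sample_lying[] = { 0x01, 0x00, 0x10, 0x00, 0xAA }; /* claims 16 data bytes, has 1 */
```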

gdraheim commented 3 months ago

probably fixed in v0.13.78