gdraheim / zziplib

The ZZIPlib provides read access on ZIP-archives and unpacked data. It features an additional simplified API following the standard Posix API for file access

Stack-buffer-overflow in function __zzip_fetch_disk_trailer() at zzip/zip.c:340 #165

Closed zhuvensi closed 3 months ago

zhuvensi commented 5 months ago

Description

A stack-buffer-overflow was discovered in zziplib v0.13.77. The issue is triggered in function __zzip_fetch_disk_trailer() at zzip/zip.c:340. Attackers may exploit this vulnerability to execute and cause a DoS attack.

Reproduce:

Tested on Ubuntu 22.04. First, compile the program with AddressSanitizer:

AFL_USE_ASAN=1 CC=afl-clang-fast CXX=afl-clang-fast++ cmake ..

Then the PoC file is passed as input:

/home/zziplib/build/bins/unzzip -l /home/zziplib/build/fuzz_out/default/crashes/id\:000002\,sig\:06\,src\:000083+000079\,time\:13022109\,execs\:11393085\,op\:splice\,rep\:12

ASan Reports:

==1388970==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f24faf00471 at pc 0x7f24fcd64b46 bp 0x7ffe441c4250 sp 0x7ffe441c4248
READ of size 8 at 0x7f24faf00471 thread T0
    #0 0x7f24fcd64b45 in __zzip_fetch_disk_trailer /home/zziplib/zzip/zip.c:340:56
    #1 0x7f24fcd64b45 in __zzip_dir_parse /home/zziplib/zzip/zip.c:784:15
    #2 0x7f24fcd64b45 in zzip_dir_fdopen_ext_io /home/zziplib/zzip/zip.c:744:15
    #3 0x7f24fcd65624 in zzip_dir_open_ext_io /home/zziplib/zzip/zip.c:865:16
    #4 0x55987eebce6b in unzzip_list /home/zziplib/bins/unzzipdir-zip.c:79:12
    #5 0x7f24fca0ad8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 962015aa9d133c6cbcfb31ec300596d7f44d3348)
    #6 0x7f24fca0ae3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: 962015aa9d133c6cbcfb31ec300596d7f44d3348)
    #7 0x55987ede6444 in _start (/home/zziplib/build/bins/unzzip+0x20444) (BuildId: 51480054c521707abc39c358c3a230320af010e2)

Address 0x7f24faf00471 is located in stack of thread T0 at offset 1137 in frame
    #0 0x7f24fcd62cdf in zzip_dir_fdopen_ext_io /home/zziplib/zzip/zip.c:734

  This frame has 2 object(s):
    [32, 78) 'dirent.i.i' (line 404)
    [112, 1136) 'buffer.i.i' (line 187) <== Memory access at offset 1137 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/zziplib/zzip/zip.c:340:56 in __zzip_fetch_disk_trailer
Shadow bytes around the buggy address:
  0x7f24faf00180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7f24faf00200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7f24faf00280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7f24faf00300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7f24faf00380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x7f24faf00400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[f3]f3
  0x7f24faf00480: f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3
  0x7f24faf00500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7f24faf00580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7f24faf00600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7f24faf00680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1388970==ABORTING

PoC: The PoC file is here.

Fuzzer: The fuzzer is AFL.
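The ASan frame above shows an 8-byte read at offset 1137 of a 1024-byte stack buffer, i.e. one byte past its end, while the trailer parser looks for the ZIP end-of-central-directory (EOCD) record in the tail of the file. The generic defect class is a multi-byte field read from a candidate position without first checking that the whole record fits in the bytes that remain. The following is an added example, written for this page and not zziplib's own __zzip_fetch_disk_trailer() code, of a backward EOCD scan where every read is bounds-checked against the buffer length and fields are read byte-wise rather than through an unaligned multi-byte access. It assumes the buffer holds the complete tail of the archive including the trailing comment; the sample inputs and the function name find_eocd are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* EOCD record: 4-byte signature "PK\5\6" followed by 18 bytes of fixed fields,
 * then an optional archive comment whose length is the last fixed field. */
#define EOCD_FIXED_SIZE 22
static const unsigned char EOCD_SIG[4] = { 'P', 'K', 0x05, 0x06 };

typedef struct {
    uint16_t disk_no;
    uint16_t cd_disk;
    uint16_t entries_this_disk;
    uint16_t entries_total;
    uint32_t cd_size;
    uint32_t cd_offset;
    uint16_t comment_len;
} eocd_t;

/* Byte-wise little-endian readers: no alignment or width assumptions. */
static uint16_t rd16(const unsigned char *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}
static uint32_t rd32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Scan buf[0..len) backwards for a well-formed EOCD record.
 * Returns 1 and fills *out on success, 0 if none fits.
 * A candidate is only examined when all EOCD_FIXED_SIZE bytes lie inside
 * the buffer, so a stray signature in the last few bytes is never parsed. */
int find_eocd(const unsigned char *buf, size_t len, eocd_t *out)
{
    if (len < EOCD_FIXED_SIZE)
        return 0;
    /* Highest legal start is len - 22; walk down to offset 0. */
    for (size_t p = len - EOCD_FIXED_SIZE + 1; p-- > 0; ) {
        if (memcmp(buf + p, EOCD_SIG, 4) != 0)
            continue;
        eocd_t e;
        e.disk_no           = rd16(buf + p + 4);
        e.cd_disk           = rd16(buf + p + 6);
        e.entries_this_disk = rd16(buf + p + 8);
        e.entries_total     = rd16(buf + p + 10);
        e.cd_size           = rd32(buf + p + 12);
        e.cd_offset         = rd32(buf + p + 16);
        e.comment_len       = rd16(buf + p + 20);
        /* The comment must end exactly at the end of the buffer; otherwise
         * this is a decoy signature inside other data, keep scanning. */
        if (p + EOCD_FIXED_SIZE + (size_t)e.comment_len != len)
            continue;
        *out = e;
        return 1;
    }
    return 0;
}

/* Constructed sample: 10 filler bytes, a valid EOCD with 2 entries,
 * central directory of 0x40 bytes at offset 0x10, and a 3-byte comment. */
static const unsigned char sample_good_tail[] = {
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    'P', 'K', 0x05, 0x06,
    0, 0,  0, 0,  2, 0,  2, 0,
    0x40, 0, 0, 0,  0x10, 0, 0, 0,
    3, 0,  'a', 'b', 'c'
};

/* Constructed sample: a decoy signature at offset 2 whose comment length (0)
 * does not reach the end of the buffer, and a second signature starting
 * 3 bytes before the end, where no full record can fit. Both are rejected
 * without any read beyond len. */
static const unsigned char sample_decoy_tail[] = {
    0, 0, 'P', 'K', 0x05, 0x06, 0, 0, 0, 0, 0, 0, 0, 0,
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 'P', 'K', 0x05
};

int main(void)
{
    eocd_t e;
    if (find_eocd(sample_good_tail, sizeof sample_good_tail, &e))
        printf("EOCD: %u entries, cd %u bytes at %u, comment %u\n",
               e.entries_total, e.cd_size, e.cd_offset, e.comment_len);
    printf("decoy tail accepted: %d\n",
           find_eocd(sample_decoy_tail, sizeof sample_decoy_tail, &e));
    return 0;
}
```

Run under ASan (e.g. `cc -fsanitize=address`) to confirm that the decoy input, which places a signature in the final bytes just like a fuzzer-mutated file would, produces no report: the loop bound excludes those offsets before any field is read.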