gdraheim / zziplib

The ZZIPlib provides read access to ZIP archives and unpacked data. It features an additional simplified API following the standard Posix API for file access.

Bus error in __zzip_parse_root_directory (in zzip/zip.c:482) [CVE-2018-7726] #41

Closed fantasy7082 closed 6 years ago

fantasy7082 commented 6 years ago

In ZZIPlib v0.13.68, there is a bus error caused by the __zzip_parse_root_directory function of zzip/zip.c. Attackers could leverage this vulnerability to cause a denial of service via a crafted ZIP file. To reproduce the issue, run: ./zzdir $POC:

gdb ../../zzip-fuzz/bin/zzdir
GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.5) 7.11.1
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ../../zzip-fuzz/bin/zzdir...done.
(gdb) r c005-bus-zzip_parse_root_directory
Starting program: /usr/local/zzip-fuzz/bin/zzdir c005-bus-zzip_parse_root_directory

Program received signal SIGBUS, Bus error.
__zzip_parse_root_directory (fd=3, trailer=trailer@entry=0x7fffffffe1f0, hdr_return=hdr_return@entry=0x603038, io=0x7ffff7dd5da0 <default_io>) at ../../zzip/zip.c:482
482         if (! zzip_disk_entry_check_magic(d)) {
(gdb) bt
#0  __zzip_parse_root_directory (fd=3, trailer=trailer@entry=0x7fffffffe1f0, hdr_return=hdr_return@entry=0x603038, io=0x7ffff7dd5da0 <default_io>) at ../../zzip/zip.c:482
#1  0x00007ffff7bc6a72 in __zzip_dir_parse (dir=0x603010) at ../../zzip/zip.c:750
#2  zzip_dir_fdopen_ext_io (fd=<optimized out>, errcode_p=errcode_p@entry=0x7fffffffe26c, ext=<optimized out>, io=<optimized out>) at ../../zzip/zip.c:708
#3  0x00007ffff7bc72ee in zzip_dir_open_ext_io (filename=filename@entry=0x7fffffffe71c "c005-bus-zzip_parse_root_directory", e=e@entry=0x7fffffffe26c, ext=ext@entry=0x0, io=<optimized out>, io@entry=0x0) at ../../zzip/zip.c:830
#4  0x00007ffff7bce53b in zzip_opendir_ext_io (filename=0x7fffffffe71c "c005-bus-zzip_parse_root_directory", o_modes=0, ext=0x0, io=0x0) at ../../zzip/dir.c:292
#5  0x0000000000400d11 in main (argc=2, argv=<optimized out>) at ../../bins/zzdir.c:41
(gdb)

POC file: https://github.com/fantasy7082/image_test/blob/master/c005-bus-zzip_parse_root_directory

stevebeattie commented 6 years ago

This was assigned CVE-2018-7726.

gdraheim commented 6 years ago

fixed - checking rootseek to be positive
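The report above crashes while walking the central directory (what zziplib calls the "root directory") that the end-of-central-directory record points to, and the fix comment describes the remedy as a sanity check on rootseek, the central-directory offset taken from that record. The following is an added example, not zziplib's own code: a small stand-alone ZIP central-directory parser in C that validates the offset (rootseek) and size (rootsize) read from the EOCD record against the real file length before seeking to or dereferencing the directory, then checks each entry's magic the way zip.c:482 does. The function and struct names, the unsigned-comparison form of the check, and the 100-byte sample archive (one stored, empty entry named "a") are this example's own constructions; the two crafted variants only overwrite the EOCD fields of that sample and are not the PoC file linked above.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not zziplib code. Field layout follows PKWARE APPNOTE (little-endian). */
#define EOCD_MAGIC       0x06054b50u   /* "PK\5\6" end of central directory record */
#define CDIR_MAGIC       0x02014b50u   /* "PK\1\2" central directory file header */
#define LOCAL_MAGIC      0x04034b50u   /* "PK\3\4" local file header */
#define EOCD_SIZE        22
#define CDIR_FIXED_SIZE  46
#define MAX_COMMENT      65535

typedef struct {
    uint32_t rootseek; /* offset of the central directory from start of file */
    uint32_t rootsize; /* size of the central directory in bytes */
    uint16_t entries;  /* total number of entries it claims to hold */
} zip_trailer;

static uint16_t rd16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(unsigned char *p, uint16_t v) { p[0] = (unsigned char)(v & 0xff); p[1] = (unsigned char)(v >> 8); }
static void wr32(unsigned char *p, uint32_t v) { wr16(p, (uint16_t)(v & 0xffff)); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Scan backwards from EOF for the EOCD record (it may be followed by up to 65535 bytes of comment). */
int find_trailer(const unsigned char *buf, size_t len, zip_trailer *t) {
    if (len < EOCD_SIZE) return -1;
    size_t i = len - EOCD_SIZE;
    size_t stop = len > EOCD_SIZE + MAX_COMMENT ? len - EOCD_SIZE - MAX_COMMENT : 0;
    for (;;) {
        if (rd32(buf + i) == EOCD_MAGIC) {
            t->entries  = rd16(buf + i + 10);
            t->rootsize = rd32(buf + i + 12);
            t->rootseek = rd32(buf + i + 16);
            return 0;
        }
        if (i == stop) return -1;
        i--;
    }
}

/* The check this issue is about: offset and size are attacker-controlled file data, so
 * reject anything that does not fit inside the file before seeking to it or reading it.
 * Comparing as unsigned also rejects values that would be negative if read into a
 * signed int (e.g. 0xFFFFFFF0), which is the "rootseek must be positive" case. */
int check_trailer(const zip_trailer *t, size_t len) {
    if (t->rootseek > len) return -1;                                   /* starts past EOF */
    if (t->rootsize > len - t->rootseek) return -1;                     /* runs past EOF */
    if ((size_t)t->entries * CDIR_FIXED_SIZE > t->rootsize) return -1;  /* more entries than fit */
    return 0;
}

/* Walk the central directory; return the entry count, or -1 on any inconsistency. */
int parse_root_directory(const unsigned char *buf, size_t len, const zip_trailer *t) {
    if (check_trailer(t, len) != 0) return -1;
    const unsigned char *d = buf + t->rootseek, *end = d + t->rootsize;
    int count = 0;
    while ((size_t)(end - d) >= CDIR_FIXED_SIZE) {
        if (rd32(d) != CDIR_MAGIC) return -1;     /* the magic check the crash report stops at */
        size_t entry = CDIR_FIXED_SIZE + rd16(d + 28) + rd16(d + 30) + rd16(d + 32); /* name+extra+comment */
        if (entry > (size_t)(end - d)) return -1; /* variable-length tail overruns the directory */
        d += entry; count++;
    }
    return count == t->entries ? count : -1;
}

int parse_zip(const unsigned char *buf, size_t len) {
    zip_trailer t;
    if (find_trailer(buf, len, &t) != 0) return -2;
    return parse_root_directory(buf, len, &t);
}

/* Constructed sample archive: one stored, empty entry "a". Layout: local header (31) +
 * central directory (47) + EOCD (22) = 100 bytes. Unset fields stay zero. */
size_t build_sample_zip(unsigned char *out) {
    memset(out, 0, 100);
    wr32(out, LOCAL_MAGIC); wr16(out + 4, 10); wr16(out + 26, 1); out[30] = 'a';
    unsigned char *c = out + 31;
    wr32(c, CDIR_MAGIC); wr16(c + 4, 20); wr16(c + 6, 10); wr16(c + 28, 1); c[46] = 'a';
    unsigned char *e = out + 78;
    wr32(e, EOCD_MAGIC); wr16(e + 8, 1); wr16(e + 10, 1); wr32(e + 12, 47); wr32(e + 16, 31);
    return 100;
}

/* Well-formed sample: parses to 1 entry. */
int demo_valid(void) {
    unsigned char z[100];
    return parse_zip(z, build_sample_zip(z));
}

/* Crafted variant: rootseek overwritten with a value that is negative as int32 and far past EOF. */
int demo_bad_rootseek(void) {
    unsigned char z[100];
    size_t n = build_sample_zip(z);
    wr32(z + n - 6, 0xFFFFFFF0u);
    return parse_zip(z, n);
}

/* Crafted variant: rootsize claims the directory extends 4 KiB past EOF. */
int demo_bad_rootsize(void) {
    unsigned char z[100];
    size_t n = build_sample_zip(z);
    wr32(z + n - 10, 0x1000);
    return parse_zip(z, n);
}
```

Both crafted variants are rejected in check_trailer, before any pointer into the directory is formed; without that step the parser would compute d = buf + rootseek from untrusted data and dereference it in the magic check, which is the point at which the report's backtrace stops.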

gdraheim commented 6 years ago

done.