search

libimobiledevice / libplist

A library to handle Apple Property List format in binary or XML
https://libimobiledevice.org
GNU Lesser General Public License v2.1
535 stars 304 forks source link

heap-buffer-overflow in base64encode #100

Closed zhunki closed 7 years ago

zhunki commented 7 years ago 
==8523== ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb5e00791 at pc 0x808605e bp 0xbf92fda8 sp 0xbf92fd9c
READ of size 1 at 0xb5e00791 thread T0
    #0 0x808605d in base64encode /home/b/asan/libplist/src/base64.c:58
    #1 0x8050406 in node_to_xml /home/b/asan/libplist/src/xplist.c:303
    #2 0x806036f in plist_to_xml /home/b/asan/libplist/src/xplist.c:408
    #3 0x804a346 in main /home/b/asan/libplist/tools/plistutil.c:151
    #4 0xb5f85a82 (/lib/i386-linux-gnu/libc.so.6+0x19a82)
    #5 0x804af35 in _start (/home/b/asan/libplist/tools/plistutil+0x804af35)
0xb5e00791 is located 0 bytes to the right of 1-byte region [0xb5e00790,0xb5e00791)
allocated by thread T0 here:
    #0 0xb614d854 (/usr/lib/i386-linux-gnu/libasan.so.0+0x16854)
    #1 0x80621a3 in parse_data_node /home/b/asan/libplist/src/bplist.c:408
    #2 0x80621a3 in parse_bin_node /home/b/asan/libplist/src/bplist.c:661
    #3 0x80621a3 in parse_bin_node_at_index /home/b/asan/libplist/src/bplist.c:759
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/b/asan/libplist/src/base64.c:58 base64encode
Shadow bytes around the buggy address:
  0x36bc00a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36bc00b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36bc00c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36bc00d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36bc00e0: fa fa fa fa fa fa fa fa fa fa 00 04 fa fa 00 04
=>0x36bc00f0: fa fa[01]fa fa fa fd fd fa fa fd fd fa fa 00 04
  0x36bc0100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36bc0110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36bc0120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36bc0130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36bc0140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap righ redzone:     fb
  Freed Heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe

poc1.txt

carnil commented 7 years ago

This is CVE-2017-6437

carnil commented 7 years ago

It is possible that the bug is only present after 1.12, as git has seen some refactoring of parse_bin_node. Cf. comments on https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-6437.html

nikias commented 7 years ago

Should be fixed with https://github.com/libimobiledevice/libplist/commit/dccd9290745345896e3a4a73154576a599fd8b7b