libyal / libfwsi

Library to access the Windows Shell Item format
GNU Lesser General Public License v3.0

libfwsi_extension_block minimum size should be 8 not 6 #13

Closed RootUp closed 5 years ago

RootUp commented 5 years ago

Version: lnkinfo 20190922

==513==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6140000003f6 at pc 0x0000005204c3 bp 0x7ffeb5d945c0 sp 0x7ffeb5d945b8
READ of size 1 at 0x6140000003f6 thread T0
    #0 0x5204c2 in libfwsi_extension_block_copy_from_byte_stream /home/dhiraj/liblnk/libfwsi/libfwsi_extension_block.c:276:2
    #1 0x52a8f7 in libfwsi_item_copy_from_byte_stream /home/dhiraj/liblnk/libfwsi/libfwsi_item.c:1245:13
    #2 0x52e64f in libfwsi_item_list_copy_from_byte_stream /home/dhiraj/liblnk/libfwsi/libfwsi_item_list.c:334:7
    #3 0x517f94 in info_handle_link_target_identifier_fprint /home/dhiraj/liblnk/lnktools/info_handle.c:2207:7
    #4 0x518f5e in info_handle_file_fprint /home/dhiraj/liblnk/lnktools/info_handle.c:2667:6
    #5 0x519dd4 in main /home/dhiraj/liblnk/lnktools/lnkinfo.c:277:6
    #6 0x7f6705b65b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #7 0x41a319 in _start (/home/dhiraj/liblnk/lnktools/lnkinfo+0x41a319)

0x6140000003f6 is located 0 bytes to the right of 438-byte region [0x614000000240,0x6140000003f6)
allocated by thread T0 here:
    #0 0x4da1d0 in malloc (/home/dhiraj/liblnk/lnktools/lnkinfo+0x4da1d0)
    #1 0x517e37 in info_handle_link_target_identifier_fprint /home/dhiraj/liblnk/lnktools/info_handle.c:2159:45
    #2 0x518f5e in info_handle_file_fprint /home/dhiraj/liblnk/lnktools/info_handle.c:2667:6
    #3 0x7f6705b65b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/dhiraj/liblnk/libfwsi/libfwsi_extension_block.c:276:2 in libfwsi_extension_block_copy_from_byte_stream
Shadow bytes around the buggy address:
  0x0c287fff8020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c287fff8030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 fa
  0x0c287fff8040: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c287fff8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c287fff8060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c287fff8070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[06]fa
  0x0c287fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c287fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c287fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c287fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c287fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==513==ABORTING

To reproduce: ./lnkinfo $POC

joachimmetz commented 5 years ago

Which version of libfwsi are you using?

RootUp commented 5 years ago

Hi, thank you for looking into this. I am unable to find the libfwsi version in my fuzzed folder. I've cloned the master branch of liblnk, then:

  1. synclibs.sh
  2. autogen.sh
  3. configure && make

As far as I can see my libfwsi folder under liblnk doesn't have any executable binary.

joachimmetz commented 5 years ago

There is libfwsi/libfwsi_definitions.h, but based on your description I assume you're using the latest tagged version.

joachimmetz commented 5 years ago

This is an OOB read of 1 in libfwsi_extension_block. Mainly triggered because ASAN is being strict about this. I'll address the issue.

joachimmetz commented 5 years ago

The underlying issue is logical in nature.

joachimmetz commented 5 years ago

Addressed in https://github.com/libyal/libfwsi/commit/54afa5c71d6c795a555dbcb1e160fea393b98fb3

nluedtke commented 5 years ago

This appears to have been assigned CVE-2019-17263.

joachimmetz commented 5 years ago

Ack @nluedtke, same BS as before. MITRE CVE and NIST NVD continue to waste people's valuable time with useless and incorrect assessments.

In libyal libfwsi before 20191006, libfwsi_extension_block_copy_from_byte_stream
in libfwsi_extension_block.c has a heap-based buffer over-read because rejection
of an unsupported size only considers values less than 6, even though values of
6 and 7 are also unsupported.

This appears to be an overly obscure way of describing the issue. Have they even read it? What is this going to help advise?

CVSS v2.0 Severity and Metrics:
Base Score: 2.1 LOW
Vector: (AV:L/AC:L/Au:N/C:N/I:N/A:P) (V2 legend)
Impact Subscore: 2.9
Exploitability Subscore: 3.9

Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (AU): None
Confidentiality (C): None
Integrity (I): None
Availability (A): Partial
Additional Information:
Allows disruption of service

This assessment by NVD is BS. libfwsi provides no "service", and there is no proof of a "disruption" either. This appears to be an OOB read without any impact.
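Added illustration of the 6-versus-8 minimum discussed in this issue (example code written for this page, not libfwsi's own parser or the commit linked above). It assumes the extension block header layout from the libfwsi format documentation: a 2-byte size, a 2-byte version and a 4-byte signature, all little-endian, so the header alone is 8 bytes. A block that declares a size of 6 or 7 passes a "less than 6" check, yet reading its signature at offset 4 touches bytes 6 and 7: past the declared block, and when the block sits at the end of the buffer, past the allocation, which is the one-byte over-read ASan reports. The function names, the error codes and the sample streams are constructed for this example; the parser is parameterised by the minimum so both checks can be run on the same input.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed header layout (libfwsi format documentation):
 *   offset 0, 2 bytes: block size, including these 8 header bytes
 *   offset 2, 2 bytes: version
 *   offset 4, 4 bytes: signature (0xBEEF00xx)
 * No well-formed block can therefore be smaller than 8 bytes. */
#define EXT_BLOCK_HEADER_SIZE 8

enum {
    EXT_OK            =  0,
    EXT_ERR_TRUNCATED = -1,  /* stream shorter than the block claims */
    EXT_ERR_SIZE      = -2,  /* declared size below the configured minimum */
    EXT_ERR_FIELD_OOB = -3   /* a header field would extend past the declared block */
};

typedef struct {
    uint16_t size;
    uint16_t version;
    uint32_t signature;
} ext_block_header_t;

static uint16_t read_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* min_size parameterises the check at issue: 6 (weak) or 8 (corrected). */
static int parse_extension_block(const uint8_t *data, size_t data_size,
                                 uint16_t min_size, ext_block_header_t *out)
{
    if (data == NULL || data_size < 2)
        return EXT_ERR_TRUNCATED;

    uint16_t size = read_le16(data);
    if (size < min_size)
        return EXT_ERR_SIZE;
    if ((size_t)size > data_size)
        return EXT_ERR_TRUNCATED;

    /* Explicit guard for the fields read below. With min_size == 6 a block that
     * declares 6 or 7 bytes reaches this point; without the guard the 4-byte
     * signature read at offset 4 would touch bytes 6 and 7, beyond the declared
     * block (a logic error) and, at the end of a buffer, beyond the allocation
     * (the ASan heap-buffer-overflow). With min_size == 8 the size check above
     * already rejects such blocks and this guard never fires. */
    if (size < EXT_BLOCK_HEADER_SIZE)
        return EXT_ERR_FIELD_OOB;

    out->size      = size;
    out->version   = read_le16(data + 2);
    out->signature = read_le32(data + 4);
    return EXT_OK;
}

/* Walk consecutive blocks, stopping at the first rejection; returns the number
 * accepted. A block of size 0 would never advance the offset, so the minimum
 * size check also protects the loop from spinning. */
static size_t walk_extension_blocks(const uint8_t *data, size_t data_size, uint16_t min_size)
{
    size_t offset = 0, count = 0;
    ext_block_header_t hdr;
    while (offset < data_size) {
        if (parse_extension_block(data + offset, data_size - offset, min_size, &hdr) != EXT_OK)
            break;
        offset += hdr.size;  /* size >= 8 here, so the loop always advances */
        count++;
    }
    return count;
}

/* Wrappers returning only the status code / the parsed signature. */
static int classify_block(const uint8_t *data, size_t data_size, uint16_t min_size)
{
    ext_block_header_t hdr;
    return parse_extension_block(data, data_size, min_size, &hdr);
}

static uint32_t first_block_signature(const uint8_t *data, size_t data_size)
{
    ext_block_header_t hdr;
    if (parse_extension_block(data, data_size, EXT_BLOCK_HEADER_SIZE, &hdr) != EXT_OK)
        return 0;
    return hdr.signature;
}

/* Constructed sample (not from any real .lnk file): a well-formed 10-byte block
 * (size 10, version 3, signature 0xBEEF0004, 2 payload bytes) followed by a
 * block declaring size 6 that ends exactly at the end of the buffer. */
static const uint8_t SAMPLE_STREAM[16] = {
    0x0a, 0x00, 0x03, 0x00, 0x04, 0x00, 0xef, 0xbe, 0xaa, 0xbb,
    0x06, 0x00, 0x03, 0x00, 0x04, 0x00
};

/* Constructed: a lone block declaring 7 bytes. */
static const uint8_t SIZE7_BLOCK[7] = { 0x07, 0x00, 0x03, 0x00, 0x04, 0x00, 0xef };

int main(void)
{
    printf("second block, min 6: %d (caught only by the field guard)\n",
           classify_block(SAMPLE_STREAM + 10, sizeof(SAMPLE_STREAM) - 10, 6));
    printf("second block, min 8: %d (caught by the size check)\n",
           classify_block(SAMPLE_STREAM + 10, sizeof(SAMPLE_STREAM) - 10, 8));
    printf("blocks accepted with min 8: %zu\n",
           walk_extension_blocks(SAMPLE_STREAM, sizeof(SAMPLE_STREAM), 8));
    return 0;
}
```

The two checks differ in where the malformed block is rejected, not in whether it is: raising the minimum to 8 makes the size check itself sufficient, while the per-field guard is the belt-and-braces form that turns any future header growth into a clean rejection rather than an over-read.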