libyal / libpff

Library and tools to access the Personal Folder File (PFF) and the Offline Folder File (OFF) format
GNU Lesser General Public License v3.0

libpff_name_to_id_map_entry_read does not check data size before reading 16 byte name to id map class identifier #64

Closed joachimmetz closed 6 years ago

joachimmetz commented 6 years ago

disclosed PoC files affecting libpff

http://seclists.org/fulldisclosure/2018/Jun/15

This issue was not directly reported to the libpff project

```
==40274==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b000000210 at pc 0x0000004ef7dd bp 0x7ffdcabff1f0 sp 0x7ffdcabfe9a0
READ of size 16 at 0x60b000000210 thread T0
    #0 0x4ef7dc in __asan_memcpy (/home/xxx/libpff/pfftools/pffinfo+0x4ef7dc)
    #1 0x547371 in libpff_name_to_id_map_entry_read /home/xxx/libpff/libpff/libpff_name_to_id_map.c:668:7
    #2 0x5469fd in libpff_name_to_id_map_read /home/xxx/libpff/libpff/libpff_name_to_id_map.c:498:7
    #3 0x52f49c in libpff_file_open_read /home/xxx/libpff/libpff/libpff_file.c:1081:11
    #4 0x52e93a in libpff_file_open_file_io_handle /home/xxx/libpff/libpff/libpff_file.c:580:6
    #5 0x52e2f3 in libpff_file_open /home/xxx/libpff/libpff/libpff_file.c:322:6
    #6 0x528b63 in info_handle_open_input /home/xxx/libpff/pfftools/info_handle.c:298:6
    #7 0x52c1e4 in main /home/xxx/libpff/pfftools/pffinfo.c:284:6
    #8 0x7f71314be82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #9 0x42c728 in _start (/home/xxx/libpff/pfftools/pffinfo+0x42c728)

0x60b000000210 is located 0 bytes to the right of 112-byte region [0x60b0000001a0,0x60b000000210)
allocated by thread T0 here:
    #0 0x4f0958 in malloc (/home/xxx/libpff/pfftools/pffinfo+0x4f0958)
    #1 0x54be30 in libpff_record_entry_set_value_data /home/xxx/libpff/libpff/libpff_record_entry.c:593:51
```

Also looks overkill to get a CVE for a minor OOB read.

> allows remote attackers to cause an information disclosure (heap-based buffer over-read) via a crafted pff file.

To date no proof has been presented to back up these claims

> in libyal libpff through 2018-04-28

Note that libpff-alpha-20120802.tar.gz is significantly different from the current experimental version.
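
As an added example (not libpff's code; the function names and the value-data layout are hypothetical), this is the kind of size check the issue title describes as missing: the 16-byte class identifier is copied only after confirming it lies entirely within the entry's value data, and a constructed 112-byte buffer, the region size in the sanitizer report above, shows the last valid offset accepted and the one-past-the-end read refused.

```c
/* Added example, not libpff code: a bounds-checked read of the 16-byte
 * class identifier from a name-to-id map entry. Names are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define CLASS_IDENTIFIER_SIZE 16
/* Copies the 16-byte class identifier at `offset` in `value_data` into
 * `identifier`. Returns 1 on success, 0 if the identifier would extend
 * past the end of the buffer (the heap over-read ASan reported). */
int read_class_identifier(const uint8_t *value_data, size_t value_data_size,
                          size_t offset, uint8_t *identifier)
{
    if (value_data == NULL || identifier == NULL) return 0;
    /* Compare against the remaining size instead of computing
     * offset + CLASS_IDENTIFIER_SIZE, which could wrap around. */
    if (offset > value_data_size
        || value_data_size - offset < CLASS_IDENTIFIER_SIZE) {
        return 0;
    }
    memcpy(identifier, value_data + offset, CLASS_IDENTIFIER_SIZE);
    return 1;
}

/* Demonstrates the check on a constructed 112-byte value buffer, the
 * region size in the sanitizer report: offset 96 is the last valid
 * identifier, offset 112 is the over-read. Returns 1 if both behave. */
int demo_size_check(void)
{
    uint8_t value_data[112];
    uint8_t identifier[CLASS_IDENTIFIER_SIZE];
    size_t i;
    for (i = 0; i < sizeof(value_data); i++) {
        value_data[i] = (uint8_t) i;  /* constructed sample data */
    }
    if (!read_class_identifier(value_data, sizeof(value_data), 96, identifier)) {
        return 0;
    }
    if (identifier[0] != 96 || identifier[15] != 111) {
        return 0;
    }
    /* One byte past the end must be refused, not copied. */
    if (read_class_identifier(value_data, sizeof(value_data), 112, identifier)) {
        return 0;
    }
    return 1;
}
```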

joachimmetz commented 6 years ago

```
==15992== Invalid read of size 8
==15992==    at 0x41018E: libpff_name_to_id_map_entry_read (libpff_name_to_id_map.c:668)
==15992==    by 0x40FDE9: libpff_name_to_id_map_read (libpff_name_to_id_map.c:498)
==15992==    by 0x404490: libpff_file_open_read (libpff_file.c:1081)
==15992==    by 0x4039E9: libpff_file_open_file_io_handle (libpff_file.c:580)
==15992==    by 0x403748: libpff_file_open (libpff_file.c:322)
==15992==    by 0x401651: info_handle_open_input (info_handle.c:298)
==15992==    by 0x402AA9: main (pffinfo.c:284)
```

joachimmetz commented 6 years ago

Addressed in https://github.com/libyal/libpff/commit/7b92bcace7e743cc9417e3cc3e4eee29abb70cf5