neraliu / tainted-phantomjs

Tainted PhantomJS
BSD 3-Clause "New" or "Revised" License

buffer overflow detected -- /bin/phantomjs terminated #6

Closed andresriancho closed 10 years ago

andresriancho commented 10 years ago

$ ./bin/phantomjs examples/domxss.js http://w3af.org/ '' 1000 1
[Fri, 04 Apr 2014 12:05:16 GMT] [TPJS] Running Tainted Phantomjs....
[Fri, 04 Apr 2014 12:05:16 GMT] [TPJS] Running Tainted Phantomjs with URL: http://w3af.org/
[Fri, 04 Apr 2014 12:05:16 GMT] [TPJS] Running Tainted Phantomjs with cookie file:
[Fri, 04 Apr 2014 12:05:16 GMT] [TPJS] Running Tainted Phantomjs with verbose: 0
[Fri, 04 Apr 2014 12:05:16 GMT] [TPJS] Running Tainted Phantomjs with timeout: 1000
[Fri, 04 Apr 2014 12:05:16 GMT] [TPJS] Running Tainted Phantomjs with fuzz: 1
[Fri, 04 Apr 2014 12:05:16 GMT] [TPJS] Running Tainted Phantomjs with rendering Path: ./
[Fri, 04 Apr 2014 12:05:16 GMT] [TPJS] --------------------
[Fri, 04 Apr 2014 12:05:16 GMT] [TPJS] TEST #1: domxss-db.js(window.onload())
[Fri, 04 Apr 2014 12:05:16 GMT] [TPJS] TEST URL: http://w3af.org/?1396613116520&
[Fri, 04 Apr 2014 12:05:16 GMT] [TPJS] [RESULT] document.tainted? false
[Fri, 04 Apr 2014 12:05:16 GMT] [TPJS] [RESULT] document.onAlert? false
[Fri, 04 Apr 2014 12:05:16 GMT] [TPJS] [RESULT] document.domxss.vulnerable? false
[Fri, 04 Apr 2014 12:05:25 GMT] [TPJS] --------------------
[Fri, 04 Apr 2014 12:05:25 GMT] [TPJS] TEST #1000: domxss-db.js()
[Fri, 04 Apr 2014 12:05:25 GMT] [TPJS] TEST URL: http://w3af.org/?1396613125922&
[Fri, 04 Apr 2014 12:05:25 GMT] [TPJS] --------------------
[Fri, 04 Apr 2014 12:05:25 GMT] [TPJS] TEST #1001: domxss-db.js(');alert('0)
[Fri, 04 Apr 2014 12:05:25 GMT] [TPJS] TEST URL: http://w3af.org/?1396613125922&
[Fri, 04 Apr 2014 12:05:25 GMT] [TPJS] --------------------
[Fri, 04 Apr 2014 12:05:25 GMT] [TPJS] TEST #1002: domxss-db.js(");alert("0)
[Fri, 04 Apr 2014 12:05:25 GMT] [TPJS] TEST URL: http://w3af.org/?1396613125922&
[Fri, 04 Apr 2014 12:05:25 GMT] [TPJS] --------------------
[Fri, 04 Apr 2014 12:05:25 GMT] [TPJS] TEST #2000: domxss-db.js()
*** buffer overflow detected ***: ./bin/phantomjs terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x37)[0x7f8f531cdf47]
/lib/x86_64-linux-gnu/libc.so.6(+0x109e40)[0x7f8f531cce40]
/lib/x86_64-linux-gnu/libc.so.6(+0x10952b)[0x7f8f531cc52b]
/lib/x86_64-linux-gnu/libc.so.6(__snprintf_chk+0x78)[0x7f8f531cc408]
./bin/phantomjs[0xeae6c3]
./bin/phantomjs[0xeb0606]
[0x7f8f0c2bc3b7]
======= Memory map: ========
PhantomJS has crashed. Please read the crash reporting guide at https://github.com/ariya/phantomjs/wiki/Crash-Reporting and file a bug report at https://github.com/ariya/phantomjs/issues/new with the crash dump file attached: /tmp/53db718b-1a95-cd46-7b353fd9-1a970975.dmp

andresriancho commented 10 years ago

Github doesn't support uploading of the /tmp/53db718b-1a95-cd46-7b353fd9-1a970975.dmp, but I'll happily email you this information.

andresriancho commented 10 years ago

I get the buffer overflow every time I run against w3af.org or www.clarin.com.ar

Other sites, like gmail.com, succeed.

yukinying commented 10 years ago

Nera and I are pretty sure this is related to #3 and #4. We need to move away from UString to StringImpl, as UString seems to trigger a memory bug in JGlobalData, where they allocate a buffer of hardcoded size. Stay tuned...

neraliu commented 10 years ago

Can you try this branch and see on a 64-bit platform? https://github.com/neraliu/tpjs/tree/rhel64-64-devel

andresriancho commented 10 years ago

:+1:

neraliu commented 10 years ago

Yeah. The new implementation is a more "friendly" hack to WebKit, but there is a performance hit compared with the 32-bit version. Anyway, there are lots of ways to optimize the code.

Hopefully it is more stable than the 32-bit version.

yukinying commented 10 years ago

FYI, this bug seems to be triggered via the undocumented object serialization inside WebKit's JavaScriptCore (the version which PhantomJS is based on): their serialization has assumed that the underlying UString (or related classes) needs to be smaller than a certain size. Thus for 64-bit, where the class size is larger, it hits the size limit quickly.

@neraliu would have more details. And after several rounds of trial and error, it appears to us that the only bulletproof fix for this is not to touch their class structure.
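The failure mode described above, as an added illustration that is not the project's code: a hypothetical string object (not the real JavaScriptCore UString/StringImpl layout) is serialized into a buffer whose capacity was hardcoded for 4-byte fields, so the same code stops fitting once an LP64 build doubles every field width. The measure-then-allocate variant sizes the buffer from the actual data instead of a constant; it assumes an ILP32 or LP64 target where `uintptr_t` and `size_t` share a width.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <inttypes.h>
#include <string.h>

/* Hypothetical stand-in for a string object; NOT the real JavaScriptCore
 * UString/StringImpl layout. Every field is pointer-sized, so the struct
 * doubles in size between ILP32 and LP64 builds. */
struct string_obj {
    uintptr_t chars;
    size_t    length;
    size_t    hash;
    uintptr_t owner;
};

/* Hardcoded capacity chosen when fields were 4 bytes: 4 fields x 8 hex
 * digits + 3 separators + NUL. A constant like this silently becomes too
 * small on a 64-bit build; with _FORTIFY_SOURCE, passing a stale size to
 * snprintf is exactly what __snprintf_chk aborts on. */
#define FIXED_BUF_SIZE (4 * 8 + 3 + 1)

/* Serialize all fields as zero-padded hex, each at its real width on this
 * platform. With dst == NULL and cap == 0 this only measures the length. */
static int fmt_fields(char *dst, size_t cap, const struct string_obj *s)
{
    int w = (int)(2 * sizeof(uintptr_t));   /* 8 on ILP32, 16 on LP64 */
    return snprintf(dst, cap, "%0*" PRIxPTR "|%0*zx|%0*zx|%0*" PRIxPTR,
                    w, s->chars, w, s->length, w, s->hash, w, s->owner);
}

/* Bytes needed, excluding the NUL terminator. */
int serialized_length(const struct string_obj *s)
{
    return fmt_fields(NULL, 0, s);
}

/* 1 if the 32-bit-era fixed buffer would be large enough on this build. */
int fits_fixed_buffer(const struct string_obj *s)
{
    return serialized_length(s) + 1 <= FIXED_BUF_SIZE;
}

/* Hardened path: measure first, allocate exactly, never trust a constant.
 * Caller frees the result; returns NULL on measurement or allocation failure. */
char *serialize_dynamic(const struct string_obj *s)
{
    int need = serialized_length(s);
    if (need < 0) return NULL;
    char *buf = malloc((size_t)need + 1);
    if (buf == NULL) return NULL;
    fmt_fields(buf, (size_t)need + 1, s);
    return buf;
}
```

On a 64-bit build `fits_fixed_buffer` returns 0 while `serialize_dynamic` still succeeds, which is the difference between a hardcoded size and one derived from the object being written.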

neraliu commented 10 years ago

Yes. With this issue, we finally thought of a new way to hack JavaScriptCore, and this hack can be ported to other JavaScript engines easily (not yet proven, but with a greater chance).