sleuthkit / sleuthkit

The Sleuth Kit® (TSK) is a library and collection of command line digital forensics tools that allow you to investigate volume and file system data. The library can be incorporated into larger digital forensics tools and the command line tools can be directly used to find evidence.
http://www.sleuthkit.org/sleuthkit/

Out of Bounds read in ISO9660 #1576

Open nicowaisman opened 5 years ago

nicowaisman commented 5 years ago

Dear sleuthkit team,

I would like to report a security vulnerability in SleuthKit.

There is an out-of-bounds read in iso9660 while parsing System Use Sharing Protocol data.

In the parse_susp function, while parsing an ER entry, it tries to read the different extension strings. However, there is no check on the size fields, so the reads run past the bounds of buf.

    else if ((head->sig[0] == 'E') && (head->sig[1] == 'R')) {
        /* ER entry: the three string lengths (len_id, len_des, len_src)
         * come straight from the image and are never compared against
         * the entry length or the remaining size of buf. */
        iso9660_susp_er *er = (iso9660_susp_er *) buf;
        if (hFile) {
            char buf[258];
            fprintf(hFile, "ER Entry\n");

            /* unchecked: len_id may exceed the bytes left in the source buffer */
            memcpy(buf, er->ext_id, er->len_id);
            buf[er->len_id] = '\0';
            fprintf(hFile, "* Extension ID: %s\n", buf);

            /* unchecked: offset len_id plus len_des may point past the buffer */
            memcpy(buf, er->ext_id + er->len_id, er->len_des);
            buf[er->len_des] = '\0';
            fprintf(hFile, "* Extension Descriptor: %s\n", buf);

            /* unchecked: same for the specification source string */
            memcpy(buf, er->ext_id + er->len_id + er->len_des,
                er->len_src);
            buf[er->len_src] = '\0';
            fprintf(hFile, "* Extension Spec Source: %s\n", buf);

This can be triggered through the istat tool:

    nico@genmaicha:~/Semmle/Projects/SleuthKit/sleuthkit/tools/fstools$ ./istat ~/Images/sample.iso 1
    Entry: 1
    Type: Directory
    Links: 1
    Flags:
    Name: DIR1
    Size: 2048

    Rock Ridge Extension Data
    ER Entry

Please let me know if you need my proof-of-concept ISO file, since I can't attach it through the GitHub report system.

The exact line could be found here: https://lgtm.com/projects/g/sleuthkit/sleuthkit/snapshot/09ed6f84870b18aec51cbb9373e226d04264da8f/files/tsk/fs/iso9660.c?sort=name&dir=ASC&mode=heatmap#L215

Please let me know when you have fixed the vulnerability so that I can coordinate my disclosure with yours. For reference, here is a link to Semmle's vulnerability disclosure policy: https://lgtm.com/security#disclosure_policy

Thank you,

Nico Waisman
Semmle Security Research Team

istat_poc
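The missing checks described in the report are the entry's own length against the bytes actually held, and the sum of the three string lengths against that entry length. The following is an added example (not TSK's code and not the reporter's) of an ER parser that enforces both before any memcpy. The struct follows the SUSP ER field order (signature, length, version, len_id, len_des, len_src, ext_ver, then the strings); it is this example's own definition and is assumed to match the layout TSK's iso9660_susp_er uses. The sample entries are constructed in the code, not taken from an image.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* SUSP "ER" entry layout. Example's own definition, assumed to match the
 * field order of TSK's iso9660_susp_er. */
typedef struct {
    char sig[2];      /* 'E', 'R' */
    uint8_t len;      /* total entry length, header included */
    uint8_t ver;      /* SUSP version */
    uint8_t len_id;   /* length of extension identifier */
    uint8_t len_des;  /* length of extension descriptor */
    uint8_t len_src;  /* length of extension specification source */
    uint8_t ext_ver;  /* extension version */
    char ext_id[1];   /* id, descriptor and source follow back to back */
} susp_er;

#define SUSP_ER_HDR_LEN 8  /* bytes before the first string */

typedef struct {
    char id[256];   /* each length field is one byte, so 255 + NUL fits */
    char des[256];
    char src[256];
} er_strings;

/* Parse the ER entry starting at buf, backed by buf_len readable bytes.
 * Returns 0 and fills out on success, -1 if any length field would make a
 * read run past the entry or past the buffer. */
int parse_er_entry(const uint8_t *buf, size_t buf_len, er_strings *out)
{
    if (buf_len < SUSP_ER_HDR_LEN)
        return -1;
    const susp_er *er = (const susp_er *)buf;
    if (er->sig[0] != 'E' || er->sig[1] != 'R')
        return -1;
    /* Check 1: the entry's declared length must lie within the bytes held. */
    if (er->len < SUSP_ER_HDR_LEN || er->len > buf_len)
        return -1;
    /* Check 2: the three strings must fit inside the entry. size_t math
     * cannot wrap here because each term is at most 255. */
    size_t need = SUSP_ER_HDR_LEN + (size_t)er->len_id + er->len_des + er->len_src;
    if (need > er->len)
        return -1;

    const char *p = (const char *)buf + SUSP_ER_HDR_LEN;
    memcpy(out->id, p, er->len_id);
    out->id[er->len_id] = '\0';
    p += er->len_id;
    memcpy(out->des, p, er->len_des);
    out->des[er->len_des] = '\0';
    p += er->len_des;
    memcpy(out->src, p, er->len_src);
    out->src[er->len_src] = '\0';
    return 0;
}

/* Serialize a constructed ER entry into dst. Returns the entry length, or 0
 * if the strings do not fit in one byte of length or in cap. */
size_t build_er(uint8_t *dst, size_t cap, const char *id, const char *des,
                const char *src)
{
    size_t li = strlen(id), ld = strlen(des), ls = strlen(src);
    size_t total = SUSP_ER_HDR_LEN + li + ld + ls;
    if (total > 255 || total > cap)
        return 0;
    dst[0] = 'E'; dst[1] = 'R';
    dst[2] = (uint8_t)total;
    dst[3] = 1;
    dst[4] = (uint8_t)li; dst[5] = (uint8_t)ld; dst[6] = (uint8_t)ls;
    dst[7] = 1;
    memcpy(dst + SUSP_ER_HDR_LEN, id, li);
    memcpy(dst + SUSP_ER_HDR_LEN + li, des, ld);
    memcpy(dst + SUSP_ER_HDR_LEN + li + ld, src, ls);
    return total;
}

/* Constructed well-formed entry (54 bytes): parses and the strings come back. */
int example_wellformed(void)
{
    uint8_t buf[256];
    er_strings s;
    size_t n = build_er(buf, sizeof buf, "RRIP_1991A", "ROCK RIDGE EXAMPLE",
                        "CONSTRUCTED SAMPLE");
    if (n == 0 || parse_er_entry(buf, n, &s) != 0)
        return 0;
    return strcmp(s.id, "RRIP_1991A") == 0 && strcmp(s.src, "CONSTRUCTED SAMPLE") == 0;
}

/* Same entry with len_id raised to 200: the unchecked code would copy past
 * the entry; the checked parser rejects it. Returns 1 when rejected. */
int example_oversized_length(void)
{
    uint8_t buf[256];
    er_strings s;
    size_t n = build_er(buf, sizeof buf, "RRIP_1991A", "ROCK RIDGE EXAMPLE",
                        "CONSTRUCTED SAMPLE");
    if (n == 0)
        return 0;
    buf[4] = 200;  /* len_id now exceeds the 54-byte entry */
    return parse_er_entry(buf, n, &s) == -1;
}

/* Well-formed entry but the buffer ends one byte early: the entry length
 * check rejects it rather than reading past the buffer. */
int example_truncated_buffer(void)
{
    uint8_t buf[256];
    er_strings s;
    size_t n = build_er(buf, sizeof buf, "RRIP_1991A", "ROCK RIDGE EXAMPLE",
                        "CONSTRUCTED SAMPLE");
    if (n == 0)
        return 0;
    return parse_er_entry(buf, n - 1, &s) == -1;
}

int main(void)
{
    printf("well-formed parsed:      %d\n", example_wellformed());
    printf("oversized len rejected:  %d\n", example_oversized_length());
    printf("truncated buf rejected:  %d\n", example_truncated_buffer());
    return 0;
}
```

The second check alone would not be enough: an entry whose declared length is itself larger than the remaining buffer passes it, so the entry length has to be validated against buf_len first, which is what the first check does.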

nluedtke commented 5 years ago

This was assigned CVE-2019-14531.