libarchive: bsdtar: stack-based buffer overflow in bsdtar_expand_char (util.c)

Description:
libarchive is a multi-format archive and compression library.

After it got fuzzed by hanno and some other people (1 2 3) I decided to fuzz it too.

This bug came out after 5 days of fuzzing, when AFL reported that it had already completed 15 cycles. This means that in some cases a few hours of fuzzing are not enough to conclude that there aren't more bugs…

A crafted file causes a stack-buffer overflow write.
Upstream was not able to reproduce the issue, maybe because of a different compiler and compiler options, so he committed the fix based on what the stack trace printed. The bug is no longer reachable through the provided testcase, but I asked for a new release so that I can launch the fuzzer again.
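To make the failure mode in the stack trace concrete: the write comes from sprintf inside bsdtar_expand_char (util.c:223), called from safe_fprintf (util.c:174), and it lands at offset 608 of the safe_fprintf frame, which is exactly the end of the 256-byte 'outbuff' object at [352, 608). A four-byte write is consistent with a three-digit octal escape plus its terminating NUL. The C program below is an added example, not libarchive's code, and it does not claim to reproduce the exact trigger (which upstream could not reproduce either). It models the pattern the trace points at: unprintable bytes are escaped into a fixed-size stack buffer, and the buffer is flushed only between units (a multibyte sequence escaped byte by byte) once fewer than a fixed reserve of bytes remain. The 20-byte reserve, the unit sizes and the constructed input are assumptions for the illustration. When one unit can expand to more than the reserve, the next unit runs past the buffer; deriving the reserve from the worst-case expansion of a unit removes the problem. Instead of performing the out-of-bounds write, the model stops and reports the offending offset.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>

#define OUTBUFF_SIZE 256   /* size of the 'outbuff' object in the ASan report */
#define EXPAND_MAX   4     /* one byte may become a backslash plus three octal digits */
#define OLD_RESERVE  20    /* assumed flush threshold: flush when fewer bytes remain */

/* Escape one byte at buf[off]; returns the bytes written (1..EXPAND_MAX).  The caller
 * must guarantee EXPAND_MAX bytes of room.  Octal digits are written by hand, so unlike
 * sprintf no terminating NUL is emitted after them. */
static size_t expand_char(char *buf, size_t off, unsigned char c)
{
    size_t i = off;
    if (isprint(c) && c != '\\') { buf[i] = (char)c; return 1; }
    buf[i++] = '\\';
    switch (c) {
    case '\n': buf[i++] = 'n'; break;
    case '\r': buf[i++] = 'r'; break;
    case '\t': buf[i++] = 't'; break;
    case '\\': buf[i++] = '\\'; break;
    default:
        buf[i++] = (char)('0' + ((c >> 6) & 7));
        buf[i++] = (char)('0' + ((c >> 3) & 7));
        buf[i++] = (char)('0' + (c & 7));
        break;
    }
    return i - off;
}

/* Smallest reserve that keeps expand_stream in bounds: one unit may grow to
 * unit * EXPAND_MAX bytes, plus the NUL written when the buffer is flushed. */
static size_t min_safe_reserve(size_t unit)
{
    return unit * EXPAND_MAX + 1;
}

/* Model of the loop: input is consumed in units of `unit` bytes and the buffer is
 * flushed only after a whole unit, when fewer than `reserve` bytes remain.  Instead
 * of writing out of bounds the model stops and reports the offset of the first write
 * that would run past out[].  Returns true when every write stayed in bounds. */
static bool expand_stream(const unsigned char *in, size_t inlen, size_t unit,
                          size_t reserve, size_t *bad_offset)
{
    char out[OUTBUFF_SIZE];
    size_t i = 0, p = 0;

    if (reserve > sizeof out) reserve = sizeof out;
    *bad_offset = 0;
    while (p < inlen) {
        size_t n = (inlen - p < unit) ? inlen - p : unit;
        while (n-- > 0) {
            if (i + EXPAND_MAX > sizeof out) {  /* the real code writes here unchecked */
                *bad_offset = i;
                return false;
            }
            i += expand_char(out, i, in[p++]);
        }
        if (i > sizeof out - reserve) {         /* flush check, only between units */
            if (i >= sizeof out) { *bad_offset = i; return false; }  /* NUL past end */
            out[i] = '\0';                      /* a real flush would fputs(out) here */
            i = 0;
        }
    }
    if (i >= sizeof out) { *bad_offset = i; return false; }
    out[i] = '\0';
    return true;
}

/* Constructed worst case: filler that expands to exactly OUTBUFF_SIZE - reserve bytes
 * at a unit boundary ('\t' expands to 2 bytes, 'A' to 1), then one unit of 0xff bytes
 * that each expand to "\377".  Returns the input length, 0 on bad arguments. */
static size_t build_trigger(unsigned char *buf, size_t cap, size_t unit, size_t reserve)
{
    size_t target, k, d;
    if (unit == 0 || reserve > OUTBUFF_SIZE) return 0;
    target = OUTBUFF_SIZE - reserve;
    k = target / unit;              /* whole filler units */
    d = target - k * unit;          /* shortfall, made up with d two-byte escapes */
    if (cap < (k + 1) * unit) return 0;
    for (size_t j = 0; j < k * unit; j++) buf[j] = (j < d) ? '\t' : 'A';
    for (size_t j = 0; j < unit; j++) buf[k * unit + j] = 0xff;
    return (k + 1) * unit;
}

/* Offset of the first out-of-bounds write for these parameters, 0 if there is none. */
static size_t demo_bad_offset(size_t unit, size_t reserve)
{
    unsigned char in[OUTBUFF_SIZE + 64];
    size_t bad, len = build_trigger(in, sizeof in, unit, reserve);
    return expand_stream(in, len, unit, reserve, &bad) ? 0 : bad;
}

int main(void)
{
    for (size_t unit = 1; unit <= 8; unit++)
        printf("unit=%zu: reserve=%d -> %s, reserve=%zu -> %s\n", unit, OLD_RESERVE,
               demo_bad_offset(unit, OLD_RESERVE) ? "overflow" : "in bounds",
               min_safe_reserve(unit),
               demo_bad_offset(unit, min_safe_reserve(unit)) ? "overflow" : "in bounds");
    return 0;
}
```

With the assumed 20-byte reserve, units of up to 4 bytes stay in bounds, while a 5-byte unit or longer drives the first bad write to offset 256, the end of the model buffer and the same offset (608 - 352) at which the report's sprintf landed. A reserve of min_safe_reserve(unit) is exactly tight: the same worst-case input then ends one byte short of the buffer and is flushed.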

The complete ASan output:

# bsdtar -t -f $FILE
bsdtar: Missing type keyword in mtree specification
5!\\{bsdtar: Missing type keyword in mtree specification

zO!\\{bsdtar: Missing type keyword in mtree specification

zO\r\r\\{bsdtar: Missing type keyword in mtree specification

zO\r\\w\200r\rbsdtar: Missing type keyword in mtree specification

@;\r\005@{bsdtar: Missing type keyword in mtree specification

zO\r\r\\{bsdtar: Malformed attribute "" (-51)

z\f\fbsdtar: Missing type keyword in mtree specification

h\352*((-.I,\002:%1=\037\257:B\362\020\217(\300\351!\002\341\341\341*(\244\244\263\377\377\377\377\244\377\177\244\244\244\244\244\244\244\264\244\244\244\244\244\244\244\244\244\244\244\244\244\244\244\244\244\244\244\244\244\244\244\244\244\036\036\036\036\036\036\036\036\036\036bsdtar: Missing type keyword in mtree specification
=================================================================
==6259==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fae139bf660 at pc 0x0000004957dc bp 0x7ffc9de91a90 sp 0x7ffc9de91240
WRITE of size 4 at 0x7fae139bf660 thread T0
    #0 0x4957db in vsprintf /var/tmp/portage/sys-devel/llvm-3.8.1/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1128
    #1 0x495912 in sprintf /var/tmp/portage/sys-devel/llvm-3.8.1/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1159
    #2 0x50ab22 in bsdtar_expand_char /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/tar/util.c:223:4
    #3 0x509c47 in safe_fprintf /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/tar/util.c:174:21
    #4 0x50307f in read_archive /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/tar/read.c:320:5
    #5 0x501bf3 in tar_mode_t /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/tar/read.c:94:2
    #6 0x4f8b9f in main /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/tar/bsdtar.c:803:3
    #7 0x7fae1780761f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #8 0x41b778 in _init (/usr/bin/bsdtar+0x41b778)

Address 0x7fae139bf660 is located in stack of thread T0 at offset 608 in frame
    #0 0x50964f in safe_fprintf /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/tar/util.c:95

  This frame has 4 object(s):
    [32, 288) 'fmtbuff_stack'
    [352, 608) 'outbuff'
Shadow bytes around the buggy address:
=>0x0ff64272fec0: 00 00 00 00 00 00 00 00 00 00 00 00[f2]f2 f2 f2
  0x0ff64272fed0: f2 f2 f2 f2 00 00 00 f2 f2 f2 f2 f2 04 f3 f3 f3
  0x0ff64272fee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff64272fef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff64272ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff64272ff10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==6259==ABORTING

Affected version:
3.2.1

Fixed version:
3.2.2

Commit fix:
https://github.com/libarchive/libarchive/commit/e37b620fe8f14535d737e89a4dcabaed4517bf1a

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2016-8687

Timeline:
2016-08-17: bug discovered
2016-08-17: bug reported to upstream
2016-08-21: upstream released a patch
2016-09-11: blog post about the issue
2016-10-16: CVE Assigned
2016-10-24: Upstream released 3.2.2

Note:
This bug was found with American Fuzzy Lop.

Posted in advisories, security

libarchive: bsdtar use-after-free in detect_form (archive_read_support_format_mtree.c)

Description:
libarchive is a multi-format archive and compression library.

After it got fuzzed by hanno and some other people (1 2 3) I decided to fuzz it too.

A crafted file causes a use-after-free in the detect_form function in the mtree parser.

This bug looks similar to the use-after-free reported in bid_entry, but in this case bid_entry does not appear in the ASan trace: the stale read happens directly in detect_form.

The complete ASan output:

# bsdtar -t -f $FILE
==23484==ERROR: AddressSanitizer: heap-use-after-free on address 0x7fb5fce53b12 at pc 0x7fb5fc825bac bp 0x7ffe5622bb30 sp 0x7ffe5622bb28
READ of size 1 at 0x7fb5fce53b12 thread T0
    #0 0x7fb5fc825bab in detect_form /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/libarchive/archive_read_support_format_mtree.c:692:26
    #1 0x7fb5fc6eb18b in choose_format /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/libarchive/archive_read.c:712:10                                                    
    #2 0x7fb5fc6eb18b in archive_read_open1 /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/libarchive/archive_read.c:529                                                  
    #3 0x7fb5fc722f1f in archive_read_open_filename /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/libarchive/archive_read_open_filename.c:109:9                          
    #4 0x501f66 in read_archive /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/tar/read.c:223:6                                                                           
    #5 0x501473 in tar_mode_t /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/tar/read.c:94:2
    #6 0x4f8929 in main /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/tar/bsdtar.c:803:3
    #7 0x7fb5fb75e61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #8 0x41b778 in _init (/usr/bin/bsdtar+0x41b778)

0x7fb5fce53b12 is located 13074 bytes inside of 131072-byte region [0x7fb5fce50800,0x7fb5fce70800)
freed by thread T0 here:
    #0 0x4c29c0 in free /var/tmp/portage/sys-devel/llvm-3.8.0-r3/work/llvm-3.8.0.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:38
    #1 0x7fb5fc6f2c68 in __archive_read_filter_ahead /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/libarchive/archive_read.c:1450:5

previously allocated by thread T0 here:
    #0 0x4c2cc8 in malloc /var/tmp/portage/sys-devel/llvm-3.8.0-r3/work/llvm-3.8.0.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52
    #1 0x7fb5fc6f2bca in __archive_read_filter_ahead /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/libarchive/archive_read.c:1436:17

SUMMARY: AddressSanitizer: heap-use-after-free /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/libarchive/archive_read_support_format_mtree.c:692:26 in detect_form
Shadow bytes around the buggy address:
  0x0ff73f9c2710: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0ff73f9c2720: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0ff73f9c2730: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0ff73f9c2740: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0ff73f9c2750: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0ff73f9c2760: fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0ff73f9c2770: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0ff73f9c2780: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0ff73f9c2790: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0ff73f9c27a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0ff73f9c27b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==23484==ABORTING

Affected version:
3.2.1

Fixed version:
3.2.2

Commit fix:
https://github.com/libarchive/libarchive/commit/eec077f52bfa2d3f7103b4b74d52572ba8a15aca

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2016-8688

Timeline:
2016-08-11: bug discovered
2016-08-11: bug reported to upstream
2016-09-11: blog post about the issue
2016-09-19: upstream released a patch
2016-10-16: CVE Assigned
2016-10-24: Upstream released 3.2.2

Note:
This bug was found with American Fuzzy Lop.

Posted in advisories, security

libarchive: bsdtar use-after-free in bid_entry (archive_read_support_format_mtree.c)

Description:
libarchive is a multi-format archive and compression library.

After it got fuzzed by hanno and some other people (1 2 3) I decided to fuzz it too.

A crafted file causes a use-after-free in the bid_entry function in the mtree parser.

This bug looks similar to the detect_form use-after-free, but in this case ASan reports that the stale read happens in the bid_entry function (called from detect_form) instead of in detect_form itself.

The complete ASan output:

# bsdtar -t -f $FILE
==25892==ERROR: AddressSanitizer: heap-use-after-free on address 0x7f2eec8eb31b at pc 0x7f2eec2b9bb6 bp 0x7ffc198b3b30 sp 0x7ffc198b3b28
READ of size 1 at 0x7f2eec8eb31b thread T0
    #0 0x7f2eec2b9bb5 in bid_entry /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/libarchive/archive_read_support_format_mtree.c:567:7
    #1 0x7f2eec2b9bb5 in detect_form /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/libarchive/archive_read_support_format_mtree.c:676
    #2 0x7f2eec17f18b in choose_format /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/libarchive/archive_read.c:712:10
    #3 0x7f2eec17f18b in archive_read_open1 /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/libarchive/archive_read.c:529
    #4 0x7f2eec1b6f1f in archive_read_open_filename /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/libarchive/archive_read_open_filename.c:109:9
    #5 0x501f66 in read_archive /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/tar/read.c:223:6
    #6 0x501473 in tar_mode_t /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/tar/read.c:94:2
    #7 0x4f8929 in main /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/tar/bsdtar.c:803:3
    #8 0x7f2eeb1f261f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #9 0x41b778 in _init (/usr/bin/bsdtar+0x41b778)

0x7f2eec8eb31b is located 27419 bytes inside of 131072-byte region [0x7f2eec8e4800,0x7f2eec904800)
freed by thread T0 here:
    #0 0x4c29c0 in free /var/tmp/portage/sys-devel/llvm-3.8.0-r3/work/llvm-3.8.0.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:38
    #1 0x7f2eec186c68 in __archive_read_filter_ahead /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/libarchive/archive_read.c:1450:5

previously allocated by thread T0 here:
    #0 0x4c2cc8 in malloc /var/tmp/portage/sys-devel/llvm-3.8.0-r3/work/llvm-3.8.0.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52
    #1 0x7f2eec186bca in __archive_read_filter_ahead /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/libarchive/archive_read.c:1436:17

SUMMARY: AddressSanitizer: heap-use-after-free /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/libarchive/archive_read_support_format_mtree.c:567:7 in bid_entry
Shadow bytes around the buggy address:
  0x0fe65d915610: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0fe65d915620: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0fe65d915630: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0fe65d915640: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0fe65d915650: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0fe65d915660: fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd
  0x0fe65d915670: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0fe65d915680: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0fe65d915690: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0fe65d9156a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0fe65d9156b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==25892==ABORTING

Affected version:
3.2.1

Fixed version:
3.2.2

Commit fix:
https://github.com/libarchive/libarchive/commit/eec077f52bfa2d3f7103b4b74d52572ba8a15aca

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2016-8688

Timeline:
2016-08-11: bug discovered
2016-08-11: bug reported to upstream
2016-09-11: blog post about the issue
2016-09-19: upstream released a patch
2016-10-16: CVE Assigned
2016-10-24: Upstream released 3.2.2

Note:
This bug was found with American Fuzzy Lop.

Posted in advisories, security

libarchive: bsdtar: heap-based buffer overflow in bid_entry (archive_read_support_format_mtree.c)

Description:
libarchive is a multi-format archive and compression library.

After it got fuzzed by hanno and some other people (1 2 3) I decided to fuzz it too.

A crafted file causes a heap overflow in the bid_entry function in the mtree parser.
This bug looks similar to the other bid_entry crash reported here, but in this case ASan classifies the bad read as a heap-buffer-overflow: 613 bytes past the end of a 262144-byte read-ahead buffer, rather than a freed or unmapped address.

The complete ASan output:

# bsdtar -t -f $FILE
==786==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f3cae7e9a65 at pc 0x7f3cae1c0bb6 bp 0x7ffe4f21cb30 sp 0x7ffe4f21cb28
READ of size 1 at 0x7f3cae7e9a65 thread T0
    #0 0x7f3cae1c0bb5 in bid_entry /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/libarchive/archive_read_support_format_mtree.c:567:7
    #1 0x7f3cae1c0bb5 in detect_form /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/libarchive/archive_read_support_format_mtree.c:676
    #2 0x7f3cae08618b in choose_format /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/libarchive/archive_read.c:712:10
    #3 0x7f3cae08618b in archive_read_open1 /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/libarchive/archive_read.c:529
    #4 0x7f3cae0bdf1f in archive_read_open_filename /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/libarchive/archive_read_open_filename.c:109:9
    #5 0x501f66 in read_archive /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/tar/read.c:223:6
    #6 0x501473 in tar_mode_t /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/tar/read.c:94:2
    #7 0x4f8929 in main /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/tar/bsdtar.c:803:3
    #8 0x7f3cad0f961f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #9 0x41b778 in _init (/usr/bin/bsdtar+0x41b778)

0x7f3cae7e9a65 is located 613 bytes to the right of 262144-byte region [0x7f3cae7a9800,0x7f3cae7e9800)
allocated by thread T0 here:
    #0 0x4c2cc8 in malloc /var/tmp/portage/sys-devel/llvm-3.8.0-r3/work/llvm-3.8.0.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52
    #1 0x7f3cae08dbca in __archive_read_filter_ahead /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/libarchive/archive_read.c:1436:17

SUMMARY: AddressSanitizer: heap-buffer-overflow /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/libarchive/archive_read_support_format_mtree.c:567:7 in bid_entry
Shadow bytes around the buggy address:
  0x0fe815cf52f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe815cf5300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe815cf5310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe815cf5320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe815cf5330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0fe815cf5340: fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa fa
  0x0fe815cf5350: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe815cf5360: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe815cf5370: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe815cf5380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe815cf5390: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==786==ABORTING

Affected version:
3.2.1

Fixed version:
3.2.2

Commit fix:
https://github.com/libarchive/libarchive/commit/eec077f52bfa2d3f7103b4b74d52572ba8a15aca

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2016-8688

Timeline:
2016-08-11: bug discovered
2016-08-11: bug reported to upstream
2016-09-11: blog post about the issue
2016-09-19: upstream released a patch
2016-10-16: CVE Assigned
2016-10-24: Upstream released 3.2.2

Note:
This bug was found with American Fuzzy Lop.

Posted in advisories, security

libarchive: bsdtar: memory corruption/unknown-crash in bid_entry (archive_read_support_format_mtree.c)

Description:
libarchive is a multi-format archive and compression library.

After it got fuzzed by hanno and some other people (1 2 3) I decided to fuzz it too.

A crafted file causes an out-of-bounds read (memory corruption) in the bid_entry function in the mtree parser.
This bug looks similar to the bid_entry heap overflow, but in this case ASan cannot place the address in the heap and reports it as an unknown-crash (wild memory access suspected).
This bug was also discovered independently by gsingh93 using the libarchive API.

The complete ASan output:

# bsdtar -t -f $FILE
==6147==ERROR: AddressSanitizer: unknown-crash on address 0x7fa7103c437b at pc 0x7fa70fd73bb6 bp 0x7ffc3948db30 sp 0x7ffc3948db28
READ of size 1 at 0x7fa7103c437b thread T0
    #0 0x7fa70fd73bb5 in bid_entry /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/libarchive/archive_read_support_format_mtree.c:567:7
    #1 0x7fa70fd73bb5 in detect_form /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/libarchive/archive_read_support_format_mtree.c:676
    #2 0x7fa70fc3918b in choose_format /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/libarchive/archive_read.c:712:10
    #3 0x7fa70fc3918b in archive_read_open1 /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/libarchive/archive_read.c:529
    #4 0x7fa70fc70f1f in archive_read_open_filename /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/libarchive/archive_read_open_filename.c:109:9
    #5 0x501f66 in read_archive /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/tar/read.c:223:6
    #6 0x501473 in tar_mode_t /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/tar/read.c:94:2
    #7 0x4f8929 in main /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/tar/bsdtar.c:803:3
    #8 0x7fa70ecac61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #9 0x41b778 in _init (/usr/bin/bsdtar+0x41b778)

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: unknown-crash /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/libarchive/archive_read_support_format_mtree.c:567:7 in bid_entry
Shadow bytes around the buggy address:
  0x0ff562070810: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0ff562070820: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0ff562070830: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0ff562070840: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0ff562070850: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
=>0x0ff562070860: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe[fe]
  0x0ff562070870: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0ff562070880: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0ff562070890: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0ff5620708a0: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0ff5620708b0: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==6147==ABORTING

Affected version:
3.2.1

Fixed version:
3.2.2

Commit fix:
https://github.com/libarchive/libarchive/commit/eec077f52bfa2d3f7103b4b74d52572ba8a15aca

Credit:
This bug was discovered independently by Agostino Sarubbo of Gentoo and by gsingh93.

CVE:
CVE-2016-8688

Timeline:
2016-08-11: bug discovered
2016-08-11: bug reported to upstream
2016-09-11: blog post about the issue
2016-09-19: upstream released a patch
2016-10-16: CVE Assigned
2016-10-24: Upstream released 3.2.2

Note:
This bug was found with American Fuzzy Lop.

Posted in advisories, security

libarchive: bsdtar: heap-based buffer overflow in read_Header (archive_read_support_format_7zip.c)

Description:
libarchive is a multi-format archive and compression library.

After it got fuzzed by hanno and some other people (1 2 3) I decided to fuzz it too.

A crafted file causes a heap overflow in the read_Header function in the 7zip parser.

The complete ASan output:

# bsdtar -t -f $FILE
==27481==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ecbb at pc 0x7f01eb0e55fc bp 0x7fff63005ad0 sp 0x7fff63005ac8
READ of size 1 at 0x60200000ecbb thread T0
    #0 0x7f01eb0e55fb in read_Header /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/libarchive/archive_read_support_format_7zip.c:2601:9
    #1 0x7f01eb0e55fb in slurp_central_directory /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/libarchive/archive_read_support_format_7zip.c:2923
    #2 0x7f01eb0e55fb in archive_read_format_7zip_read_header /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/libarchive/archive_read_support_format_7zip.c:638
    #3 0x7f01eb07a0ec in _archive_read_next_header2 /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/libarchive/archive_read.c:649:7
    #4 0x7f01eb079c8f in _archive_read_next_header /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/libarchive/archive_read.c:687:8
    #5 0x5021cb in read_archive /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/tar/read.c:261:7
    #6 0x501473 in tar_mode_t /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/tar/read.c:94:2
    #7 0x4f8929 in main /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/tar/bsdtar.c:803:3
    #8 0x7f01ea0df61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #9 0x41b778 in _init (/usr/bin/bsdtar+0x41b778)

0x60200000ecbb is located 0 bytes to the right of 11-byte region [0x60200000ecb0,0x60200000ecbb)
allocated by thread T0 here:
    #0 0x4c2e50 in calloc /var/tmp/portage/sys-devel/llvm-3.8.0-r3/work/llvm-3.8.0.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:66
    #1 0x7f01eb0dead3 in read_Header /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/libarchive/archive_read_support_format_7zip.c:2454:24
    #2 0x7f01eb0dead3 in slurp_central_directory /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/libarchive/archive_read_support_format_7zip.c:2923
    #3 0x7f01eb0dead3 in archive_read_format_7zip_read_header /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/libarchive/archive_read_support_format_7zip.c:638
    #4 0x7f01eb07a0ec in _archive_read_next_header2 /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/libarchive/archive_read.c:649:7
    #5 0x7f01eb079c8f in _archive_read_next_header /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/libarchive/archive_read.c:687:8
    #6 0x501473 in tar_mode_t /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/tar/read.c:94:2
    #7 0x4f8929 in main /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/tar/bsdtar.c:803:3
    #8 0x7f01ea0df61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/libarchive/archive_read_support_format_7zip.c:2601:9 in read_Header
Shadow bytes around the buggy address:
  0x0c047fff9d40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9d90: fa fa fa fa fa fa 00[03]fa fa fd fa fa fa fd fa
  0x0c047fff9da0: fa fa 04 fa fa fa 01 fa fa fa 00 fa fa fa 00 fa
  0x0c047fff9db0: fa fa 00 fa fa fa 04 fa fa fa 01 fa fa fa 00 fa
  0x0c047fff9dc0: fa fa 00 fa fa fa 00 04 fa fa 00 04 fa fa 00 04
  0x0c047fff9dd0: fa fa 00 04 fa fa 00 04 fa fa 00 04 fa fa 00 04
  0x0c047fff9de0: fa fa 00 04 fa fa 00 04 fa fa 00 04 fa fa 00 04
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==27481==ABORTING

Affected version:
3.2.1

Fixed version:
3.2.2

Commit fix:
https://github.com/libarchive/libarchive/commit/7f17c791dcfd8c0416e2cd2485b19410e47ef126

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2016-8689

Timeline:
2016-08-11: bug discovered
2016-08-11: bug reported to upstream
2016-09-11: blog post about the issue
2016-09-19: upstream released a patch
2016-10-16: CVE Assigned
2016-10-24: Upstream released 3.2.2

Note:
This bug was found with American Fuzzy Lop.

Posted in advisories, security

libarchive: bsdtar: heap-based buffer overflow in detect_form (archive_read_support_format_mtree.c)

Description:
libarchive is a multi-format archive and compression library.

After it got fuzzed by hanno and some other people (1 2 3) I decided to fuzz it too.

A crafted file causes a heap overflow in the detect_form function in the mtree parser.
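All of the mtree reports on this page (the use-after-frees in detect_form and bid_entry, the heap-buffer-overflow in bid_entry, the unknown-crash in bid_entry and this heap-buffer-overflow in detect_form) share one shape: the buffer is allocated and freed inside __archive_read_filter_ahead (archive_read.c:1436 and :1450), and the bidder reads from it during choose_format, before any entry has been returned. The use-after-free addresses lie inside a freed 131072-byte region and the overflow addresses lie past the end of a 262144-byte region, which is consistent with a read-ahead window that was reallocated to double its size while the bidder kept scanning through an older pointer or past the byte count it was given. The C program below is an added example, not libarchive's code: it models a read-ahead API that frees and reallocates on growth, and a line scanner that keeps the two invariants a caller of such an API must hold. Re-fetch the pointer after every read-ahead call, and never index beyond the count that call reported; a short (NULL) result means end of data, not permission to scan the size that was requested. The struct and function names, the 16-byte initial window and the sample mtree text are constructed for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Read-ahead window in the style the stack traces show: when it must grow, the old
 * buffer is freed and a bigger one allocated, so earlier pointers are dangling. */
typedef struct {
    const unsigned char *src;  size_t srclen, pos;  /* the "file", bytes consumed */
    unsigned char *buf;        size_t cap;          /* window and its capacity */
    unsigned grows;                                  /* reallocations, for the demo */
} reader_t;

/* Window holding at least `min` unconsumed bytes, or NULL (with *avail = what is
 * left) when the source cannot supply that many. */
static const unsigned char *read_ahead(reader_t *r, size_t min, size_t *avail)
{
    size_t left = r->srclen - r->pos;
    if (min > left) { *avail = left; return NULL; }
    if (min > r->cap) {
        size_t ncap = r->cap;
        while (ncap < min) ncap *= 2;
        unsigned char *nbuf = malloc(ncap);
        if (nbuf == NULL) abort();
        free(r->buf);                   /* the free() in the ASan reports */
        r->buf = nbuf; r->cap = ncap; r->grows++;
    }
    *avail = left < r->cap ? left : r->cap;
    memcpy(r->buf, r->src + r->pos, *avail);
    return r->buf;
}

/* Length of the next line including its '\n' (or of a final unterminated line), 0 at
 * end of input.  Bytes are read only through the pointer from the LATEST read_ahead
 * call and only below the `avail` it reported; a NULL (short) result ends the search
 * instead of being scanned up to the size that was requested. */
static size_t next_line(reader_t *r, const unsigned char **line)
{
    size_t avail, want = 1;
    for (;;) {
        const unsigned char *p = read_ahead(r, want, &avail);
        if (p == NULL) {                /* fewer than `want` bytes left */
            if (avail == 0) { *line = NULL; return 0; }
            *line = read_ahead(r, avail, &avail);   /* what is left is the last line */
            return avail;
        }
        const unsigned char *nl = memchr(p, '\n', avail);
        if (nl != NULL) { *line = p; return (size_t)(nl - p) + 1; }
        want = avail + 1;               /* no newline yet: grow the window and rescan */
    }
}

/* Counts mtree-style entry lines (non-blank, not a '#' comment, containing key=value);
 * returns -1 at the first line that fits none of these shapes. */
static long count_entries(const unsigned char *src, size_t len, unsigned *grows)
{
    reader_t r = { src, len, 0, NULL, 16, 0 };  /* tiny window so growth happens often */
    const unsigned char *line; size_t n; long entries = 0;

    r.buf = malloc(r.cap);
    while ((n = next_line(&r, &line)) > 0) {
        size_t body = (line[n - 1] == '\n') ? n - 1 : n;
        if (body > 0 && line[0] != '#') {
            if (memchr(line, '=', body) == NULL) { entries = -1; break; }
            entries++;
        }
        r.pos += n;                     /* consume; `line` must not be used after this */
    }
    if (grows != NULL) *grows = r.grows;
    free(r.buf);
    return entries;
}

/* Constructed sample: a comment, two short entries, one entry much longer than the
 * initial window (forces several reallocations) and a last line without a newline. */
static size_t build_sample(unsigned char *out, size_t cap)
{
    const char *head = "#mtree\n./a type=file size=3\n./b type=dir\n. type=file contents=";
    const char *tail = "\n./c type=file";
    size_t n = strlen(head);
    if (cap < n + 100 + strlen(tail)) return 0;
    memcpy(out, head, n);
    memset(out + n, 'x', 100); n += 100;
    memcpy(out + n, tail, strlen(tail));
    return n + strlen(tail);
}

static long demo_sample_entries(unsigned *grows)
{
    unsigned char buf[256];
    return count_entries(buf, build_sample(buf, sizeof buf), grows);
}

static unsigned demo_sample_grows(void)
{
    unsigned grows = 0;
    (void)demo_sample_entries(&grows);
    return grows;
}

int main(void)
{
    printf("entries=%ld, window reallocated %u times\n",
           demo_sample_entries(NULL), demo_sample_grows());
    return 0;
}
```

On the sample the window is reallocated three times (16 to 32, 64 and 128 bytes) while the long entry is scanned, so a scanner that kept the pointer from its first read_ahead call would be reading freed memory at exactly the point the page's use-after-free traces show; treating the short final read as end of data is what keeps the last, unterminated line from being scanned past the buffer.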

The complete ASan output:

# bsdtar -t -f $FILE
==25612==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fadef29981e at pc 0x7fadeec6fbac bp 0x7ffd2318bb30 sp 0x7ffd2318bb28
READ of size 1 at 0x7fadef29981e thread T0
    #0 0x7fadeec6fbab in detect_form /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/libarchive/archive_read_support_format_mtree.c:692:26
    #1 0x7fadeeb3518b in choose_format /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/libarchive/archive_read.c:712:10
    #2 0x7fadeeb3518b in archive_read_open1 /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/libarchive/archive_read.c:529
    #3 0x7fadeeb6cf1f in archive_read_open_filename /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/libarchive/archive_read_open_filename.c:109:9
    #4 0x501f66 in read_archive /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/tar/read.c:223:6
    #5 0x501473 in tar_mode_t /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/tar/read.c:94:2
    #6 0x4f8929 in main /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/tar/bsdtar.c:803:3
    #7 0x7fadedba861f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #8 0x41b778 in _init (/usr/bin/bsdtar+0x41b778)

0x7fadef29981e is located 4126 bytes to the right of 262144-byte region [0x7fadef258800,0x7fadef298800)
allocated by thread T0 here:
    #0 0x4c2cc8 in malloc /var/tmp/portage/sys-devel/llvm-3.8.0-r3/work/llvm-3.8.0.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52
    #1 0x7fadeeb3cbca in __archive_read_filter_ahead /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/libarchive/archive_read.c:1436:17

SUMMARY: AddressSanitizer: heap-buffer-overflow /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/libarchive/archive_read_support_format_mtree.c:692:26 in detect_form
Shadow bytes around the buggy address:
  0x0ff63de4b2b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff63de4b2c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff63de4b2d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff63de4b2e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff63de4b2f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0ff63de4b300: fa fa fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff63de4b310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff63de4b320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff63de4b330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff63de4b340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff63de4b350: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==25612==ABORTING

Affected version:
3.2.1

Fixed version:
3.2.2

Commit fix:
https://github.com/libarchive/libarchive/commit/eec077f52bfa2d3f7103b4b74d52572ba8a15aca

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2016-8688

Timeline:
2016-08-11: bug discovered
2016-08-11: bug reported to upstream
2016-09-11: blog post about the issue
2016-09-19: upstream released a patch
2016-10-16: CVE Assigned
2016-10-24: Upstream released 3.2.2

Note:
This bug was found with American Fuzzy Lop.


autotrace: heap-based buffer overflow in pstoedit_suffix_table_init (output-pstoedit.c)

Description:
autotrace is a program for converting bitmaps to vector graphics.

If compiled with Address Sanitizer, it shows that ANY bmp image causes an out-of-bounds write.

The complete ASan output:

# autotrace $FILE
==31756==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61700000ff20 at pc 0x7f11a5538380 bp 0x7ffecc970f90 sp 0x7ffecc970f88                                                      
WRITE of size 8 at 0x61700000ff20 thread T0                                                                                                                                                    
    #0 0x7f11a553837f in pstoedit_suffix_table_init /var/tmp/portage/media-gfx/autotrace-0.31.1-r7/work/autotrace-0.31.1/output-pstoedit.c:103:54                                              
    #1 0x7f11a5536544 in pstoedit_suffix_table_lookup_shallow /var/tmp/portage/media-gfx/autotrace-0.31.1-r7/work/autotrace-0.31.1/output-pstoedit.c:143:5                                     
    #2 0x7f11a5536544 in output_pstoedit_is_writer /var/tmp/portage/media-gfx/autotrace-0.31.1-r7/work/autotrace-0.31.1/output-pstoedit.c:160                                                  
    #3 0x7f11a556020b in at_splines_write /var/tmp/portage/media-gfx/autotrace-0.31.1-r7/work/autotrace-0.31.1/autotrace.c:375:7                                                               
    #4 0x4f579b in main /var/tmp/portage/media-gfx/autotrace-0.31.1-r7/work/autotrace-0.31.1/main.c:161:3                                                                                      
    #5 0x7f11a460761f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289                                                                        
    #6 0x4196b8 in _init (/usr/bin/autotrace+0x4196b8)                                                                                                                                         
                                                                                                                                                                                               
0x61700000ff21 is located 0 bytes to the right of 673-byte region [0x61700000fc80,0x61700000ff21)                                                                                              
allocated by thread T0 here:                                                                                                                                                                   
    #0 0x4c0c08 in malloc /var/tmp/portage/sys-devel/llvm-3.8.1/work/llvm-3.8.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52                                                      
    #1 0x7f11a5538053 in pstoedit_suffix_table_init /var/tmp/portage/media-gfx/autotrace-0.31.1-r7/work/autotrace-0.31.1/output-pstoedit.c:87:7                                                
                                                                                                                                                                                               
SUMMARY: AddressSanitizer: heap-buffer-overflow /var/tmp/portage/media-gfx/autotrace-0.31.1-r7/work/autotrace-0.31.1/output-pstoedit.c:103:54 in pstoedit_suffix_table_init                    
Shadow bytes around the buggy address:                                                                                                                                                         
  0x0c2e7fff9f90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00                                                                                                                              
  0x0c2e7fff9fa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00                                                                                                                              
  0x0c2e7fff9fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00                                                                                                                              
  0x0c2e7fff9fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00                                                                                                                              
  0x0c2e7fff9fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00                                                                                                                              
=>0x0c2e7fff9fe0: 00 00 00 00[01]fa fa fa fa fa fa fa fa fa fa fa                                                                                                                              
  0x0c2e7fff9ff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa                                                                                                                              
  0x0c2e7fffa000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa                                                                                                                              
  0x0c2e7fffa010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa                                                                                                                              
  0x0c2e7fffa020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa                                                                                                                              
  0x0c2e7fffa030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa                                                                                                                              
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==31756==ABORTING

Affected version:
0.31.1

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2016-7392

Timeline:
2016-09-10: bug discovered
2016-09-10: bug reported to upstream
2016-09-10: blog post about the issue
2016-09-10: CVE assigned

Note:
This bug was found with Address Sanitizer.


ettercap: etterlog: NULL pointer dereference in fingerprint_search (ec_fingerprint.c)

Description:
ettercap is a comprehensive suite for man-in-the-middle attacks.

Etterlog, which is part of the package, fails to handle malformed log data produced by the fuzzer and exposes a NULL pointer dereference.

The complete ASan output:

# etterlog $FILE
Log file version    : 0.8.2                                                                                                                                                                    
Timestamp           : Thu Jul 16 15:28:54 2015 [688192]                                                                                                                                        
Type                : LOG_INFO                                                                                                                                                                 

1766 tcp OS fingerprint                                                                                                                                                                        

20530 mac vendor fingerprint                                                                                                                                                                   

2182 known services                                                                                                                                                                            

ASAN:DEADLYSIGNAL                                                                                                                                                                              
=================================================================                                                                                                                              
==9987==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f4671a428b2 bp 0x7ffd1cdbf5b0 sp 0x7ffd1cdbf540 T0)                                                             
    #0 0x7f4671a428b1 in fingerprint_search /tmp/portage/net-analyzer/ettercap-9999/work/ettercap-9999/src/ec_fingerprint.c:189:17                                                             
    #1 0x7f4671a6ee4e in print_host /tmp/portage/net-analyzer/ettercap-9999/work/ettercap-9999/src/ec_passive.c:120:8                                                                          
    #2 0x4fe769 in display_info /tmp/portage/net-analyzer/ettercap-9999/work/ettercap-9999/utils/etterlog/el_display.c:277:10                                                                  
    #3 0x4fe769 in display /tmp/portage/net-analyzer/ettercap-9999/work/ettercap-9999/utils/etterlog/el_display.c:52                                                                           
    #4 0x507818 in main /tmp/portage/net-analyzer/ettercap-9999/work/ettercap-9999/utils/etterlog/el_main.c:94:4                                                                               
    #5 0x7f46706e561f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289                                                                        
    #6 0x41a408 in _start (/usr/bin/etterlog+0x41a408)                                                                                                                                         

AddressSanitizer can not provide additional info.                                                                                                                                              
SUMMARY: AddressSanitizer: SEGV /tmp/portage/net-analyzer/ettercap-9999/work/ettercap-9999/src/ec_fingerprint.c:189:17 in fingerprint_search                                                   
==9987==ABORTING                                                                                                                                                                               

etterlog 0.8.2 copyright 2001-2015 Ettercap Development Team                                                                                                                                   



==================================================
 IP address   : 192.168.0.31 

 MAC address  : 34:17:EB:9B:21:AD 
 MANUFACTURER : Dell Inc 

 DISTANCE     : 0   
 TYPE         : LAN host

 FINGERPRINT      : �

Affected version:
0.8.2

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Timeline:
2016-08-10: bug discovered
2016-08-11: bug reported to upstream
2016-09-09: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.
The stacktrace is from a git version compiled when I reported the bug to upstream, but the issue is reproducible with 0.8.2 too.


libav: null pointer dereference in get_vlc2 (get_bits.h)

Description:
Libav is an open source set of tools for audio and video processing.

A crafted file causes a NULL pointer access.
This issue was discovered last year, but I didn't make the report and didn't follow up on its status because of a lack of time.

Since I saw that the issue no longer happens on the git head, I asked a libav developer (Luca Barbato) about it. He said that commit e5b019725f53b79159931d3a7317107cbbfd0860 makes the issue no longer reachable through the provided testcase, but the issue is still there (maybe another round of fuzzing will rediscover it on master).

The complete ASan output:

# avconv -i $FILE -f null -
ASAN:SIGSEGV
=================================================================
==20876==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000000fc (pc 0x7f5273202c6c bp 0x7ffc8442a690 sp 0x7ffc8442a520 T0)
    #0 0x7f5273202c6b in get_vlc2 /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/libavcodec/get_bits.h:530:5
    #1 0x7f5273202c6b in mpeg4_decode_sprite_trajectory /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/libavcodec/mpeg4videodec.c:182
    #2 0x7f527322cbd8 in decode_vop_header /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/libavcodec/mpeg4videodec.c:2232:13
    #3 0x7f527322cbd8 in ff_mpeg4_decode_picture_header /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/libavcodec/mpeg4videodec.c:2491
    #4 0x7f52731fa9ae in mpeg4_decode_header /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/libavcodec/mpeg4video_parser.c:92:11
    #5 0x7f52731fa9ae in mpeg4video_parse /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/libavcodec/mpeg4video_parser.c:132
    #6 0x7f52735c88e6 in av_parser_parse2 /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/libavcodec/parser.c:157:13
    #7 0x7f52754f84dd in parse_packet /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/libavformat/utils.c:794:15
    #8 0x7f52754d5e64 in read_frame_internal /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/libavformat/utils.c:960:24
    #9 0x7f52754e3783 in avformat_find_stream_info /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/libavformat/utils.c:2156:15
    #10 0x4f62f6 in open_input_file /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/avconv_opt.c:726:11
    #11 0x4f474f in open_files /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/avconv_opt.c:2127:15
    #12 0x4f3f62 in avconv_parse_options /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/avconv_opt.c:2164:11
    #13 0x528727 in main /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/avconv.c:2629:11
    #14 0x7f527027eaa4 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.20-r2/work/glibc-2.20/csu/libc-start.c:289
    #15 0x43a5d6 in _start (/usr/bin/avconv+0x43a5d6)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/libavcodec/get_bits.h:530 get_vlc2
==20876==ABORTING
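The reports quoted in these advisories all follow the same AddressSanitizer layout, and a fuzzing campaign like the one described here produces hundreds of them, most of which are duplicates of a few distinct bugs. The script below is an added example (not code from this blog or from libarchive, autotrace, ettercap or libav) of the triage step a practitioner runs before reporting: it extracts a crash signature from each report (bug class, access kind and size, the function and source line of frame #0, and how far past the allocated region the access landed) and groups reports by that signature. The sample input is made of shortened excerpts of the detect_form and get_vlc2 reports quoted above; the 0x1000 "NULL page" threshold used to classify a SEGV and the severity buckets are assumptions of this example, not anything the advisories state.

```python
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One report of each shape seen on this page: a heap overflow with a READ line and an
# allocation region, and a SEGV with no access line. Both are shortened excerpts of
# the reports quoted above (constructed sample input, frames beyond #1 dropped).
HEAP_REPORT = """\
==25612==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fadef29981e at pc 0x7fadeec6fbac bp 0x7ffd2318bb30 sp 0x7ffd2318bb28
READ of size 1 at 0x7fadef29981e thread T0
    #0 0x7fadeec6fbab in detect_form /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/libarchive/archive_read_support_format_mtree.c:692:26
    #1 0x7fadeeb3518b in choose_format /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/libarchive/archive_read.c:712:10

0x7fadef29981e is located 4126 bytes to the right of 262144-byte region [0x7fadef258800,0x7fadef298800)
allocated by thread T0 here:
    #0 0x4c2cc8 in malloc /var/tmp/portage/sys-devel/llvm-3.8.0-r3/work/llvm-3.8.0.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52
SUMMARY: AddressSanitizer: heap-buffer-overflow /var/tmp/portage/app-arch/libarchive-3.2.1-r3/work/libarchive-3.2.1/libarchive/archive_read_support_format_mtree.c:692:26 in detect_form
==25612==ABORTING
"""

SEGV_REPORT = """\
ASAN:SIGSEGV
==20876==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000000fc (pc 0x7f5273202c6c bp 0x7ffc8442a690 sp 0x7ffc8442a520 T0)
    #0 0x7f5273202c6b in get_vlc2 /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/libavcodec/get_bits.h:530:5
    #1 0x7f5273202c6b in mpeg4_decode_sprite_trajectory /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/libavcodec/mpeg4videodec.c:182
SUMMARY: AddressSanitizer: SEGV /var/tmp/portage/media-video/libav-11.3/work/libav-11.3/libavcodec/get_bits.h:530 get_vlc2
==20876==ABORTING
"""

# "on address" for heap/stack overflows, "on unknown address" for SEGV reports.
ERROR_RE = re.compile(r"^==(?P<pid>\d+)==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on (?:unknown )?address (?P<addr>0x[0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+)")
FRAME_RE = re.compile(r"^\s*#(?P<n>\d+) 0x[0-9a-fA-F]+ in (?P<func>\S+) (?P<loc>\S+)")
LOC_RE = re.compile(r"^(?P<file>.+?):(?P<line>\d+)(?::\d+)?$")  # path:line[:col]
REGION_RE = re.compile(r"is located (?P<dist>\d+) bytes to the (?:left|right) of (?P<size>\d+)-byte region")
NULL_PAGE = 0x1000  # assumption: a fault below the first page is a NULL-based dereference


@dataclass
class CrashSignature:
    pid: int
    kind: str               # heap-buffer-overflow, stack-buffer-overflow, SEGV, ...
    address: int
    access: Optional[str]   # "READ" / "WRITE" when ASan reports one, else None
    size: Optional[int]
    function: str           # function in frame #0 of the crashing stack
    file: str               # basename of the source file in frame #0
    line: Optional[int]
    region_distance: Optional[int] = None  # bytes outside the allocated region
    region_size: Optional[int] = None

    def key(self) -> str:
        """Deduplication key: same bug class at the same source location."""
        return f"{self.kind}|{self.function}|{self.file}:{self.line}"

    def severity(self) -> str:
        """Coarse bucket: writes outrank reads; a NULL-page SEGV is usually a plain crash."""
        if self.kind == "SEGV":
            return "low" if self.address < NULL_PAGE else "medium"
        return "high" if self.access == "WRITE" else "medium"


def parse_asan_report(text: str) -> Optional[CrashSignature]:
    """Extract the signature from one ASan report; returns None if no ERROR line is found."""
    sig: Optional[CrashSignature] = None
    for line in text.splitlines():
        line = line.rstrip()
        m = ERROR_RE.match(line)
        if m and sig is None:
            sig = CrashSignature(int(m["pid"]), m["kind"], int(m["addr"], 16), None, None, "?", "?", None)
            continue
        if sig is None:
            continue
        if (m := ACCESS_RE.match(line)):
            sig.access, sig.size = m["op"], int(m["size"])
        elif (m := FRAME_RE.match(line)) and m["n"] == "0" and sig.function == "?":
            # Only the first #0 is the crash site; a later #0 belongs to the allocation stack.
            sig.function = m["func"]
            loc = LOC_RE.match(m["loc"])
            sig.file = os.path.basename(loc["file"]) if loc else m["loc"]
            sig.line = int(loc["line"]) if loc else None
        elif (m := REGION_RE.search(line)):
            sig.region_distance, sig.region_size = int(m["dist"]), int(m["size"])
    return sig


def triage(reports: List[str]) -> Dict[str, List[CrashSignature]]:
    """Group a batch of crash reports by signature so each distinct bug is examined once."""
    buckets: Dict[str, List[CrashSignature]] = {}
    for text in reports:
        sig = parse_asan_report(text)
        if sig is not None:
            buckets.setdefault(sig.key(), []).append(sig)
    return buckets


if __name__ == "__main__":
    # The duplicated HEAP_REPORT collapses into one bucket with a count of 2.
    for key, sigs in triage([HEAP_REPORT, SEGV_REPORT, HEAP_REPORT]).items():
        s = sigs[0]
        print(f"{len(sigs)}x {key} severity={s.severity()} access={s.access} "
              f"size={s.size} past_region={s.region_distance}")
```

Grouping on frame #0 alone is deliberately coarse: it merges the mtree reports on this page that crash at the same line under different inputs, which is what you want before filing, but it would also merge two distinct bugs that happen to fault inside the same helper (a `strlen` or `memcpy` frame), so a second pass keyed on the first two or three project frames is worth adding once the obvious duplicates are gone.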

Affected version:
11.3 (and maybe earlier versions) to 11.7

Fixed version:
11.9

Commit fix:
https://git.libav.org/?p=libav.git;a=blobdiff;f=libavformat/m4vdec.c;h=9d69dcc042142a93b0a61a2a41854e84a4c26b42;hp=4a0af3c03735e91c0883d797cc34f3f45060b965;hb=45abbe2041753d761b69fbdccc44dbcbd491daea;hpb=d1429c064a68dd0db3fb98af010028fd975ccfdd

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2016-8676

Timeline:
2015-07-27: bug discovered
2016-09-14: bug reported to upstream
2016-09-24: blog post about the issue
2016-10-16: CVE Assigned
2016-12-06: upstream released a patch

Note:
This bug was found with American Fuzzy Lop.
This bug does not affect ffmpeg.
The stacktrace is from 11.3 but, as said before, the issue is present in 11.7 too.
