{"id":1010,"date":"2016-12-01T17:52:32","date_gmt":"2016-12-01T15:52:32","guid":{"rendered":"http:\/\/blogs.gentoo.org\/ago\/?p=1010"},"modified":"2017-04-29T15:44:07","modified_gmt":"2017-04-29T13:44:07","slug":"libming-listswf-heap-based-buffer-overflow-in-_iprintf-outputtxt-c","status":"publish","type":"post","link":"https:\/\/blogs.gentoo.org\/ago\/2016\/12\/01\/libming-listswf-heap-based-buffer-overflow-in-_iprintf-outputtxt-c\/","title":{"rendered":"libming: listswf: heap-based buffer overflow in _iprintf (outputtxt.c)"},"content":{"rendered":"<p><strong>Description<\/strong>:<br \/>\n<a href=\"http:\/\/www.libming.org\">libming<\/a> is a Flash (SWF) output library. It can be used from PHP, Perl, Ruby, Python, C, C++, Java, and probably more on the way..<\/p>\n<p>A fuzzing revealed an overflow in listswf. The bug does not reside in any shared object but if you have a web application that calls directly the listswf binary to parse untrusted swf, then you are affected.<\/p>\n<p>The complete ASan output:<\/p>\n<pre><font size=\"2\"># listswf $FILE\r\nheader indicates a filesize of 18446744072727653119 but filesize is 165\r\nFile version: 128\r\nFile size: 165\r\nFrame size: (-4671272,-4672424)x(-4703645,4404051)\r\nFrame rate: 142.777344 \/ sec.\r\nTotal frames: 2696\r\n\r\nOffset: 25 (0x0019)\r\nBlock type: 67 (Unknown Block Type)\r\nBlock length: 24\r\n\r\n\r\n0000: 00 97 6b ba 06 91 6f 98  7a 38 01 00 a6 e3 80 2c    ..k...o. z8.....,\r\n0010: 77 25 d3 d3 1a 19 80 7f                            w%.....\r\n\r\n\r\n\r\nOffset: 51 (0x0033)\r\nBlock type: 24 (SWF_PROTECT)\r\nBlock length: 1                                                                                                                                                                                \r\n                                                                                                                                                                                               \r\n=================================================================                                                                                                                              \r\n==3132==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000eff1 at pc 0x000000499d10 bp 0x7ffc34a55e10 sp 0x7ffc34a555c0                                                       \r\nREAD of size 2 at 0x60200000eff1 thread T0                                                                                                                                                     \r\n    #0 0x499d0f in printf_common \/tmp\/portage\/sys-devel\/llvm-3.9.0-r1\/work\/llvm-3.9.0.src\/projects\/compiler-rt\/lib\/asan\/..\/sanitizer_common\/sanitizer_common_interceptors_format.inc:545       \r\n    #1 0x499a9d in printf_common \/tmp\/portage\/sys-devel\/llvm-3.9.0-r1\/work\/llvm-3.9.0.src\/projects\/compiler-rt\/lib\/asan\/..\/sanitizer_common\/sanitizer_common_interceptors_format.inc:545       \r\n    #2 0x49abfa in __interceptor_vfprintf \/tmp\/portage\/sys-devel\/llvm-3.9.0-r1\/work\/llvm-3.9.0.src\/projects\/compiler-rt\/lib\/asan\/..\/sanitizer_common\/sanitizer_common_interceptors.inc:1321    \r\n    #3 0x509dd7 in vprintf \/usr\/include\/bits\/stdio.h:38:10                                                                                                                                     \r\n    #4 0x509dd7 in _iprintf \/tmp\/portage\/media-libs\/ming-0.4.7\/work\/ming-0_4_7\/util\/outputtxt.c:144                                                                                            \r\n    #5 0x51f1f5 in outputSWF_PROTECT \/tmp\/portage\/media-libs\/ming-0.4.7\/work\/ming-0_4_7\/util\/outputtxt.c:1873:5                                                                                \r\n    #6 0x51c35b in outputBlock \/tmp\/portage\/media-libs\/ming-0.4.7\/work\/ming-0_4_7\/util\/outputtxt.c:2933:4                                                                                      \r\n    #7 0x527e83 in readMovie \/tmp\/portage\/media-libs\/ming-0.4.7\/work\/ming-0_4_7\/util\/main.c:277:4                                                                                              \r\n    #8 0x527e83 in main \/tmp\/portage\/media-libs\/ming-0.4.7\/work\/ming-0_4_7\/util\/main.c:350                                                                                                     \r\n    #9 0x7f0f1ff6861f in __libc_start_main \/var\/tmp\/portage\/sys-libs\/glibc-2.22-r4\/work\/glibc-2.22\/csu\/libc-start.c:289                                                                        \r\n    #10 0x419b38 in _init (\/usr\/bin\/listswf+0x419b38)                                                                                                                                          \r\n                                                                                                                                                                                               \r\n0x60200000eff1 is located 0 bytes to the right of 1-byte region [0x60200000eff0,0x60200000eff1)                                                                                                \r\nallocated by thread T0 here:                                                                                                                                                                   \r\n    #0 0x4d28f8 in malloc \/tmp\/portage\/sys-devel\/llvm-3.9.0-r1\/work\/llvm-3.9.0.src\/projects\/compiler-rt\/lib\/asan\/asan_malloc_linux.cc:64                                                       \r\n    #1 0x59b9ab in readBytes \/tmp\/portage\/media-libs\/ming-0.4.7\/work\/ming-0_4_7\/util\/read.c:201:17                                                                                             \r\n    #2 0x592864 in parseSWF_PROTECT \/tmp\/portage\/media-libs\/ming-0.4.7\/work\/ming-0_4_7\/util\/parser.c:2668:26                                                                                   \r\n    #3 0x5302cb in blockParse \/tmp\/portage\/media-libs\/ming-0.4.7\/work\/ming-0_4_7\/util\/blocktypes.c:145:14                                                                                      \r\n    #4 0x527d4f in readMovie \/tmp\/portage\/media-libs\/ming-0.4.7\/work\/ming-0_4_7\/util\/main.c:265:11                                                                                             \r\n    #5 0x527d4f in main \/tmp\/portage\/media-libs\/ming-0.4.7\/work\/ming-0_4_7\/util\/main.c:350                                                                                                     \r\n    #6 0x7f0f1ff6861f in __libc_start_main \/var\/tmp\/portage\/sys-libs\/glibc-2.22-r4\/work\/glibc-2.22\/csu\/libc-start.c:289                                                                        \r\n                                                                                                                                                                                               \r\nSUMMARY: AddressSanitizer: heap-buffer-overflow \/tmp\/portage\/sys-devel\/llvm-3.9.0-r1\/work\/llvm-3.9.0.src\/projects\/compiler-rt\/lib\/asan\/..\/sanitizer_common\/sanitizer_common_interceptors_format.inc:545 in printf_common                                                                                                                                                                      \r\nShadow bytes around the buggy address:\r\n  0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n=&gt;0x0c047fff9df0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa[01]fa\r\n  0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n  Addressable:           00\r\n  Partially addressable: 01 02 03 04 05 06 07 \r\n  Heap left redzone:       fa\r\n  Heap right redzone:      fb\r\n  Freed heap region:       fd\r\n  Stack left redzone:      f1\r\n  Stack mid redzone:       f2\r\n  Stack right redzone:     f3\r\n  Stack partial redzone:   f4\r\n  Stack after return:      f5\r\n  Stack use after scope:   f8\r\n  Global redzone:          f9\r\n  Global init order:       f6\r\n  Poisoned by user:        f7\r\n  Container overflow:      fc\r\n  Array cookie:            ac\r\n  Intra object redzone:    bb\r\n  ASan internal:           fe\r\n  Left alloca redzone:     ca\r\n  Right alloca redzone:    cb\r\n==3132==ABORTING\r\n<\/font><\/pre>\n<p><strong>Affected version:<\/strong><br \/>\n0.4.7<\/p>\n<p><strong>Fixed version:<\/strong><br \/>\n0.4.8<\/p>\n<p><strong>Commit fix:<\/strong><br \/>\n<a href=\"https:\/\/github.com\/libming\/libming\/commit\/459fa79d04dcd240996765727a726e5dc5c38f34\">https:\/\/github.com\/libming\/libming\/commit\/459fa79d04dcd240996765727a726e5dc5c38f34<\/a><\/p>\n<p><strong>Credit:<\/strong><br \/>\nThis bug was discovered by Agostino Sarubbo of Gentoo.<\/p>\n<p><strong>CVE:<\/strong><br \/>\nCVE-2016-9827<\/p>\n<p><strong>Reproducer:<\/strong><br \/>\n<a href=\"https:\/\/github.com\/asarubbo\/poc\/blob\/master\/00077-libming-heapoverflow-_iprintf\">https:\/\/github.com\/asarubbo\/poc\/blob\/master\/00077-libming-heapoverflow-_iprintf<\/a><\/p>\n<p><strong>Timeline:<\/strong><br \/>\n2016-11-24: bug discovered and reported to upstream<br \/>\n2016-12-01: blog post about the issue<br \/>\n2016-12-05: CVE assigned<br \/>\n2017-01-30: upstream released a patch<br \/>\n2017-04-07: upstream released 0.4.8<\/p>\n<p><strong>Note:<\/strong><br \/>\nThis bug was found with <a href=\"http:\/\/lcamtuf.coredump.cx\/afl\">American Fuzzy Lop<\/a>.<\/p>\n<p><strong>Permalink:<\/strong><\/p>\n<blockquote data-secret=\"uU814E13Hw\" class=\"wp-embedded-content\"><p><a href=\"http:\/\/blogs.gentoo.org\/ago\/2016\/12\/01\/libming-listswf-heap-based-buffer-overflow-in-_iprintf-outputtxt-c\/\">libming: listswf: heap-based buffer overflow in _iprintf (outputtxt.c)<\/a><\/p><\/blockquote>\n<p><iframe class=\"wp-embedded-content\" sandbox=\"allow-scripts\" security=\"restricted\" style=\"position: absolute; clip: rect(1px, 1px, 1px, 1px);\" src=\"http:\/\/blogs.gentoo.org\/ago\/2016\/12\/01\/libming-listswf-heap-based-buffer-overflow-in-_iprintf-outputtxt-c\/embed\/#?secret=uU814E13Hw\" data-secret=\"uU814E13Hw\" width=\"600\" height=\"338\" title=\"&#8220;libming: listswf: heap-based buffer overflow in _iprintf (outputtxt.c)&#8221; &#8212; agostino&#039;s blog\" frameborder=\"0\" marginwidth=\"0\" marginheight=\"0\" scrolling=\"no\"><\/iframe><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Description: libming is a Flash (SWF) output library. It can be used from PHP, Perl, Ruby, Python, C, C++, Java, and probably more on the way.. A fuzzing revealed an overflow in listswf. The bug does not reside in any &hellip; <a href=\"https:\/\/blogs.gentoo.org\/ago\/2016\/12\/01\/libming-listswf-heap-based-buffer-overflow-in-_iprintf-outputtxt-c\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":140,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true},"categories":[12,10],"tags":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p2EaBc-gi","_links":{"self":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/1010"}],"collection":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/users\/140"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/comments?post=1010"}],"version-history":[{"count":9,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/1010\/revisions"}],"predecessor-version":[{"id":1689,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/1010\/revisions\/1689"}],"wp:attachment":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/media?parent=1010"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/categories?post=1010"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/tags?post=1010"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}