Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 3 Jun 2015 01:00:28 +0200
From: Hanno Böck <hanno@...eck.de>
To: oss security list <oss-security@...ts.openwall.com>
Cc: cve-assign@...re.org
Subject: Stack out of bounds read access in uudecode / sharutils

https://blog.fuzzing-project.org/13-Stack-out-of-bounds-read-access-in-uudecode-sharutils.html

uudecode is a tool to decode uuencoded data. It is shipped with the
package sharutils.

An invalid input file can cause an out of bounds stack read access in
the function expand_tilde(). This issue has been reported to the
developers on 2015-03-04. It has been fixed in sharutils 4.15.2
(2015-05-30).

To see this bug one needs to use a tool like valgrind or address
sanitizer that detects out of bounds memory reads. The bug was found
with american fuzzy lop.

Sample file
https://crashes.fuzzing-project.org/uudecode-oob-read-stack-expand_tilde.uu

Address sanitizer output:

==8209==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff8a4a8690 at pc 0x40738d bp 0x7fff8a4a44a0 sp 0x7fff8a4a4490
READ of size 1 at 0x7fff8a4a8690 thread T0
#0 0x40738c in expand_tilde /mnt/ram/sharutils-4.14/src/uudecode.c:252
#1 0x40738c in decode /mnt/ram/sharutils-4.14/src/uudecode.c:437
#2 0x403660 in main /mnt/ram/sharutils-4.14/src/uudecode.c:530
#3 0x7f13d97fff9f in __libc_start_main (/lib64/libc.so.6+0x1ff9f)
#4 0x403c81 (/mnt/ram/sharutils-4.14/src/uudecode+0x403c81)

Address 0x7fff8a4a8690 is located in stack of thread T0 at offset 16800 in frame
#0 0x403da7 in decode /mnt/ram/sharutils-4.14/src/uudecode.c:362

This frame has 7 object(s):
[32, 36) 'mode'
[96, 104) 'outlen'
[160, 168) 'ctx'
[224, 368) 'attr'
[416, 16800) 'buf' <== Memory access at offset 16800 overflows this variable
[16832, 33216) 'buf_in'
[33248, 49632) 'buf'

-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: BBB51E42

[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ