Date: Mon, 7 Sep 2015 08:57:20 -0300
From: Gustavo Grieco <gustavo.grieco@...il.com>
To: oss-security@...ts.openwall.com
Subject: Heap overflow and DoS in unzip 6.0

Hello,

Two issues were found in unzip 6.0:

* A heap overflow triggered by unzipping a file with password (e.g. unzip -p
-P x sigsegv.zip)
* A denial of service with a file that never finishes unzipping (e.g.
unzip sigxcpu.zip).

Upstream is notified. Nevertheless the test cases as well as the valgrind
and the address sanitizer reports of the heap overflow case are attached (as
a single file) in case someone wants to provide some feedback. These issues
were found with QuickFuzz.

Regards,
Gustavo.


==7525== Memcheck, a memory error detector
==7525== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==7525== Using Valgrind-3.10.0.SVN and LibVEX; rerun with -h for copyright info
==7525== Command: unzip -p -P x buggy.fuzzed.sigsegv.zip
==7525== 
warning [buggy.fuzzed.sigsegv.zip]:  11 extra bytes at beginning or within zipfile
  (attempting to process anyway)
error [buggy.fuzzed.sigsegv.zip]:  reported length of central directory is
  -11 bytes too long (Atari STZip zipfile?  J.H.Holm ZIPSPLIT 1.1
  zipfile?).  Compensating...
==7525== Conditional jump or move depends on uninitialised value(s)
==7525==    at 0x80595AF: getZip64Data (process.c:1927)
==7525==    by 0x80534DB: do_string (fileio.c:2300)
==7525==    by 0x804E250: extract_or_test_entrylist (extract.c:1214)
==7525==    by 0x8050C30: extract_or_test_files (extract.c:586)
==7525==    by 0x8058482: do_seekable (process.c:987)
==7525==    by 0x8058BD6: process_zipfiles (process.c:401)
==7525==    by 0x804B3DB: unzip (unzip.c:1278)
==7525==    by 0x80495E6: main (unzip.c:741)
==7525== 
==7525== Conditional jump or move depends on uninitialised value(s)
==7525==    at 0x80595B9: getZip64Data (process.c:1935)
==7525==    by 0x80534DB: do_string (fileio.c:2300)
==7525==    by 0x804E250: extract_or_test_entrylist (extract.c:1214)
==7525==    by 0x8050C30: extract_or_test_files (extract.c:586)
==7525==    by 0x8058482: do_seekable (process.c:987)
==7525==    by 0x8058BD6: process_zipfiles (process.c:401)
==7525==    by 0x804B3DB: unzip (unzip.c:1278)
==7525==    by 0x80495E6: main (unzip.c:741)
==7525== 
==7525== Conditional jump or move depends on uninitialised value(s)
==7525==    at 0x8059588: getZip64Data (process.c:1922)
==7525==    by 0x80534DB: do_string (fileio.c:2300)
==7525==    by 0x804E250: extract_or_test_entrylist (extract.c:1214)
==7525==    by 0x8050C30: extract_or_test_files (extract.c:586)
==7525==    by 0x8058482: do_seekable (process.c:987)
==7525==    by 0x8058BD6: process_zipfiles (process.c:401)
==7525==    by 0x804B3DB: unzip (unzip.c:1278)
==7525==    by 0x80495E6: main (unzip.c:741)
==7525== 
==7525== Use of uninitialised value of size 4
==7525==    at 0x8053D44: makeword (fileio.c:2426)
==7525==    by 0x8059596: getZip64Data (process.c:1924)
==7525==    by 0x80534DB: do_string (fileio.c:2300)
==7525==    by 0x804E250: extract_or_test_entrylist (extract.c:1214)
==7525==    by 0x8050C30: extract_or_test_files (extract.c:586)
==7525==    by 0x8058482: do_seekable (process.c:987)
==7525==    by 0x8058BD6: process_zipfiles (process.c:401)
==7525==    by 0x804B3DB: unzip (unzip.c:1278)
==7525==    by 0x80495E6: main (unzip.c:741)
==7525== 
==7525== Use of uninitialised value of size 4
==7525==    at 0x8053D44: makeword (fileio.c:2426)
==7525==    by 0x80595A3: getZip64Data (process.c:1925)
==7525==    by 0x80534DB: do_string (fileio.c:2300)
==7525==    by 0x804E250: extract_or_test_entrylist (extract.c:1214)
==7525==    by 0x8050C30: extract_or_test_files (extract.c:586)
==7525==    by 0x8058482: do_seekable (process.c:987)
==7525==    by 0x8058BD6: process_zipfiles (process.c:401)
==7525==    by 0x804B3DB: unzip (unzip.c:1278)
==7525==    by 0x80495E6: main (unzip.c:741)
==7525== 
cåM^^[BK¯µ:  mismatching "local" filename (cåM^^ZBK¯µ),
         continuing with "central" filename version
  error:  invalid compressed data to inflate cåM^^[BK¯µ
file #2:  bad zipfile offset (local header sig):  179
^\^F{`0Z(5x.:  mismatching "local" filename (cåM^^ZBK¯µ),
         continuing with "central" filename version
^\^F{`0Z(5x.:  ucsize 7 <> csize 2 for STORED entry
         continuing with "compressed" size value
^\^F{`0Z(5x.            bad CRC 0e988438  (should be 0000000a)
^»ˆ.Làhp:  ucsize 264 <> csize 18446744073709551611 for STORED entry
         continuing with "compressed" size value
==7525== Use of uninitialised value of size 4
==7525==    at 0x804B78B: update_keys (crypt.c:167)
==7525==    by 0x804B8F6: testkey (crypt.c:641)
==7525==    by 0x804B94F: testp (crypt.c:548)
==7525==    by 0x804BA63: decrypt (crypt.c:493)
==7525==    by 0x804E7DD: extract_or_test_entrylist (extract.c:1275)
==7525==    by 0x8050C30: extract_or_test_files (extract.c:586)
==7525==    by 0x8058482: do_seekable (process.c:987)
==7525==    by 0x8058BD6: process_zipfiles (process.c:401)
==7525==    by 0x804B3DB: unzip (unzip.c:1278)
==7525==    by 0x80495E6: main (unzip.c:741)
==7525== 
==7525== Invalid read of size 1
==7525==    at 0x804B8E8: testkey (crypt.c:641)
==7525==    by 0x804B94F: testp (crypt.c:548)
==7525==    by 0x804BA63: decrypt (crypt.c:493)
==7525==    by 0x804E7DD: extract_or_test_entrylist (extract.c:1275)
==7525==    by 0x8050C30: extract_or_test_files (extract.c:586)
==7525==    by 0x8058482: do_seekable (process.c:987)
==7525==    by 0x8058BD6: process_zipfiles (process.c:401)
==7525==    by 0x804B3DB: unzip (unzip.c:1278)
==7525==    by 0x80495E6: main (unzip.c:741)
==7525==  Address 0x4207b3c is 0 bytes after a block of size 8,196 alloc'd
==7525==    at 0x402A17C: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==7525==    by 0x8058A90: process_zipfiles (process.c:250)
==7525==    by 0x804B3DB: unzip (unzip.c:1278)
==7525==    by 0x80495E6: main (unzip.c:741)
==7525== 
==7525== Invalid write of size 1
==7525==    at 0x804B8EB: testkey (crypt.c:641)
==7525==    by 0x804B94F: testp (crypt.c:548)
==7525==    by 0x804BA63: decrypt (crypt.c:493)
==7525==    by 0x804E7DD: extract_or_test_entrylist (extract.c:1275)
==7525==    by 0x8050C30: extract_or_test_files (extract.c:586)
==7525==    by 0x8058482: do_seekable (process.c:987)
==7525==    by 0x8058BD6: process_zipfiles (process.c:401)
==7525==    by 0x804B3DB: unzip (unzip.c:1278)
==7525==    by 0x80495E6: main (unzip.c:741)
==7525==  Address 0x4207b3c is 0 bytes after a block of size 8,196 alloc'd
==7525==    at 0x402A17C: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==7525==    by 0x8058A90: process_zipfiles (process.c:250)
==7525==    by 0x804B3DB: unzip (unzip.c:1278)
==7525==    by 0x80495E6: main (unzip.c:741)
==7525== 

error:  zipfile probably corrupt (segmentation violation)
==7525== Invalid read of size 4
==7525==    at 0x400F28F: _dl_fini (dl-fini.c:193)
==7525==    by 0x40891B0: __run_exit_handlers (exit.c:82)
==7525==    by 0x408920C: exit (exit.c:104)
==7525==    by 0x805316A: handler (fileio.c:1659)
==7525==    by 0x40846A7: ??? (in /lib/i386-linux-gnu/libc-2.19.so)
==7525==    by 0x8050C30: extract_or_test_files (extract.c:586)
==7525==    by 0x8058482: do_seekable (process.c:987)
==7525==    by 0x8058BD6: process_zipfiles (process.c:401)
==7525==    by 0x804B3DB: unzip (unzip.c:1278)
==7525==    by 0x80495E6: main (unzip.c:741)
==7525==  Address 0x9d541f42 is not stack'd, malloc'd or (recently) free'd
==7525== 
==7525== 
==7525== Process terminating with default action of signal 11 (SIGSEGV)
==7525==  Access not within mapped region at address 0x9D541F42
==7525==    at 0x400F28F: _dl_fini (dl-fini.c:193)
==7525==    by 0x40891B0: __run_exit_handlers (exit.c:82)
==7525==    by 0x408920C: exit (exit.c:104)
==7525==    by 0x805316A: handler (fileio.c:1659)
==7525==    by 0x40846A7: ??? (in /lib/i386-linux-gnu/libc-2.19.so)
==7525==    by 0x8050C30: extract_or_test_files (extract.c:586)
==7525==    by 0x8058482: do_seekable (process.c:987)
==7525==    by 0x8058BD6: process_zipfiles (process.c:401)
==7525==    by 0x804B3DB: unzip (unzip.c:1278)
==7525==    by 0x80495E6: main (unzip.c:741)
==7525==  If you believe this happened as a result of a stack
==7525==  overflow in your program's main thread (unlikely but
==7525==  possible), you can try to increase the size of the
==7525==  main thread stack using the --main-stacksize= flag.
==7525==  The main thread stack size used in this run was 8388608.
==7525== Invalid read of size 4
==7525==    at 0x413D83A: tdestroy_recurse (tsearch.c:638)
==7525==    by 0x413D850: tdestroy_recurse (tsearch.c:639)
==7525==    by 0x419EE06: free_mem (in /lib/i386-linux-gnu/libc-2.19.so)
==7525==    by 0x419F409: __libc_freeres (in /lib/i386-linux-gnu/libc-2.19.so)
==7525==    by 0x4024526: _vgnU_freeres (in /usr/lib/valgrind/vgpreload_core-x86-linux.so)
==7525==  Address 0xf9e4edb6 is not stack'd, malloc'd or (recently) free'd
==7525== 
==7525== 
==7525== Process terminating with default action of signal 11 (SIGSEGV)
==7525==  Access not within mapped region at address 0xF9E4EDB6
==7525==    at 0x413D83A: tdestroy_recurse (tsearch.c:638)
==7525==    by 0x413D850: tdestroy_recurse (tsearch.c:639)
==7525==    by 0x419EE06: free_mem (in /lib/i386-linux-gnu/libc-2.19.so)
==7525==    by 0x419F409: __libc_freeres (in /lib/i386-linux-gnu/libc-2.19.so)
==7525==    by 0x4024526: _vgnU_freeres (in /usr/lib/valgrind/vgpreload_core-x86-linux.so)
==7525==  If you believe this happened as a result of a stack
==7525==  overflow in your program's main thread (unlikely but
==7525==  possible), you can try to increase the size of the
==7525==  main thread stack using the --main-stacksize= flag.
==7525==  The main thread stack size used in this run was 8388608.
==7525== 
==7525== HEAP SUMMARY:
==7525==     in use at exit: 79,869 bytes in 20 blocks
==7525==   total heap usage: 78 allocs, 58 frees, 345,002 bytes allocated
==7525== 
==7525== LEAK SUMMARY:
==7525==    definitely lost: 160 bytes in 3 blocks
==7525==    indirectly lost: 0 bytes in 0 blocks
==7525==      possibly lost: 40 bytes in 2 blocks
==7525==    still reachable: 79,669 bytes in 15 blocks
==7525==         suppressed: 0 bytes in 0 blocks
==7525== Rerun with --leak-check=full to see details of leaked memory
==7525== 
==7525== For counts of detected and suppressed errors, rerun with: -v
==7525== Use --track-origins=yes to see where uninitialised values come from
==7525== ERROR SUMMARY: 8302451 errors from 10 contexts (suppressed: 0 from 0)
Segmentation fault
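
Triage helper, added here as an example and not part of the original report or of unzip: it splits memcheck output such as the report above into error records, keeps the first faulting frame and the allocation site (skipping valgrind's malloc shim), and ranks out-of-bounds writes above reads and uninitialised-value uses, so the testkey write just past the 8,196-byte block allocated in process_zipfiles surfaces first. The embedded sample is a constructed excerpt of the report above.

```python
import re
from collections import Counter
# Constructed excerpt of the memcheck report above, trimmed to the lines the triage needs.
SAMPLE = """\
==7525== Invalid read of size 1
==7525==    at 0x804B8E8: testkey (crypt.c:641)
==7525==  Address 0x4207b3c is 0 bytes after a block of size 8,196 alloc'd
==7525==    at 0x402A17C: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==7525==    by 0x8058A90: process_zipfiles (process.c:250)
==7525== 
==7525== Invalid write of size 1
==7525==    at 0x804B8EB: testkey (crypt.c:641)
==7525==  Address 0x4207b3c is 0 bytes after a block of size 8,196 alloc'd
==7525==    by 0x8058A90: process_zipfiles (process.c:250)
==7525== 
==7525== Use of uninitialised value of size 4
==7525==    at 0x8053D44: makeword (fileio.c:2426)
"""

FRAME = re.compile(r"^(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \((.+)\)$")
ADDR = re.compile(r"^Address 0x[0-9a-f]+ is (\d+) bytes after a block of size ([\d,]+) alloc'd")
SEVERITY = {"Invalid write": 0, "Invalid read": 1}  # anything else (uninitialised use) ranks 2
def _record(lines):
    """One error block -> kind, first faulting frame, allocation site, overflow (distance, size)."""
    frames, alloc, overflow, in_alloc = [], [], None, False
    for line in lines[1:]:
        if m := ADDR.match(line):   # frames after this line describe the allocation, not the fault
            overflow, in_alloc = (int(m.group(1)), int(m.group(2).replace(",", ""))), True
        elif m := FRAME.match(line):
            (alloc if in_alloc else frames).append(f"{m.group(1)} ({m.group(2)})")
    return {"kind": lines[0], "frame": frames[0] if frames else None, "overflow": overflow,
            "alloc": next((f for f in alloc if "vgpreload" not in f), None)}  # skip valgrind's malloc shim

def parse_memcheck(text):
    """Split memcheck output into error records; a bare '==pid==' line ends a block."""
    records, block = [], []
    for raw in text.splitlines():
        line = re.sub(r"^==\d+==", "", raw).strip()   # drop the per-process prefix
        if line:
            block.append(line)
        elif block:
            records.append(_record(block)); block = []
    if block: records.append(_record(block))
    return records

def triage(records):
    """Deduplicate by (kind, frame, alloc site, overflow) and rank writes > reads > uninitialised use."""
    counts = Counter((r["kind"].split(" of size")[0], r["frame"], r["alloc"], r["overflow"]) for r in records)
    return sorted(counts.items(), key=lambda kv: SEVERITY.get(kv[0][0], 2))
```

Run over the full report, the same three distinct findings come out, with the write past the end of the heap block as the item to fix first.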


------------------------------------------------------------------------------------------

./unzip -p -P x buggy.fuzzed.sigsegv.zip
warning [buggy.fuzzed.sigsegv.zip]:  11 extra bytes at beginning or within zipfile
  (attempting to process anyway)
error [buggy.fuzzed.sigsegv.zip]:  reported length of central directory is
  -11 bytes too long (Atari STZip zipfile?  J.H.Holm ZIPSPLIT 1.1
  zipfile?).  Compensating...
c?M^^[BK??:  mismatching "local" filename (c?M^^ZBK??),
         continuing with "central" filename version
  error:  invalid compressed data to inflate c?M^^[BK??
file #2:  bad zipfile offset (local header sig):  179
^\^F{`0Z(5x.:  mismatching "local" filename (c?M^^ZBK??),
         continuing with "central" filename version
^\^F{`0Z(5x.:  ucsize 7 <> csize 2 for STORED entry
         continuing with "compressed" size value
^\^F{`0Z(5x.            bad CRC 0e988438  (should be 0000000a)
^??.L?hp:  ucsize 264 <> csize 18446744073709551611 for STORED entry
         continuing with "compressed" size value
=================================================================
==4394== ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb5202104 at pc 0x80500c0 bp 0xbfffedb8 sp 0xbfffedac
READ of size 1 at 0xb5202104 thread T0
    #0 0x80500bf (/home/vagrant/sand/unzip-6.0/unzip+0x80500bf)
    #1 0x8050911 (/home/vagrant/sand/unzip-6.0/unzip+0x8050911)
    #2 0x8058379 (/home/vagrant/sand/unzip-6.0/unzip+0x8058379)
    #3 0x805d111 (/home/vagrant/sand/unzip-6.0/unzip+0x805d111)
    #4 0x807bb97 (/home/vagrant/sand/unzip-6.0/unzip+0x807bb97)
    #5 0x804ee07 (/home/vagrant/sand/unzip-6.0/unzip+0x804ee07)
    #6 0x804996f (/home/vagrant/sand/unzip-6.0/unzip+0x804996f)
    #7 0xb685aa82 (/lib/i386-linux-gnu/libc-2.19.so+0x19a82)
    #8 0x8049b80 (/home/vagrant/sand/unzip-6.0/unzip+0x8049b80)
0xb5202104 is located 0 bytes to the right of 8196-byte region [0xb5200100,0xb5202104)
allocated by thread T0 here:
    #0 0xb6a05854 (/usr/lib/i386-linux-gnu/libasan.so.0.0.0+0x16854)
    #1 0x80798f9 (/home/vagrant/sand/unzip-6.0/unzip+0x80798f9)
    #2 0xbffff8b6 ([stack]+0x208b6)
Shadow bytes around the buggy address:
  0x36a403d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x36a403e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x36a403f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x36a40400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x36a40410: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x36a40420:[04]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a40430: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a40440: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a40450: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a40460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a40470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap righ redzone:     fb
  Freed Heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==4394== ABORTING
