Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 28 Jun 2016 08:57:03 +0200
From: Gustavo Grieco <gustavo.grieco@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: Apache Xerces getLastExtEntityInfo Use-After-Free

Hi,

Is it related with CVE-2016-2099 still unfixed in 3.1.3
(https://issues.apache.org/jira/browse/XERCESC-2066) ?

Thanks!

2016-06-28 8:50 GMT+02:00 Marco Grassi <marco.gra@...il.com>:
> Hi,
>
> the attached xml will trigger a UAF in xerces-c version 3.1.3 and the trunk
> version
>
>
> ➜  xml cat xerces_uaf | xerces-c-3.1.3/samples/StdInParse
> =================================================================
> ==16010==ERROR: AddressSanitizer: heap-use-after-free on address 0xf4a0dfcc
> at pc 0x0836c7f4 bp 0xfff9a198 sp 0xfff9a188
> READ of size 1 at 0xf4a0dfcc thread T0
>     #0 0x836c7f3 in
> xercesc_3_1::ReaderMgr::getLastExtEntityInfo(xercesc_3_1::ReaderMgr::LastExtEntityInfo&)
> const xercesc/internal/ReaderMgr.cpp:833
>     #1 0x83a42d4 in
> xercesc_3_1::XMLScanner::emitError(xercesc_3_1::XMLErrs::Codes,
> xercesc_3_1::XMLExcepts::Codes, unsigned short const*, unsigned short
> const*, unsigned short const*, unsigned short const*)
> xercesc/internal/XMLScanner.cpp:927
>     #2 0x8e40963 in
> xercesc_3_1::IGXMLScanner::scanDocument(xercesc_3_1::InputSource const&)
> xercesc/internal/IGXMLScanner.cpp:276
>     #3 0x84b4cca in xercesc_3_1::SAXParser::parse(xercesc_3_1::InputSource
> const&) xercesc/parsers/SAXParser.cpp:575
>     #4 0x80533d6 in main src/StdInParse/StdInParse.cpp:186
>     #5 0xf6dd5636 in __libc_start_main (/lib32/libc.so.6+0x18636)
>     #6 0x80624f1
> (/home/bob/VulnResearch/misc/xml/xerces-c-3.1.3/samples/StdInParse+0x80624f1)
>
> 0xf4a0dfcc is located 44 bytes inside of 56-byte region
> [0xf4a0dfa0,0xf4a0dfd8)
> freed by thread T0 here:
>     #0 0xf7228034 in operator delete(void*)
> (/usr/lib32/libasan.so.3+0xc5034)
>     #1 0x80992df in xercesc_3_1::XMemory::operator delete(void*)
> xercesc/util/XMemory.cpp:89
>
> previously allocated by thread T0 here:
>     #0 0xf72279b4 in operator new(unsigned int)
> (/usr/lib32/libasan.so.3+0xc49b4)
>     #1 0x8357ad9 in xercesc_3_1::MemoryManagerImpl::allocate(unsigned int)
> xercesc/internal/MemoryManagerImpl.cpp:40
>     #2 0x8099042 in xercesc_3_1::XMemory::operator new(unsigned int,
> xercesc_3_1::MemoryManager*) xercesc/util/XMemory.cpp:68
>
> SUMMARY: AddressSanitizer: heap-use-after-free
> xercesc/internal/ReaderMgr.cpp:833 in
> xercesc_3_1::ReaderMgr::getLastExtEntityInfo(xercesc_3_1::ReaderMgr::LastExtEntityInfo&)
> const
> Shadow bytes around the buggy address:
>   0x3e941ba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x3e941bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x3e941bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x3e941bd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x3e941be0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> =>0x3e941bf0: fa fa fa fa fd fd fd fd fd[fd]fd fa fa fa fa fa
>   0x3e941c00: fd fd fd fd fd fd fd fa fa fa fa fa 00 00 00 00
>   0x3e941c10: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 00
>   0x3e941c20: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
>   0x3e941c30: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
>   0x3e941c40: 00 00 04 fa fa fa fa fa 00 00 00 00 00 00 04 fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07
>   Heap left redzone:       fa
>   Heap right redzone:      fb
>   Freed heap region:       fd
>   Stack left redzone:      f1
>   Stack mid redzone:       f2
>   Stack right redzone:     f3
>   Stack partial redzone:   f4
>   Stack after return:      f5
>   Stack use after scope:   f8
>   Global redzone:          f9
>   Global init order:       f6
>   Poisoned by user:        f7
>   Container overflow:      fc
>   Array cookie:            ac
>   Intra object redzone:    bb
>   ASan internal:           fe
>   Left alloca redzone:     ca
>   Right alloca redzone:    cb
> ==16010==ABORTING
>
>
>
> Marco
>
> https://marcograss.github.io/

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ