Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 28 Jun 2016 08:57:03 +0200
From: Gustavo Grieco <gustavo.grieco@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: Apache Xerces getLastExtEntityInfo Use-After-Free

Hi,

Is it related with CVE-2016-2099 still unfixed in 3.1.3
(https://issues.apache.org/jira/browse/XERCESC-2066) ?

Thanks!

2016-06-28 8:50 GMT+02:00 Marco Grassi <marco.gra@...il.com>:
> Hi,
>
> the attached xml will trigger a UAF in xerces-c version 3.1.3 and the trunk
> version
>
>
> ➜  xml cat xerces_uaf | xerces-c-3.1.3/samples/StdInParse
> =================================================================
> ==16010==ERROR: AddressSanitizer: heap-use-after-free on address 0xf4a0dfcc
> at pc 0x0836c7f4 bp 0xfff9a198 sp 0xfff9a188
> READ of size 1 at 0xf4a0dfcc thread T0
>     #0 0x836c7f3 in
> xercesc_3_1::ReaderMgr::getLastExtEntityInfo(xercesc_3_1::ReaderMgr::LastExtEntityInfo&)
> const xercesc/internal/ReaderMgr.cpp:833
>     #1 0x83a42d4 in
> xercesc_3_1::XMLScanner::emitError(xercesc_3_1::XMLErrs::Codes,
> xercesc_3_1::XMLExcepts::Codes, unsigned short const*, unsigned short
> const*, unsigned short const*, unsigned short const*)
> xercesc/internal/XMLScanner.cpp:927
>     #2 0x8e40963 in
> xercesc_3_1::IGXMLScanner::scanDocument(xercesc_3_1::InputSource const&)
> xercesc/internal/IGXMLScanner.cpp:276
>     #3 0x84b4cca in xercesc_3_1::SAXParser::parse(xercesc_3_1::InputSource
> const&) xercesc/parsers/SAXParser.cpp:575
>     #4 0x80533d6 in main src/StdInParse/StdInParse.cpp:186
>     #5 0xf6dd5636 in __libc_start_main (/lib32/libc.so.6+0x18636)
>     #6 0x80624f1
> (/home/bob/VulnResearch/misc/xml/xerces-c-3.1.3/samples/StdInParse+0x80624f1)
>
> 0xf4a0dfcc is located 44 bytes inside of 56-byte region
> [0xf4a0dfa0,0xf4a0dfd8)
> freed by thread T0 here:
>     #0 0xf7228034 in operator delete(void*)
> (/usr/lib32/libasan.so.3+0xc5034)
>     #1 0x80992df in xercesc_3_1::XMemory::operator delete(void*)
> xercesc/util/XMemory.cpp:89
>
> previously allocated by thread T0 here:
>     #0 0xf72279b4 in operator new(unsigned int)
> (/usr/lib32/libasan.so.3+0xc49b4)
>     #1 0x8357ad9 in xercesc_3_1::MemoryManagerImpl::allocate(unsigned int)
> xercesc/internal/MemoryManagerImpl.cpp:40
>     #2 0x8099042 in xercesc_3_1::XMemory::operator new(unsigned int,
> xercesc_3_1::MemoryManager*) xercesc/util/XMemory.cpp:68
>
> SUMMARY: AddressSanitizer: heap-use-after-free
> xercesc/internal/ReaderMgr.cpp:833 in
> xercesc_3_1::ReaderMgr::getLastExtEntityInfo(xercesc_3_1::ReaderMgr::LastExtEntityInfo&)
> const
> Shadow bytes around the buggy address:
>   0x3e941ba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x3e941bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x3e941bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x3e941bd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x3e941be0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> =>0x3e941bf0: fa fa fa fa fd fd fd fd fd[fd]fd fa fa fa fa fa
>   0x3e941c00: fd fd fd fd fd fd fd fa fa fa fa fa 00 00 00 00
>   0x3e941c10: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 00
>   0x3e941c20: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
>   0x3e941c30: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
>   0x3e941c40: 00 00 04 fa fa fa fa fa 00 00 00 00 00 00 04 fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07
>   Heap left redzone:       fa
>   Heap right redzone:      fb
>   Freed heap region:       fd
>   Stack left redzone:      f1
>   Stack mid redzone:       f2
>   Stack right redzone:     f3
>   Stack partial redzone:   f4
>   Stack after return:      f5
>   Stack use after scope:   f8
>   Global redzone:          f9
>   Global init order:       f6
>   Poisoned by user:        f7
>   Container overflow:      fc
>   Array cookie:            ac
>   Intra object redzone:    bb
>   ASan internal:           fe
>   Left alloca redzone:     ca
>   Right alloca redzone:    cb
> ==16010==ABORTING
>
>
>
> Marco
>
> https://marcograss.github.io/

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.