lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 21 Feb 2018 15:30:16 +0800
From: nafiez <nafiez.skins@...il.com>
To: oss.security@...ts.openwall.com, bugtraq@...urityfocus.com
Subject: Sharutils 4.15.2 Heap-Buffer-Overflow

Unshar scans the input files (typically email messages) looking for the
start of a shell archive. If no files are given, then standard input is
processed instead. Shipped along with Sharutils.

Bug was found with AFL.

=================================================================
==11164==ERROR: AddressSanitizer: heap-buffer-overflow on address
0xb5901100 at pc 0x0804c695 bp 0xbfe86f28 sp 0xbfe86f18
READ of size 1 at 0xb5901100 thread T0
    #0 0x804c694 in looks_like_c_code
/home/john/sharutils-4.15.2/src/unshar.c:75
    #1 0x804c694 in find_archive
/home/john/sharutils-4.15.2/src/unshar.c:253
    #2 0x804c694 in unshar_file /home/john/sharutils-4.15.2/src/unshar.c:379
    #3 0x804a2f4 in validate_fname
/home/john/sharutils-4.15.2/src/unshar-opts.c:604
    #4 0x804a2f4 in main /home/john/sharutils-4.15.2/src/unshar-opts.c:639
    #5 0xb70ab636 in __libc_start_main
(/lib/i386-linux-gnu/libc.so.6+0x18636)
    #6 0x804ab95  (/home/john/sharutils-4.15.2/src/unshar+0x804ab95)

0xb5901100 is located 0 bytes to the right of 4096-byte region
[0xb5900100,0xb5901100)
allocated by thread T0 here:
    #0 0xb72dfdee in malloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x96dee)
    #1 0x804c9e4 in init_unshar /home/john/sharutils-4.15.2/src/unshar.c:450
    #2 0xb70ab636 in __libc_start_main
(/lib/i386-linux-gnu/libc.so.6+0x18636)

SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/john/sharutils-4.15.2/src/unshar.c:75 looks_like_c_code
Shadow bytes around the buggy address:
  0x36b201d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x36b201e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x36b201f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x36b20200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x36b20210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x36b20220:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b20230: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b20240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b20250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b20260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b20270: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==11164==ABORTING


Thanks,

nafiez

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux - Powered by OpenVZ