Message-Id: <2E6E746F-84C0-4123-967B-A89DD13ADC41@dbappsecurity.com.cn>
Date: Wed, 16 May 2018 14:42:56 +0800
From: "bear.xiong" <bear.xiong@...ppsecurity.com.cn>
To: fulldisclosure@...lists.org
Subject: [FD] vcftools 0.1.15 vuln bugs

vcftools multiple vulnerabilities
=================================
Author: Webin security lab - dbapp security Ltd


Introduction:
=============
A set of tools written in Perl and C++ for working with VCF files, such as those generated by the 1000 Genomes Project.
Project website: https://vcftools.github.io/

Affected version:
=================
0.1.15

Vulnerability Description:
==========================
1. The header::add_INFO_descriptor function in header.cpp in vcftools 0.1.15 allows remote attackers to cause an information disclosure (heap-buffer-overflow, out-of-bounds read) via a crafted vcf file.


./vcftools --vcf heap-buffer-overflow.vcf

==15884==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000368 at pc 0x0000005dd54f bp 0x7ffed30cd750 sp 0x7ffed30cd748
READ of size 8 at 0x603000000368 thread T0
    #0 0x5dd54e in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::size() const /usr/bin/../lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/bits/basic_string.h:716:16
    #1 0x5dd54e in header::str2int(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int) /home/xxx/vcftools/src/cpp/header.cpp:490
    #2 0x5dd54e in header::add_INFO_descriptor(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int) /home/xxx/vcftools/src/cpp/header.cpp:128
    #3 0x5d6746 in header::parse_meta(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned int&) /home/xxx/vcftools/src/cpp/header.cpp:30:17
    #4 0x841afe in vcf_file::read_header() /home/xxx/vcftools/src/cpp/vcf_file.cpp:62:15
    #5 0x840db3 in vcf_file::vcf_file(parameters const&, bool) /home/xxx/vcftools/src/cpp/vcf_file.cpp:42:2
    #6 0x84c112 in main /home/xxx/vcftools/src/cpp/vcftools.cpp:31:12
    #7 0x7f462144282f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #8 0x41ec18 in _start (/home/xxx/vcftools/afl-fuzz/vcftools+0x41ec18)

0x603000000368 is located 8 bytes to the right of 32-byte region [0x603000000340,0x603000000360)
allocated by thread T0 here:
    #0 0x4e2e48 in __interceptor_malloc (/home/xxx/vcftools/afl-fuzz/vcftools+0x4e2e48)
    #1 0x7f46223c1e77 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x8de77)
    #2 0x5ee39c in std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >::push_back(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /usr/bin/../lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/bits/stl_vector.h:923:4
    #3 0x5ee39c in header::tokenize(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, char, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&) /home/xxx/vcftools/src/cpp/header.cpp:453
    #4 0x5d986c in header::add_INFO_descriptor(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int) /home/xxx/vcftools/src/cpp/header.cpp:120:3
    #5 0x5d6746 in header::parse_meta(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned int&) /home/xxx/vcftools/src/cpp/header.cpp:30:17
    #6 0x841afe in vcf_file::read_header() /home/xxx/vcftools/src/cpp/vcf_file.cpp:62:15
    #7 0x840db3 in vcf_file::vcf_file(parameters const&, bool) /home/xxx/vcftools/src/cpp/vcf_file.cpp:42:2
    #8 0x84c112 in main /home/xxx/vcftools/src/cpp/vcftools.cpp:31:12
    #9 0x7f462144282f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291


Reproducer:
heap-buffer-overflow.vcf
CVE:
CVE-2018-11099


2. The header::add_INFO_descriptor function in header.cpp in vcftools 0.1.15 allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via a crafted vcf file.

./vcftools --vcf uaf.vcf

==15368==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000001ff0 at pc 0x000000447851 bp 0x7ffe55a71430 sp 0x7ffe55a70be0
READ of size 17 at 0x603000001ff0 thread T0
    #4 0x5da1b2 in header::add_INFO_descriptor(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int) /home/xxx/vcftools/src/cpp/header.cpp:145
    #5 0x5d6746 in header::parse_meta(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned int&) /home/xxx/vcftools/src/cpp/header.cpp:30:17
    #6 0x841afe in vcf_file::read_header() /home/xxx/vcftools/src/cpp/vcf_file.cpp:62:15
    #7 0x840db3 in vcf_file::vcf_file(parameters const&, bool) /home/xxx/vcftools/src/cpp/vcf_file.cpp:42:2
    #8 0x84c112 in main /home/xxx/vcftools/src/cpp/vcftools.cpp:31:12
    #9 0x7fd92c51482f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #10 0x41ec18 in _start (/home/xxx/vcftools/afl-fuzz/vcftools+0x41ec18)

0x603000001ff0 is located 0 bytes inside of 18-byte region [0x603000001ff0,0x603000002002)
freed by thread T0 here:
    #12 0x5edf6c in header::tokenize(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, char, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&) /home/xxx/vcftools/src/cpp/header.cpp:448
    #13 0x5d986c in header::add_INFO_descriptor(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int) /home/xxx/vcftools/src/cpp/header.cpp:120:3
    #14 0x5d6746 in header::parse_meta(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned int&) /home/xxx/vcftools/src/cpp/header.cpp:30:17
    #15 0x841afe in vcf_file::read_header() /home/xxx/vcftools/src/cpp/vcf_file.cpp:62:15
    #16 0x840db3 in vcf_file::vcf_file(parameters const&, bool) /home/xxx/vcftools/src/cpp/vcf_file.cpp:42:2
    #17 0x84c112 in main /home/xxx/vcftools/src/cpp/vcftools.cpp:31:12
    #18 0x7fd92c51482f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291

previously allocated by thread T0 here:
    #0 0x4e2e48 in __interceptor_malloc (/home/xxx/vcftools/afl-fuzz/vcftools+0x4e2e48)
    #1 0x7fd92d493e77 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x8de77)
    #2 0x5d986c in header::add_INFO_descriptor(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int) /home/xxx/vcftools/src/cpp/header.cpp:120:3
    #3 0x5d6746 in header::parse_meta(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned int&) /home/xxx/vcftools/src/cpp/header.cpp:30:17
    #4 0x841afe in vcf_file::read_header() /home/xxx/vcftools/src/cpp/vcf_file.cpp:62:15
    #5 0x840db3 in vcf_file::vcf_file(parameters const&, bool) /home/xxx/vcftools/src/cpp/vcf_file.cpp:42:2
    #6 0x84c112 in main /home/xxx/vcftools/src/cpp/vcftools.cpp:31:12
    #7 0x7fd92c51482f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291

Reproducer:
uaf.vcf
CVE:
CVE-2018-11129

3. The header::add_FORMAT_descriptor function in header.cpp in vcftools 0.1.15 allows remote attackers to cause remote code execution (heap-use-after-free) via a crafted vcf file.

./vcftools --vcf uaf1.vcf

==15444==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000000560 at pc 0x0000004b983c bp 0x7ffc678f42e0 sp 0x7ffc678f3a90
READ of size 2 at 0x606000000560 thread T0
    #3 0x5e40ca in header::add_FORMAT_descriptor(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int) /home/xxx/vcftools/src/cpp/header.cpp:216
    #4 0x5d7409 in header::parse_meta(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned int&) /home/xxx/vcftools/src/cpp/header.cpp:38:17
    #5 0x841afe in vcf_file::read_header() /home/xxx/vcftools/src/cpp/vcf_file.cpp:62:15
    #6 0x840db3 in vcf_file::vcf_file(parameters const&, bool) /home/xxx/vcftools/src/cpp/vcf_file.cpp:42:2
    #7 0x84c112 in main /home/xxx/vcftools/src/cpp/vcftools.cpp:31:12
    #8 0x7efe8ad9782f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #9 0x41ec18 in _start (/home/xxx/vcftools/afl-fuzz/vcftools+0x41ec18)

0x606000000560 is located 0 bytes inside of 49-byte region [0x606000000560,0x606000000591)
freed by thread T0 here:
    #12 0x5edf6c in header::tokenize(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, char, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&) /home/xxx/vcftools/src/cpp/header.cpp:448
    #13 0x5e408b in header::add_FORMAT_descriptor(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int) /home/xxx/vcftools/src/cpp/header.cpp:215:3
    #14 0x5d7409 in header::parse_meta(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned int&) /home/xxx/vcftools/src/cpp/header.cpp:38:17
    #15 0x841afe in vcf_file::read_header() /home/xxx/vcftools/src/cpp/vcf_file.cpp:62:15
    #16 0x840db3 in vcf_file::vcf_file(parameters const&, bool) /home/xxx/vcftools/src/cpp/vcf_file.cpp:42:2
    #17 0x84c112 in main /home/xxx/vcftools/src/cpp/vcftools.cpp:31:12
    #18 0x7efe8ad9782f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291

previously allocated by thread T0 here:
    #0 0x4e2e48 in __interceptor_malloc (/home/xxx/vcftools/afl-fuzz/vcftools+0x4e2e48)
    #1 0x7efe8bd16e77 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x8de77)
    #2 0x5e408b in header::add_FORMAT_descriptor(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int) /home/xxx/vcftools/src/cpp/header.cpp:215:3
    #3 0x5d7409 in header::parse_meta(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned int&) /home/xxx/vcftools/src/cpp/header.cpp:38:17
    #4 0x841afe in vcf_file::read_header() /home/xxx/vcftools/src/cpp/vcf_file.cpp:62:15
    #5 0x840db3 in vcf_file::vcf_file(parameters const&, bool) /home/xxx/vcftools/src/cpp/vcf_file.cpp:42:2
    #6 0x84c112 in main /home/xxx/vcftools/src/cpp/vcftools.cpp:31:12
    #7 0x7efe8ad9782f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
Reproducer:
uaf1.vcf
CVE:
CVE-2018-11130
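All three findings above sit in the same place: the code that tokenizes a "##INFO=<...>" or "##FORMAT=<...>" header line and then reads fields out of the token list. My reading of the traces, which the advisory itself does not spell out, is that the first report is an index past the end of the token vector (the faulting address is 8 bytes past a 32-byte block that vector<string>::push_back allocated, i.e. a string slot the vector does not have), and that the two use-after-free reports are reads through a heap buffer that tokenize() has already released. The following is an added example, not vcftools code: a hardened parser for INFO descriptor lines that iterates only over the tokens that exist, validates every field before use, and never keeps a reference into the token vector while it is still being filled. The names InfoDescriptor, parse_info_descriptor, count_accepted, kSampleLines and the sample lines are constructed; tokenize and str2int are hypothetical reimplementations that share only their names with the vcftools functions in the traces.

```cpp
#include <cerrno>
#include <cstdio>
#include <cstdlib>
#include <optional>
#include <string>
#include <vector>

// Hypothetical, hardened parser for VCF "##INFO=<...>" meta lines (added example,
// not vcftools code). Parsed fields of one descriptor.
struct InfoDescriptor {
    std::string id;
    std::string number;       // raw Number field: a non-negative integer or A, R, G, .
    std::string type;
    std::string description;  // surrounding quotes stripped
};

// Split on delim, keeping delimiters inside double quotes intact. The vector is
// returned by value and read only once it is complete, so no caller holds a
// reference or pointer into it while push_back() may still reallocate.
static std::vector<std::string> tokenize(const std::string& s, char delim) {
    std::vector<std::string> out;
    std::string cur;
    bool in_quotes = false;
    for (char c : s) {
        if (c == '"') { in_quotes = !in_quotes; cur += c; }
        else if (c == delim && !in_quotes) { out.push_back(cur); cur.clear(); }
        else cur += c;
    }
    out.push_back(cur);
    return out;
}

// Strict decimal parse: rejects empty input, signs, stray characters and overflow
// instead of trusting that the caller handed over a well-formed token.
static std::optional<long> str2int(const std::string& s) {
    if (s.empty()) return std::nullopt;
    for (char c : s) if (c < '0' || c > '9') return std::nullopt;
    errno = 0;
    char* end = nullptr;
    const long v = std::strtol(s.c_str(), &end, 10);
    if (errno == ERANGE || end != s.c_str() + s.size()) return std::nullopt;
    return v;
}

// Returns a descriptor only when every required field is present and well-formed;
// a short or malformed line is rejected, never indexed as tokens[N] on the hope
// that N tokens exist.
static std::optional<InfoDescriptor> parse_info_descriptor(const std::string& line) {
    static const std::string prefix = "##INFO=<";
    if (line.size() <= prefix.size() || line.compare(0, prefix.size(), prefix) != 0 ||
        line.back() != '>') return std::nullopt;
    const std::string body = line.substr(prefix.size(), line.size() - prefix.size() - 1);
    const std::vector<std::string> tokens = tokenize(body, ',');

    InfoDescriptor d;
    for (const std::string& tok : tokens) {  // iterate what exists, by value copies below
        const size_t eq = tok.find('=');
        if (eq == std::string::npos || eq == 0) return std::nullopt;
        const std::string key = tok.substr(0, eq);
        const std::string value = tok.substr(eq + 1);
        if (key == "ID") d.id = value;
        else if (key == "Number") d.number = value;
        else if (key == "Type") d.type = value;
        else if (key == "Description") {
            if (value.size() < 2 || value.front() != '"' || value.back() != '"') return std::nullopt;
            d.description = value.substr(1, value.size() - 2);
        }
        // Optional keys such as Source and Version are tolerated and ignored.
    }
    if (d.id.empty() || d.number.empty() || d.type.empty()) return std::nullopt;

    static const char* const kTypes[] = {"Integer", "Float", "Flag", "Character", "String"};
    bool type_ok = false;
    for (const char* t : kTypes) type_ok = type_ok || d.type == t;
    if (!type_ok) return std::nullopt;

    const bool symbolic = d.number == "A" || d.number == "R" || d.number == "G" || d.number == ".";
    if (!symbolic && !str2int(d.number)) return std::nullopt;
    return d;
}

// Constructed sample header lines: two valid, three malformed in ways the parser
// must survive (missing fields, non-numeric Number, unterminated quote).
static const std::vector<std::string> kSampleLines = {
    "##INFO=<ID=DP,Number=1,Type=Integer,Description=\"Total Depth, all samples\">",
    "##INFO=<ID=AF,Number=A,Type=Float,Description=\"Allele Frequency\">",
    "##INFO=<ID=DP>",
    "##INFO=<ID=BAD,Number=NaN,Type=Integer,Description=\"x\">",
    "##INFO=<ID=DP,Number=1,Type=Integer,Description=\"unterminated>",
};

static size_t count_accepted(const std::vector<std::string>& lines) {
    size_t n = 0;
    for (const std::string& l : lines) n += parse_info_descriptor(l).has_value();
    return n;
}

int main() {
    for (const std::string& l : kSampleLines)
        std::printf("%s  %s\n", parse_info_descriptor(l) ? "accept" : "reject", l.c_str());
    return count_accepted(kSampleLines) == 2 ? 0 : 1;
}
```

Compile with a C++17 compiler (std::optional) and, while reviewing a parser like this, with -fsanitize=address so that the same class of defect the advisory reports would surface on the malformed sample lines; the example accepts the two well-formed lines and rejects the other three.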

===============================
Best,
Webin security lab - dbapp security Ltd



_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/