lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu, 9 Jul 2020 18:42:53 +0200 From: X41 D-Sec GmbH Advisories <advisories@...-dsec.de> To: bugtraq@...urityfocus.com, fulldisclosure@...lists.org Subject: [FD] X41 D-Sec GmbH Security Advisory X41-2020-006: Memory Corruption Vulnerability in bspatch -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 X41 D-SEC GmbH Security Advisory: X41-2020-006 Advisory X41-2020-006: Memory Corruption Vulnerability in bspatch ================================================================= Severity Rating: High Confirmed Affected Versions: Colin Percival's bsdiff 4.3 Confirmed Patched Versions: FreeBSD's bsdiff (https://svnweb.freebsd.org/base/head/usr.bin/bsdiff/bspatch/bspatch.c) Vendor: Colin Percival Vendor URL: https://www.daemonology.net/bsdiff/ Vendor Reference: None Vector: Patch file Credit: X41 D-SEC GmbH, Luis Merino Status: Public CVE: CVE-2020-14315 CWE: 119 CVSS Score: N/A CVSS Vector: N/A Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2020-006-bspatch/ Summary and Impact ================== A memory corruption vulnerability is present in bspatch as shipped in Colin Percival’s bsdiff tools version 4.3. Insufficient checks when handling external inputs allows an attacker to bypass the sanity checks in place and write out of a dynamically allocated buffer boundaries. Even though the patching procedure is usually combined with integrity and authenticity checks, an attacker that is able to deliver a malicious patch can cause heap corruption in the process running bspatch code, when the authenticity checks happen after applying the patches. Depending on their ability to control and shape the heap state before and during the processing of a malicious patch file, remote code execution may be achieved. This has already been demonstrated (https://gist.github.com/anonymous/e48209b03f1dd9625a992717e7b89c4f#file-freebsd-txt-L1192) as a proof-of-concept exploit in 2016 by an anonymous author against the FreeBSD bspatch implementation on 32bit architectures. This issue was initially reported for bspatch in bsdiff “as used in Apple OS X before 10.11.6 and other products” with CVE-2014-9862 by an anonymous researcher and was partially addressed by several projects, including Android (https://android.googlesource.com/platform/external/bsdiff/+/4d054795b673855e3a7556c6f2f7ab99ca509998%5E%21/#F0), ChromiumOS (https://bugs.chromium.org/p/chromium/issue/detail?id=372525) and FreeBSD (https://www.freebsd.org/security/advisories/FreeBSD-SA-16:25.bspatch.asc) during 2016. This initial batch of fixes prevented the attack via negative control values. Nevertheless, huge control values that would integer overflow the sanity checks and allow an attacker writing out of bounds were not fixed. A subsequent patch was released by FreeBSD (https://www.freebsd.org/security/advisories/FreeBSD-SA-16:29.bspatch.asc) addressing the remaining issues together with additional hardening. Unfortunately, most of bspatch copies didn’t port this fix. It is worth mentioning that bsdiff 4.3, as hosted at Colin Percival’s bsdiff website https://www.daemonology.net/bsdiff/, still ships a copy of bspatch.c vulnerable to these issues via both negative and huge control values. All the Linux distributions we have checked shipping bsdiff are building from this sources, with some of them applying the partial fix initially released. Product Description =================== bsdiff and bspatch are tools for building and applying patches to binary files. They provide an efficient way to apply binary patches for applications update mechanisms. Analysis ======== Insufficient checks when calculating the buffer offset and size of write operations allows writing out of a heap allocated buffer boundaries. - - - - - ------------------8<--------------------------------------------------------- while(newpos<newsize) { /* Read control data / for(i=0;i<=2;i++) { lenread = BZ2bzRead(&cbz2err, cpfbz2, buf, 8); if ((lenread < 8) || ((cbz2err != BZOK) && (cbz2err != BZSTREAMEND))) errx(1, "Corrupt patch\n"); ctrl[i]=offtin(buf); }; / Sanity-check */ if(newpos+ctrl[0]>newsize) errx(1,"Corrupt patch\n"); /* Read diff string */ lenread = BZ2_bzRead(&dbz2err, dpfbz2, new + newpos, ctrl[0]); - - - - - ------------------8<--------------------------------------------------------- When ctrl[0] takes either negative values or big enough values to overflow newpos+ctrl[0], the sanity check in place will pass allowing operations that write out of buffer new boundaries via BZ2_bzRead(). It is worth mentioning that BZ2_bzRead() will truncate ctrl[0] from 64-bit off_t to 32-bit int. It is expected that an attacker that is able to deliver an specially crafted patch file can gain remote code execution capabilities when certain conditions for exploitation are met. Proof of Concept ================ A crashing reproducer can be downloaded from https://github.com/x41sec/advisories/blob/master/X41-2020-006/x41-2020-006-bspatch-poc.patch Fix === Please, refer to the FreeBSD advisories https://www.freebsd.org/security/advisories/FreeBSD-SA-16:25.bspatch.asc and https://www.freebsd.org/security/advisories/FreeBSD-SA-16:29.bspatch.asc for fixes. Workarounds =========== As a workaround, only patches passing integrity and authenticity checks should be applied. Timeline ======== 2016-07-21 CVE-2014-9862 published 2016-07-25 Partial fix for FreeBSD published at FreeBSD-SA-16:25.bspatch 2016-10-10 Complete fix for FreeBSD published at FreeBSD-SA-16:29.bspatch 2020-07-02 X41 Discovers the vulnerability was not or incorrectly fixed upstream and in prominent forks of the code 2020-07-06 Colin Percival and distros@ notified 2020-07-09 Public disclosure About X41 D-SEC GmbH ==================== X41 is an expert provider for application security services. Having extensive industry experience and expertise in the area of information security, a strong core security team of world class security experts enables X41 to perform premium security services. Fields of expertise in the area of application security are security centered code reviews, binary reverse engineering and vulnerability discovery. Custom research and IT security consulting and support services are core competencies of X41. -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEpwxVTgxAIcUvTugIo5Klpg50CxAFAl8HSQwACgkQo5Klpg50 CxANqBAAplHzLQsf5GpXq/ByPCLhGjbBkSav6o3gO455i3LtIOQxUb+36QW0vj4m Q3vh6eU6mBIiiSfo4K0HWLDHD7p/OsTaFb+48MX3RwPqJmC4eBnXtmHYuCDb8eLg GOM9wrt7MW0/4CC9yzytbOwYlSvaw1MG4LkxHF2DwTLFn5/IF9QFhkgC8FALKcmu WaizFCaMduQWGBf7R5CGlzycQK1QLHvtArZYmQ529Lm/V0zwLllqVdvHjMkXf+N1 VE2RWIk4ysPLxQAlSBj9vpIq+VtndcbBx1Jl3DyrAkX9taDFGm8SMxVzL8bB2Pdj eNUqBb+Xg+7fuo/yN4RIWw/rE9VZjl9ZG2MRu94ak41odN84emLJXDx296fOu+De 8czYq7cfhn6mTe7edaSOlRvi6vXG3BCxDv/xwIaZjI0L9MILPFlP6/00VK7aTWmH aRByT2PViWJILpYHIDGjSP5azQBVDKfXIsPzVDB4xbuhKpgvjLQo8cSqfK0gEpyU eCRLqnOL3Cx/LJmO3zqd+9TsPLfxPgo8PnC/iHjTUXp+Di/9fXjL+7WVV1kc1Ky6 TW6hsWHEEL1FSbccOJqaPIAwEH1VEbo0gzblB1J70cfbrQ5RM8yI1+LvVBiux0rr NSPGIx4xJV3pp6GTVdJqm4BJ8aZfk2SHeOVRL4OY0SNQqxAYBWk= =PnnB -----END PGP SIGNATURE----- _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists