[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Vulnerability Report: Heap-Buffer-Overflow on Sharutils (unshar) 4.15.2
|
From: |
nafiez |
|
Subject: |
Vulnerability Report: Heap-Buffer-Overflow on Sharutils (unshar) 4.15.2 |
|
Date: |
Wed, 21 Feb 2018 15:17:55 +0800 |
|
User-agent: |
Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.6.0 |
Hi,
Another issue found was heap-buffer-overflow on Sharutils (unshar)
4.15.2. Attached is the fuzzed file.
Below are the ASAN output:
address@hidden:~/sharutils-4.15.2/src$ ./unshar
out/crashes/id:000000,sig:06,src:000005+000030,op:splice,rep:4
=================================================================
==11164==ERROR: AddressSanitizer: heap-buffer-overflow on address
0xb5901100 at pc 0x0804c695 bp 0xbfe86f28 sp 0xbfe86f18
READ of size 1 at 0xb5901100 thread T0
#0 0x804c694 in looks_like_c_code
/home/john/sharutils-4.15.2/src/unshar.c:75
#1 0x804c694 in find_archive
/home/john/sharutils-4.15.2/src/unshar.c:253
#2 0x804c694 in unshar_file /home/john/sharutils-4.15.2/src/unshar.c:379
#3 0x804a2f4 in validate_fname
/home/john/sharutils-4.15.2/src/unshar-opts.c:604
#4 0x804a2f4 in main /home/john/sharutils-4.15.2/src/unshar-opts.c:639
#5 0xb70ab636 in __libc_start_main
(/lib/i386-linux-gnu/libc.so.6+0x18636)
#6 0x804ab95 (/home/john/sharutils-4.15.2/src/unshar+0x804ab95)
0xb5901100 is located 0 bytes to the right of 4096-byte region
[0xb5900100,0xb5901100)
allocated by thread T0 here:
#0 0xb72dfdee in malloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x96dee)
#1 0x804c9e4 in init_unshar /home/john/sharutils-4.15.2/src/unshar.c:450
#2 0xb70ab636 in __libc_start_main
(/lib/i386-linux-gnu/libc.so.6+0x18636)
SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/john/sharutils-4.15.2/src/unshar.c:75 looks_like_c_code
Shadow bytes around the buggy address:
0x36b201d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x36b201e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x36b201f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x36b20200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x36b20210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x36b20220:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36b20230: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36b20240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36b20250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36b20260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36b20270: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==11164==ABORTING
Thanks,
Nafiez
heap-buffer-overflow.zip
Description: Zip compressed data
- Vulnerability Report: Heap-Buffer-Overflow on Sharutils (unshar) 4.15.2,
nafiez <=