Exploit Title: libfwsi_extension_block minimum size should be 8 not 6
# Exploit Author: Dhiraj Mishra
# Vendor Homepage: https://github.com/libyal/libyal/wiki/Overview
# Software Link: https://github.com/libyal/libfwsi
# CVE: CVE-2019-17263
# References:
# https://nvd.nist.gov/vuln/detail/CVE-2019-17263
# https://github.com/libyal/libfwsi/issues/13
Summary:
In libyal libfwsi before 20191006,
libfwsi_extension_block_copy_from_byte_stream in libfwsi_extension_block.c
has a heap-based buffer over-read because rejection of an unsupported size
only considers values less than 6, even though values of 6 and 7 are also
unsupported.
ASAN:
==513==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x6140000003f6 at pc 0x0000005204c3 bp 0x7ffeb5d945c0 sp 0x7ffeb5d945b8
READ of size 1 at 0x6140000003f6 thread T0
#0 0x5204c2 in libfwsi_extension_block_copy_from_byte_stream
/home/dhiraj/liblnk/libfwsi/libfwsi_extension_block.c:276:2
libyal/liblnk#1 0x52a8f7 in libfwsi_item_copy_from_byte_stream
/home/dhiraj/liblnk/libfwsi/libfwsi_item.c:1245:13
libyal/liblnk#2 0x52e64f in libfwsi_item_list_copy_from_byte_stream
/home/dhiraj/liblnk/libfwsi/libfwsi_item_list.c:334:7
libyal/liblnk#3 0x517f94 in info_handle_link_target_identifier_fprint
/home/dhiraj/liblnk/lnktools/info_handle.c:2207:7
libyal/liblnk#4 0x518f5e in info_handle_file_fprint
/home/dhiraj/liblnk/lnktools/info_handle.c:2667:6
libyal/liblnk#5 0x519dd4 in main
/home/dhiraj/liblnk/lnktools/lnkinfo.c:277:6
libyal/liblnk#6 0x7f6705b65b96 in __libc_start_main
/build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
libyal/liblnk#7 0x41a319 in _start
(/home/dhiraj/liblnk/lnktools/lnkinfo+0x41a319)
0x6140000003f6 is located 0 bytes to the right of 438-byte region
[0x614000000240,0x6140000003f6)
allocated by thread T0 here:
#0 0x4da1d0 in malloc (/home/dhiraj/liblnk/lnktools/lnkinfo+0x4da1d0)
libyal/liblnk#1 0x517e37 in info_handle_link_target_identifier_fprint
/home/dhiraj/liblnk/lnktools/info_handle.c:2159:45
libyal/liblnk#2 0x518f5e in info_handle_file_fprint
/home/dhiraj/liblnk/lnktools/info_handle.c:2667:6
libyal/liblnk#3 0x7f6705b65b96 in __libc_start_main
/build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/dhiraj/liblnk/libfwsi/libfwsi_extension_block.c:276:2 in
libfwsi_extension_block_copy_from_byte_stream
Shadow bytes around the buggy address:
0x0c287fff8020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c287fff8030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 fa
0x0c287fff8040: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c287fff8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c287fff8060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c287fff8070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[06]fa
0x0c287fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c287fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c287fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c287fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c287fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==513==ABORTING
Polish
English