libyal libfwsi Buffer Overread

2019.10.09
Credit: Mishra Dhiraj
Risk: High
Local: Yes
Remote: No
CWE: CWE-119


CVSS Base Score: 2.1/10
Impact Subscore: 2.9/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: Not required
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

# Exploit Title: libfwsi_extension_block minimum size should be 8 not 6
# Exploit Author: Dhiraj Mishra
# Vendor Homepage: https://github.com/libyal/libyal/wiki/Overview
# Software Link: https://github.com/libyal/libfwsi
# CVE: CVE-2019-17263
# References:
# https://nvd.nist.gov/vuln/detail/CVE-2019-17263
# https://github.com/libyal/libfwsi/issues/13

Summary:
In libyal libfwsi before 20191006, libfwsi_extension_block_copy_from_byte_stream in libfwsi_extension_block.c has a heap-based buffer over-read because rejection of an unsupported size only considers values less than 6, even though values of 6 and 7 are also unsupported.

ASAN:
==513==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6140000003f6 at pc 0x0000005204c3 bp 0x7ffeb5d945c0 sp 0x7ffeb5d945b8
READ of size 1 at 0x6140000003f6 thread T0
    #0 0x5204c2 in libfwsi_extension_block_copy_from_byte_stream /home/dhiraj/liblnk/libfwsi/libfwsi_extension_block.c:276:2
    #1 0x52a8f7 in libfwsi_item_copy_from_byte_stream /home/dhiraj/liblnk/libfwsi/libfwsi_item.c:1245:13
    #2 0x52e64f in libfwsi_item_list_copy_from_byte_stream /home/dhiraj/liblnk/libfwsi/libfwsi_item_list.c:334:7
    #3 0x517f94 in info_handle_link_target_identifier_fprint /home/dhiraj/liblnk/lnktools/info_handle.c:2207:7
    #4 0x518f5e in info_handle_file_fprint /home/dhiraj/liblnk/lnktools/info_handle.c:2667:6
    #5 0x519dd4 in main /home/dhiraj/liblnk/lnktools/lnkinfo.c:277:6
    #6 0x7f6705b65b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #7 0x41a319 in _start (/home/dhiraj/liblnk/lnktools/lnkinfo+0x41a319)

0x6140000003f6 is located 0 bytes to the right of 438-byte region [0x614000000240,0x6140000003f6)
allocated by thread T0 here:
    #0 0x4da1d0 in malloc (/home/dhiraj/liblnk/lnktools/lnkinfo+0x4da1d0)
    #1 0x517e37 in info_handle_link_target_identifier_fprint /home/dhiraj/liblnk/lnktools/info_handle.c:2159:45
    #2 0x518f5e in info_handle_file_fprint /home/dhiraj/liblnk/lnktools/info_handle.c:2667:6
    #3 0x7f6705b65b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/dhiraj/liblnk/libfwsi/libfwsi_extension_block.c:276:2 in libfwsi_extension_block_copy_from_byte_stream
Shadow bytes around the buggy address:
  0x0c287fff8020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c287fff8030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 fa
  0x0c287fff8040: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c287fff8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c287fff8060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c287fff8070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[06]fa
  0x0c287fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c287fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c287fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c287fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c287fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==513==ABORTING



Copyright 2019, cxsecurity.com