BugTraq
Sharutils 4.15.2 Heap-Buffer-Overflow Feb 21 2018 07:30AM
nafiez (nafiez skins gmail com) (1 replies)
Unshar scans the input files (typically email messages) looking for the start of a shell archive. If no files are given, then standard input is processed instead. Shipped along with Sharutils.

Bug was found with AFL.

=================================================================
==11164==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb5901100 at pc 0x0804c695 bp 0xbfe86f28 sp 0xbfe86f18
READ of size 1 at 0xb5901100 thread T0
    #0 0x804c694 in looks_like_c_code /home/john/sharutils-4.15.2/src/unshar.c:75
    #1 0x804c694 in find_archive /home/john/sharutils-4.15.2/src/unshar.c:253
    #2 0x804c694 in unshar_file /home/john/sharutils-4.15.2/src/unshar.c:379
    #3 0x804a2f4 in validate_fname /home/john/sharutils-4.15.2/src/unshar-opts.c:604
    #4 0x804a2f4 in main /home/john/sharutils-4.15.2/src/unshar-opts.c:639
    #5 0xb70ab636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #6 0x804ab95  (/home/john/sharutils-4.15.2/src/unshar+0x804ab95)

0xb5901100 is located 0 bytes to the right of 4096-byte region [0xb5900100,0xb5901100)
allocated by thread T0 here:
    #0 0xb72dfdee in malloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x96dee)
    #1 0x804c9e4 in init_unshar /home/john/sharutils-4.15.2/src/unshar.c:450
    #2 0xb70ab636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/john/sharutils-4.15.2/src/unshar.c:75 looks_like_c_code
Shadow bytes around the buggy address:
  0x36b201d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x36b201e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x36b201f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x36b20200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x36b20210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x36b20220:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b20230: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b20240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b20250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b20260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b20270: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==11164==ABORTING

Thanks,

nafiez
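The report above carries no source, so the following is an added, constructed illustration of the bug class the ASan output describes (a 1-byte read landing exactly at the end of a 4096-byte heap buffer during line scanning), written for this page and not sharutils' own looks_like_c_code(). The function names, the "leading blanks then /*" heuristic and the buffer handling are assumptions; the point is the unbounded scanner beside its length-bounded replacement.

```c
/* Constructed example: a line scanner that walks a heap buffer until it
 * finds a terminator reads one byte past the end when the buffer is
 * completely filled and carries no '\n' or NUL. That is the shape of
 * "READ of size 1 ... 0 bytes to the right of 4096-byte region".
 * Not sharutils code; names and heuristic are assumptions. */
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

#define RW_SIZE 4096 /* same size as the heap region in the ASan report */

/* Unsafe pattern (not called below): skips blanks looking for "/*" and
 * trusts that a terminator exists. On a 4096-byte buffer made entirely of
 * blanks the loop's final read is buf[4096], i.e. the first redzone byte. */
bool looks_like_c_unsafe(const char *p)
{
    while (*p == ' ' || *p == '\t')
        p++;
    return p[0] == '/' && p[1] == '*';
}

/* Hardened pattern: carry the valid length and never index past it. */
bool looks_like_c_safe(const char *p, size_t len)
{
    size_t i = 0;
    while (i < len && (p[i] == ' ' || p[i] == '\t'))
        i++;
    /* need two bytes in range for the "/*" check */
    return i + 1 < len && p[i] == '/' && p[i + 1] == '*';
}

/* Fills a 4096-byte heap buffer with blanks and no terminator (constructed
 * fuzzer-style input) and scans it with the bounded version. Returns true
 * when the scan completes with the expected "not C code" verdict. */
bool scan_full_buffer_safely(void)
{
    char *buf = malloc(RW_SIZE);
    if (!buf)
        return false;
    memset(buf, ' ', RW_SIZE);                 /* no '\n', no NUL anywhere */
    bool r = looks_like_c_safe(buf, RW_SIZE);  /* stops at index 4095 */
    free(buf);
    return !r;
}

/* A normal line with a terminator still matches the heuristic. */
bool scan_comment_line(void)
{
    const char line[] = "  /* shar header */";
    return looks_like_c_safe(line, sizeof line - 1);
}
```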
