Giter Site home page Giter Site logo

Comments (7)

kyz avatar kyz commented on May 30, 2024

Thank you for reporting this, and the POC file.

The issue is that checking for specific system file names does not take name length into consideration. The memcmp() will read past the end of the freshly-allocated name buffer. It's not especially exploitable (overread... past a freshly allocated buffer, not attacker controlled), but nonetheless, it is a memory error and has been fixed in commit 2f08413.

from libmspack.

carnil avatar carnil commented on May 30, 2024

This issue apparently got assigned the CVE-2019-1010305 CVE id.

from libmspack.

kyz avatar kyz commented on May 30, 2024

Thanks for letting me know. I've added the CVE id to the existing entry on the list of libmspack security vulnerabilities

from libmspack.

avatar commented on May 30, 2024

I have run this POC but this was my output.
why?

chmextract-overflow-chmd-486
chmextract-overflow-chmd-486: invalid section number '89'.
chmextract-overflow-chmd-486: invalid section number '89'.
chmextract-overflow-chmd-486: invalid section number '89'.
chmextract-overflow-chmd-486: invalid section number '71'.
chmextract-overflow-chmd-486: invalid section number '266694953'.
chmextract-overflow-chmd-486: invalid section number '114'.
chmextract-overflow-chmd-486: invalid section number '84'.
chmextract-overflow-chmd-486: invalid section number '16259'.
chmextract-overflow-chmd-486: invalid section number '58'.
chmextract-overflow-chmd-486: invalid section number '67'.
chmextract-overflow-chmd-486: invalid section number '47'.
chmextract-overflow-chmd-486: invalid section number '48'.
chmextract-overflow-chmd-486: invalid section number '71'.
chmextract-overflow-chmd-486: invalid section number '266694953'.
chmextract-overflow-chmd-486: invalid section number '114'.
chmextract-overflow-chmd-486: invalid section number '84'.
chmextract-overflow-chmd-486: invalid section number '16259'.
chmextract-overflow-chmd-486: invalid section number '58'.
chmextract-overflow-chmd-486: WARNING; contents are corrupt
Extracting ▒▒▒
Extracting  index.ht
Extracting YYYYYYYYYYYYYYYITSF
Extracting $FIftiMain
Extracting Documents/Table o& Contents.hhc
chmextract-overflow-chmd-486: extract error on "/Documents/Table o& Contents.hhc": error in data format
Extracting $FIftiMain
Extracting Documents/Table of Contents.hhc
chmextract-overflow-chmd-486: extract error on "/Documents/Table of Contents.hhc": error in data format
Extracting $FIftiMain
Extracting ▒▒▒
Extracting $FIftiMain
Extracting Documents/Table of Contents.hhc
chmextract-overflow-chmd-486: extract error on "/Documents/Table of Contents.hhc": error in data format
Extracting $FIftiMain
Extracting Documents/Table of Contents.hhc
chmextract-overflow-chmd-486: extract error on "/Documents/Table of Contents.hhc": error in data format
Extracting #IDXHDR▒L▒
chmextract-overflow-chmd-486: extract error on "#IDXHDR▒L▒": read error
Extracting #IDXHDR▒
chmextract-overflow-chmd-486: extract error on "#IDXHDR▒": read error
Extracting #IDXHDR▒
chmextract-overflow-chmd-486: extract error on "#IDXHDR▒": read error
Extracting #IDXHDR▒
chmextract-overflow-chmd-486: extract error on "#IDXHDR▒": read error
Extracting Doculents/Index.hhk
chmextract-overflow-chmd-486: extract error on "/Doculents/Index.hhk": error in data format
Extracting Documents/Index.hhk
chmextract-overflow-chmd-486: extract error on "/Documents/Index.hhk": error in data format
Extracting Doculents/Index.hhk
chmextract-overflow-chmd-486: extract error on "/Doculents/Index.hhk": error in data format
Extracting Documents/Index.hhk
chmextract-overflow-chmd-486: extract error on "/Documents/Index.hhk": error in data format
Extracting Documents/test1.html
chmextract-overflow-chmd-486: extract error on "/Documents/test1.html": error in data format
Extracting Documents/test1.html
chmextract-overflow-chmd-486: extract error on "/Documents/test1.html": error in data format
Extracting Documents/test1.html
chmextract-overflow-chmd-486: extract error on "/Documents/test1.html": error in data format
Extracting Documents/test1.html
chmextract-overflow-chmd-486: extract error on "/Documents/test1.html": error in data format
Extracting $WWKeywordLinks/Property
chmextract-overflow-chmd-486: extract error on "/$WWKeywordLinks/Property": error in data format
Extracting $WWKeywordLinks/Property
chmextract-overflow-chmd-486: extract error on "/$WWKeywordLinks/Property": error in data format
Extracting $WWKeywordLinks/Property
chmextract-overflow-chmd-486: extract error on "/$WWKeywordLinks/Property": error in data format
Extracting $WWKeywordLinks/Property
chmextract-overflow-chmd-486: extract error on "/$WWKeywordLinks/Property": error in data format
Extracting $WWAssociativeLinks/Property
chmextract-overflow-chmd-486: extract error on "/$WWAssociativeLinks/Property": error in data format
Extracting $WWAssociativeLinks/Property
chmextract-overflow-chmd-486: extract error on "/$WWAssociativeLinks/Property": error in data format
Extracting $WWAssociativeLinks/Property
chmextract-overflow-chmd-486: extract error on "/$WWAssociativeLinks/Property": error in data format
Extracting $WWAssociativeLinks/Property
chmextract-overflow-chmd-486: extract error on "/$WWAssociativeLinks/Property": error in data format
Extracting $OBJINST
chmextract-overflow-chmd-486: extract error on "/$OBJINST": error in data format
Extracting $OBJINST
chmextract-overflow-chmd-486: extract error on "/$OBJINST": error in data format
Extracting $OBJINST
chmextract-overflow-chmd-486: extract error on "/$OBJINST": error in data format
Extracting $OBJINST
chmextract-overflow-chmd-486: extract error on "/$OBJINST": error in data format
Extracting $OBJINST
chmextract-overflow-chmd-486: extract error on "/$OBJINST": error in data format
Extracting #TOPICS
chmextract-overflow-chmd-486: extract error on "/#TOPICS": error in data format
Extracting #URLTBL
chmextract-overflow-chmd-486: extract error on "/#URLTBL": error in data format
Extracting #URLSTR
chmextract-overflow-chmd-486: extract error on "/#URLSTR": error in data format
Extracting #TOPICS
chmextract-overflow-chmd-486: extract error on "/#TOPICS": error in data format
Extracting #TOPICS
chmextract-overflow-chmd-486: extract error on "/#TOPICS": error in data format
Extracting #TOPICS
chmextract-overflow-chmd-486: extract error on "/#TOPICS": error in data format
Extracting #URLTBL
chmextract-overflow-chmd-486: extract error on "/#URLTBL": error in data format
Extracting #SYSTEM
chmextract-overflow-chmd-486: extract error on "#SYSTEM": error in data format
Extracting #URLTBL
chmextract-overflow-chmd-486: extract error on "/#URLTBL": error in data format
Extracting #URLTBL
chmextract-overflow-chmd-486: extract error on "/#URLTBL": error in data format
Extracting #SYSTEM
chmextract-overflow-chmd-486: extract error on "#SYSTEM": error in data format
Extracting #URLSTR
chmextract-overflow-chmd-486: extract error on "/#URLSTR": error in data format
Extracting #URLSTR
chmextract-overflow-chmd-486: extract error on "/#URLSTR": error in data format
Extracting #URLSTR
chmextract-overflow-chmd-486: extract error on "/#URLSTR": error in data format

from libmspack.

kyz avatar kyz commented on May 30, 2024

That's the output that would be expected. The file is not a tight, tiny example PoC. It was discovered by fuzzing, so it is a regular CHM file that has been randomly mutated enough to find the bug. It has a lot of mutations that cause extract errors, and so you see the output you do, but nonetheless chmextract still makes it through the file.

The problem is invisible; libmspack reads a few bytes beyond the end of freshly allocated memory. On most systems by default, this is not any kind of error at all. Only if we were very unlucky, and had a system that allocated memory at the end of readable/writable pages, and a few bytes after those pages were unmapped pages that cause a segfault if you try reading them, would we ever see any kind of problem.

So the only way you're going to see this problem is to use ASan to force it to be visible. Here is how you could do that:

$ git clone https://github.com/kyz/libmspack.git
$ cd libmspack/libmspack/
$ git checkout cb5d78c  # switch to the last commit before the vulnerability was fixed
$ ./autogen.sh
$ CFLAGS='-g -O2 -fsanitize=address' ./configure  # configure to use ASan
$ make
$ ./examples/chmextract /tmp/chmextract-overflow-chmd-486 
/tmp/chmextract-overflow-chmd-486
/tmp/chmextract-overflow-chmd-486: invalid section number '89'.
/tmp/chmextract-overflow-chmd-486: invalid section number '89'.
/tmp/chmextract-overflow-chmd-486: invalid section number '89'.
/tmp/chmextract-overflow-chmd-486: invalid section number '71'.
/tmp/chmextract-overflow-chmd-486: invalid section number '266694953'.
/tmp/chmextract-overflow-chmd-486: invalid section number '114'.
/tmp/chmextract-overflow-chmd-486: invalid section number '84'.
/tmp/chmextract-overflow-chmd-486: invalid section number '16259'.
/tmp/chmextract-overflow-chmd-486: invalid section number '58'.
/tmp/chmextract-overflow-chmd-486: invalid section number '67'.
/tmp/chmextract-overflow-chmd-486: invalid section number '47'.
/tmp/chmextract-overflow-chmd-486: invalid section number '48'.
/tmp/chmextract-overflow-chmd-486: invalid section number '71'.
/tmp/chmextract-overflow-chmd-486: invalid section number '266694953'.
/tmp/chmextract-overflow-chmd-486: invalid section number '114'.
/tmp/chmextract-overflow-chmd-486: invalid section number '84'.
/tmp/chmextract-overflow-chmd-486: invalid section number '16259'.
/tmp/chmextract-overflow-chmd-486: invalid section number '58'.
=================================================================
==9494==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000002500 at pc 0x7fa204faef54 bp 0x7ffc600617b0 sp 0x7ffc60060f58
READ of size 31 at 0x621000002500 thread T0
    #0 0x7fa204faef53  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xaff53)
    #1 0x7fa204cd98d3 in chmd_read_headers mspack/chmd.c:486
    #2 0x7fa204cd98d3 in chmd_real_open mspack/chmd.c:163
    #3 0x55fd6cdda76a in main examples/chmextract.c:92
    #4 0x7fa2048fbb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #5 0x55fd6cddad69 in _start (/home/kyz/libmspack/libmspack/examples/.libs/chmextract+0x1d69)

0x621000002500 is located 0 bytes to the right of 4096-byte region [0x621000001500,0x621000002500)
allocated by thread T0 here:
    #0 0x7fa204fddb50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
    #1 0x7fa204cd8bd9 in chmd_read_headers mspack/chmd.c:418
    #2 0x7fa204cd8bd9 in chmd_real_open mspack/chmd.c:163

SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xaff53) 
Shadow bytes around the buggy address:
  0x0c427fff8450: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff8460: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff8470: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff8480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff8490: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c427fff84a0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff84b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff84c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff84d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff84e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff84f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==9494==ABORTING

... and to prove it is fixed in the current version:

$ git checkout master
$ ./autogen.sh
$ CFLAGS='-g -O2 -fsanitize=address' ./configure  # configure to use ASan
$ make
$ ./examples/chmextract /tmp/chmextract-overflow-chmd-486 
... produces the output you saw, even though ASan is enabled, because bug is fixed

from libmspack.

avatar commented on May 30, 2024

Thank you for your explanation.
And
Is there any way to exploit it ?

from libmspack.

kyz avatar kyz commented on May 30, 2024

There's not much to exploit.

The description of CVE-2019-1010305 is "Information Disclosure". The disclosure is whether memory starting near the end of and ending just beyond the end of a heap-based buffer matches one of four fixed strings:

  1. ::DataSpace/Storage/MSCompressed/Content
  2. ::DataSpace/Storage/MSCompressed/ControlData
  3. ::DataSpace/Storage/MSCompressed/SpanInfo
  4. ::DataSpace/Storage/MSCompressed/Transform/{7FC28940-9D31-11D0-9B27-00A0C91E9C7C}/InstanceData/ResetTable

The attacker cannot arbitrarily choose the memory address nor can they learn what the memory contains, they can only determine if it matches one of four strings, which it most likely doesn't, and they need some way to see what's in the mschmd_file.sec1.{content,control,spaninfo,rtable} fields to exfiltrate that knowledge.

So it is definitely a correctness bug (libmspack should never read unallocated memory), but the security implications are minimal. Contrast it with Heartbleed, where an attacker can get a verbatim copy of up to 64kb of memory that follows where their message is stored in memory.

I can think of a worst-possible-case, but you have to go from normal behaviour, where reading a few bytes beyond allocated memory is wrong does not cause any faults, to pathological behaviour: imagine you've set up a long-running CHM-listing network service, and you've also chosen to instrument all its code with ASan. An attacker can cause the program to crash by sending this PoC file to the service, getting it to read just beyond the end of a buffer and thus trigger your intentional program-crasher.

from libmspack.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.