Sharutils 4.15.2 Heap-Buffer-Overflow

From: nafiez <nafiez.skins@gmail.com>
To: oss.security@lists.openwall.com,bugtraq@securityfocus.com
Cc:
Subject: Sharutils 4.15.2 Heap-Buffer-Overflow
Date:


Unshar scans the input files (typically email messages) looking for the
start of a shell archive. If no files are given, then standard input is
processed instead. Shipped along with Sharutils.

Bug was found with AFL.

=================================================================
==11164==ERROR: AddressSanitizer: heap-buffer-overflow on address
0xb5901100 at pc 0x0804c695 bp 0xbfe86f28 sp 0xbfe86f18
READ of size 1 at 0xb5901100 thread T0
 #0 0x804c694 in looks_like_c_code
/home/john/sharutils-4.15.2/src/unshar.c:75
 #1 0x804c694 in find_archive
/home/john/sharutils-4.15.2/src/unshar.c:253
 #2 0x804c694 in unshar_file /home/john/sharutils-4.15.2/src/unshar.c:379
 #3 0x804a2f4 in validate_fname
/home/john/sharutils-4.15.2/src/unshar-opts.c:604
 #4 0x804a2f4 in main /home/john/sharutils-4.15.2/src/unshar-opts.c:639
 #5 0xb70ab636 in __libc_start_main
(/lib/i386-linux-gnu/libc.so.6+0x18636)
 #6 0x804ab95 (/home/john/sharutils-4.15.2/src/unshar+0x804ab95)

0xb5901100 is located 0 bytes to the right of 4096-byte region
[0xb5900100,0xb5901100)
allocated by thread T0 here:
 #0 0xb72dfdee in malloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x96dee)
 #1 0x804c9e4 in init_unshar /home/john/sharutils-4.15.2/src/unshar.c:450
 #2 0xb70ab636 in __libc_start_main
(/lib/i386-linux-gnu/libc.so.6+0x18636)

SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/john/sharutils-4.15.2/src/unshar.c:75 looks_like_c_code
Shadow bytes around the buggy address:
 0x36b201d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 0x36b201e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 0x36b201f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 0x36b20200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 0x36b20210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x36b20220:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
 0x36b20230: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
 0x36b20240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
 0x36b20250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
 0x36b20260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
 0x36b20270: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
 Addressable: 00
 Partially addressable: 01 02 03 04 05 06 07
 Heap left redzone: fa
 Heap right redzone: fb
 Freed heap region: fd
 Stack left redzone: f1
 Stack mid redzone: f2
 Stack right redzone: f3
 Stack partial redzone: f4
 Stack after return: f5
 Stack use after scope: f8
 Global redzone: f9
 Global init order: f6
 Poisoned by user: f7
 Container overflow: fc
 Array cookie: ac
 Intra object redzone: bb
 ASan internal: fe
==11164==ABORTING


Thanks,

nafiez






Copyright © 1995-2018 LinuxRocket.net. All rights reserved.