
#271 null pointer dereference in be_uint32_read()

other
closed-fixed
nobody
None
5
2019-05-09
2019-01-03
Ace Team
No

What is the vulnerability:
During our research on advancecomp we found a null pointer dereference in the function be_uint32_read(), located in lib/endianrw.h, which raises SIGSEGV. The crash is reached from png_print_chunk() while listing an MNG file (advmng -l): for a zero-length MHDR chunk the chunk payload pointer is NULL (the backtrace below shows data=0x0, size=0x0), yet the MHDR case reads the width, height and frequency fields at data+0, data+4 and data+8 without first checking that the chunk carries at least 12 bytes, so the first byte access faults at address 0x3. The impact is a crash (denial of service) of advmng on a crafted input; the same missing length check would presumably also let a short, non-empty MHDR chunk be read past its end — worth confirming against the fix.

Package - advancecomp

Version - 2.1

Tested environment - Ubuntu 16.04 LTS 32-bit. (Note that the debugger output below was captured on an x86-64 build — 64-bit registers, `code:i386:x86-64` — so the crash reproduces on 64-bit as well.)

Command - advmng -l -0 -1 -2 -3 -4 -i 8 -r -e $POC

Vulnerable code - the MHDR case of png_print_chunk() (three unchecked 4-byte reads from `data`; no check of `size` is visible here), followed by the byte reads in be_uint32_read() that fault:

switch (type) {
        case ADV_MNG_CN_MHDR :
       cout << " width:" << be_uint32_read(data+0) << " height:" << be_uint32_read(data+4) << " frequency:" << be_uint32_read(data+8);
return (unsigned)ptr8[3] | (unsigned)ptr8[2] << 8 | (unsigned)ptr8[1] << 16 | (unsigned)ptr8[0] << 24;

Debugger output at the crash (GDB; be_uint32_read() was called with ptr=0x0 and faults on the first byte read, ptr8[3]):

198     return (unsigned)ptr8[3] | (unsigned)ptr8[2] << 8 | (unsigned)ptr8[1] << 16 | (unsigned)ptr8[0] << 24;
[ Legend: Modified register | Code | Heap | Stack | String ]
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ registers ]────
$rax   : 0x3               
$rbx   : 0x6567e0            →  0x00007ffff7bb4960  →  0x00007ffff7943c00  →  <std::basic_ostream<char,+0> mov rax, QWORD PTR [rip+0x272721]        # 0x7ffff7bb6328
$rcx   : 0x3a687464        
$rdx   : 0x7ffff7bb4960      →  0x00007ffff7943c00  →  <std::basic_ostream<char,+0> mov rax, QWORD PTR [rip+0x272721]        # 0x7ffff7bb6328
$rsp   : 0x7fffffffdb00      →  0x00007fffffffdb50  →  0x00007fffffffdc20  →  0x00007fffffffdc90  →  0x00007fffffffdd70  →  0x00007fffffffddc0  →  0x00000000004439e0  →  <__libc_csu_init+0> push r15
$rbp   : 0x7fffffffdb00      →  0x00007fffffffdb50  →  0x00007fffffffdc20  →  0x00007fffffffdc90  →  0x00007fffffffdd70  →  0x00007fffffffddc0  →  0x00000000004439e0  →  <__libc_csu_init+0> push r15
$rsi   : 0x0               
$rdi   : 0x0               
$rip   : 0x409372            →  <be_uint32_read(void+0> movzx eax, BYTE PTR [rax]
$r8    : 0x7               
$r9    : 0x7ffff730b620      →  0x00000000fbad2a84
$r10   : 0x1               
$r11   : 0x1002            
$r12   : 0x4031c0            →  <_start+0> xor ebp, ebp
$r13   : 0x7fffffffdea0      →  0x000000000000000c
$r14   : 0x0               
$r15   : 0x0               
$eflags: [carry PARITY adjust zero sign trap INTERRUPT direction overflow RESUME virtualx86 identification]
$gs: 0x0000  $cs: 0x0033  $ss: 0x002b  $ds: 0x0000  $fs: 0x0000  $es: 0x0000  
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ stack ]────
0x00007fffffffdb00│+0x00: 0x00007fffffffdb50  →  0x00007fffffffdc20  →  0x00007fffffffdc90  →  0x00007fffffffdd70  →  0x00007fffffffddc0  →  0x00000000004439e0  →  <__libc_csu_init+0> push r15     ← $rsp, $rbp
0x00007fffffffdb08│+0x08: 0x0000000000409e79  →  <png_print_chunk(unsigned+0> mov esi, eax
0x00007fffffffdb10│+0x10: 0x0000000000000000
0x00007fffffffdb18│+0x18: 0x4d48445200000000
0x00007fffffffdb20│+0x20: 0x00007fffffffdb80  →  0x0000000000000000
0x00007fffffffdb28│+0x28: 0x000000000066ac50  →  0x0000000000000001
0x00007fffffffdb30│+0x30: 0x005244484dffdb50
0x00007fffffffdb38│+0x38: 0x27f2a27d5f1e4400
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ code:i386:x86-64 ]────
     0x409364 <be_uint32_read(void+0> rex.RB call 0xfffffffff8861cb2
     0x40936a <be_uint32_read(void+0> mov    rax, QWORD PTR [rbp-0x8]
     0x40936e <be_uint32_read(void+0> add    rax, 0x3
 →   0x409372 <be_uint32_read(void+0> movzx  eax, BYTE PTR [rax]
     0x409375 <be_uint32_read(void+0> movzx  eax, al
     0x409378 <be_uint32_read(void+0> mov    rdx, QWORD PTR [rbp-0x8]
     0x40937c <be_uint32_read(void+0> add    rdx, 0x2
     0x409380 <be_uint32_read(void+0> movzx  edx, BYTE PTR [rdx]
     0x409383 <be_uint32_read(void+0> movzx  edx, dl
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ source:lib/endianrw.h+198 ]────
    193  {
    194  #ifdef USE_MSB
    195     return cpu_uint32_read(ptr);
    196  #else
    197     const unsigned char* ptr8 = (const unsigned char*)ptr;
        // ptr8=0x00007fffffffdaf8  →  0x0000000000000000
 →  198     return (unsigned)ptr8[3] | (unsigned)ptr8[2] << 8 | (unsigned)ptr8[1] << 16 | (unsigned)ptr8[0] << 24;
    199  #endif
    200  }
    201  /*@}*/
    202  
    203  /** \name Write
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ threads ]────
[#0] Id 1, Name: "advmng", stopped, reason: SIGSEGV
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ trace ]────
[#0] 0x409372 → Name: be_uint32_read(ptr=0x0)
[#1] 0x409e79 → Name: png_print_chunk(type=0x4d484452, data=0x0, size=0x0)
[#2] 0x405c3b → Name: mng_print(path="/home/loginsoft/$POC")
[#3] 0x4077d4 → Name: list_all(argc=0x1, argv=0x7fffffffdf00)
[#4] 0x40861e → Name: process(argc=0xc, argv=0x7fffffffdea8)
[#5] 0x40895e → Name: main(argc=0xc, argv=0x7fffffffdea8)
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
1 Attachments


Discussion

  • Andrea Mazzoleni

    Thanks for reporting!

    The latest git version fixes that: https://github.com/amadvance/advancecomp

    Ciao,
    Andrea

     
  • Andrea Mazzoleni

    • status: open --> closed-fixed
     
