
liblnk's People

Contributors: adiba, joachimmetz, liamjm


liblnk's Issues

undefined malloc(0) behavior of compiler causes ASAN warning about printf invoked from info_handle.c:1624

We found a heap buffer overflow issue in the lnkinfo binary; lnkinfo is compiled with clang with ASAN enabled.

Machine Setup
Machine : Ubuntu 16.04.3 LTS
gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.11)
Commit : c962bb7
lnkinfo : 20191006
Command : lnkinfo -v POC
POC : POC.zip

ASAN Output

fuzzer@fuzzer:~/victim/liblnk/lnktools$ ./lnkinfo -v POC
lnkinfo 20191006

Windows Shortcut information:
	Contains a link target identifier
	Contains a relative path string

Link information:
	Creation time			: May 27, 1775 06:41:18.046140800 UTC
	Modification time		: (0x4c61c560 0x00000011) UTC
	Access time			: Jan 01, 1601 16:36:57.485926400 UTC
	File size			: 4089677395 bytes
	Icon index			: 536952832
	Show Window value		: 0xf3c38653
	Hot Key value			: 34387
	File attribute flags		: 0x00000011
		Is read-only (FILE_ATTRIBUTE_READ_ONLY)
		Is directory (FILE_ATTRIBUTE_DIRECTORY)
	Drive type			: Not set (0)
	Drive serial number		: 0x00000000
=================================================================
==14413==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000eef1 at pc 0x000000460a06 bp 0x7ffca78431c0 sp 0x7ffca7842970
READ of size 2 at 0x60200000eef1 thread T0
    #0 0x460a05 in printf_common(void*, char const*, __va_list_tag*) (/home/fuzzer/victim/liblnk/lnktools/lnkinfo+0x460a05)
    #1 0x460302 in printf_common(void*, char const*, __va_list_tag*) (/home/fuzzer/victim/liblnk/lnktools/lnkinfo+0x460302)
    #2 0x4611fa in __interceptor_vfprintf (/home/fuzzer/victim/liblnk/lnktools/lnkinfo+0x4611fa)
    #3 0x4612b2 in __interceptor_fprintf (/home/fuzzer/victim/liblnk/lnktools/lnkinfo+0x4612b2)
    #4 0x4ee345 in info_handle_relative_path_fprint /home/fuzzer/victim/liblnk/lnktools/info_handle.c:1624:3
    #5 0x4f07dd in info_handle_file_fprint /home/fuzzer/victim/liblnk/lnktools/info_handle.c:2598:6
    #6 0x4f175c in main /home/fuzzer/victim/liblnk/lnktools/lnkinfo.c:277:6
    #7 0x7fb993c1782f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
    #8 0x418c68 in _start (/home/fuzzer/victim/liblnk/lnktools/lnkinfo+0x418c68)

0x60200000eef1 is located 0 bytes to the right of 1-byte region [0x60200000eef0,0x60200000eef1)
allocated by thread T0 here:
    #0 0x4b8d98 in malloc (/home/fuzzer/victim/liblnk/lnktools/lnkinfo+0x4b8d98)
    #1 0x4ee287 in info_handle_relative_path_fprint /home/fuzzer/victim/liblnk/lnktools/info_handle.c:1586:18
    #2 0x4f07dd in info_handle_file_fprint /home/fuzzer/victim/liblnk/lnktools/info_handle.c:2598:6
    #3 0x7fb993c1782f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/fuzzer/victim/liblnk/lnktools/lnkinfo+0x460a05) in printf_common(void*, char const*, __va_list_tag*)
==14413==ABORTING

libfwsi: uri_sub_values shell item recognized as file_entry shell item

OOB read of 1 in liblnk_location_information.c#L1090 causes ASAN warning

We found a heap buffer overflow issue in the lnkinfo binary; lnkinfo is compiled with clang with ASAN enabled.

Machine Setup
Machine : Ubuntu 16.04.3 LTS
gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.11)
Commit : c962bb7
lnkinfo : 20191006
Command : lnkinfo -v POC
POC : POC.zip

ASAN Output

fuzzer@fuzzer:~/victim/liblnk/lnktools$ ./lnkinfo -v POC
lnkinfo 20191006

=================================================================
==27633==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000de7f at pc 0x0000005a4184 bp 0x7ffc6a441c30 sp 0x7ffc6a441c28
READ of size 1 at 0x60400000de7f thread T0
    #0 0x5a4183 in liblnk_location_information_read_data /home/fuzzer/victim/liblnk/liblnk/liblnk_location_information.c:1090:4
    #1 0x5a45d7 in liblnk_location_information_read /home/fuzzer/victim/liblnk/liblnk/liblnk_location_information.c:1915:6
    #2 0x58e4b8 in liblnk_file_open_read /home/fuzzer/victim/liblnk/liblnk/liblnk_file.c:1282:16
    #3 0x58d718 in liblnk_file_open_file_io_handle /home/fuzzer/victim/liblnk/liblnk/liblnk_file.c:628:6
    #4 0x58d0de in liblnk_file_open /home/fuzzer/victim/liblnk/liblnk/liblnk_file.c:346:6
    #5 0x4eb095 in info_handle_open_input /home/fuzzer/victim/liblnk/lnktools/info_handle.c:415:6
    #6 0x4f1728 in main /home/fuzzer/victim/liblnk/lnktools/lnkinfo.c:265:6
    #7 0x7f4b3516682f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
    #8 0x418c68 in _start (/home/fuzzer/victim/liblnk/lnktools/lnkinfo+0x418c68)

0x60400000de7f is located 0 bytes to the right of 47-byte region [0x60400000de50,0x60400000de7f)
allocated by thread T0 here:
    #0 0x4b8d98 in malloc (/home/fuzzer/victim/liblnk/lnktools/lnkinfo+0x4b8d98)
    #1 0x5a454b in liblnk_location_information_read /home/fuzzer/victim/liblnk/liblnk/liblnk_location_information.c:1884:42
    #2 0x58e4b8 in liblnk_file_open_read /home/fuzzer/victim/liblnk/liblnk/liblnk_file.c:1282:16
    #3 0x58d718 in liblnk_file_open_file_io_handle /home/fuzzer/victim/liblnk/liblnk/liblnk_file.c:628:6

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/fuzzer/victim/liblnk/liblnk/liblnk_location_information.c:1090:4 in liblnk_location_information_read_data
==27633==ABORTING
fuzzer@fuzzer:~/victim/liblnk/lnktools$

lnkinfo 20150609 crash when using libfwsi 20150606

Hi,

When using lnkinfo 20150609, with liblnk linking against libfwsi 20150606 from system, I have a crash with https://github.com/log2timeline/plaso/raw/master/test_data/NeroInfoTool.lnk

I reproduced it on both Ubuntu and FreeBSD.

$ lnkinfo NeroInfoTool.lnk 
lnkinfo 20150609

Windows Shortcut information:
    Contains a link target identifier
    Contains a description string
    Contains a relative path string
    Contains a working directory string
    Contains a command line arguments string
    Contains an icon location string
    Contains an icon location block

Link information:
    Creation time           : Jun 05, 2009 20:13:20.000000000 UTC
    Modification time       : Jun 05, 2009 20:13:20.000000000 UTC
    Access time         : Jan 29, 2010 21:30:11.332156900 UTC
    File size           : 4635160 bytes
    File attribute flags        : 0x00000020
        Should be archived (FILE_ATTRIBUTE_ARCHIVE)
    Drive type          : Fixed (3)
    Drive serial number     : 0x70ecfa33
    Volume label            : OS
    Local path          : C:\Program Files (x86)\Nero\Nero 9\Nero InfoTool\InfoTool.exe
    Description         : Nero InfoTool provides you with information about the most important features of installed drives, inserted discs, installed software and much more. With Nero InfoTool you can find out all about your drive and your system configuration.
    Relative path           : ..\..\..\..\..\..\..\..\Program Files (x86)\Nero\Nero 9\Nero InfoTool\InfoTool.exe
    Working directory       : C:\Program Files (x86)\Nero\Nero 9\Nero InfoTool
    Command line arguments      : -ScParameter=30002  
    Icon location           : %ProgramFiles%\Nero\Nero 9\Nero InfoTool\InfoTool.exe

Link target identifier:
    Shell item list
        Number of items     : 7

    Shell item: 1
        Item type       : Root folder
        Class type indicator    : 0x1f (Root folder)
        Shell folder identifier : 20d04fe0-3aea-1069-a2d8-08002b30309d
Segmentation fault (core dumped)

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7280a03 in _IO_vfprintf_internal (s=<optimized out>, format=<optimized out>, ap=<optimized out>) at vfprintf.c:1661
1661    vfprintf.c: No such file or directory.
(gdb) bt
#0  0x00007ffff7280a03 in _IO_vfprintf_internal (s=<optimized out>, format=<optimized out>, ap=<optimized out>) at vfprintf.c:1661
#1  0x00007ffff7283f31 in buffered_vfprintf (s=s@entry=0x7ffff75f4400 <_IO_2_1_stdout_>, format=format@entry=0x4130d4 "\t\tShell folder name\t: %s\n", args=args@entry=0x7fffffffdb48) at vfprintf.c:2356
#2  0x00007ffff727eeae in _IO_vfprintf_internal (s=s@entry=0x7ffff75f4400 <_IO_2_1_stdout_>, format=format@entry=0x4130d4 "\t\tShell folder name\t: %s\n", ap=ap@entry=0x7fffffffdb48) at vfprintf.c:1313
#3  0x00007ffff733e565 in ___fprintf_chk (fp=fp@entry=0x7ffff75f4400 <_IO_2_1_stdout_>, flag=flag@entry=1, format=format@entry=0x4130d4 "\t\tShell folder name\t: %s\n") at fprintf_chk.c:35
#4  0x00000000004077e1 in fprintf (__fmt=0x4130d4 "\t\tShell folder name\t: %s\n", __stream=0x7ffff75f4400 <_IO_2_1_stdout_>) at /usr/include/x86_64-linux-gnu/bits/stdio2.h:97
#5  shell_items_root_folder_fprint (shell_item=shell_item@entry=0x619b60, notify_stream=notify_stream@entry=0x7ffff75f4400 <_IO_2_1_stdout_>, error=error@entry=0x7fffffffddc8) at shell_items.c:1085
#6  0x00000000004083b1 in shell_items_item_fprint (shell_item=0x619b60, shell_item_index=shell_item_index@entry=1, notify_stream=notify_stream@entry=0x7ffff75f4400 <_IO_2_1_stdout_>, 
    error=error@entry=0x7fffffffddc8) at shell_items.c:857
#7  0x0000000000408586 in shell_items_item_list_fprint (shell_item_list=0x619aa0, notify_stream=0x7ffff75f4400 <_IO_2_1_stdout_>, error=error@entry=0x7fffffffddc8) at shell_items.c:1722
#8  0x0000000000406486 in info_handle_link_target_identifier_fprint (info_handle=info_handle@entry=0x618080, error=error@entry=0x7fffffffddc8) at info_handle.c:2080
#9  0x0000000000406ae4 in info_handle_file_fprint (info_handle=0x618080, error=error@entry=0x7fffffffddc8) at info_handle.c:2687
#10 0x00000000004045d7 in main (argc=2, argv=0x7fffffffded8) at lnkinfo.c:265

Workaround:
build liblnk with --with-libfwsi=no

Support for detecting trailing non-LNK data

Some LNK files have data appended to the end. It would be useful if liblnk could detect that there is data at the end of the file and represent it as an offset value so it can be easily carved out. a8fac75d06cf1d4e30f9b118a962a24413d046dec622bd17dd594250252543e9 is one example of a LNK with a PE appended to the end of it. While the PE is easy to find, I have other examples with encrypted/compressed data on the end that are not easily recognizable.
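An added example, not liblnk's own code: a minimal Python walker over the MS-SHLLINK layout (header, LinkTargetIDList, LinkInfo, StringData, ExtraData) that returns the offset where the documented structures end and whatever follows, which is the carving offset requested above. Every read is bounds-checked before it happens, the check the over-read issues elsewhere on this page are missing; the sample shortcut is constructed inline and the trailing bytes are a placeholder.

```python
import struct

# Fixed-layout header of a Windows shell link (MS-SHLLINK 2.1): 76 bytes,
# starting with HeaderSize and the CLSID 00021401-0000-0000-C000-000000000046.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits that decide which optional structures follow the header.
HAS_LINK_TARGET_ID_LIST = 0x00000001
HAS_LINK_INFO = 0x00000002
HAS_NAME = 0x00000004
HAS_RELATIVE_PATH = 0x00000008
HAS_WORKING_DIR = 0x00000010
HAS_ARGUMENTS = 0x00000020
HAS_ICON_LOCATION = 0x00000040
IS_UNICODE = 0x00000080
STRING_DATA_FLAGS = (HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR,
                     HAS_ARGUMENTS, HAS_ICON_LOCATION)


class LnkParseError(ValueError):
    """Raised when the buffer is not a shell link or a size field runs past its end."""


def _need(data, offset, size, what):
    # Every read is checked against the buffer length before it happens, so a
    # crafted size field raises instead of reading out of bounds.
    if offset + size > len(data):
        raise LnkParseError(f"{what}: {size} bytes at offset {offset} exceed {len(data)}-byte buffer")


def lnk_end_offset(data):
    """Walk header, IDList, LinkInfo, StringData and ExtraData; return the offset where they end."""
    _need(data, 0, LNK_HEADER_SIZE, "ShellLinkHeader")
    header_size, = struct.unpack_from("<I", data, 0)
    if header_size != LNK_HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise LnkParseError("not a shell link: bad HeaderSize or LinkCLSID")
    flags, = struct.unpack_from("<I", data, 0x14)
    offset = LNK_HEADER_SIZE

    if flags & HAS_LINK_TARGET_ID_LIST:
        _need(data, offset, 2, "IDListSize")
        id_list_size, = struct.unpack_from("<H", data, offset)
        offset += 2
        _need(data, offset, id_list_size, "LinkTargetIDList")
        offset += id_list_size

    if flags & HAS_LINK_INFO:
        _need(data, offset, 4, "LinkInfoSize")
        link_info_size, = struct.unpack_from("<I", data, offset)
        if link_info_size < 4:
            raise LnkParseError("LinkInfoSize smaller than its own size field")
        _need(data, offset, link_info_size, "LinkInfo")  # size includes the 4-byte field
        offset += link_info_size

    char_size = 2 if flags & IS_UNICODE else 1
    for flag in STRING_DATA_FLAGS:
        if flags & flag:
            _need(data, offset, 2, "CountCharacters")
            count, = struct.unpack_from("<H", data, offset)
            offset += 2
            _need(data, offset, count * char_size, "StringData")
            offset += count * char_size

    # ExtraData: blocks prefixed by a 4-byte BlockSize; a BlockSize below 4 is the
    # terminal block. Files that simply stop without a terminal block are accepted.
    while len(data) - offset >= 4:
        block_size, = struct.unpack_from("<I", data, offset)
        if block_size < 4:
            offset += 4
            break
        _need(data, offset, block_size, "ExtraDataBlock")  # checked before any field is read
        offset += block_size
    return offset


def trailing_data(data):
    """Return (end_offset, appended_bytes) for a LNK buffer."""
    end = lnk_end_offset(data)
    return end, data[end:]


def is_malformed(data):
    """True when the buffer is not a well-formed shell link or a size field runs past its end."""
    try:
        lnk_end_offset(data)
    except LnkParseError:
        return True
    return False


def build_sample_lnk():
    # Constructed sample, not a real shortcut: Unicode relative path "x.exe",
    # one 12-byte extra data block, a terminal block, then appended placeholder bytes.
    flags = HAS_RELATIVE_PATH | IS_UNICODE
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))
    string_data = struct.pack("<H", len("x.exe")) + "x.exe".encode("utf-16-le")
    extra_block = struct.pack("<II", 12, 0xA0000009) + b"\x00" * 4
    terminal = struct.pack("<I", 0)
    return header + string_data + extra_block + terminal + b"TRAILING-DATA"


if __name__ == "__main__":
    end, tail = trailing_data(build_sample_lnk())
    print(f"LNK structures end at offset {end}; {len(tail)} trailing bytes: {tail!r}")
```

Run against a real shortcut by passing its bytes to trailing_data(); a non-empty tail is the candidate region to carve.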

libfwsi: libfwsi_file_entry_extension_values_read_data read beyond data size

Cygwin compilation doesn't produce cyglnk-1.dll

I have no idea what the problem is...

$ ./lnkinfo.exe
D:/myDev/_gh_cloned/liblnk/lnktools/.libs/lnkinfo.exe: error while loading shared libraries: cyglnk-1.dll: cannot open shared object file: No such file or directory

libfwsi: libfwsi_item_copy_from_byte_stream read beyond data size

liblnk_location_information_read_data does not check volume information size before reading 4 byte unicode volume offset

Multiple heap-buffer-overflow errors inside function liblnk_location_information_read_data (liblnk_location_information.c)

With our fuzzer we found multiple heap-buffer-overflow errors inside the function liblnk_location_information_read_data.

These can be triggered when compiled with AddressSanitizer and run as lnkinfo file.

Settings of the subsequent issues (#14, ... #31) are the same; some of them are inside other projects such as libfwsi. (Someone else also found some relevant crashes, please see http://seclists.org/fulldisclosure/2018/Jun/33)

Unable to open: liblnk-pocs/crashes/hbo_liblnk_location_information.c:1162_1.txt.
liblnk_data_string_read: unable to read data string data.
liblnk_file_open_read: unable to read relative path.
liblnk_file_open_file_io_handle: unable to read from file IO handle.
liblnk_file_open: unable to open file: liblnk-pocs/crashes/hbo_liblnk_location_information.c:1162_1.txt.
info_handle_open_input: unable to open input file.
No stack.

Starting program: /home/exp/FOT/liblnk/install/bin/lnkinfo liblnk-pocs/crashes/hbo_liblnk_location_information.c:1162_1.txt
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
lnkinfo 20180419

[Inferior 1 (process 18374) exited with code 01]

=================================================================
==6867==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60c000000172 at pc 0x7ffff78e68c5 bp 0x7fffffffbe80 sp 0x7fffffffbe78
READ of size 1 at 0x60c000000172 thread T0
    #0 0x7ffff78e68c4 in liblnk_location_information_read_data /home/exp/FOT/liblnk-fuzz/liblnk/liblnk_location_information.c:1162:11
    #1 0x7ffff78e6fe3 in liblnk_location_information_read /home/exp/FOT/liblnk-fuzz/liblnk/liblnk_location_information.c:1907:6
    #2 0x7ffff78c71e7 in liblnk_file_open_read /home/exp/FOT/liblnk-fuzz/liblnk/liblnk_file.c:1149:16
    #3 0x7ffff78c66d9 in liblnk_file_open_file_io_handle /home/exp/FOT/liblnk-fuzz/liblnk/liblnk_file.c:627:6
    #4 0x7ffff78c5e69 in liblnk_file_open /home/exp/FOT/liblnk-fuzz/liblnk/liblnk_file.c:345:6
    #5 0x529792 in info_handle_open_input /home/exp/FOT/liblnk-fuzz/lnktools/info_handle.c:415:6
    #6 0x53216c in main /home/exp/FOT/liblnk-fuzz/lnktools/lnkinfo.c:265:6
    #7 0x7ffff6870b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #8 0x4301c9 in _start (/home/exp/FOT/liblnk-fuzz/install/bin/lnkinfo+0x4301c9)

0x60c000000172 is located 1 bytes to the right of 113-byte region [0x60c000000100,0x60c000000171)
allocated by thread T0 here:
    #0 0x4f0080 in malloc (/home/exp/FOT/liblnk-fuzz/install/bin/lnkinfo+0x4f0080)
    #1 0x7ffff78e6f9f in liblnk_location_information_read /home/exp/FOT/liblnk-fuzz/liblnk/liblnk_location_information.c:1876:42
    #2 0x7ffff78c71e7 in liblnk_file_open_read /home/exp/FOT/liblnk-fuzz/liblnk/liblnk_file.c:1149:16
    #3 0x7ffff78c66d9 in liblnk_file_open_file_io_handle /home/exp/FOT/liblnk-fuzz/liblnk/liblnk_file.c:627:6

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/exp/FOT/liblnk-fuzz/liblnk/liblnk_location_information.c:1162:11 in liblnk_location_information_read_data
==6867==ABORTING

Starting program: /home/exp/FOT/liblnk-fuzz/install/bin/lnkinfo liblnk-pocs/crashes/hbo_liblnk_location_information.c:1162_1.txt
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
lnkinfo 20180419


Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51
#0  __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007ffff688f801 in __GI_abort () at abort.c:79
#2  0x00000000005196fb in __sanitizer::Abort() ()
#3  0x0000000000516a28 in __sanitizer::Die() ()
#4  0x00000000004f8cad in __asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool) ()
#5  0x00000000004f9378 in __asan_report_load1 ()
#6  0x00007ffff78e68c5 in liblnk_location_information_read_data (location_information=0x60b0000000f0, io_handle=<optimized out>, data=0x60c000000100 "\034", data_size=0x71, error=0x7fffffffc2e0) at liblnk_location_information.c:1162
#7  0x00007ffff78e6fe4 in liblnk_location_information_read (location_information=<optimized out>, io_handle=<optimized out>, file_io_handle=0x60c000000100, location_information_offset=<optimized out>, error=<optimized out>) at liblnk_location_information.c:1907
#8  0x00007ffff78c71e8 in liblnk_file_open_read (internal_file=0x60c000000040, file_io_handle=0x60e000000040, error=0x7fffffffc2e0) at liblnk_file.c:1149
#9  0x00007ffff78c66da in liblnk_file_open_file_io_handle (file=0x60c000000040, file_io_handle=0x60e000000040, access_flags=<optimized out>, error=0x7fffffffc2e0) at liblnk_file.c:627
#10 0x00007ffff78c5e6a in liblnk_file_open (file=0x60c000000040, filename=0x7fffffffc9e8 "liblnk-pocs/crashes/hbo_liblnk_location_information.c:1162_1.txt", access_flags=0x1, error=<optimized out>) at liblnk_file.c:345
#11 0x0000000000529793 in info_handle_open_input (info_handle=<optimized out>, filename=0x7fffffffc9e8 "liblnk-pocs/crashes/hbo_liblnk_location_information.c:1162_1.txt", error=0x7fffffffc2e0) at info_handle.c:415
#12 0x000000000053216d in main (argc=0x2, argv=<optimized out>) at lnkinfo.c:265

Sample proof-of-crash (POC) files (crashes in the same function but at different lines):
https://github.com/ntu-sec/pocs/blob/master/liblnk/hbo_liblnk_location_information.c%3A507_1.input.txt
https://github.com/ntu-sec/pocs/blob/master/liblnk/hbo_liblnk_location_information.c%3A507_2.input.txt
https://github.com/ntu-sec/pocs/blob/master/liblnk/hbo_liblnk_location_information.c%3A584_1.input.txt
https://github.com/ntu-sec/pocs/blob/master/liblnk/hbo_liblnk_location_information.c%3A584_2.input.txt
https://github.com/ntu-sec/pocs/blob/master/liblnk/hbo_liblnk_location_information.c%3A585_1.input.txt
https://github.com/ntu-sec/pocs/blob/master/liblnk/hbo_liblnk_location_information.c%3A585_2.input.txt
https://github.com/ntu-sec/pocs/blob/master/liblnk/hbo_liblnk_location_information.c%3A623_1.input.txt
https://github.com/ntu-sec/pocs/blob/master/liblnk/hbo_liblnk_location_information.c%3A623_2.input.txt
https://github.com/ntu-sec/pocs/blob/master/liblnk/hbo_liblnk_location_information.c%3A656_1.input.txt
https://github.com/ntu-sec/pocs/blob/master/liblnk/hbo_liblnk_location_information.c%3A656_2.input.txt
https://github.com/ntu-sec/pocs/blob/master/liblnk/hbo_liblnk_location_information.c%3A850_1.input.txt
https://github.com/ntu-sec/pocs/blob/master/liblnk/hbo_liblnk_location_information.c%3A850_2.input.txt
https://github.com/ntu-sec/pocs/blob/master/liblnk/hbo_liblnk_location_information.c%3A883_1.input.txt
https://github.com/ntu-sec/pocs/blob/master/liblnk/hbo_liblnk_location_information.c%3A883_2.input.txt
https://github.com/ntu-sec/pocs/blob/master/liblnk/hbo_liblnk_location_information.c%3A1037_1.input.txt
https://github.com/ntu-sec/pocs/blob/master/liblnk/hbo_liblnk_location_information.c%3A1037_2.input.txt
https://github.com/ntu-sec/pocs/blob/master/liblnk/hbo_liblnk_location_information.c%3A1076_1.input.txt
https://github.com/ntu-sec/pocs/blob/master/liblnk/hbo_liblnk_location_information.c%3A1076_2.input.txt
https://github.com/ntu-sec/pocs/blob/master/liblnk/hbo_liblnk_location_information.c%3A1080_1.input.txt
https://github.com/ntu-sec/pocs/blob/master/liblnk/hbo_liblnk_location_information.c%3A1080_2.input.txt
https://github.com/ntu-sec/pocs/blob/master/liblnk/hbo_liblnk_location_information.c%3A1162_1.input.txt
https://github.com/ntu-sec/pocs/blob/master/liblnk/hbo_liblnk_location_information.c%3A1162_2.input.txt
https://github.com/ntu-sec/pocs/blob/master/liblnk/hbo_liblnk_location_information.c%3A1163_1.input.txt
https://github.com/ntu-sec/pocs/blob/master/liblnk/hbo_liblnk_location_information.c%3A1163_2.input.txt
https://github.com/ntu-sec/pocs/blob/master/liblnk/hbo_liblnk_location_information.c%3A1201_1.input.txt
https://github.com/ntu-sec/pocs/blob/master/liblnk/hbo_liblnk_location_information.c%3A1201_2.input.txt
https://github.com/ntu-sec/pocs/blob/master/liblnk/hbo_liblnk_location_information.c%3A1234_1.input.txt
https://github.com/ntu-sec/pocs/blob/master/liblnk/hbo_liblnk_location_information.c%3A1234_2.input.txt
https://github.com/ntu-sec/pocs/blob/master/liblnk/hbo_liblnk_location_information.c%3A1317_1.input.txt
https://github.com/ntu-sec/pocs/blob/master/liblnk/hbo_liblnk_location_information.c%3A1317_2.input.txt
https://github.com/ntu-sec/pocs/blob/master/liblnk/hbo_liblnk_location_information.c%3A1361_1.input.txt
https://github.com/ntu-sec/pocs/blob/master/liblnk/hbo_liblnk_location_information.c%3A1361_2.input.txt
https://github.com/ntu-sec/pocs/blob/master/liblnk/hbo_liblnk_location_information.c%3A1400_1.input.txt
https://github.com/ntu-sec/pocs/blob/master/liblnk/hbo_liblnk_location_information.c%3A1400_2.input.txt
https://github.com/ntu-sec/pocs/blob/master/liblnk/hbo_liblnk_location_information.c%3A1433_1.input.txt
https://github.com/ntu-sec/pocs/blob/master/liblnk/hbo_liblnk_location_information.c%3A1433_2.input.txt
https://github.com/ntu-sec/pocs/blob/master/liblnk/hbo_liblnk_location_information.c%3A1628_1.input.txt
https://github.com/ntu-sec/pocs/blob/master/liblnk/hbo_liblnk_location_information.c%3A1628_2.input.txt

How do you install and use this?

I came here after googling for Windows symlink info.

I've got some really weird symlink issues, where 2 apparently equal symlinks do different things.
I was hoping for some symlink parser that would describe what I'm looking at.

So how do you install and use this?
What is the output? (Screenshots please!)
Some usage info would be very helpful.

lnkinfo: string in metadata property store data block is not shown

Hello,
I've found that links also contain a field telling where they were first created.

For example, here are 2 nearly equivalent PowerShell (Core) links. One was copied from an earlier version and made to use the new path, and the other was automatically created by the PowerShell installer. Although lnkinfo.exe does not detect any difference apart from the timestamps, there is a considerable difference in file structure and content (only visible with a hex editor), ~40 bytes.

$ \ls -lH pwsh*
-rwxr-xrwx+ 1 xxxx None 1650 Dec 22 06:11 pwsh7.lnk
-rwxr-xrwx+ 1 xxxx None 1610 Dec 22 06:11 pwsh8.lnk

# strings -a -t x -e l -n3 pwsh7.lnk
     c1 Program Files
     dd @shell32.dll,-21781
    14d PowerShell
    1a9 w7-preview
    207 pwsh.exe
    27a %C:\Program Files\PowerShell\7-preview
    2f7 7-preview (C:\Program Files\PowerShell\7)
    378 S-1-5-21-834826149-1087668994-4147927960-1001
    401 pwsh.exe
    450 Application
    4aa C:\Program Files\PowerShell\7\7-preview\pwsh.exe         # <----  HIDDEN
    5ce Lucida Console

$ strings -a -t x -e l -n3 pwsh8.lnk
     bf TProgram Files
     dd @shell32.dll,-21781
    14b 1PowerShell
    1ab 7-preview
    207 pwsh.exe
    27a %C:\Program Files\PowerShell\7-preview
    2f7 6 (C:\Program Files\PowerShell)
    364 S-1-5-21-834826149-1087668994-4147927960-1001
    3ed pwsh.exe
    43c Application
    496 C:\Program Files\PowerShell\6\pwsh.exe         # <----  HIDDEN
    5a6 Lucida Console

and not seen using this tool:

# lnkinfo.exe pwsh7.lnk |head -22
lnkinfo 20201129

Windows Shortcut information:
 Contains a link target identifier
 Contains a working directory string

Link information:
 Creation time        : Apr 21, 2020 16:14:04.000000000 UTC
 Modification time     : Apr 21, 2020 16:14:04.000000000 UTC
 Access time    : Apr 29, 2020 16:47:57.799955900 UTC
 File size     : 297552 bytes
 Icon index     : 0
 Show Window value     : 0x00000001
 Hot Key value        : 0
 File attribute flags  : 0x00000020
    Should be archived (FILE_ATTRIBUTE_ARCHIVE)
 Drive type     : Fixed (3)
 Drive serial number   : 0xf7f187d0
 Volume label         :
 Local path     : C:\Program Files\PowerShell\7-preview\pwsh.exe
 Working directory     : C:\Program Files\PowerShell\7-preview
...

# lnkinfo.exe pwsh8.lnk |head -22
lnkinfo 20201129

Windows Shortcut information:
 Contains a link target identifier
 Contains a working directory string

Link information:
 Creation time        : Dec 14, 2020 21:05:34.000000000 UTC
 Modification time     : Dec 14, 2020 21:05:34.000000000 UTC
 Access time    : Dec 21, 2020 21:10:12.191710900 UTC
 File size     : 274312 bytes
 Icon index     : 0
 Show Window value     : 0x00000001
 Hot Key value        : 0
 File attribute flags  : 0x00000020
    Should be archived (FILE_ATTRIBUTE_ARCHIVE)
 Drive type     : Fixed (3)
 Drive serial number   : 0xf7f187d0
 Volume label         :
 Local path     : C:\Program Files\PowerShell\7-preview\pwsh.exe
 Working directory     : C:\Program Files\PowerShell\7-preview
...

OOB read of 1 in liblnk_location_information.c:595

The liblnk_location_information_read_data function in liblnk_location_information.c in liblnk through 2018-08-29 allows remote attackers to cause an information disclosure (heap-based buffer over-read) via a crafted lnk file. [edit: see follow up comments that highlight the reporter does not have proof to back up these claims]

Here are the test cases:
hob-liblnk_location_information.c:595.zip

The output from AddressSanitizer is shown as follows:

ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60700000014b at pc 0x7f0834351c1c bp 0x7ffc2bc025b0 sp 0x7ffc2bc025a0
READ of size 1 at 0x60700000014b thread T0
    #0 0x7f0834351c1b in liblnk_location_information_read_data /home/wcventure/Documents/Fuzzing_Object/liblnk/liblnk/liblnk_location_information.c:595
    #1 0x7f08343525d8 in liblnk_location_information_read /home/wcventure/Documents/Fuzzing_Object/liblnk/liblnk/liblnk_location_information.c:1908
    #2 0x7f08343321d1 in liblnk_file_open_read /home/wcventure/Documents/Fuzzing_Object/liblnk/liblnk/liblnk_file.c:1281
    #3 0x7f08343339b1 in liblnk_file_open_file_io_handle /home/wcventure/Documents/Fuzzing_Object/liblnk/liblnk/liblnk_file.c:627
    #4 0x7f0834333f9d in liblnk_file_open /home/wcventure/Documents/Fuzzing_Object/liblnk/liblnk/liblnk_file.c:345
    #5 0x423c9b in info_handle_open_input /home/wcventure/Documents/Fuzzing_Object/liblnk/lnktools/info_handle.c:415
    #6 0x420ab6 in main /home/wcventure/Documents/Fuzzing_Object/liblnk/lnktools/lnkinfo.c:265
    #7 0x7f0833ef182f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #8 0x422dc8 in _start (/home/wcventure/Documents/Fuzzing_Object/liblnk/build/bin/lnkinfo+0x422dc8)

0x60700000014b is located 0 bytes to the right of 75-byte region [0x607000000100,0x60700000014b)
allocated by thread T0 here:
    #0 0x7f08348efb90 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb90)
    #1 0x7f0834352477 in liblnk_location_information_read /home/wcventure/Documents/Fuzzing_Object/liblnk/liblnk/liblnk_location_information.c:1877

SUMMARY: AddressSanitizer: heap-buffer-overflow /liblnk/liblnk/liblnk_location_information.c:595 in liblnk_location_information_read_data

liblnk_io_handle_read_data_blocks does not check data size before reading 4 byte signature

disclosed PoC files affecting liblnk

Per #13
Someone else also found some relevant crashes, please see http://seclists.org/fulldisclosure/2018/Jun/33

This issue was not directly reported to the liblnk project

Also looks overkill to get CVEs for minor OOB reads:

  • liblnk_data_string_get_utf8_string_size 1 byte OOB read
  • liblnk_location_information_read_data 2 byte OOB read
  • liblnk_data_block_read 1 byte OOB read
allows remote attackers to cause an information disclosure (heap-based buffer
over-read) via a crafted lnk file

To date no proof has been presented to back up these claims.

compilation error on El Capitan with PIP

There is a compilation error when installing with pip, using Homebrew Python 2.7.11.
I have checked the Makefile.in and checked that the correct .h file is included with the typedef libfwsi_extension_block_t.
Please advise how to solve it, thanks a lot.

1 warning generated.
clang -fno-strict-aliasing -fno-common -dynamic -g -O2 -DNDEBUG -g -fwrapv -O3 -Wall -Wstrict-prototypes -DHAVE_CONFIG_H= -DLOCALEDIR="/usr/share/locale" -Iinclude -Icommon -Ilibcstring -Ilibcerror -Ilibcthreads -Ilibcdata -Ilibclocale -Ilibcnotify -Ilibcsplit -Ilibuna -Ilibcfile -Ilibcpath -Ilibbfio -Ilibfdatetime -Ilibfguid -Ilibfole -Ilibfwps -Ilibfwsi -Iliblnk -I/usr/local/include -I/usr/local/opt/openssl/include -I/usr/local/opt/sqlite/include -I/usr/local/Cellar/python/2.7.11/Frameworks/Python.framework/Versions/2.7/include/python2.7 -c libfwsi/libfwsi_extension_block_0xbeef0025_values.c -o build/temp.macosx-10.11-x86_64-2.7/libfwsi/libfwsi_extension_block_0xbeef0025_values.o
libfwsi/libfwsi_extension_block_0xbeef0025_values.c:342:1: warning: unused label 'on_error' [-Wunused-label]
on_error:
^~~~~~~~~
1 warning generated.
clang -fno-strict-aliasing -fno-common -dynamic -g -O2 -DNDEBUG -g -fwrapv -O3 -Wall -Wstrict-prototypes -DHAVE_CONFIG_H= -DLOCALEDIR="/usr/share/locale" -Iinclude -Icommon -Ilibcstring -Ilibcerror -Ilibcthreads -Ilibcdata -Ilibclocale -Ilibcnotify -Ilibcsplit -Ilibuna -Ilibcfile -Ilibcpath -Ilibbfio -Ilibfdatetime -Ilibfguid -Ilibfole -Ilibfwps -Ilibfwsi -Iliblnk -I/usr/local/include -I/usr/local/opt/openssl/include -I/usr/local/opt/sqlite/include -I/usr/local/Cellar/python/2.7.11/Frameworks/Python.framework/Versions/2.7/include/python2.7 -c libfwsi/libfwsi_file_attributes.c -o build/temp.macosx-10.11-x86_64-2.7/libfwsi/libfwsi_file_attributes.o
clang -fno-strict-aliasing -fno-common -dynamic -g -O2 -DNDEBUG -g -fwrapv -O3 -Wall -Wstrict-prototypes -DHAVE_CONFIG_H= -DLOCALEDIR="/usr/share/locale" -Iinclude -Icommon -Ilibcstring -Ilibcerror -Ilibcthreads -Ilibcdata -Ilibclocale -Ilibcnotify -Ilibcsplit -Ilibuna -Ilibcfile -Ilibcpath -Ilibbfio -Ilibfdatetime -Ilibfguid -Ilibfole -Ilibfwps -Ilibfwsi -Iliblnk -I/usr/local/include -I/usr/local/opt/openssl/include -I/usr/local/opt/sqlite/include -I/usr/local/Cellar/python/2.7.11/Frameworks/Python.framework/Versions/2.7/include/python2.7 -c libfwsi/libfwsi_file_entry.c -o build/temp.macosx-10.11-x86_64-2.7/libfwsi/libfwsi_file_entry.o
clang -fno-strict-aliasing -fno-common -dynamic -g -O2 -DNDEBUG -g -fwrapv -O3 -Wall -Wstrict-prototypes -DHAVE_CONFIG_H= -DLOCALEDIR="/usr/share/locale" -Iinclude -Icommon -Ilibcstring -Ilibcerror -Ilibcthreads -Ilibcdata -Ilibclocale -Ilibcnotify -Ilibcsplit -Ilibuna -Ilibcfile -Ilibcpath -Ilibbfio -Ilibfdatetime -Ilibfguid -Ilibfole -Ilibfwps -Ilibfwsi -Iliblnk -I/usr/local/include -I/usr/local/opt/openssl/include -I/usr/local/opt/sqlite/include -I/usr/local/Cellar/python/2.7.11/Frameworks/Python.framework/Versions/2.7/include/python2.7 -c libfwsi/libfwsi_file_entry_extension.c -o build/temp.macosx-10.11-x86_64-2.7/libfwsi/libfwsi_file_entry_extension.o
In file included from libfwsi/libfwsi_file_entry_extension.c:26:
libfwsi/libfwsi_extension_block.h:64:6: error: unknown type name 'libfwsi_extension_block_t'
     libfwsi_extension_block_t **extension_block,
     ^
libfwsi/libfwsi_file_entry_extension.c:168:6: error: unknown type name 'libfwsi_extension_block_t'
     libfwsi_extension_block_t *extension_block,

--------- Repeat -------------

     ^
libfwsi/libfwsi_file_entry_extension.c:238:6: error: unknown type name 'libfwsi_extension_block_t'
     libfwsi_extension_block_t *extension_block,
     ^
fatal error: too many errors emitted, stopping now [-ferror-limit=]
20 errors generated.
error: command 'clang' failed with exit status 1

----------------------------------------

Command "/usr/local/opt/python/bin/python2.7 -u -c "import setuptools, tokenize;file='/private/var/folders/2q/syzcgcnx647_1lkw7zfsx3lh0000gn/T/pip-build-8qmQF2/liblnk-python/setup.py';exec(compile(getattr(tokenize, 'open', open)(file).read().replace('\r\n', '\n'), file, 'exec'))" install --record /var/folders/2q/syzcgcnx647_1lkw7zfsx3lh0000gn/T/pip-39BFYS-record/install-record.txt --single-version-externally-managed --compile" failed with error code 1 in /private/var/folders/2q/syzcgcnx647_1lkw7zfsx3lh0000gn/T/pip-build-8qmQF2/liblnk-python/

Read beyond byte_stream_size in libfwsi_extension_block_copy_from_byte_stream

OOB read of 1 in libfwsi/libfwsi_item_list.c:261

The libfwsi_item_list_copy_from_byte_stream function in libfwsi_item_list.c in liblnk through 2018-08-29 allows remote attackers to cause an information disclosure (heap-based buffer over-read) via a crafted lnk file. [edit: reporter did not provide proof to back up these claims]

Here are the test cases:
hbo-libfwsi_item_list.c:261.zip

The output from AddressSanitizer is shown as follows:

ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6160000005ad at pc 0x00000044bb9b bp 0x7ffed9947820 sp 0x7ffed9947810
READ of size 1 at 0x6160000005ad thread T0
    #0 0x44bb9a in libfwsi_item_list_copy_from_byte_stream /home/wcventure/Documents/Fuzzing_Object/liblnk/libfwsi/libfwsi_item_list.c:261
    #1 0x429d6b in info_handle_link_target_identifier_fprint /home/wcventure/Documents/Fuzzing_Object/liblnk/lnktools/info_handle.c:2207
    #2 0x42ae04 in info_handle_file_fprint /home/wcventure/Documents/Fuzzing_Object/liblnk/lnktools/info_handle.c:2667
    #3 0x420afd in main /home/wcventure/Documents/Fuzzing_Object/liblnk/lnktools/lnkinfo.c:277
    #4 0x7f57dcbec82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #5 0x422dc8 in _start (/home/wcventure/Documents/Fuzzing_Object/liblnk/build/bin/lnkinfo+0x422dc8)

0x6160000005ad is located 0 bytes to the right of 557-byte region [0x616000000380,0x6160000005ad)
allocated by thread T0 here:
    #0 0x7f57dd5eab90 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb90)
    #1 0x4299ee in info_handle_link_target_identifier_fprint /home/wcventure/Documents/Fuzzing_Object/liblnk/lnktools/info_handle.c:2159

SUMMARY: AddressSanitizer: heap-buffer-overflow /liblnk/libfwsi/libfwsi_item_list.c:261 in libfwsi_item_list_copy_from_byte_stream

Incorrect GUID in documentation

In section 2 of the documentation you list the LNK class identifier GUID as:

{00021401-0000-0000-00c0-000000000046}

This is what you see in documentation plastered all over the internet.

However, the sequence of bytes found at that offset is:
01 14 02 00 00 00 00 00 C0 00 00 00 00 00 00 46

In standard GUID format this should be notated as:
{00021401-0000-0000-c000-000000000046}

This can be verified by looking at the registry key values that are children of: HKEY_CLASSES_ROOT \ .lnk \ ShellEx \
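
The byte-order point made in this issue, worked through as an added example (this is not liblnk's code, and the header-size constant 0x4C is the fixed HeaderSize from the MS-SHLLINK format, not something stated in the issue). The 16 bytes are the constructed sample from the report above; the first three GUID fields are stored little-endian and the last eight bytes are stored in print order, so the correct notation is `c000`, while byte-swapping the fourth group as if it were another 16-bit field produces the widely copied `00c0` form. The header check at the end also illustrates, for the earlier "does not check data size before reading 4 byte signature" issue, the habit of validating the available length before reading fixed-size fields from a buffer.

```python
import struct
import uuid

# Constructed sample input: the 16 bytes the issue reports at the class identifier
# offset of a .lnk file header (MS-SHLLINK stores the CLSID after the 4-byte HeaderSize).
LNK_CLSID_BYTES = bytes.fromhex("0114020000000000C000000000000046")
LNK_HEADER_SIZE = 0x4C  # fixed HeaderSize value of the shell link header (assumption from MS-SHLLINK)
LNK_CLSID_TEXT = "{00021401-0000-0000-c000-000000000046}"


def guid_from_bytes(data: bytes) -> str:
    """Render a 16-byte on-disk GUID in {8-4-4-4-12} notation.

    Data1 (4 bytes), Data2 and Data3 (2 bytes each) are stored little-endian;
    the trailing 8 bytes (Data4) are stored in the order they are printed.
    """
    if len(data) != 16:
        raise ValueError("a GUID is exactly 16 bytes")
    data1, data2, data3 = struct.unpack_from("<IHH", data, 0)
    data4 = data[8:]
    return "{%08x-%04x-%04x-%s-%s}" % (
        data1, data2, data3, data4[:2].hex(), data4[2:].hex())


def guid_from_bytes_naive(data: bytes) -> str:
    """The mistake behind the '00c0' form: the fourth group is byte-swapped as if
    it were another little-endian 16-bit field."""
    data1, data2, data3, data4_head = struct.unpack_from("<IHHH", data, 0)
    return "{%08x-%04x-%04x-%04x-%s}" % (
        data1, data2, data3, data4_head, data[10:].hex())


def bytes_from_guid(text: str) -> bytes:
    """Inverse of guid_from_bytes: {...} text back to the 16 on-disk bytes."""
    return uuid.UUID(text.strip("{}")).bytes_le


def is_lnk_header(data: bytes) -> bool:
    """Check HeaderSize and the LNK class identifier, doing the length check
    first so a truncated input is rejected instead of being read past its end."""
    if len(data) < 4 + 16:
        return False
    (header_size,) = struct.unpack_from("<I", data, 0)
    if header_size != LNK_HEADER_SIZE:
        return False
    return guid_from_bytes(data[4:20]) == LNK_CLSID_TEXT


# Constructed minimal header: HeaderSize, CLSID, remaining header fields zeroed.
SAMPLE_HEADER = (struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID_BYTES
                 + bytes(LNK_HEADER_SIZE - 20))

if __name__ == "__main__":
    print("correct notation :", guid_from_bytes(LNK_CLSID_BYTES))
    print("naive notation   :", guid_from_bytes_naive(LNK_CLSID_BYTES))
    print("uuid.UUID agrees :", uuid.UUID(bytes_le=LNK_CLSID_BYTES))
    print("sample header ok :", is_lnk_header(SAMPLE_HEADER))
    print("truncated header :", is_lnk_header(SAMPLE_HEADER[:10]))
```

`uuid.UUID(bytes_le=...)` from the standard library applies exactly this mixed-endian layout, which is a quick way to cross-check any GUID rendering you see in documentation against the bytes on disk.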

Incorrect use of network_share_name_offset for device_name in liblnk_location_information.c

As I understand from issue #13 the bug was patched in commit 63b54a3, but while fuzzing lnkinfo from the master branch I still encounter this issue. I compiled liblnk with gcc and g++ with ASAN enabled; the fuzzing results showed me a heap-buffer-overflow in liblnk_location_information.c

ASAN

==28798==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b000000151 at pc 0x5581cae93d41 bp 0x7ffe7f8128c0 sp 0x7ffe7f8128b0
READ of size 1 at 0x60b000000151 thread T0
    #0 0x5581cae93d40 in liblnk_location_information_read_data /home/input0/liblnk/liblnk/liblnk_location_information.c:1328
    #1 0x5581cae948b8 in liblnk_location_information_read /home/input0/liblnk/liblnk/liblnk_location_information.c:1914
    #2 0x5581cae6e39f in liblnk_file_open_read /home/input0/liblnk/liblnk/liblnk_file.c:1282
    #3 0x5581cae6e39f in liblnk_file_open_file_io_handle /home/input0/liblnk/liblnk/liblnk_file.c:628
    #4 0x5581cae6fb86 in liblnk_file_open /home/input0/liblnk/liblnk/liblnk_file.c:346
    #5 0x5581cad4ff8a in info_handle_open_input /home/input0/liblnk/lnktools/info_handle.c:415
    #6 0x5581cad4c16b in main /home/input0/liblnk/lnktools/lnkinfo.c:265
    #7 0x7ff3e71a4b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #8 0x5581cad4f029 in _start (/home/input0/liblnk/lnktools/lnkinfo+0x48029)

0x60b000000151 is located 0 bytes to the right of 97-byte region [0x60b0000000f0,0x60b000000151)
allocated by thread T0 here:
    #0 0x7ff3e7871b50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
    #1 0x5581cae9471c in liblnk_location_information_read /home/input0/liblnk/liblnk/liblnk_location_information.c:1883

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/input0/liblnk/liblnk/liblnk_location_information.c:1328 in liblnk_location_information_read_data
Shadow bytes around the buggy address:
  0x0c167fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c167fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c167fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c167fff8000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c167fff8010: 00 00 00 00 00 fa fa fa fa fa fa fa fa fa 00 00
=>0x0c167fff8020: 00 00 00 00 00 00 00 00 00 00[01]fa fa fa fa fa
  0x0c167fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c167fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c167fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c167fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c167fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==28798==ABORTING

I've attached poc.zip for reference. I also observed that the program doesn't return any SEGFAULT when I pass the above corpus (with ASAN disabled). I request the maintainer to please have a look or suggest if I am missing something here.

unable to compile HEAD

Hi,
the latest version cannot be compiled.
The error information:

gcc: error: @LIBCERROR_DLL_EXPORT@: No such file or directory
Makefile:620: recipe for target 'libcerror_error.lo' failed
make[1]: *** [libcerror_error.lo] Error 1
make[1]: *** Waiting for unfinished jobs....
libtool: compile:  gcc -DHAVE_CONFIG_H -I. -I../common -I../include -I../common @LIBCERROR_DLL_EXPORT@ -g -O2 -Wall -MT libcerror_system.lo -MD -MP -MF .deps/libcerror_system.Tpo -c libcerror_system.c  -fPIC -DPIC -o .libs/libcerror_system.o
gcc: error: @LIBCERROR_DLL_EXPORT@: No such file or directory
Makefile:620: recipe for target 'libcerror_system.lo' failed
make[1]: *** [libcerror_system.lo] Error 1
libtool: compile:  gcc -DHAVE_CONFIG_H -I. -I../common -I../include -I../common @LIBCERROR_DLL_EXPORT@ -g -O2 -Wall -MT libcerror_support.lo -MD -MP -MF .deps/libcerror_support.Tpo -c libcerror_support.c  -fPIC -DPIC -o .libs/libcerror_support.o
gcc: error: @LIBCERROR_DLL_EXPORT@: No such file or directory
Makefile:620: recipe for target 'libcerror_support.lo' failed
make[1]: *** [libcerror_support.lo] Error 1
make[1]: Leaving directory '/home/hjwang/Fuzz_Experiment/liblnk-fast/libcerror'
Makefile:747: recipe for target 'all-recursive' failed
make: *** [all-recursive] Error 1

Incorrect and misleading security advisories CVE-2018-12096, CVE-2018-12097 and CVE-2018-12098

Incorrect and misleading security advisories

Recently I was made aware of CVE-2018-12096, CVE-2018-12097 and CVE-2018-12098.

First of all I was surprised to see these “Security Advisories” (quotation intended), seeing neither Mitre (who are responsible for issuing CVEs) nor the reporter had reached out to me, seeing I’m the maintainer of liblnk.

The reporter 熊文彬 <bear.xiong () dbappsecurity com cn> did not reach out to this project. So apparently this reporter does not care much for getting bugs fixed.

First some context

Liblnk clearly indicates it has alpha status and HEAD, which is work in progress. So it will likely contain bugs.

See Wikipedia for an explanation of alpha: https://en.wikipedia.org/wiki/Software_release_life_cycle#Alpha

You cannot expect normal (open source) development if every pre-release or development version is scrutinized as stable software. It will take time and effort to get to stable and secure.

Lack of due diligence

Neither Mitre nor the reporter reached out to me, as the project maintainer, before they made their "advisory" (quotation intended).

@hongxuchen did the responsible thing and let me know about the reported issues via #13

Mitre and NVD and their arbitrary CVE process

The status of CVE-2018-12096, CVE-2018-12097 and CVE-2018-12098 reads:

This vulnerability is currently awaiting analysis.

How can you post an advisory if you have not done your analysis?

... in liblnk through 2018-04-19 allows remote attackers to cause an information
disclosure (heap-based buffer over-read) via a crafted lnk file.

To date I have not seen any proof how a special crafted lnk file would cause information disclosure.

Also, to date Mitre has not provided any evidence of their claims after numerous requests to do so.

As seen in http://seclists.org/fulldisclosure/2018/Jun/33 CVE-2018-12096 describes an OOB read bug in libuna not in liblnk.

 READ of size 1 at 0x60200000006f thread T0
     #0 0x58f616 in libuna_utf8_string_size_from_byte_stream /home/xxx/liblnk/libuna/libuna_utf8_string.c:82:6
     #1 0x606cf0 in liblnk_data_string_get_utf8_string_size /home/xxx/liblnk/liblnk/liblnk_data_string.c:434:12
     #2 0x5ea89c in liblnk_file_get_utf8_command_line_arguments_size /home/xxx/liblnk/liblnk/liblnk_file.c:5301:6
     #3 0x52cdc9 in info_handle_command_line_arguments_fprint /home/xxx/liblnk/lnktools/info_handle.c:1792:11
     #4 0x52ecf4 in info_handle_file_fprint /home/xxx/liblnk/lnktools/info_handle.c:2624:6
     #5 0x52fc63 in main /home/xxx/liblnk/lnktools/lnkinfo.c:277:6
     #6 0x7f79fb92282f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
     #7 0x42c678 in _start (/home/xxx/liblnk/lnktools/lnkinfo+0x42c678)

It is now August 8, 2018 and Mitre CVE has not responded to multiple inquiries (except for their auto-response). Again Mitre CVE is not giving me confidence in their ability to provide a "responsible disclosure" process (for additional context see: libyal/libevt#5).

August 8, 2018 more wild speculations by NIST NVD

More wild speculations by NIST NVD in CVE-2018-12097 and CVE-2018-12098

Access Vector (AV): Network 
Access Complexity (AC): Medium 
Authentication (AU): None 
Confidentiality (C): Partial 
Integrity (I): None 
Availability (A): None 
Additional Information: 
Victim must voluntarily interact with attack mechanism
Allows unauthorized disclosure of information
  1. There is no proof for denial-of-service, no crashes have been presented.
  2. There are no network capabilities in liblnk

Did NIST NVD consult the project maintainer? Of course not, why do due diligence?

Thank you Mitre CVE and Nist NVD for having such a "responsible disclosure" process (quotation intended). It is very nice that you want the software developer to meet your standards, but when are you going to self-impose quality standards on your own work?

August 18, 2018 some rectification by NIST NVD

After reaching out to NVD they did a more realistic assessment this time:

CVSS v2.0 Severity and Metrics:
Base Score: 1.9 LOW 
Vector: (AV:L/AC:M/Au:N/C:P/I:N/A:N) (V2 legend) 
Impact Subscore: 2.9 
Exploitability Subscore: 3.4

Access Vector (AV): Local 
Access Complexity (AC): Medium 
Authentication (AU): None 
Confidentiality (C): Partial 
Integrity (I): None 
Availability (A): None 
Additional Information: 
Victim must voluntarily interact with attack mechanism
Allows unauthorized disclosure of information

However no proof has been provided for the claims "Allows unauthorized disclosure of information", seeing this is similar to libyal/libfsntfs#8. I likely have to "thank" the reporter and Mitre CVE for being unable to provide impact assessments that are backed by proof.
