Comments (8)
POC is not considered a valid file and hits another safeguard.
liblnk_location_information_read_data: network share name offset exceeds network share information data.
liblnk_location_information_read: unable to read location information.
liblnk_file_open_read: unable to read location information.
liblnk_file_open_file_io_handle: unable to read from file IO handle.
liblnk_file_open: unable to open file: issue40-1.lnk.
info_handle_open_input: unable to open input file.
Yet another example of Mitre CVE failing to do due diligence.
Worst case for the POC is an OOB read of 8, but the data read does not appear to be used further since the error path is triggered. So this is mainly an issue with little/no impact.
from liblnk.
I'll have a closer look when time permits but this looks like an OOB read of 1, flagged by ASAN because it is strict by nature.
This is definitely not a heap buffer overflow since nothing is written.
We found Heap Buffer Overflow in lnkinfo binary and lnkinfo is compiled with clang enabling ASAN.
@c0d3xpl0it can you spend a bit more time analyzing the fuzzer results before making claims next time, thanks in advance.
Appears to have been assigned CVE-2019-17401.
@nluedtke thanks for the info, but per #33 CVE numbers and NVD evaluations are essentially useless security advice.
Below is the output with the attached POC on the old commit c962bb7 (lnkinfo 20191006), on which I reported the issue:
fuzzer@thickfuzzer:~/victim/liblnk/lnktools$ ./lnkinfo -v POC
lnkinfo 20191006
=================================================================
==28265==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000ddff at pc 0x0000005a4184 bp 0x7ffe2b2b9610 sp 0x7ffe2b2b9608
READ of size 1 at 0x60400000ddff thread T0
#0 0x5a4183 in liblnk_location_information_read_data /home/fuzzer/victim/liblnk/liblnk/liblnk_location_information.c:1090:4
#1 0x5a45d7 in liblnk_location_information_read /home/fuzzer/victim/liblnk/liblnk/liblnk_location_information.c:1915:6
#2 0x58e4b8 in liblnk_file_open_read /home/fuzzer/victim/liblnk/liblnk/liblnk_file.c:1282:16
#3 0x58d718 in liblnk_file_open_file_io_handle /home/fuzzer/victim/liblnk/liblnk/liblnk_file.c:628:6
#4 0x58d0de in liblnk_file_open /home/fuzzer/victim/liblnk/liblnk/liblnk_file.c:346:6
#5 0x4eb095 in info_handle_open_input /home/fuzzer/victim/liblnk/lnktools/info_handle.c:415:6
#6 0x4f1728 in main /home/fuzzer/victim/liblnk/lnktools/lnkinfo.c:265:6
#7 0x7f7c3fbbc82f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
#8 0x418c68 in _start (/home/fuzzer/victim/liblnk/lnktools/lnkinfo+0x418c68)
0x60400000ddff is located 0 bytes to the right of 47-byte region [0x60400000ddd0,0x60400000ddff)
allocated by thread T0 here:
#0 0x4b8d98 in malloc (/home/fuzzer/victim/liblnk/lnktools/lnkinfo+0x4b8d98)
#1 0x5a454b in liblnk_location_information_read /home/fuzzer/victim/liblnk/liblnk/liblnk_location_information.c:1884:42
#2 0x58e4b8 in liblnk_file_open_read /home/fuzzer/victim/liblnk/liblnk/liblnk_file.c:1282:16
#3 0x58d718 in liblnk_file_open_file_io_handle /home/fuzzer/victim/liblnk/liblnk/liblnk_file.c:628:6
#4 0x7f7c3fbd5785 in getenv /build/glibc-LK5gWL/glibc-2.23/stdlib/getenv.c:35
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/fuzzer/victim/liblnk/liblnk/liblnk_location_information.c:1090:4 in liblnk_location_information_read_data
Shadow bytes around the buggy address:
0x0c087fff9b60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff9b70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff9b80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff9b90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff9ba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c087fff9bb0: fa fa fa fa fa fa fa fa fa fa 00 00 00 00 00[07]
0x0c087fff9bc0: fa fa 00 00 00 00 00 02 fa fa fd fd fd fd fd fd
0x0c087fff9bd0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fd
0x0c087fff9be0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
0x0c087fff9bf0: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 fa
0x0c087fff9c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==28265==ABORTING
Below is the output with the attached POC on the latest commit 6a5ee82 (lnkinfo 20191010):
fuzzer@thickfuzzer:~/victim/test/liblnk/lnktools$ ./lnkinfo -v /home/fuzzer/victim/liblnk/lnktools/POC
lnkinfo 20191010
liblnk_location_information_read_data: location information value size value out of bounds.
liblnk_location_information_read: unable to read location information.
liblnk_file_open_read: unable to read location information.
liblnk_file_open_file_io_handle: unable to read from file IO handle.
liblnk_file_open: unable to open file: /home/fuzzer/victim/liblnk/lnktools/POC.
info_handle_open_input: unable to open input file.
@c0d3xpl0it yes I know, what are you trying to tell me? That adding an additional safeguard prevents ASAN from raising the issue?
BTW if you run c962bb7 without ASAN you'll get:
liblnk_location_information_read_data: network share name offset exceeds network share information data.
liblnk_location_information_read: unable to read location information.
liblnk_file_open_read: unable to read location information.
liblnk_file_open_file_io_handle: unable to read from file IO handle.
liblnk_file_open: unable to open file: issue40-1.lnk.
info_handle_open_input: unable to open input file.
For completeness, since I did not get around to this yet: added an additional safeguard to prevent ASAN from detecting an OOB read in 6a5ee82.
Closing issue.
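As an added illustration (this is not liblnk's code and not the change in 6a5ee82), here is a simplified parser for a network-share-information style block with the kind of bounds checks discussed in this thread: the size field is validated against the real buffer before it is trusted, a string offset equal to the block size (the "0 bytes to the right of the region" read ASAN flagged above) is rejected before any byte is read, and the name is scanned with memchr bounded to the block so an unterminated string cannot run past the end. The 16-byte header layout (size, flags, net name offset, device name offset) is an assumption loosely modelled on the CommonNetworkRelativeLink header, not liblnk's structure definitions, and the sample blocks are constructed for the example rather than taken from the POC file.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result codes for the example parser (defined here, not liblnk's). */
enum {
    LNK_OK                =  0,
    LNK_ERR_TOO_SMALL     = -1,  /* buffer shorter than the fixed header */
    LNK_ERR_SIZE_FIELD    = -2,  /* size field smaller than header or larger than buffer */
    LNK_ERR_OFFSET_OOB    = -3,  /* string offset not inside the block */
    LNK_ERR_UNTERMINATED  = -4,  /* no NUL before the end of the block */
    LNK_ERR_NAME_TOO_LONG = -5   /* caller's output buffer too small */
};

/* Hypothetical fixed header: size, flags, net name offset, device name offset
 * (little-endian uint32 each). Loosely modelled on CommonNetworkRelativeLink. */
#define NET_INFO_HEADER_SIZE 16u

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8)
         | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Find the NUL-terminated string starting at `offset` inside data[0, size).
 * memchr is bounded to the block, so nothing is read at or past data + size. */
static int bounded_string(const uint8_t *data, size_t size, size_t offset,
                          size_t *length_out)
{
    /* offset == size is exactly the one-past-the-end read ASAN reported. */
    if (offset < NET_INFO_HEADER_SIZE || offset >= size)
        return LNK_ERR_OFFSET_OOB;
    const uint8_t *nul = memchr(data + offset, '\0', size - offset);
    if (nul == NULL)
        return LNK_ERR_UNTERMINATED;
    *length_out = (size_t)(nul - (data + offset));
    return LNK_OK;
}

/* Parse the block and copy the network share name into net_name. */
int parse_network_share_info(const uint8_t *data, size_t data_size,
                             char *net_name, size_t net_name_capacity)
{
    if (data_size < NET_INFO_HEADER_SIZE)
        return LNK_ERR_TOO_SMALL;
    uint32_t block_size = read_le32(data);
    /* Trust the size field only after checking it against the real buffer. */
    if (block_size < NET_INFO_HEADER_SIZE || block_size > data_size)
        return LNK_ERR_SIZE_FIELD;
    uint32_t net_name_offset = read_le32(data + 8);
    size_t length = 0;
    int rc = bounded_string(data, block_size, net_name_offset, &length);
    if (rc != LNK_OK)
        return rc;
    if (length + 1 > net_name_capacity)
        return LNK_ERR_NAME_TOO_LONG;
    memcpy(net_name, data + net_name_offset, length + 1);
    return LNK_OK;
}

/* Constructed sample blocks (not taken from the POC file). */
/* Well-formed: 28-byte block, net name at offset 16, "\\srv\share" + NUL. */
const uint8_t SAMPLE_GOOD[28] = {
    0x1c, 0, 0, 0,  0x02, 0, 0, 0,  0x10, 0, 0, 0,  0, 0, 0, 0,
    '\\', '\\', 's', 'r', 'v', '\\', 's', 'h', 'a', 'r', 'e', '\0'
};
/* Same block, but the net name offset equals the block size (one past the end). */
const uint8_t SAMPLE_BAD_OFFSET[28] = {
    0x1c, 0, 0, 0,  0x02, 0, 0, 0,  0x1c, 0, 0, 0,  0, 0, 0, 0,
    '\\', '\\', 's', 'r', 'v', '\\', 's', 'h', 'a', 'r', 'e', '\0'
};
/* 27-byte block whose name runs to the end without a terminator. */
const uint8_t SAMPLE_UNTERMINATED[27] = {
    0x1b, 0, 0, 0,  0x02, 0, 0, 0,  0x10, 0, 0, 0,  0, 0, 0, 0,
    '\\', '\\', 's', 'r', 'v', '\\', 's', 'h', 'a', 'r', 'e'
};

int main(void)
{
    char name[64];
    int rc = parse_network_share_info(SAMPLE_GOOD, sizeof SAMPLE_GOOD, name, sizeof name);
    printf("good: rc=%d name=%s\n", rc, rc == LNK_OK ? name : "(none)");
    rc = parse_network_share_info(SAMPLE_BAD_OFFSET, sizeof SAMPLE_BAD_OFFSET, name, sizeof name);
    printf("offset == size: rc=%d\n", rc);
    rc = parse_network_share_info(SAMPLE_UNTERMINATED, sizeof SAMPLE_UNTERMINATED, name, sizeof name);
    printf("unterminated: rc=%d\n", rc);
    return 0;
}
```

The point of the structure is that every read is bounded by a value that has itself already been checked against the buffer actually in memory, so a hostile size or offset field only changes which error is returned, never which address is dereferenced; this is also why such a rejection shows up as an error message rather than an ASAN report, as in the 6a5ee82 output above.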
And again NVD showing their incompetence as usual, https://nvd.nist.gov/vuln/detail/CVE-2019-17401:
CVSS v2.0 Severity and Metrics:
Base Score: 2.1 LOW
Vector: (AV:L/AC:L/Au:N/C:N/I:N/A:P) (V2 legend)
Impact Subscore: 2.9
Exploitability Subscore: 3.9
Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (AU): None
Confidentiality (C): None
Integrity (I): None
Availability (A): Partial
Additional Information:
Allows disruption of service
"Allows disruption of service" WTF?
- the file is not considered valid to start with, so there is no proof of a disruption
- liblnk does not provide "a service"