
huntr report 06E2484C-D6F1-4497-AF67-26549BE9FFFD (reporter: 7resp4ss)
History: Aug 11, 2023 - 6:44 p.m.

Heap-based Buffer Overflow

2023-08-11 18:44:23
7resp4ss
www.huntr.dev
Project: radare2
Tags: heap-based, buffer-overflow, address-sanitizer, decode, linux-x86-64, gcc, g++, asan

EPSS: 0.001 (percentile 46.9%)

Description

Heap-based buffer overflow (out-of-bounds read of 1 byte) in decode at p/bf/plugin.c:176, the bf (brainfuck) arch plugin. The 255-byte heap region is allocated at p/bf/plugin.c:167 and read one byte past its end; the path is reached from r_arch_decode -> r_anal_op during the automatic analysis that radare2 -A performs on the crafted input file.

Environment

radare2 5.8.9 31000 @ linux-x86-64
commit: 95b648f0907e91e10d55fc48147a7dae99029c5b

Build

export CC=gcc CXX=g++ CFLAGS="-fsanitize=address -static-libasan" CXXFLAGS="-fsanitize=address -static-libasan" LDFLAGS="-fsanitize=address -static-libasan"

./configure && make && make install

Proof of Concept

radare2 -A ./heap-buffer-overflow-poc0x1

Attachment: poc (the input file used above)

ASan report

==286237==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61100015607f at pc 0x7f33249902bd bp 0x7fff636244a0 sp 0x7fff63624490
READ of size 1 at 0x61100015607f thread T0
    #0 0x7f33249902bc in decode p/bf/plugin.c:176
    #1 0x7f3324238256 in r_arch_decode /home/hack/fuzz/radare2/libr/arch/arch.c:292
    #2 0x7f33222b4d29 in r_anal_op /home/hack/fuzz/radare2/libr/anal/op.c:186
    #3 0x7f332596b909 in _anal_calls /home/hack/fuzz/radare2/libr/core/cmd_anal.c:8705
    #4 0x7f332596c4df in cmd_anal_calls /home/hack/fuzz/radare2/libr/core/cmd_anal.c:8811
    #5 0x7f33259892f3 in cmd_anal_all /home/hack/fuzz/radare2/libr/core/cmd_anal.c:12465
    #6 0x7f332599120a in cmd_anal /home/hack/fuzz/radare2/libr/core/cmd_anal.c:13726
    #7 0x7f3325b2dbe1 in r_cmd_call /home/hack/fuzz/radare2/libr/core/cmd_api.c:520
    #8 0x7f3325a5e192 in r_core_cmd_call /home/hack/fuzz/radare2/libr/core/cmd.c:6266
    #9 0x7f3321f74e46 in perform_analysis /home/hack/fuzz/radare2/libr/main/radare2.c:428
    #10 0x7f3321f7ca28 in r_main_radare2 /home/hack/fuzz/radare2/libr/main/radare2.c:1633
    #11 0x56371e08ad6b in main /home/hack/fuzz/radare2/binr/radare2/radare2.c:102
    #12 0x7f3321d0a082 in __libc_start_main ../csu/libc-start.c:308
    #13 0x56371df5e5fd in _start (/home/hack/fuzz_r2/asan_r2/bin/radare2+0x3e5fd)

0x61100015607f is located 0 bytes to the right of 255-byte region [0x611000155f80,0x61100015607f)
allocated by thread T0 here:
    #0 0x56371e049288 in malloc (/home/hack/fuzz/asan_r2/bin/radare2+0x129288)
    #1 0x7f3324990034 in decode p/bf/plugin.c:167
    #2 0x7f3324238256 in r_arch_decode /home/hack/fuzz/radare2/libr/arch/arch.c:292
    #3 0x7f33222b4d29 in r_anal_op /home/hack/fuzz/radare2/libr/anal/op.c:186
    #4 0x7f332596b909 in _anal_calls /home/hack/fuzz/radare2/libr/core/cmd_anal.c:8705
    #5 0x7f332596c4df in cmd_anal_calls /home/hack/fuzz/radare2/libr/core/cmd_anal.c:8811
    #6 0x7f33259892f3 in cmd_anal_all /home/hack/fuzz/radare2/libr/core/cmd_anal.c:12465
    #7 0x7f332599120a in cmd_anal /home/hack/fuzz/radare2/libr/core/cmd_anal.c:13726
    #8 0x7f3325b2dbe1 in r_cmd_call /home/hack/fuzz/radare2/libr/core/cmd_api.c:520
    #9 0x7f3325a5e192 in r_core_cmd_call /home/hack/fuzz/radare2/libr/core/cmd.c:6266
    #10 0x7f3321f74e46 in perform_analysis /home/hack/fuzz/radare2/libr/main/radare2.c:428
    #11 0x7f3321f7ca28 in r_main_radare2 /home/hack/fuzz/radare2/libr/main/radare2.c:1633
    #12 0x56371e08ad6b in main /home/hack/fuzz/radare2/binr/radare2/radare2.c:102
    #13 0x7f3321d0a082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow p/bf/plugin.c:176 in decode
Shadow bytes around the buggy address:
  0x0c2280022bb0: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
  0x0c2280022bc0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c2280022bd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2280022be0: fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa fa
  0x0c2280022bf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c2280022c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[07]
  0x0c2280022c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2280022c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2280022c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2280022c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2280022c50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==286237==ABORTING
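Reading the report: the region allocated at p/bf/plugin.c:167 is 255 bytes, and line 176 reads byte offset 255, the first byte past it (ASan: "0 bytes to the right"). The shadow dump's [07] is the same fact in ASan's encoding: one shadow byte covers 8 application bytes, 255 = 31 * 8 + 7, so the last granule has 7 addressable bytes and offset 255 is the first poisoned one. The C program below is an added example, not code from radare2 or from the reporter: it reproduces exactly this ASan signature with a constructed scan loop (the search for ']' is an assumption chosen because bf is the brainfuck plugin; the real logic at line 176 is not on this page) and places the bounded version next to it.

```c
/*
 * Added illustrative example (not radare2's plugin.c): reproduces the ASan
 * signature in the report above, a READ of size 1 located 0 bytes to the
 * right of a 255-byte malloc'd region, and shows the bounded fix.
 * The ']' scan is an assumed stand-in for the plugin's logic, not its code.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define REGION 255 /* matches the 255-byte region in the ASan report */

/* Copies up to REGION bytes of code into a fresh heap buffer. */
static unsigned char *copy_to_region(const unsigned char *code, size_t len, size_t *out_n) {
    unsigned char *buf = malloc(REGION);
    if (!buf) return NULL;
    *out_n = len < REGION ? len : REGION;
    memcpy(buf, code, *out_n);
    return buf;
}

/* Vulnerable: stops only on ']' and never bounds i. Input with no ']' walks
   to buf[REGION], one byte past the allocation; under ASan that is reported as
   "READ of size 1 ... 0 bytes to the right of 255-byte region". */
static int find_close_unbounded(const unsigned char *code, size_t len) {
    size_t n, i = 0;
    unsigned char *buf = copy_to_region(code, len, &n);
    if (!buf) return -1;
    while (buf[i] != ']') {   /* BUG: no check that i < n */
        i++;
    }
    free(buf);
    return (int)i;
}

/* Hardened: the bound is the number of valid bytes, and "not found" is a
   distinct result instead of an out-of-bounds read. */
static int find_close_bounded(const unsigned char *code, size_t len) {
    size_t n, i;
    unsigned char *buf = copy_to_region(code, len, &n);
    if (!buf) return -1;
    for (i = 0; i < n; i++) {
        if (buf[i] == ']') {
            free(buf);
            return (int)i;
        }
    }
    free(buf);
    return -1; /* no terminator within the buffer */
}

/* Why the shadow dump ends in [07]: a shadow byte holds the count of
   addressable bytes in a partially addressable 8-byte granule. For a
   255-byte region that count is 7, so offset 255 is the first poisoned byte. */
static unsigned shadow_partial_count(size_t region_bytes) {
    return (unsigned)(region_bytes % 8);
}

/* Build with: gcc -fsanitize=address -g example.c && ./a.out
   The unbounded call on 255 '+' bytes (no ']') triggers the ASan report. */
int main(void) {
    unsigned char code[REGION];
    memset(code, '+', sizeof code);                                   /* constructed input: no ']' */
    printf("bounded: %d\n", find_close_bounded(code, sizeof code));    /* -1: not found, no overflow */
    printf("shadow: %02x\n", shadow_partial_count(REGION));            /* 07, as in the dump above */
    printf("unbounded: %d\n", find_close_unbounded(code, sizeof code)); /* ASan aborts here */
    return 0;
}
```

Compiled with the same -fsanitize=address flags as the Build section, the unbounded call aborts with a SUMMARY line of the same shape as the report (heap-buffer-overflow, READ of size 1, 255-byte region, shadow [07]); the bounded variant returns -1 on the same input and lets the caller treat a missing terminator as an error rather than as a read past the allocation.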
