Lucene search
Cnitlrt1C22055B-B015-47A8-A57B-4982978751D0HistoryMay 11, 2022 - 10:44 a.m.
Heap-based Buffer Overflow
2022-05-1110:44:47
cnitlrt
www.huntr.dev
11
7.1 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
3.6 Low
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:L/AC:L/Au:N/C:P/I:N/A:P
0.0004 Low
EPSS
Percentile
7.2%
Description
Heap-based Buffer Overflow in msp430_op
Environment
radare2 5.6.9 0 @ linux-x86-64 git.
commit: 5.6.9 build: 2022-05-01__12:17:49
Build
export CC=gcc CXX=g++ CFLAGS="-fsanitize=address -static-libasan" CXXFLAGS="-fsanitize=address -static-libasan" LDFLAGS="-fsanitize=address -static-libasan"
./configure && make
POC
radare2 -q -A ./poc6
Asan
=================================================================
==4030479==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000595d3 at pc 0x7f2b12c8cfa6 bp 0x7ffdf5b699b0 sp 0x7ffdf5b699a0
READ of size 1 at 0x6020000595d3 thread T0
#0 0x7f2b12c8cfa5 in r_read_le16 /home/ubuntu/radare2-master/libr/include/r_endian.h:143
#1 0x7f2b12c8cfa5 in r_read_at_le16 /home/ubuntu/radare2-master/libr/include/r_endian.h:151
#2 0x7f2b12c8cfa5 in msp430_op /home/ubuntu/radare2-master/libr/..//libr/anal/p/anal_msp430.c:60
#3 0x7f2b12de2d19 in r_anal_op /home/ubuntu/radare2-master/libr/anal/op.c:121
#4 0x7f2b14f241df in anal_block_cb /home/ubuntu/radare2-master/libr/core/canal.c:3497
#5 0x7f2b12e267e8 in r_anal_block_recurse_depth_first /home/ubuntu/radare2-master/libr/anal/block.c:562
#6 0x7f2b14f565fd in r_core_recover_vars /home/ubuntu/radare2-master/libr/core/canal.c:3548
#7 0x7f2b14bcd43f in r_core_af /home/ubuntu/radare2-master/libr/core/cmd_anal.c:3926
#8 0x7f2b14f5e320 in r_core_anal_all /home/ubuntu/radare2-master/libr/core/canal.c:4247
#9 0x7f2b14cac9e6 in cmd_anal_all /home/ubuntu/radare2-master/libr/core/cmd_anal.c:11219
#10 0x7f2b14d1aadc in cmd_anal /home/ubuntu/radare2-master/libr/core/cmd_anal.c:12436
#11 0x7f2b14c08d2c in r_core_cmd_subst_i /home/ubuntu/radare2-master/libr/core/cmd.c:4490
#12 0x7f2b14c08d2c in r_core_cmd_subst /home/ubuntu/radare2-master/libr/core/cmd.c:3363
#13 0x7f2b14c1682a in run_cmd_depth /home/ubuntu/radare2-master/libr/core/cmd.c:5384
#14 0x7f2b14c1682a in r_core_cmd /home/ubuntu/radare2-master/libr/core/cmd.c:5467
#15 0x7f2b14c1682a in r_core_cmd /home/ubuntu/radare2-master/libr/core/cmd.c:5398
#16 0x7f2b17aee546 in r_main_radare2 /home/ubuntu/radare2-master/libr/main/radare2.c:1419
#17 0x7f2b178900b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
#18 0x564ce9a25b6d in _start (/home/ubuntu/radare2-master/binr/radare2/radare2+0x9b6d)
0x6020000595d3 is located 1 bytes to the right of 2-byte region [0x6020000595d0,0x6020000595d2)
allocated by thread T0 here:
#0 0x564ce9b10bb8 in __interceptor_malloc (/home/ubuntu/radare2-master/binr/radare2/radare2+0xf4bb8)
#1 0x7f2b14f23c9b in anal_block_cb /home/ubuntu/radare2-master/libr/core/canal.c:3447
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ubuntu/radare2-master/libr/include/r_endian.h:143 in r_read_le16
Shadow bytes around the buggy address:
0x0c0480003260: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c0480003270: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c0480003280: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c0480003290: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c04800032a0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
=>0x0c04800032b0: fa fa fd fa fa fa fd fa fa fa[02]fa fa fa fa fa
0x0c04800032c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c04800032d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c04800032e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c04800032f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0480003300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==4030479==ABORTING
Related
osv
osv
CVE-2022-1714
2022-05-13 15:15:08
alpinelinux
alpinelinux
CVE-2022-1714
2022-05-13 15:15:00
veracode
veracode
Heap-based Buffer Overflow
2022-12-26 12:56:42
ubuntucve
ubuntucve
CVE-2022-1714
2022-05-13 00:00:00
debiancve
debiancve
CVE-2022-1714
2022-05-13 15:15:00
prion
prion
Design/Logic Flaw
2022-05-13 15:15:00
cvelist
cvelist
CVE-2022-1714 Out-of-bounds Read in radareorg/radare2
2022-05-13 00:00:00
cve
cve
CVE-2022-1714
2022-05-13 15:15:00
7.1 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
3.6 Low
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:L/AC:L/Au:N/C:P/I:N/A:P
0.0004 Low
EPSS
Percentile
7.2%
Related for 1C22055B-B015-47A8-A57B-4982978751D0