Heap-based buffer overflow in function inc

2022-06-2904:21:43

acquykhud

www.huntr.dev

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.001 Low

EPSS

Percentile

31.5%

JSON

Description

Heap-based buffer overflow in function inc at misc2.c:344

Version

commit 8eba2bd291b347e3008aa9e565652d51ad638cfa (HEAD, tag: v8.2.5151)

Proof of Concept

guest@elk:~/trung$ valgrind ./vim_latest/src/vim  -u NONE -i NONE -n -m -X -Z -e -s -S ./poc/poc80min3 -c :qa!
==6151== Memcheck, a memory error detector
==6151== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==6151== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==6151== Command: ./vim_latest/src/vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc/poc80min3 -c :qa!
==6151== 
==6151== Invalid read of size 1
==6151==    at 0x223E25: inc (misc2.c:344)
==6151==    by 0x2340DB: nv_put_opt (normal.c:7372)
==6151==    by 0x238604: normal_cmd (normal.c:939)
==6151==    by 0x1B674C: exec_normal (ex_docmd.c:8807)
==6151==    by 0x1B69AF: ex_normal (ex_docmd.c:8693)
==6151==    by 0x1BB2CD: do_one_cmd (ex_docmd.c:2570)
==6151==    by 0x1BB2CD: do_cmdline (ex_docmd.c:992)
==6151==    by 0x2ABF50: do_source_ext (scriptfile.c:1674)
==6151==    by 0x2ACF43: do_source (scriptfile.c:1801)
==6151==    by 0x2ACF43: cmd_source (scriptfile.c:1174)
==6151==    by 0x1BB2CD: do_one_cmd (ex_docmd.c:2570)
==6151==    by 0x1BB2CD: do_cmdline (ex_docmd.c:992)
==6151==    by 0x380B1F: exe_commands (main.c:3133)
==6151==    by 0x380B1F: vim_main2 (main.c:780)
==6151==    by 0x13F6DC: main (main.c:432)
==6151==  Address 0x5e5f794 is 4 bytes after a block of size 4,096 alloc'd
==6151==    at 0x4C31B0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==6151==    by 0x140C70: lalloc (alloc.c:246)
==6151==    by 0x3812AA: mf_alloc_bhdr.isra.3 (memfile.c:884)
==6151==    by 0x382086: mf_new (memfile.c:375)
==6151==    by 0x21480F: ml_new_data (memline.c:4080)
==6151==    by 0x2176CC: ml_open (memline.c:394)
==6151==    by 0x150EB4: open_buffer (buffer.c:186)
==6151==    by 0x380429: create_windows (main.c:2902)
==6151==    by 0x380429: vim_main2 (main.c:711)
==6151==    by 0x13F6DC: main (main.c:432)
==6151== 
==6151== 
==6151== HEAP SUMMARY:
==6151==     in use at exit: 69,739 bytes in 405 blocks
==6151==   total heap usage: 1,204 allocs, 799 frees, 261,409 bytes allocated
==6151== 
==6151== LEAK SUMMARY:
==6151==    definitely lost: 0 bytes in 0 blocks
==6151==    indirectly lost: 0 bytes in 0 blocks
==6151==      possibly lost: 0 bytes in 0 blocks
==6151==    still reachable: 69,739 bytes in 405 blocks
==6151==         suppressed: 0 bytes in 0 blocks
==6151== Rerun with --leak-check=full to see details of leaked memory
==6151== 
==6151== For counts of detected and suppressed errors, rerun with: -v
==6151== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)