Lucene search
Thecrott40F1D75F-FB2F-4281-B585-A41017F217E2HistoryApr 28, 2022 - 8:53 p.m.
Use after free in append_command
2022-04-2820:53:58
thecrott
www.huntr.dev
13
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.003 Low
EPSS
Percentile
63.3%
✍️ Description
When fuzzing vim commit fc78a0369 (works with latest build and latest commit 202b4bd3a per this time of this report) with clang 13 and ASan, I discovered a buffer overflow.
Proof of Concept
Here is the poc
https://drive.google.com/file/d/1QFs9OysjzlRQP4hmfnMdfohaEg8lIZ8y/view?usp=sharing
How to build
LD=lld AS=llvm-as AR=llvm-ar RANLIB=llvm-ranlib CC=clang CXX=clang++ CFLAGS="-fsanitize=address" CXXFLAGS="-fsanitize=address" LDFLAGS="-ldl -fsanitize=address" ./configure --with-features=huge --enable-gui=none
make -j$(nproc)
Proof of Concept
Run crafted file with this command
./vim -u NONE -X -Z -e -s -S poc_mb_copy_char_min -c :qa!
ASan stack trace:
aldo@vps:~/vimbaru/src$ ASAN_OPTIONS=symbolize=1 ASAN_SYMBOLIZER_PATH=/usr/bin/llvm-symbolizer ./vim -u NONE -X -Z -e -s -S poc_mb_copy_char_min -c :qa!
=================================================================
==829948==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000000e81 at pc 0x0000006fc616 bp 0x7fffffff8d10 sp 0x7fffffff8d08
WRITE of size 1 at 0x619000000e81 thread T0
#0 0x6fc615 in append_command /home/aldo/vimtes/src/ex_docmd.c:3449:8
#1 0x6d705d in do_one_cmd /home/aldo/vimtes/src/ex_docmd.c:2618:6
#2 0x6ca342 in do_cmdline /home/aldo/vimtes/src/ex_docmd.c:992:17
#3 0xafd4a5 in do_source_ext /home/aldo/vimtes/src/scriptfile.c:1674:5
#4 0xafaef0 in do_source /home/aldo/vimtes/src/scriptfile.c:1801:12
#5 0xafaa29 in cmd_source /home/aldo/vimtes/src/scriptfile.c:1174:14
#6 0xafa50d in ex_source /home/aldo/vimtes/src/scriptfile.c:1200:2
#7 0x6d6612 in do_one_cmd /home/aldo/vimtes/src/ex_docmd.c:2567:2
#8 0x6ca342 in do_cmdline /home/aldo/vimtes/src/ex_docmd.c:992:17
#9 0x6cd5d0 in do_cmdline_cmd /home/aldo/vimtes/src/ex_docmd.c:586:12
#10 0xed6bb4 in exe_commands /home/aldo/vimtes/src/main.c:3108:2
#11 0xed48e9 in vim_main2 /home/aldo/vimtes/src/main.c:780:2
#12 0xece1d0 in main /home/aldo/vimtes/src/main.c:432:12
#13 0x7ffff78240b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
#14 0x41edcd in _start (/home/aldo/vimtes/src/vim+0x41edcd)
0x619000000e81 is located 0 bytes to the right of 1025-byte region [0x619000000a80,0x619000000e81)
allocated by thread T0 here:
#0 0x499c8d in malloc (/home/aldo/vimtes/src/vim+0x499c8d)
#1 0x4cb0e0 in lalloc /home/aldo/vimtes/src/alloc.c:246:11
#2 0x4cb039 in alloc /home/aldo/vimtes/src/alloc.c:151:12
#3 0xece209 in common_init /home/aldo/vimtes/src/main.c:914:19
#4 0xecdd84 in main /home/aldo/vimtes/src/main.c:185:5
#5 0x7ffff78240b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/aldo/vimtes/src/ex_docmd.c:3449:8 in append_command
Shadow bytes around the buggy address:
0x0c327fff8180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff8190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff81a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff81b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff81c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c327fff81d0:[01]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff81e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff81f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff8200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff8210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff8220: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==829948==ABORTING
Related
nessus
nessus
CBL Mariner 2.0 Security Update: vim (CVE-2022-1616)
2023-03-28 00:00:00
Ubuntu 20.04 LTS : Vim regression (USN-5613-2)
2022-09-19 00:00:00
Ubuntu 18.04 LTS / 20.04 LTS / 22.04 LTS : Vim vulnerabilities (USN-5613-1)
2022-09-15 00:00:00
cve
cve
CVE-2022-1616
2022-05-07 19:15:00
ubuntucve
ubuntucve
CVE-2022-1616
2022-05-07 00:00:00
prion
prion
Design/Logic Flaw
2022-05-07 19:15:00
veracode
veracode
Use-After-Free
2022-05-30 15:13:24
cbl_mariner
cbl_mariner
CVE-2022-1616 affecting package vim 8.2.4774-1
2022-06-15 17:03:10
CVE-2022-1616 affecting package vim 8.2.4743-2
2022-06-03 17:54:02
debiancve
debiancve
CVE-2022-1616
2022-05-07 19:15:00
redhatcve
redhatcve
CVE-2022-1616
2022-05-09 06:45:00
alpinelinux
alpinelinux
CVE-2022-1616
2022-05-07 19:15:00
openvas
openvas
Fedora: Security Advisory for vim (FEDORA-2022-f0db3943d9)
2022-05-12 00:00:00
Fedora: Security Advisory for vim (FEDORA-2022-e92c3ce170)
2022-05-12 00:00:00
Fedora: Security Advisory for vim (FEDORA-2022-8df66cdbef)
2022-05-18 00:00:00
fedora
fedora
[SECURITY] Fedora 36 Update: vim-8.2.4927-1.fc36
2022-05-11 01:22:58
[SECURITY] Fedora 35 Update: vim-8.2.4927-1.fc35
2022-05-11 01:27:18
[SECURITY] Fedora 34 Update: vim-8.2.4927-1.fc34
2022-05-18 01:25:20
cloudlinux
cloudlinux
photon
photon
Important Photon OS Security Update - PHSA-2022-0397
2022-05-26 00:00:00
Important Photon OS Security Update - PHSA-2022-3.0-0397
2022-05-26 00:00:00
Critical Photon OS Security Update - PHSA-2022-0189
2022-05-27 00:00:00
cloudfoundry
cloudfoundry
USN-5613-1: Vim vulnerabilities | Cloud Foundry
2022-09-29 00:00:00
osv
osv
vim vulnerabilities
2022-09-15 11:04:50
vim regression
2022-09-19 12:53:35
vim - security update
2022-05-16 00:00:00
ubuntu
ubuntu
Vim regression
2022-09-19 00:00:00
Vim vulnerabilities
2022-09-15 00:00:00
Vim vulnerabilities
2022-06-06 00:00:00
altlinux
altlinux
Security fix for the ALT Linux 9 package vim version 4:8.2.5019-alt1
2022-06-02 00:00:00
Security fix for the ALT Linux 10 package vim version 4:8.2.5019-alt1
2022-05-31 00:00:00
debian
debian
[SECURITY] [DLA 3011-1] vim security update
2022-05-16 19:42:09
[SECURITY] [DLA 3182-1] vim security update
2022-11-08 14:54:53
redos
redos
ROS-20220525-01
2022-05-25 00:00:00
mageia
mageia
Updated vim packages fix security vulnerability
2022-05-25 21:46:18
amazon
amazon
Medium: vim
2022-07-19 01:26:00
Medium: vim
2022-07-28 20:41:00
suse
suse
Security update for vim (important)
2022-06-16 00:00:00
gentoo
gentoo
Vim, gVim: Multiple Vulnerabilities
2023-05-03 00:00:00
Vim, gVim: Multiple Vulnerabilities
2022-08-21 00:00:00
apple
apple
About the security content of macOS Ventura 13
2022-10-24 00:00:00
avleonov
avleonov
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.003 Low
EPSS
Percentile
63.3%
Related for 40F1D75F-FB2F-4281-B585-A41017F217E2