CVE-2019-17263 libyal libfwsi 安全漏洞-漏洞情报、漏洞详情、安全漏洞、CVE

Exploit Title: libfwsi_extension_block minimum size should be 8 not 6
# Exploit Author: Dhiraj Mishra
# Vendor Homepage: https://github.com/libyal/libyal/wiki/Overview
# Software Link: https://github.com/libyal/libfwsi
# CVE: CVE-2019-17263
# References:
# https://nvd.nist.gov/vuln/detail/CVE-2019-17263
# https://github.com/libyal/libfwsi/issues/13

Summary:
In libyal libfwsi before 20191006,
libfwsi_extension_block_copy_from_byte_stream in libfwsi_extension_block.c
has a heap-based buffer over-read because rejection of an unsupported size
only considers values less than 6, even though values of 6 and 7 are also
unsupported.

ASAN:
==513==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x6140000003f6 at pc 0x0000005204c3 bp 0x7ffeb5d945c0 sp 0x7ffeb5d945b8
READ of size 1 at 0x6140000003f6 thread T0
    #0 0x5204c2 in libfwsi_extension_block_copy_from_byte_stream
/home/dhiraj/liblnk/libfwsi/libfwsi_extension_block.c:276:2
    libyal/liblnk#1 0x52a8f7 in libfwsi_item_copy_from_byte_stream
/home/dhiraj/liblnk/libfwsi/libfwsi_item.c:1245:13
    libyal/liblnk#2 0x52e64f in libfwsi_item_list_copy_from_byte_stream
/home/dhiraj/liblnk/libfwsi/libfwsi_item_list.c:334:7
    libyal/liblnk#3 0x517f94 in info_handle_link_target_identifier_fprint
/home/dhiraj/liblnk/lnktools/info_handle.c:2207:7
    libyal/liblnk#4 0x518f5e in info_handle_file_fprint
/home/dhiraj/liblnk/lnktools/info_handle.c:2667:6
    libyal/liblnk#5 0x519dd4 in main
/home/dhiraj/liblnk/lnktools/lnkinfo.c:277:6
    libyal/liblnk#6 0x7f6705b65b96 in __libc_start_main
/build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    libyal/liblnk#7 0x41a319 in _start
(/home/dhiraj/liblnk/lnktools/lnkinfo+0x41a319)

0x6140000003f6 is located 0 bytes to the right of 438-byte region
[0x614000000240,0x6140000003f6)
allocated by thread T0 here:
    #0 0x4da1d0 in malloc (/home/dhiraj/liblnk/lnktools/lnkinfo+0x4da1d0)
    libyal/liblnk#1 0x517e37 in info_handle_link_target_identifier_fprint
/home/dhiraj/liblnk/lnktools/info_handle.c:2159:45
    libyal/liblnk#2 0x518f5e in info_handle_file_fprint
/home/dhiraj/liblnk/lnktools/info_handle.c:2667:6
    libyal/liblnk#3 0x7f6705b65b96 in __libc_start_main
/build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/dhiraj/liblnk/libfwsi/libfwsi_extension_block.c:276:2 in
libfwsi_extension_block_copy_from_byte_stream
Shadow bytes around the buggy address:
  0x0c287fff8020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c287fff8030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 fa
  0x0c287fff8040: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c287fff8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c287fff8060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c287fff8070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[06]fa
  0x0c287fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c287fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c287fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c287fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c287fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==513==ABORTING
漏洞ID	1772207	漏洞类型	缓冲区错误
发布时间	2019-10-09	更新时间	2019-11-13
CVE编号	CVE-2019-17263	CNNVD-ID	CNNVD-201910-224
漏洞平台	N/A	CVSS评分	N/A
libyal libfwsi 安全漏洞

|漏洞来源

|漏洞详情

|漏洞EXP

|参考资料

检索漏洞

相关漏洞
