libyal libfwsi 安全漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1772207 漏洞类型 缓冲区错误
发布时间 2019-10-09 更新时间 2019-11-13
CVE编号 CVE-2019-17263 CNNVD-ID CNNVD-201910-224
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://cxsecurity.com/issue/WLB-2019100057
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201910-224
|漏洞详情
libyal libfwsi是一款用于访问Windows Shell的库。 libyal libfwsi 20191006之前版本中的libfwsi_extension_block.c文件的‘libfwsi_extension_block_copy_from_byte_stream’函数存在缓冲区错误漏洞。该漏洞源于网络系统或产品在内存上执行操作时,未正确验证数据边界,导致向关联的其他内存位置上执行了错误的读写操作。攻击者可利用该漏洞导致缓冲区溢出或堆溢出等。
|漏洞EXP
Exploit Title: libfwsi_extension_block minimum size should be 8 not 6
# Exploit Author: Dhiraj Mishra
# Vendor Homepage: https://github.com/libyal/libyal/wiki/Overview
# Software Link: https://github.com/libyal/libfwsi
# CVE: CVE-2019-17263
# References:
# https://nvd.nist.gov/vuln/detail/CVE-2019-17263
# https://github.com/libyal/libfwsi/issues/13

Summary:
In libyal libfwsi before 20191006,
libfwsi_extension_block_copy_from_byte_stream in libfwsi_extension_block.c
has a heap-based buffer over-read because rejection of an unsupported size
only considers values less than 6, even though values of 6 and 7 are also
unsupported.

ASAN:
==513==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x6140000003f6 at pc 0x0000005204c3 bp 0x7ffeb5d945c0 sp 0x7ffeb5d945b8
READ of size 1 at 0x6140000003f6 thread T0
    #0 0x5204c2 in libfwsi_extension_block_copy_from_byte_stream
/home/dhiraj/liblnk/libfwsi/libfwsi_extension_block.c:276:2
    libyal/liblnk#1 0x52a8f7 in libfwsi_item_copy_from_byte_stream
/home/dhiraj/liblnk/libfwsi/libfwsi_item.c:1245:13
    libyal/liblnk#2 0x52e64f in libfwsi_item_list_copy_from_byte_stream
/home/dhiraj/liblnk/libfwsi/libfwsi_item_list.c:334:7
    libyal/liblnk#3 0x517f94 in info_handle_link_target_identifier_fprint
/home/dhiraj/liblnk/lnktools/info_handle.c:2207:7
    libyal/liblnk#4 0x518f5e in info_handle_file_fprint
/home/dhiraj/liblnk/lnktools/info_handle.c:2667:6
    libyal/liblnk#5 0x519dd4 in main
/home/dhiraj/liblnk/lnktools/lnkinfo.c:277:6
    libyal/liblnk#6 0x7f6705b65b96 in __libc_start_main
/build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    libyal/liblnk#7 0x41a319 in _start
(/home/dhiraj/liblnk/lnktools/lnkinfo+0x41a319)

0x6140000003f6 is located 0 bytes to the right of 438-byte region
[0x614000000240,0x6140000003f6)
allocated by thread T0 here:
    #0 0x4da1d0 in malloc (/home/dhiraj/liblnk/lnktools/lnkinfo+0x4da1d0)
    libyal/liblnk#1 0x517e37 in info_handle_link_target_identifier_fprint
/home/dhiraj/liblnk/lnktools/info_handle.c:2159:45
    libyal/liblnk#2 0x518f5e in info_handle_file_fprint
/home/dhiraj/liblnk/lnktools/info_handle.c:2667:6
    libyal/liblnk#3 0x7f6705b65b96 in __libc_start_main
/build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/dhiraj/liblnk/libfwsi/libfwsi_extension_block.c:276:2 in
libfwsi_extension_block_copy_from_byte_stream
Shadow bytes around the buggy address:
  0x0c287fff8020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c287fff8030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 fa
  0x0c287fff8040: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c287fff8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c287fff8060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c287fff8070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[06]fa
  0x0c287fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c287fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c287fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c287fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c287fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==513==ABORTING
|参考资料

来源:github.com

链接:https://github.com/libyal/libfwsi/issues/13


来源:github.com

链接:https://github.com/libyal/libfwsi/compare/20181227...20191006


来源:nvd.nist.gov

链接:https://nvd.nist.gov/vuln/detail/CVE-2019-17263