Description - We observed a heap buffer overflow in the function data_dup(const unsigned char *, unsigned), which duplicates a memory buffer, in the file data.cc: it copies “Adata” to “data” using memcpy().
Command in linux - ./advzip -z -p -1 -q -k ./POC
Debug -
ASAN REPORT -
==11275==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62b00000dc15 at pc 0x7f0ffb042733 bp 0x7ffd397b4260 sp 0x7ffd397b3a08
READ of size 30717 at 0x62b00000dc15 thread T0
    #0 0x7f0ffb042732 (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79732)
    #1 0x55c990d7b681 in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34
    #2 0x55c990d7b681 in data_dup(unsigned char const*, unsigned int) /home/aceteam/advancecomp/data.cc:39
    #3 0x55c990d78379 in zip::open() /home/aceteam/advancecomp/zip.cc:888
    #4 0x55c990d6df91 in rezip_single(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned long long&, unsigned long long&, bool, bool, shrink_t, bool) /home/aceteam/advancecomp/rezip.cc:48
    #5 0x55c990d6e3bd in rezip_all(int, char**, bool, bool, shrink_t, bool) /home/aceteam/advancecomp/rezip.cc:85
    #6 0x55c990d71f7a in process(int, char**) /home/aceteam/advancecomp/rezip.cc:601
    #7 0x55c990d6d87a in main /home/aceteam/advancecomp/rezip.cc:623
    #8 0x7f0ffa09db96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #9 0x55c990d6dd59 in _start (/usr/local/bin/advzip+0x3d59)

0x62b00000dc15 is located 0 bytes to the right of 27157-byte region [0x62b000007200,0x62b00000dc15)
allocated by thread T0 here:
    #0 0x7f0ffb0a7b50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
    #1 0x55c990d7b6ca in data_alloc(unsigned int) /home/aceteam/advancecomp/data.cc:51

SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79732)
Shadow bytes around the buggy address:
  0x0c567fff9b30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c567fff9b40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c567fff9b50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c567fff9b60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c567fff9b70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c567fff9b80: 00 00[05]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c567fff9b90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c567fff9ba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c567fff9bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c567fff9bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c567fff9bd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
GDB -
gef➤ r -z -p -1 -q -k $POC
Starting program: advzip -z -p -1 -q -k $POC
Program received signal SIGSEGV, Segmentation fault.
[ Legend: Modified register | Code | Heap | Stack | String ]
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
$rax : 0x00005555558d7120 → 0x00007ffff72743e0 → 0x00007ffff72743d0 → 0x00007ffff72743c0 → 0x00007ffff72743b0 → 0x00007ffff72743a0 → 0x00007ffff7274390 → 0x00007ffff7274380
$rbx : 0x00007fffffffdc00 → 0x0000000000000000
$rcx : 0x00005555558d7120 → 0x00007ffff72743e0 → 0x00007ffff72743d0 → 0x00007ffff72743c0 → 0x00007ffff72743b0 → 0x00007ffff72743a0 → 0x00007ffff7274390 → 0x00007ffff7274380
$rdx : 0x77fd
$rsp : 0x00007fffffffd998 → 0x00005555555955c2 → <data_dup(unsigned+0> mov rcx, rax
$rbp : 0x00005555558deb66 → 0x00bfe7dffffa4b2c
$rsi : 0x00005555558deb66 → 0x00bfe7dffffa4b2c
$rdi : 0x00005555558d7120 → 0x00007ffff72743e0 → 0x00007ffff72743d0 → 0x00007ffff72743c0 → 0x00007ffff72743b0 → 0x00007ffff72743a0 → 0x00007ffff7274390 → 0x00007ffff7274380
$rip : 0x00007ffff7016c40 → <__memmove_avx_unaligned_erms+368> vmovdqu ymm5, YMMWORD PTR [rsi+rdx*1-0x20]
$r8 : 0x0
$r9 : 0x0
$r10 : 0x00005555558c5010 → 0x0000000000000000
$r11 : 0x1
$r12 : 0x77fd
$r13 : 0x16
$r14 : 0x0
$r15 : 0x1
$eflags: [zero CARRY parity ADJUST SIGN trap INTERRUPT direction overflow RESUME virtualx86 identification]
$cs: 0x0033 $ss: 0x002b $ds: 0x0000 $es: 0x0000 $fs: 0x0000 $gs: 0x0000
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
0x00007fffffffd998│+0x0000: 0x00005555555955c2 → <data_dup(unsigned+0> mov rcx, rax ← $rsp
0x00007fffffffd9a0│+0x0008: 0x00007fffffffdc00 → 0x0000000000000000
0x00007fffffffd9a8│+0x0010: 0x00005555558d6ef0 → 0x0000000000000000
0x00007fffffffd9b0│+0x0018: 0x0000000000000001
0x00007fffffffd9b8│+0x0020: 0x0000555555584275 → <zip::open()+2901> mov rdi, QWORD PTR [rsp+0x50]
0x00007fffffffd9c0│+0x0028: 0x0000000000000000
0x00007fffffffd9c8│+0x0030: 0x00000001f7de4ec3
0x00007fffffffd9d0│+0x0038: 0x00007ffff7855ef0 → 0x000d002200028ee8
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────
0x7ffff7016c30 <__memmove_avx_unaligned_erms+352> ja 0x7ffff7016ce1 <__memmove_avx_unaligned_erms+529>
0x7ffff7016c36 <__memmove_avx_unaligned_erms+358> je 0x7ffff7016b21 <__memmove_avx_unaligned_erms+81>
0x7ffff7016c3c <__memmove_avx_unaligned_erms+364> vmovdqu ymm4, YMMWORD PTR [rsi]
→ 0x7ffff7016c40 <__memmove_avx_unaligned_erms+368> vmovdqu ymm5, YMMWORD PTR [rsi+rdx*1-0x20]
0x7ffff7016c46 <__memmove_avx_unaligned_erms+374> vmovdqu ymm6, YMMWORD PTR [rsi+rdx*1-0x40]
0x7ffff7016c4c <__memmove_avx_unaligned_erms+380> vmovdqu ymm7, YMMWORD PTR [rsi+rdx*1-0x60]
0x7ffff7016c52 <__memmove_avx_unaligned_erms+386> vmovdqu ymm8, YMMWORD PTR [rsi+rdx*1-0x80]
0x7ffff7016c58 <__memmove_avx_unaligned_erms+392> mov r11, rdi
0x7ffff7016c5b <__memmove_avx_unaligned_erms+395> lea rcx, [rdi+rdx*1-0x20]
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "advzip", stopped, reason: SIGSEGV
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
[#0] 0x7ffff7016c40 → __memmove_avx_unaligned_erms()
[#1] 0x5555555955c2 → memcpy(__len=0x77fd, __src=0x5555558deb66, __dest=<optimized out>)
[#2] 0x5555555955c2 → data_dup(Adata=0x5555558deb66 ",K\372\377\337", <incomplete sequence \347\277>, Asize=0x77fd)
[#3] 0x555555584275 → zip::open(this=0x7fffffffdc00)
[#4] 0x5555555594c5 → rezip_single(file="$POC", total_0=@0x7fffffffdd58, total_1=@0x7fffffffdd60, quiet=<optimized out>, standard=<optimized out>, level={
level = shrink_fast,
iter = 0x0
}, keep_file_time=0x1)
[#5] 0x55555555a02d → rezip_all(argc=<optimized out>, argv=<optimized out>, quiet=0x1, standard=0x1, level={
level = shrink_fast,
iter = 0x0
}, keep_file_time=0x1)
[#6] 0x55555556874a → process(argc=0x7, argv=0x7fffffffdfe8)
[#7] 0x555555557c63 → main(argc=<optimized out>, argv=<optimized out>)
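Added here as an illustration of the pattern behind the report, not advancecomp's own code: a duplicate routine that trusts a header-derived length (the READ of 30717 bytes from a 27157-byte region above), beside a variant that checks that length against the bytes actually left in the file buffer before copying. All names (dup_unchecked, dup_checked, demo) and the 16-byte input are constructed.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the reported pattern (not advancecomp's code):
 * it copies `size` bytes from `src` without knowing how big `src` is, so a
 * header-derived size that is too large reads past the end, as reported. */
static unsigned char *dup_unchecked(const unsigned char *src, unsigned size)
{
    unsigned char *dst = malloc(size ? size : 1);
    if (dst == NULL) return NULL;
    memcpy(dst, src, size);
    return dst;
}

/* Hardened variant: the caller passes the whole in-memory file buffer and
 * its length; the copy is refused when the header-derived length does not
 * fit in the bytes remaining after `offset`. Returns NULL on error and
 * stores the number of bytes copied in *out_len on success. */
static unsigned char *dup_checked(const unsigned char *buf, size_t buf_len,
                                  size_t offset, size_t hdr_len,
                                  size_t *out_len)
{
    /* Two comparisons so that buf_len - offset can never wrap around. */
    if (offset > buf_len || hdr_len > buf_len - offset)
        return NULL; /* header claims more bytes than the file holds */
    unsigned char *dst = malloc(hdr_len ? hdr_len : 1);
    if (dst == NULL) return NULL;
    memcpy(dst, buf + offset, hdr_len);
    *out_len = hdr_len;
    return dst;
}

/* Constructed input: a 16-byte "file". A header claiming 30 bytes at
 * offset 4 must be rejected, one claiming 12 bytes must be copied intact,
 * and the unchecked copy is fine only while the size is honest. */
static int demo(void)
{
    static const unsigned char file[] = "0123456789abcdef";
    size_t file_len = sizeof file - 1, got = 0;
    unsigned char *p = dup_checked(file, file_len, 4, 30, &got);
    int rejected = (p == NULL);
    free(p);
    p = dup_checked(file, file_len, 4, 12, &got);
    int copied = (p != NULL && got == 12 && memcmp(p, file + 4, 12) == 0);
    free(p);
    unsigned char *q = dup_unchecked(file, 8); /* in-bounds size: no overrun */
    int honest = (q != NULL && memcmp(q, file, 8) == 0);
    free(q);
    return rejected && copied && honest;
}
```

The fix in a real parser is the same shape: bound every length read from the file against the bytes that remain in the buffer before passing it to the copy, and treat a mismatch as a corrupt archive rather than a size to honour.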