Sharutils 4.15.2 Heap-Buffer-Overflow

nafiez <nafiez.skins@xxxxxxxxx> · Wed, 21 Feb 2018 15:33:07 +0800

Unshar scans the input files (typically email messages) looking for the start of a shell archive. If no files are given, then standard input is
processed instead. Shipped along with Sharutils.

Bug was found with AFL. Password: abc123

=================================================================
==11164==ERROR: AddressSanitizer: heap-buffer-overflow on address
0xb5901100 at pc 0x0804c695 bp 0xbfe86f28 sp 0xbfe86f18
READ of size 1 at 0xb5901100 thread T0
    #0 0x804c694 in looks_like_c_code
/home/john/sharutils-4.15.2/src/unshar.c:75
    #1 0x804c694 in find_archive
/home/john/sharutils-4.15.2/src/unshar.c:253
    #2 0x804c694 in unshar_file /home/john/sharutils-4.15.2/src/unshar.c:379
    #3 0x804a2f4 in validate_fname
/home/john/sharutils-4.15.2/src/unshar-opts.c:604
    #4 0x804a2f4 in main /home/john/sharutils-4.15.2/src/unshar-opts.c:639
    #5 0xb70ab636 in __libc_start_main
(/lib/i386-linux-gnu/libc.so.6+0x18636)
    #6 0x804ab95  (/home/john/sharutils-4.15.2/src/unshar+0x804ab95)

0xb5901100 is located 0 bytes to the right of 4096-byte region
[0xb5900100,0xb5901100)
allocated by thread T0 here:
    #0 0xb72dfdee in malloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x96dee)
    #1 0x804c9e4 in init_unshar /home/john/sharutils-4.15.2/src/unshar.c:450
    #2 0xb70ab636 in __libc_start_main
(/lib/i386-linux-gnu/libc.so.6+0x18636)

SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/john/sharutils-4.15.2/src/unshar.c:75 looks_like_c_code
Shadow bytes around the buggy address:
  0x36b201d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x36b201e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x36b201f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x36b20200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x36b20210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x36b20220:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b20230: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b20240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b20250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b20260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b20270: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==11164==ABORTING

Thanks,

nafiez

Attachment:
heap-buffer-overflow.zip

Description: Zip compressed data