vcftools 0.1.15 Out-Of-Bounds Read / Denial Of Service / Buffer Overflow

vcftools version 0.1.15 suffers from out-of-bounds read, denial of service, buffer overflow, and use-after-free vulnerabilities.


MD5 | 2651784ca5ca6bc6e1c40cc6eaf3dd7e

vcftools multiple vulnerabilities
================
Author : Webin security lab - dbapp security Ltd
===============


Introduction:
=============
A set of tools written in Perl and C++ for working with VCF files, such as those generated by the 1000 Genomes Project.
Project website: https://vcftools.github.io/

Affected version:
=====
0.1.15

Vulnerability Description:
==========================
1. the header::add_INFO_descriptor function in header.cpp in vcftools 0.1.15 allow remote attackers to cause a information disclosure(heap-buffer-overflow OOB read) via a crafted vcf file.


./vcftools --vcf heap-buffer-overflow.vcf

==15884==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000368 at pc 0x0000005dd54f bp 0x7ffed30cd750 sp 0x7ffed30cd748
READ of size 8 at 0x603000000368 thread T0
#0 0x5dd54e in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::size() const /usr/bin/../lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/bits/basic_string.h:716:16
#1 0x5dd54e in header::str2int(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int) /home/xxx/vcftools/src/cpp/header.cpp:490
#2 0x5dd54e in header::add_INFO_descriptor(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int) /home/xxx/vcftools/src/cpp/header.cpp:128
#3 0x5d6746 in header::parse_meta(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned int&) /home/xxx/vcftools/src/cpp/header.cpp:30:17
#4 0x841afe in vcf_file::read_header() /home/xxx/vcftools/src/cpp/vcf_file.cpp:62:15
#5 0x840db3 in vcf_file::vcf_file(parameters const&, bool) /home/xxx/vcftools/src/cpp/vcf_file.cpp:42:2
#6 0x84c112 in main /home/xxx/vcftools/src/cpp/vcftools.cpp:31:12
#7 0x7f462144282f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#8 0x41ec18 in _start (/home/xxx/vcftools/afl-fuzz/vcftools+0x41ec18)

0x603000000368 is located 8 bytes to the right of 32-byte region [0x603000000340,0x603000000360)
allocated by thread T0 here:
#0 0x4e2e48 in __interceptor_malloc (/home/xxx/vcftools/afl-fuzz/vcftools+0x4e2e48)
#1 0x7f46223c1e77 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x8de77)
#2 0x5ee39c in std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >::push_back(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /usr/bin/../lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/bits/stl_vector.h:923:4
#3 0x5ee39c in header::tokenize(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, char, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&) /home/xxx/vcftools/src/cpp/header.cpp:453
#4 0x5d986c in header::add_INFO_descriptor(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int) /home/xxx/vcftools/src/cpp/header.cpp:120:3
#5 0x5d6746 in header::parse_meta(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned int&) /home/xxx/vcftools/src/cpp/header.cpp:30:17
#6 0x841afe in vcf_file::read_header() /home/xxx/vcftools/src/cpp/vcf_file.cpp:62:15
#7 0x840db3 in vcf_file::vcf_file(parameters const&, bool) /home/xxx/vcftools/src/cpp/vcf_file.cpp:42:2
#8 0x84c112 in main /home/xxx/vcftools/src/cpp/vcftools.cpp:31:12
#9 0x7f462144282f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291


Reproducer:
heap-buffer-overflow.vcf
CVE:
CVE-2018-11099


2.
The header::add_INFO_descriptor function in header.cpp in VCFtools 0.1.15 allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via a crafted vcf file.

./vcftools --vcf uaf.vcf

==15368==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000001ff0 at pc 0x000000447851 bp 0x7ffe55a71430 sp 0x7ffe55a70be0
READ of size 17 at 0x603000001ff0 thread T0
#4 0x5da1b2 in header::add_INFO_descriptor(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int) /home/xxx/vcftools/src/cpp/header.cpp:145
#5 0x5d6746 in header::parse_meta(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned int&) /home/xxx/vcftools/src/cpp/header.cpp:30:17
#6 0x841afe in vcf_file::read_header() /home/xxx/vcftools/src/cpp/vcf_file.cpp:62:15
#7 0x840db3 in vcf_file::vcf_file(parameters const&, bool) /home/xxx/vcftools/src/cpp/vcf_file.cpp:42:2
#8 0x84c112 in main /home/xxx/vcftools/src/cpp/vcftools.cpp:31:12
#9 0x7fd92c51482f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#10 0x41ec18 in _start (/home/xxx/vcftools/afl-fuzz/vcftools+0x41ec18)

0x603000001ff0 is located 0 bytes inside of 18-byte region [0x603000001ff0,0x603000002002)
freed by thread T0 here:
#12 0x5edf6c in header::tokenize(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, char, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&) /home/xxx/vcftools/src/cpp/header.cpp:448
#13 0x5d986c in header::add_INFO_descriptor(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int) /home/xxx/vcftools/src/cpp/header.cpp:120:3
#14 0x5d6746 in header::parse_meta(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned int&) /home/xxx/vcftools/src/cpp/header.cpp:30:17
#15 0x841afe in vcf_file::read_header() /home/xxx/vcftools/src/cpp/vcf_file.cpp:62:15
#16 0x840db3 in vcf_file::vcf_file(parameters const&, bool) /home/xxx/vcftools/src/cpp/vcf_file.cpp:42:2
#17 0x84c112 in main /home/xxx/vcftools/src/cpp/vcftools.cpp:31:12
#18 0x7fd92c51482f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291

previously allocated by thread T0 here:
#0 0x4e2e48 in __interceptor_malloc (/home/xxx/vcftools/afl-fuzz/vcftools+0x4e2e48)
#1 0x7fd92d493e77 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x8de77)
#2 0x5d986c in header::add_INFO_descriptor(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int) /home/xxx/vcftools/src/cpp/header.cpp:120:3
#3 0x5d6746 in header::parse_meta(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned int&) /home/xxx/vcftools/src/cpp/header.cpp:30:17
#4 0x841afe in vcf_file::read_header() /home/xxx/vcftools/src/cpp/vcf_file.cpp:62:15
#5 0x840db3 in vcf_file::vcf_file(parameters const&, bool) /home/xxx/vcftools/src/cpp/vcf_file.cpp:42:2
#6 0x84c112 in main /home/xxx/vcftools/src/cpp/vcftools.cpp:31:12
#7 0x7fd92c51482f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291

Reproducer:
uaf.vcf
CVE:
CVE-2018-11129

3. The header::add_FORMAT_descriptor function in header.cpp in vcftools allow remote attackers to cause a remote code execution(heap-use-after-free) via a crafted vcf file.

./vcftools --vcf uaf1.vcf

==15444==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000000560 at pc 0x0000004b983c bp 0x7ffc678f42e0 sp 0x7ffc678f3a90
READ of size 2 at 0x606000000560 thread T0
#3 0x5e40ca in header::add_FORMAT_descriptor(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int) /home/xxx/vcftools/src/cpp/header.cpp:216
#4 0x5d7409 in header::parse_meta(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned int&) /home/xxx/vcftools/src/cpp/header.cpp:38:17
#5 0x841afe in vcf_file::read_header() /home/xxx/vcftools/src/cpp/vcf_file.cpp:62:15
#6 0x840db3 in vcf_file::vcf_file(parameters const&, bool) /home/xxx/vcftools/src/cpp/vcf_file.cpp:42:2
#7 0x84c112 in main /home/xxx/vcftools/src/cpp/vcftools.cpp:31:12
#8 0x7efe8ad9782f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#9 0x41ec18 in _start (/home/xxx/vcftools/afl-fuzz/vcftools+0x41ec18)

0x606000000560 is located 0 bytes inside of 49-byte region [0x606000000560,0x606000000591)
freed by thread T0 here:
#12 0x5edf6c in header::tokenize(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, char, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&) /home/xxx/vcftools/src/cpp/header.cpp:448
#13 0x5e408b in header::add_FORMAT_descriptor(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int) /home/xxx/vcftools/src/cpp/header.cpp:215:3
#14 0x5d7409 in header::parse_meta(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned int&) /home/xxx/vcftools/src/cpp/header.cpp:38:17
#15 0x841afe in vcf_file::read_header() /home/xxx/vcftools/src/cpp/vcf_file.cpp:62:15
#16 0x840db3 in vcf_file::vcf_file(parameters const&, bool) /home/xxx/vcftools/src/cpp/vcf_file.cpp:42:2
#17 0x84c112 in main /home/xxx/vcftools/src/cpp/vcftools.cpp:31:12
#18 0x7efe8ad9782f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291

previously allocated by thread T0 here:
#0 0x4e2e48 in __interceptor_malloc (/home/xxx/vcftools/afl-fuzz/vcftools+0x4e2e48)
#1 0x7efe8bd16e77 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x8de77)
#2 0x5e408b in header::add_FORMAT_descriptor(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int) /home/xxx/vcftools/src/cpp/header.cpp:215:3
#3 0x5d7409 in header::parse_meta(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned int&) /home/xxx/vcftools/src/cpp/header.cpp:38:17
#4 0x841afe in vcf_file::read_header() /home/xxx/vcftools/src/cpp/vcf_file.cpp:62:15
#5 0x840db3 in vcf_file::vcf_file(parameters const&, bool) /home/xxx/vcftools/src/cpp/vcf_file.cpp:42:2
#6 0x84c112 in main /home/xxx/vcftools/src/cpp/vcftools.cpp:31:12
#7 0x7efe8ad9782f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291

Reproducer:
uaf1.vcf
CVE:
CVE-2018-11130

===============================
Best,
Webin security lab - dbapp security Ltd





Related Posts