CVE-2022-38223: [BUG] out of bound write in checkType, etc.c:441 · Issue #242 · tats/w3m
There is an out-of-bounds write in checkType located in etc.c in w3m 0.5.3. It can be triggered by sending a crafted HTML file to the w3m binary. It allows an attacker to cause Denial of Service or possibly have unspecified other impact.
Hello, I found an out-of-bounds write in w3m, function checkType, etc.c:441, while testing my new fuzzer.
## Steps to reproduce

```sh
export CC="gcc -fsanitize=address -g" && ./configure --disable-shared && make -j8
./w3m $POC
```
## Environment
- Ubuntu 22.04 (docker image)
- w3m latest commit c515ea8
- gcc 11.2.0
## ASan log

```
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1795279==ERROR: AddressSanitizer: BUS on unknown address (pc 0x5639811267b7 bp 0x7f4212857ffe sp 0x7ffdc528ad90 T0)
==1795279==The signal is caused by a WRITE memory access.
==1795279==Hint: this fault was caused by a dereference of a high value address (see register values below). Dissassemble the provided pc to learn which register was used.
    #0 0x5639811267b7 in checkType /validate/w3m/etc.c:441
    #1 0x5639810ea5e2 in loadBuffer /validate/w3m/file.c:7717
    #2 0x563981110094 in loadSomething /validate/w3m/file.c:230
    #3 0x563981110094 in loadGeneralFile /validate/w3m/file.c:2286
    #4 0x5639810ab87d in main /validate/w3m/main.c:1053
    #5 0x7f42159b4d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #6 0x7f42159b4e3f in __libc_start_main_impl ../csu/libc-start.c:392
    #7 0x5639810af284 in _start (/validate/w3m/w3m+0xb3284)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: BUS /validate/w3m/etc.c:441 in checkType
==1795279==ABORTING
```
## Credit
Han Zheng
NCNIPC of China
Hexhive
## POC
poc0.zip
**rkta** (Contributor) commented Aug 9, 2022
> On Sun, Aug 07, 2022 at 04:27:40AM -0700, Han Zheng wrote:
>
> Hello, I found an out-of-bounds write in w3m, function checkType, etc.c:441 while testing my new fuzzer.
>
> ## step to reproduce
>
> ```
> export CC="gcc -fsanitize=address -g" ./configure --disable-shared && make -j8
> ./w3m $POC
> ```
Can’t reproduce on Debian with the ‘poc0’ from the attached zip file.
Sorry, I wrote the wrong command; the command is `./w3m -dump $POC`.
**kdsjZh** (Author) commented Aug 9, 2022
If it didn't work, could you try the docker ubuntu 22.04 image with the following commands? Or you could give me the Debian version you use.

```sh
apt update && apt install wget git unzip gcc g++ make libgc-dev libtinfo-dev -y
git clone https://github.com/tats/w3m && pushd w3m
export CC="gcc -fsanitize=address -g" && ./configure --disable-shared && make -j8
./w3m -dump $PATH_TO_POC
```

I tried again and it works for me.
**rkta** (Contributor) commented Aug 9, 2022
> On Tue, Aug 09, 2022 at 07:55:19AM -0700, Han Zheng wrote:
> if it didn’t work,

Can not reproduce with ‘-dump’ either.

> could you try ubuntu 22.04 image with following command?

I currently don’t have time to setup a VM, maybe at the weekend, sorry.

> Or you could give me the debian version you use

Debian stable

> ```
> apt update && apt install wget git unzip gcc g++ make libgc-dev libtinfo-dev -y
> git clone https://github.com/tats/w3m && pushd w3m
> export CC="gcc -fsanitize=address -g" && ./configure --disable-shared && make -j8
> ./w3m -dump $PATH_TO_POC
> ```
> I try again and it works for me.
Can you reduce the input file? Does it also reproduce with only the first half or the second half?
**kdsjZh** (Author) commented Aug 9, 2022
I tried Debian stable in a docker image and it still works.

> I currently don’t have time to setup a VM, maybe at the weekend, sorry.

I mean you can install docker on your Debian and copy the following commands:

```sh
docker pull ubuntu:22.04 && docker run -it ubuntu:22.04 bash
# now step into the container
apt update && apt install wget git unzip gcc g++ make libgc-dev libtinfo-dev -y
git clone https://github.com/tats/w3m && pushd w3m
export CC="gcc -fsanitize=address -g" && ./configure --disable-shared && make -j8
wget https://github.com/tats/w3m/files/9276657/poc0.zip && unzip poc0.zip
./w3m -dump ./poc0
```

Please tell me if it's still not working. I could try to reduce the input file later. But I guess it's the environment's fault.
**rkta** (Contributor) commented Aug 10, 2022
> On Tue, Aug 09, 2022 at 08:36:15AM -0700, Han Zheng wrote:
> I try debian stable in docker image and it still works.

I wonder if Docker plays a role here.

> > I currently don’t have time to setup a VM, maybe at the weekend, sorry.
>
> I mean install docker in your debian and copy following command :
>
> ```
> docker pull ubuntu:22.04 && docker run -it ubuntu:22.04 bash
> ## now step into the container
> apt update && apt install wget git unzip gcc g++ make libgc-dev libtinfo-dev -y
> git clone https://github.com/tats/w3m && pushd w3m
> export CC="gcc -fsanitize=address -g" && ./configure --disable-shared && make -j8
> wget https://github.com/tats/w3m/files/9276657/poc0.zip && unzip poc0.zip
> ./w3m -dump ./poc0
> ```
> Pls told me if it’s still not available.

Yes, can reproduce this way.

> I could try to reduce the input file later.

Works:

```
head -c 9215 poc0 | ./w3m -dump
```

Does not work:

```
tail -c 9215 poc0 | ./w3m -dump
head -c 9216 poc0 | tail -c 9215 | ./w3m -dump
```
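The prefix reduction rkta does by hand with `head -c`, written as a bisection loop; this is an added example, not code from the thread or from w3m. It assumes a stdin-driven target such as `./w3m -dump` and uses the target's exit status as the crash oracle.

```sh
#!/bin/sh
# Prefix bisection for a crashing input (added example, not w3m code).
# Assumes a target that reads stdin, e.g. ./w3m -dump, and treats any
# non-zero exit status as "still crashes": an ASan error report exits
# with status 1 by default, a raw signal death gives 128+N.
# Caveat: bisection assumes that if a prefix of N bytes crashes, longer
# prefixes do too. Where that does not hold (the thread shows offsets
# matter here), the result is still a crashing prefix, just not
# necessarily the shortest one.

# crashes NBYTES FILE CMD... -> status 0 if the first NBYTES bytes crash CMD
crashes() {
    n=$1; f=$2; shift 2
    if head -c "$n" "$f" | "$@" >/dev/null 2>&1; then
        return 1    # target exited cleanly: no crash
    else
        return 0
    fi
}

# find_min_prefix FILE CMD... -> prints the smallest crashing prefix length
find_min_prefix() {
    f=$1; shift
    total=$(wc -c < "$f"); total=$((total + 0))
    if ! crashes "$total" "$f" "$@"; then
        echo "full input does not crash the target" >&2
        return 1
    fi
    if crashes 0 "$f" "$@"; then
        echo 0      # even empty stdin crashes; nothing to reduce
        return 0
    fi
    lo=0; hi=$total    # invariant: prefix lo does not crash, prefix hi does
    while [ $((hi - lo)) -gt 1 ]; do
        mid=$(( (lo + hi) / 2 ))
        if crashes "$mid" "$f" "$@"; then hi=$mid; else lo=$mid; fi
    done
    echo "$hi"
}

# Usage against the real target (not run here):
#   n=$(find_min_prefix poc0 ./w3m -dump) && head -c "$n" poc0 > poc0.min
```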
**kdsjZh** (Author) commented Aug 10, 2022
I guess it's not docker. I tried to reproduce it on my physical desktop (Ubuntu 21.10) and succeeded with the following command:

```sh
./w3m -dump crashes/id\:000001\,sig\:11\,src\:000876\,time\:8063946\,execs\:818201\,op\:MOpt_core_havoc\,rep\:8
```

```
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3904622==ERROR: AddressSanitizer: SEGV on unknown address 0x7f186ce09ffe (pc 0x55c246d22787 bp 0x7f186ce09ffe sp 0x7ffe334beb20 T0)
==3904622==The signal is caused by a WRITE memory access.
    #0 0x55c246d22787 in checkType /home/kdsj/workspace/benchmarks/reproduce/w3m/etc.c:441
    #1 0x55c246ce65c2 in loadBuffer /home/kdsj/workspace/benchmarks/reproduce/w3m/file.c:7717
    #2 0x55c246d0c074 in loadSomething /home/kdsj/workspace/benchmarks/reproduce/w3m/file.c:230
    #3 0x55c246d0c074 in loadGeneralFile /home/kdsj/workspace/benchmarks/reproduce/w3m/file.c:2286
    #4 0x55c246ca785d in main /home/kdsj/workspace/benchmarks/reproduce/w3m/main.c:1053
    #5 0x7f186fc77fcf in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #6 0x7f186fc7807c in __libc_start_main_impl ../csu/libc-start.c:409
    #7 0x55c246cab264 in _start (/home/kdsj/workspace/benchmarks/reproduce/w3m/w3m+0xb3264)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/kdsj/workspace/benchmarks/reproduce/w3m/etc.c:441 in checkType
==3904622==ABORTING
```

But when I tried to rename it to poc0, it failed:

```
./w3m -dump crashes/poc0
???????????p???�???*��?&?*?p???�??? �???????????????????���???????
```

Although I checked again and made sure they're the same crash with the same hash…
I guess the name is to blame? Or there might be some random factor?
Related news
Ubuntu Security Notice 5796-1 - It was discovered that w3m incorrectly handled certain HTML files. A remote attacker could use this issue to cause w3m to crash, resulting in a denial of service, or possibly execute arbitrary code.