Headline
CVE-2019-20021: There is a heap-buffer-overflow in the canUnpack function of p_mach.cpp:1539 · Issue #315 · upx/upx
A heap-based buffer over-read was discovered in canUnpack in p_mach.cpp in UPX 3.95 via a crafted Mach-O file.
A crafted input will lead to crash in p_mach.cpp at UPX 3.95(latest version,git clone from branch devel)
Triggered by
./upx.out -d -f POC
OS: Ubuntu 18.04.3 LTS
CPU architecture: x86_64
Poc
002
The ASAN information is as follows:
./upx.out -d -f 002
Ultimate Packer for eXecutables
Copyright (C) 1996 - 2019
UPX git-75a2cc Markus Oberhumer, Laszlo Molnar & John Reiser Feb 24th 2019
File size Ratio Format Name
-------------------- ------ ----------- -----------
=================================================================
==24764==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000010 at pc 0x56476d2e5ab3 bp 0x7ffc2f050250 sp 0x7ffc2f050240
READ of size 4 at 0x602000000010 thread T0
#0 0x56476d2e5ab2 in get_le32(void const*) /home/liuz/upx-asan/upx_new/upx/src/bele.h:164
#1 0x56476d2e5ab2 in LE32::operator unsigned int() const /home/liuz/upx-asan/upx_new/upx/src/bele.h:416
#2 0x56476d2e5ab2 in PackMachBase<N_Mach::MachClass_64<N_BELE_CTP::LEPolicy> >::canUnpack() /home/liuz/upx-asan/upx_new/upx/src/p_mach.cpp:1539
#3 0x56476d3555a6 in try_unpack /home/liuz/upx-asan/upx_new/upx/src/packmast.cpp:114
#4 0x56476d356ad5 in PackMaster::visitAllPackers(Packer* (*)(Packer*, void*), InputFile*, options_t const*, void*) /home/liuz/upx-asan/upx_new/upx/src/packmast.cpp:225
#5 0x56476d3582b0 in PackMaster::getUnpacker(InputFile*) /home/liuz/upx-asan/upx_new/upx/src/packmast.cpp:248
#6 0x56476d3583cf in PackMaster::unpack(OutputFile*) /home/liuz/upx-asan/upx_new/upx/src/packmast.cpp:266
#7 0x56476d3944ee in do_one_file(char const*, char*) /home/liuz/upx-asan/upx_new/upx/src/work.cpp:160
#8 0x56476d39499f in do_files(int, int, char**) /home/liuz/upx-asan/upx_new/upx/src/work.cpp:271
#9 0x56476d2253e6 in main /home/liuz/upx-asan/upx_new/upx/src/main.cpp:1543
#10 0x7ff90c80eb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
#11 0x56476d226549 in _start (/home/liuz/upx-asan/upx_new/upx/src/upx.out+0x5c549)
0x602000000011 is located 0 bytes to the right of 1-byte region [0x602000000010,0x602000000011)
allocated by thread T0 here:
#0 0x7ff90d68c618 in operator new[](unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe0618)
#1 0x56476d2e3bc9 in PackMachBase<N_Mach::MachClass_64<N_BELE_CTP::LEPolicy> >::canUnpack() /home/liuz/upx-asan/upx_new/upx/src/p_mach.cpp:1525
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/liuz/upx-asan/upx_new/upx/src/bele.h:164 in get_le32(void const*)
Shadow bytes around the buggy address:
0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c047fff8000: fa fa[01]fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==24764==ABORTING