CVE-2022-40923: SEGV in LIEF::MachO::SegmentCommand::virtual_address at MachO/SegmentCommand.cpp:137 · Issue #784 · lief-project/LIEF

A vulnerability in the LIEF::MachO::SegmentCommand::virtual_address function of LIEF v0.12.1 allows attackers to cause a denial of service (DOS) through a segmentation fault via a crafted MachO file.


Describe the bug
A bad Mach-O file which can lead LIEF::MachO::Parser::parse() to a segmentation fault.
PoC is here: poc2.zip

// read_macho.c
#include <LIEF/LIEF.hpp>
#include <iostream>
#include <memory>

int main(int argc, char** argv) {
  if (argc != 2) return 0;

  try {
    // Parse the Mach-O (or fat) binary named on the command line.
    std::unique_ptr<LIEF::MachO::FatBinary> macho = LIEF::MachO::Parser::parse(argv[1]);
  } catch (const LIEF::exception& err) {
    std::cerr << err.what() << std::endl;
  }

  return 0;
}

Expected behavior
Parse the Mach-O file without a segmentation fault, because a segmentation fault can cause a Denial of Service (DoS).

ubuntu@ubuntu:~/test/LIEF/fuzz$ ./read_macho ./poc2.bin 
nlist[0].str_idx seems corrupted (0x00700000)
nlist[1].str_idx seems corrupted (0x00015381)
.......
Indirect symbol index is out of range (1392508928 vs max sym: 356)
Wrong index: 7
Wrong index: 7
Wrong index: 7
Wrong index: 7
Wrong index: 7
Wrong index: 7
Wrong index: 7
Wrong index: 7
Wrong index: 7
AddressSanitizer:DEADLYSIGNAL
=================================================================
==837035==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000058 (pc 0x5653a24eacfd bp 0x7ffdbf694b60 sp 0x7ffdbf6943d0 T0)
==837035==The signal is caused by a READ memory access.
==837035==Hint: address points to the zero page.
    #0 0x5653a24eacfc in LIEF::MachO::SegmentCommand::virtual_address() const /home/ubuntu/test/LIEF/src/MachO/SegmentCommand.cpp:137
    #1 0x5653a22244b8 in boost::leaf::result<LIEF::ok_t> LIEF::MachO::BinaryParser::parse_dyldinfo_generic_bind<LIEF::MachO::details::MachO32>() /home/ubuntu/test/LIEF/src/MachO/BinaryParser.tcc:1631
    #2 0x5653a21f1a79 in boost::leaf::result<LIEF::ok_t> LIEF::MachO::BinaryParser::parse_dyldinfo_binds<LIEF::MachO::details::MachO32>() /home/ubuntu/test/LIEF/src/MachO/BinaryParser.tcc:1357
    #3 0x5653a21c1735 in boost::leaf::result<LIEF::ok_t> LIEF::MachO::BinaryParser::parse<LIEF::MachO::details::MachO32>() /home/ubuntu/test/LIEF/src/MachO/BinaryParser.tcc:113
    #4 0x5653a21b2348 in LIEF::MachO::BinaryParser::init_and_parse() /home/ubuntu/test/LIEF/src/MachO/BinaryParser.cpp:145
    #5 0x5653a21b1ab0 in LIEF::MachO::BinaryParser::parse(std::unique_ptr<LIEF::BinaryStream, std::default_delete<LIEF::BinaryStream> >, unsigned long, LIEF::MachO::ParserConfig const&) /home/ubuntu/test/LIEF/src/MachO/BinaryParser.cpp:125
    #6 0x5653a1a3bc01 in LIEF::MachO::Parser::build() /home/ubuntu/test/LIEF/src/MachO/Parser.cpp:174
    #7 0x5653a1a38995 in LIEF::MachO::Parser::parse(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, LIEF::MachO::ParserConfig const&) /home/ubuntu/test/LIEF/src/MachO/Parser.cpp:64
    #8 0x5653a18a3923 in main /home/ubuntu/test/LIEF/fuzz/read_macho.c:8
    #9 0x7f5206270082 in __libc_start_main ../csu/libc-start.c:308
    #10 0x5653a18a355d in _start (/home/ubuntu/test/LIEF/fuzz/read_macho+0x33055d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/ubuntu/test/LIEF/src/MachO/SegmentCommand.cpp:137 in LIEF::MachO::SegmentCommand::virtual_address() const
==837035==ABORTING
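The trace above faults inside SegmentCommand::virtual_address() on an address in the zero page, reached from parse_dyldinfo_generic_bind, which is consistent with a segment looked up by an index that was never validated. As an added example (not LIEF's code and not its fix), here is a standalone decoder for the segment-selecting dyld bind opcode that checks the index against the segment table before any lookup; Segment, read_uleb128, decode_binds and the sample streams are assumptions constructed for this example, while the opcode constants are the ones from mach-o/loader.h.

```cpp
#include <cstddef>
#include <cstdint>
#include <optional>
#include <vector>
// Opcode byte layout from <mach-o/loader.h>: high nibble = opcode, low nibble = immediate.
constexpr uint8_t BIND_OPCODE_MASK = 0xF0, BIND_IMMEDIATE_MASK = 0x0F;
constexpr uint8_t BIND_OPCODE_DONE = 0x00, BIND_OPCODE_SET_SEGMENT_AND_OFFSET_ULEB = 0x70,
                  BIND_OPCODE_DO_BIND = 0x90;
// Hypothetical stand-in for a parsed LC_SEGMENT command (not LIEF's SegmentCommand).
struct Segment { uint64_t vmaddr; uint64_t vmsize; };
// Unsigned LEB128 decoder; nullopt on truncated or over-long input.
static std::optional<uint64_t> read_uleb128(const std::vector<uint8_t>& buf, size_t& pos) {
  uint64_t value = 0;
  for (unsigned shift = 0; shift < 64; shift += 7) {
    if (pos >= buf.size()) return std::nullopt;
    const uint8_t byte = buf[pos++];
    value |= static_cast<uint64_t>(byte & 0x7F) << shift;
    if ((byte & 0x80) == 0) return value;
  }
  return std::nullopt;
}
// Walk a bind-opcode stream and return the bound virtual addresses. The segment index in the
// immediate nibble is checked against the table before use, so a bad index is a parse error.
std::optional<std::vector<uint64_t>> decode_binds(const std::vector<uint8_t>& ops,
                                                  const std::vector<Segment>& segments) {
  std::vector<uint64_t> out;
  const Segment* current = nullptr;  // stays null until a segment opcode selects one
  size_t pos = 0; uint64_t offset = 0;
  while (pos < ops.size()) {
    const uint8_t byte = ops[pos++], imm = byte & BIND_IMMEDIATE_MASK;
    switch (byte & BIND_OPCODE_MASK) {
      case BIND_OPCODE_DONE: return out;
      case BIND_OPCODE_SET_SEGMENT_AND_OFFSET_ULEB: {
        if (imm >= segments.size()) return std::nullopt;  // reject the index before any lookup
        const auto off = read_uleb128(ops, pos);
        if (!off || *off >= segments[imm].vmsize) return std::nullopt;  // offset inside segment
        current = &segments[imm]; offset = *off; break;
      }
      case BIND_OPCODE_DO_BIND:
        if (current == nullptr) return std::nullopt;  // bind requested before any segment set
        out.push_back(current->vmaddr + offset);
        break;
      default: return std::nullopt;  // other opcodes are out of scope for this example
    }
  }
  return out;
}
// Constructed sample input: two segments, a well-formed stream, and a stream naming segment 7.
const std::vector<Segment> kSegments = {{0x1000, 0x1000}, {0x2000, 0x1000}};
const std::vector<uint8_t> kGoodStream = {0x71, 0x10, 0x90, 0x00};      // seg 1, +0x10, bind, done
const std::vector<uint8_t> kBadIndexStream = {0x77, 0x10, 0x90, 0x00};  // seg 7 of 2: rejected
```

The decoder deliberately handles only the three opcodes needed to show the check; a real parser must also apply the same bounds discipline to the dylib ordinal, symbol and address-advance opcodes.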

Related news

GHSA-rm2x-hgr8-w343: LIEF vulnerable to denial of service through segmentation fault

A vulnerability in the LIEF::MachO::SegmentCommand::virtual_address function of LIEF v0.12.1 allows attackers to cause a denial of service (DOS) through a segmentation fault via a crafted MachO file. A [patch](https://github.com/lief-project/LIEF/commit/24935f654f6df700a9a062298258b9485f584502) is available at commit number 24935f654f6df700a9a062298258b9485f584502.
