CVE-2023-26266: Cmplog should search for unprefixed target in PATH, not PWD by YSaxon · Pull Request #1643 · AFLplusplus/AFLplusplus

In AFL++ 4.05c, the CmpLog component uses the current working directory to resolve and execute unprefixed fuzzing targets, allowing code execution.

This fixes a bug in cmplog, where, if afl-fuzz is called with an unprefixed-path target (e.g. -- targetapp instead of -- /path/to/targetapp), while afl-fuzz itself will correctly look for the target in PATH, cmplog instead looks for it in PWD.

If the target does not happen to be in PWD, then it will fail with the confusing error message:

[-] PROGRAM ABORT : Unable to execute target application ('targetapp')
         Location : afl_fsrv_start(), src/afl-forkserver.c:1077

This bug is present in standard instrumented mode and Frida mode, but not QEMU mode.

Inasmuch as it violates the general principle and expectation that unprefixed executables should be resolved via PATH rather than PWD, the bug being fixed here also constitutes a security vulnerability, which could theoretically be exploited by placing a malicious executable of the same name into the user's working directory.
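Added example, written for this page and not taken from AFL++ or the pull request, to make the resolution difference described above concrete. It models a bare target name resolved relative to the working directory (the cmplog behaviour reported here) next to PATH-based resolution (what afl-fuzz itself, and execvp(3), do) against a constructed file layout hidden behind a predicate, so it runs offline. The paths /usr/local/bin/targetapp and /home/user/work/targetapp, the function names and the demo PATH value are assumptions made for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not AFL++ code): two resolution strategies for an
 * unprefixed target name. The filesystem is abstracted behind a predicate
 * so the demo runs against a constructed layout without touching disk. */

typedef int (*exec_check_fn)(const char *path);

/* Constructed layout: the installed target lives in /usr/local/bin and an
 * unrelated file with the same name happens to sit in the user's cwd. */
static const char *const demo_files[] = {
    "/usr/local/bin/targetapp",
    "/home/user/work/targetapp",
    NULL,
};

static int demo_is_executable(const char *path) {
    for (int i = 0; demo_files[i]; i++)
        if (strcmp(demo_files[i], path) == 0) return 1;
    return 0;
}

/* Working-directory resolution (the behaviour the PR fixes): a bare name
 * is joined onto cwd. Returns 1 if that path is executable; OUT is always
 * filled with the path that was tried. */
int resolve_via_cwd(const char *name, const char *cwd, exec_check_fn is_exec,
                    char *out, size_t outlen) {
    if (strchr(name, '/'))
        snprintf(out, outlen, "%s", name);
    else
        snprintf(out, outlen, "%s/%s", cwd, name);
    return is_exec(out);
}

/* PATH resolution: a name containing '/' is used as given; a bare name is
 * tried under each PATH entry in order, so cwd is only consulted if PATH
 * lists it. Empty entries, which POSIX treats as the current directory,
 * are deliberately skipped here as a hardening step beyond plain execvp(3).
 * Returns 1 and fills OUT on success, 0 with OUT empty otherwise. */
int resolve_via_path(const char *name, const char *path_env, exec_check_fn is_exec,
                     char *out, size_t outlen) {
    if (strchr(name, '/')) {
        snprintf(out, outlen, "%s", name);
        return is_exec(out);
    }
    const char *p = path_env;
    while (p && *p) {
        const char *end = strchr(p, ':');
        size_t dirlen = end ? (size_t)(end - p) : strlen(p);
        if (dirlen > 0) {
            snprintf(out, outlen, "%.*s/%s", (int)dirlen, p, name);
            if (is_exec(out)) return 1;
        }
        p = end ? end + 1 : NULL;
    }
    out[0] = '\0';
    return 0;
}

/* Check helpers over the constructed layout: return 1 if NAME resolves
 * exactly to EXPECTED, or, when EXPECTED is NULL, if it does not resolve. */
int check_cwd(const char *name, const char *cwd, const char *expected) {
    char buf[256];
    int found = resolve_via_cwd(name, cwd, demo_is_executable, buf, sizeof buf);
    return expected ? (found && strcmp(buf, expected) == 0) : !found;
}

int check_path(const char *name, const char *path_env, const char *expected) {
    char buf[256];
    int found = resolve_via_path(name, path_env, demo_is_executable, buf, sizeof buf);
    return expected ? (found && strcmp(buf, expected) == 0) : !found;
}

int main(void) {
    char buf[256];
    const char *path_env = "/usr/local/bin:/usr/bin:/bin";  /* assumed demo PATH */
    const char *cwd = "/home/user/work";                    /* assumed demo cwd */

    resolve_via_cwd("targetapp", cwd, demo_is_executable, buf, sizeof buf);
    printf("cwd-relative : %s\n", buf);   /* picks the file in the working directory */
    resolve_via_path("targetapp", path_env, demo_is_executable, buf, sizeof buf);
    printf("PATH-based   : %s\n", buf);   /* picks the installed binary */
    return 0;
}
```

The two strategies agree only when PATH itself lists the working directory ahead of the install location, which is why the same unprefixed name can mean one binary to afl-fuzz and another to cmplog. The defensive pattern is to resolve the name once, via PATH or by requiring a full path, before any component executes it, so that every subcomponent runs the same binary.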

Related news

Gentoo Linux Security Advisory 202408-27

Gentoo Linux Security Advisory 202408-27 - A vulnerability has been discovered in AFLplusplus, which can lead to arbitrary code execution via an untrusted CWD. Versions greater than or equal to 4.06c are affected.
