Headline
CVE-2023-40857: heap-buffer-overflow libyara/exec.c:1426 in yr_execute_code · Issue #1945 · VirusTotal/yara
Buffer Overflow vulnerability in VirusTotal yara v.4.3.2 allows a remote attacker to execute arbtirary code via the yr_execute_cod function in the exe.c component.
Describe the bug
AddressSanitizer: heap-buffer-overflow libyara/exec.c:1426 in yr_execute_code
To Reproduce
Steps to reproduce the behavior:
1, compile yara with asan: ./configure CC=gcc CXX=g++ CFLAGS="-g -O0 -fsanitize=address" CXXFLAGS="-g -O0 -fsanitize=address" LDFLAGS="-g -O0 -fsanitize=address"
2, run this command: ./yara -C PoC binFile
Please complete the following information:
- OS: ubuntu 20.04
- YARA version: 4.3.2
****Additional context**
ASAN reprot:**
==1855158==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000000248 at pc 0x7f168933dfaf bp 0x7ffd229d5530 sp 0x7ffd229d5520
READ of size 8 at 0x604000000248 thread T0
#0 0x7f168933dfae in yr_execute_code libyara/exec.c:1426
#1 0x7f16893a1cd8 in yr_scanner_scan_mem_blocks libyara/scanner.c:526
#2 0x7f16893a27a0 in yr_scanner_scan_mem libyara/scanner.c:670
#3 0x7f16893a2b3e in yr_scanner_scan_fd libyara/scanner.c:706
#4 0x55aa2e6ed11a in scan_file cli/yara.c:736
#5 0x55aa2e6f1444 in main cli/yara.c:1654
#6 0x7f1688c22082 in __libc_start_main …/csu/libc-start.c:308
#7 0x55aa2e6e9ced in _start (/home/root/latestFiles/yara-4.3.2/.libs/yara+0x7ced)
0x604000000248 is located 8 bytes to the left of 48-byte region [0x604000000250,0x604000000280)
allocated by thread T0 here:
#0 0x7f1689535a06 in __interceptor_calloc …/…/…/…/src/libsanitizer/asan/asan_malloc_linux.cc:153
#1 0x7f168936db41 in yr_calloc libyara/mem.c:127
#2 0x7f168939fe48 in yr_scanner_create libyara/scanner.c:242
#3 0x55aa2e6f12af in main cli/yara.c:1640
#4 0x7f1688c22082 in __libc_start_main …/csu/libc-start.c:308
SUMMARY: AddressSanitizer: heap-buffer-overflow libyara/exec.c:1426 in yr_execute_code
Shadow bytes around the buggy address:
0x0c087fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c087fff8000: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 fa
0x0c087fff8010: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 fa
0x0c087fff8020: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 fa
0x0c087fff8030: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 fa
=>0x0c087fff8040: fa fa 00 00 00 00 00 00 fa[fa]00 00 00 00 00 00
0x0c087fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==1855158==ABORTING