ytnef:heap buffer overflow in PrintTNEF

Description

ytnef is a program to work with procmail to decode TNEF streams (winmail.dat attachments) like those created with Outlook. Unlike other similar programs, it can also create vCalendar/vCard entries from meeting requests, address cards, and task entries.

A heap buffer overflow vulnerability was found in function PrintTNEF in main.c, which allows attackers to cause a denial of service via a crafted file.

#ytnefprint $FILE
==========================================================
 heap-buffer-overflow on address 0x63200002d72d at pc 0x0000004abe30 bp 0x7ffc9f378f80 sp 0x7ffc9f378730
READ of size 85806 at 0x63200002d72d thread T0
    #0 0x4abe2f in printf_common(void*, char const*, __va_list_tag*) /home/haojun/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors_format.inc:544
    #1 0x4acbaa in __interceptor_vprintf /home/haojun/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1429
    #2 0x4acc67 in printf /home/haojun/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1475
    #3 0x515917 in PrintTNEF /home/haojun/Downloads/ytnef-master/ytnefprint/main.c:107:5
    #4 0x51554a in main /home/haojun/Downloads/ytnef-master/ytnefprint/main.c:84:5
    #5 0x7f80fed7bb34 in __libc_start_main /usr/src/debug/glibc-2.17-c758a686/csu/../csu/libc-start.c:274
    #6 0x41a8db in _start (/home/haojun/Downloads/ytnef-afl-build/bin/ytnefprint+0x41a8db)

0x63200002d72d is located 0 bytes to the right of 85805-byte region [0x632000018800,0x63200002d72d)
allocated by thread T0 here:
    #0 0x4df98d in calloc /home/haojun/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:74
    #1 0x5184d6 in TNEFFromHandler /home/haojun/Downloads/ytnef-master/lib/ytnef.c:296:21

 heap-buffer-overflow /home/haojun/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors_format.inc:544 in printf_common(void*, char const*, __va_list_tag*)
Shadow bytes around the buggy address:
  0x0c647fffda90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c647fffdaa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c647fffdab0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c647fffdac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c647fffdad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c647fffdae0: 00 00 00 00 00[05]fa fa fa fa fa fa fa fa fa fa
  0x0c647fffdaf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c647fffdb00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c647fffdb10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c647fffdb20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c647fffdb30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==17347==ABORTING

Affected version: 1.9.2
Fixed version:N/A
Commit fix:N/A
Credit: ADLab of Venustech.
CVE:N/A
Reproducer:
Timeline:
2017-06-08:bug discovered and reported to the ytnef GitHub issue page
2017-07-30:blog post about the issue
Permalink:
https://somevulnsofadlab.blogspot.com/2017/07/ytnefheap-buffer-overflow-in-printtnef.html

评论

此博客中的热门博文

lrzip:stack buffer overflow in get_fileinfo

Poppler:stack buffer overflow in GfxImageColorMap::getGray

libming:memory leak in parseSWF_DOACTION