ytnef:heap buffer overflow in TNEFFillMapi
Description
ytnef is a program to work with procmail to decode TNEF streams (winmail.dat attachments) like those created with Outlook. Unlike other similar programs, it can also create vCalendar/vCard entries from meeting requests, address cards, and task entries.
A heap buffer overflow vulnerability was found in function TNEFFillMapi in ytnef.c, which allows attackers to cause a denial of service via a crafted file.
#ytnefprint $FILE
=================================================================
heap-buffer-overflow on address 0x6020000008f8 at pc 0x000000520d34 bp 0x7ffeed1b7070 sp 0x7ffeed1b7068
WRITE of size 4 at 0x6020000008f8 thread T0
#0 0x520d33 in TNEFFillMapi /home/haojun/Downloads/ytnef-master/lib/ytnef.c:543:18
#1 0x51a612 in TNEFMapiProperties /home/haojun/Downloads/ytnef-master/lib/ytnef.c:396:7
#2 0x52bca1 in TNEFParse /home/haojun/Downloads/ytnef-master/lib/ytnef.c:1184:15
#3 0x52a3b2 in TNEFParseFile /home/haojun/Downloads/ytnef-master/lib/ytnef.c:1042:10
#4 0x515530 in main /home/haojun/Downloads/ytnef-master/ytnefprint/main.c:80:9
#5 0x7f917c2c9b34 in __libc_start_main /usr/src/debug/glibc-2.17-c758a686/csu/../csu/libc-start.c:274
#6 0x41a8db in _start (/home/haojun/Downloads/ytnef-afl-build/bin/ytnefprint+0x41a8db)
0x6020000008f8 is located 7 bytes to the right of 1-byte region [0x6020000008f0,0x6020000008f1)
allocated by thread T0 here:
#0 0x4df98d in calloc /home/haojun/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:74
#1 0x51d470 in TNEFFillMapi /home/haojun/Downloads/ytnef-master/lib/ytnef.c:482:18
#2 0x51a612 in TNEFMapiProperties /home/haojun/Downloads/ytnef-master/lib/ytnef.c:396:7
#3 0x52a3b2 in TNEFParseFile /home/haojun/Downloads/ytnef-master/lib/ytnef.c:1042:10
#4 0x515530 in main /home/haojun/Downloads/ytnef-master/ytnefprint/main.c:80:9
heap-buffer-overflow /home/haojun/Downloads/ytnef-master/lib/ytnef.c:543:18 in TNEFFillMapi
Shadow bytes around the buggy address:
0x0c047fff80c0: fa fa 04 fa fa fa 00 00 fa fa 04 fa fa fa 00 00
0x0c047fff80d0: fa fa 04 fa fa fa 00 00 fa fa 04 fa fa fa 00 00
0x0c047fff80e0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
0x0c047fff80f0: fa fa 00 00 fa fa 04 fa fa fa 00 00 fa fa 04 fa
0x0c047fff8100: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
=>0x0c047fff8110: fa fa 04 fa fa fa 00 00 fa fa 04 fa fa fa 01[fa]
0x0c047fff8120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==17014==ABORTING
Affected version: 1.9.2
Fixed version:N/A
Commit fix:N/A
Credit: ADLab of Venustech.
CVE:N/A
Reproducer:
Timeline:
2017-06-08:bug discovered and reported to the ytnef GitHub issue page
2017-07-30:blog post about the issue
Permalink:
https://somevulnsofadlab.blogspot.com/2017/07/ytnefheap-buffer-overflow-in.html
评论
发表评论