ytnef:heap buffer overflow in PrintTNEF
Description
ytnef is a program to work with procmail to decode TNEF streams (winmail.dat attachments) like those created with Outlook. Unlike other similar programs, it can also create vCalendar/vCard entries from meeting requests, address cards, and task entries.
A heap buffer overflow vulnerability was found in function PrintTNEF in main.c, which allows attackers to cause a denial of service via a crafted file.
#ytnefprint $FILE
==========================================================
heap-buffer-overflow on address 0x63200002d72d at pc 0x0000004abe30 bp 0x7ffc9f378f80 sp 0x7ffc9f378730
READ of size 85806 at 0x63200002d72d thread T0
#0 0x4abe2f in printf_common(void*, char const*, __va_list_tag*) /home/haojun/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors_format.inc:544
#1 0x4acbaa in __interceptor_vprintf /home/haojun/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1429
#2 0x4acc67 in printf /home/haojun/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1475
#3 0x515917 in PrintTNEF /home/haojun/Downloads/ytnef-master/ytnefprint/main.c:107:5
#4 0x51554a in main /home/haojun/Downloads/ytnef-master/ytnefprint/main.c:84:5
#5 0x7f80fed7bb34 in __libc_start_main /usr/src/debug/glibc-2.17-c758a686/csu/../csu/libc-start.c:274
#6 0x41a8db in _start (/home/haojun/Downloads/ytnef-afl-build/bin/ytnefprint+0x41a8db)
0x63200002d72d is located 0 bytes to the right of 85805-byte region [0x632000018800,0x63200002d72d)
allocated by thread T0 here:
#0 0x4df98d in calloc /home/haojun/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:74
#1 0x5184d6 in TNEFFromHandler /home/haojun/Downloads/ytnef-master/lib/ytnef.c:296:21
heap-buffer-overflow /home/haojun/Downloads/llvm-clang/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors_format.inc:544 in printf_common(void*, char const*, __va_list_tag*)
Shadow bytes around the buggy address:
0x0c647fffda90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c647fffdaa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c647fffdab0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c647fffdac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c647fffdad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c647fffdae0: 00 00 00 00 00[05]fa fa fa fa fa fa fa fa fa fa
0x0c647fffdaf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c647fffdb00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c647fffdb10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c647fffdb20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c647fffdb30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==17347==ABORTING
Affected version: 1.9.2
Fixed version:N/A
Commit fix:N/A
Credit: ADLab of Venustech.
CVE:N/A
Reproducer:
Timeline:
2017-06-08:bug discovered and reported to the ytnef GitHub issue page
2017-07-30:blog post about the issue
Permalink:
https://somevulnsofadlab.blogspot.com/2017/07/ytnefheap-buffer-overflow-in-printtnef.html
评论
发表评论