Buffer Overflow in ZipInfo

Bug #1643750 reported by alexis on 2016-11-22
Affects: unzip (Ubuntu)
Importance: Low
Assigned to: Unassigned

Bug Description

Hello,

I am a security consultant and recently discovered this during some fuzzing exercises.

A buffer overflow occurs in zipinfo (part of the unzip package) when the compression method in the central directory file header is greater than 999:

user@lab:~$ lsb_release -rd
Description: Ubuntu 16.04.1 LTS
Release: 16.04

user@lab:~$ apt-cache policy unzip
unzip:
  Installed: 6.0-20ubuntu1
  Candidate: 6.0-20ubuntu1
  Version table:
 *** 6.0-20ubuntu1 500
        500 http://gb.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
        100 /var/lib/dpkg/status

Here is an example output:

user@lab:~$ zipinfo PoC.zip
Archive: PoC.zip
Zip file size: 154 bytes, number of entries: 1
*** buffer overflow detected ***: zipinfo terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7f7fedfc07e5]
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x5c)[0x7f7fee06156c]
/lib/x86_64-linux-gnu/libc.so.6(+0x116570)[0x7f7fee05f570]
/lib/x86_64-linux-gnu/libc.so.6(+0x115ad9)[0x7f7fee05ead9]
/lib/x86_64-linux-gnu/libc.so.6(_IO_default_xsputn+0x80)[0x7f7fedfc46b0]
/lib/x86_64-linux-gnu/libc.so.6(_IO_vfprintf+0xc90)[0x7f7fedf96e00]
/lib/x86_64-linux-gnu/libc.so.6(__vsprintf_chk+0x84)[0x7f7fee05eb64]
/lib/x86_64-linux-gnu/libc.so.6(__sprintf_chk+0x7d)[0x7f7fee05eabd]
zipinfo[0x41729b]
zipinfo[0x41144a]
zipinfo[0x411bdf]
zipinfo[0x404191]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7f7fedf69830]
zipinfo[0x401fa9]
======= Memory map: ========
00400000-00427000 r-xp 00000000 08:01 9176785 /usr/bin/zipinfo
00626000-00627000 r--p 00026000 08:01 9176785 /usr/bin/zipinfo
00627000-00628000 rw-p 00027000 08:01 9176785 /usr/bin/zipinfo
00628000-0071a000 rw-p 00000000 00:00 0
0207b000-0209c000 rw-p 00000000 00:00 0 [heap]
7f7feda5b000-7f7feda71000 r-xp 00000000 08:01 6427015 /lib/x86_64-linux-gnu/libgcc_s.so.1
7f7feda71000-7f7fedc70000 ---p 00016000 08:01 6427015 /lib/x86_64-linux-gnu/libgcc_s.so.1
7f7fedc70000-7f7fedc71000 rw-p 00015000 08:01 6427015 /lib/x86_64-linux-gnu/libgcc_s.so.1
7f7fedc71000-7f7fedf49000 r--p 00000000 08:01 9176532 /usr/lib/locale/locale-archive
7f7fedf49000-7f7fee108000 r-xp 00000000 08:01 6426937 /lib/x86_64-linux-gnu/libc-2.23.so
7f7fee108000-7f7fee308000 ---p 001bf000 08:01 6426937 /lib/x86_64-linux-gnu/libc-2.23.so
7f7fee308000-7f7fee30c000 r--p 001bf000 08:01 6426937 /lib/x86_64-linux-gnu/libc-2.23.so
7f7fee30c000-7f7fee30e000 rw-p 001c3000 08:01 6426937 /lib/x86_64-linux-gnu/libc-2.23.so
7f7fee30e000-7f7fee312000 rw-p 00000000 00:00 0
7f7fee312000-7f7fee321000 r-xp 00000000 08:01 6426976 /lib/x86_64-linux-gnu/libbz2.so.1.0.4
7f7fee321000-7f7fee520000 ---p 0000f000 08:01 6426976 /lib/x86_64-linux-gnu/libbz2.so.1.0.4
7f7fee520000-7f7fee521000 r--p 0000e000 08:01 6426976 /lib/x86_64-linux-gnu/libbz2.so.1.0.4
7f7fee521000-7f7fee522000 rw-p 0000f000 08:01 6426976 /lib/x86_64-linux-gnu/libbz2.so.1.0.4
7f7fee522000-7f7fee548000 r-xp 00000000 08:01 6426917 /lib/x86_64-linux-gnu/ld-2.23.so
7f7fee729000-7f7fee72c000 rw-p 00000000 00:00 0
7f7fee744000-7f7fee747000 rw-p 00000000 00:00 0
7f7fee747000-7f7fee748000 r--p 00025000 08:01 6426917 /lib/x86_64-linux-gnu/ld-2.23.so
7f7fee748000-7f7fee749000 rw-p 00026000 08:01 6426917 /lib/x86_64-linux-gnu/ld-2.23.so
7f7fee749000-7f7fee74a000 rw-p 00000000 00:00 0
7fffad5d3000-7fffad5f4000 rw-p 00000000 00:00 0 [stack]
7fffad5f8000-7fffad5fa000 r--p 00000000 00:00 0 [vvar]
7fffad5fa000-7fffad5fc000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]

I look forward to hearing from you,

Alexis
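A defender-side check for the condition the report describes, added here as an example and not part of the report, the PoC or unzip itself: it walks a zip archive's central directory and counts entries whose compression method is outside an allowlist, so an archive carrying a value like the one that trips zipinfo can be flagged before it reaches the tool. The record layout follows the ZIP APPNOTE (central header signature 0x02014b50 with the method at offset 10, EOCD signature 0x06054b50); the allowlist and the constructed central-directory-only sample archive are this example's own assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CEN_SIG     0x02014b50u   /* central directory file header signature */
#define END_SIG     0x06054b50u   /* end of central directory (EOCD) signature */
#define CEN_HDR_LEN 46            /* fixed part of a central header */
#define END_HDR_LEN 22            /* fixed part of the EOCD record */

static unsigned rd16(const uint8_t *p) { return p[0] | (p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Allowlist assumed for this example: the method values APPNOTE assigns
   (0-19 plus 93-99). Anything else, including the >999 values from the
   report, is counted as suspicious. */
static int method_is_known(unsigned m) { return m <= 19 || (m >= 93 && m <= 99); }

/* Walks the central directory of the archive in buf[0..len) and returns the
   number of entries whose method is off the allowlist, or -1 if the archive
   is structurally malformed (no EOCD, directory out of bounds, bad signature). */
int count_suspicious_methods(const uint8_t *buf, size_t len)
{
    if (len < END_HDR_LEN) return -1;
    /* EOCD sits at the end but may be followed by a comment of up to 65535 bytes. */
    size_t i = len - END_HDR_LEN;
    size_t stop = i > 65535 ? i - 65535 : 0;
    while (rd32(buf + i) != END_SIG) {
        if (i == stop) return -1;
        i--;
    }
    const uint8_t *eocd = buf + i;
    unsigned entries = rd16(eocd + 10);
    uint32_t cd_size = rd32(eocd + 12), cd_off = rd32(eocd + 16);
    if (cd_off > i || cd_size > i - cd_off) return -1;  /* directory must precede EOCD */

    const uint8_t *p = buf + cd_off, *end = p + cd_size;
    int suspicious = 0;
    for (unsigned n = 0; n < entries; n++) {
        if ((size_t)(end - p) < CEN_HDR_LEN || rd32(p) != CEN_SIG) return -1;
        unsigned method = rd16(p + 10);                  /* compression method field */
        size_t rec = CEN_HDR_LEN + rd16(p + 28) + rd16(p + 30) + rd16(p + 32);
        if ((size_t)(end - p) < rec) return -1;          /* name/extra/comment overrun */
        if (!method_is_known(method)) suspicious++;
        p += rec;
    }
    return suspicious;
}

static uint8_t *wr16(uint8_t *p, unsigned v) { p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; return p + 2; }
static uint8_t *wr32(uint8_t *p, uint32_t v) { return wr16(wr16(p, v & 0xffff), v >> 16); }

/* Constructed sample: central directory entries plus EOCD only (no local
   headers or file data), which is all the directory walk above reads. */
static size_t build_sample(uint8_t *out, const unsigned *methods, unsigned n)
{
    uint8_t *p = out;
    for (unsigned k = 0; k < n; k++) {
        const char name[] = "entry.txt";
        p = wr32(p, CEN_SIG);
        p = wr16(p, 20); p = wr16(p, 20); p = wr16(p, 0);        /* made by, needed, flags */
        p = wr16(p, methods[k]);                                  /* compression method */
        p = wr16(p, 0); p = wr16(p, 0);                           /* mod time, mod date */
        p = wr32(p, 0); p = wr32(p, 0); p = wr32(p, 0);           /* crc32, csize, usize */
        p = wr16(p, sizeof name - 1); p = wr16(p, 0); p = wr16(p, 0); /* name, extra, comment len */
        p = wr16(p, 0); p = wr16(p, 0); p = wr32(p, 0);           /* disk, int attr, ext attr */
        p = wr32(p, 0);                                           /* local header offset */
        memcpy(p, name, sizeof name - 1); p += sizeof name - 1;
    }
    size_t cd_size = (size_t)(p - out);
    p = wr32(p, END_SIG);
    p = wr16(p, 0); p = wr16(p, 0); p = wr16(p, n); p = wr16(p, n);   /* disks, entry counts */
    p = wr32(p, (uint32_t)cd_size); p = wr32(p, 0); p = wr16(p, 0);   /* cd size, cd offset, comment len */
    return (size_t)(p - out);
}

/* Builds a constructed sample with the given methods and scans it. */
int scan_constructed(const unsigned *methods, unsigned n)
{
    uint8_t buf[4096];
    if (n > 64) return -1;   /* 64 entries * 55 bytes + 22 fits the buffer */
    size_t len = build_sample(buf, methods, n);
    return count_suspicious_methods(buf, len);
}

int main(void)
{
    const unsigned ok[] = { 0, 8 }, bad[] = { 8, 1000 };
    printf("store/deflate archive: %d suspicious entries\n", scan_constructed(ok, 2));
    printf("method-1000 archive:   %d suspicious entries\n", scan_constructed(bad, 2));
    return 0;
}
```

The walk validates every length field against the remaining directory size before trusting it, so a malformed directory is reported as -1 rather than read past the buffer; feeding the function a real archive is a matter of reading the file into memory and calling count_suspicious_methods on it.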

alexis (vandeneijnde) wrote :
Tyler Hicks (tyhicks) wrote :

Hi Alexis - Thanks for the bug report.

I can verify the issue that you have reported. After some research, I've determined it is very similar to but different than an older unzip -l crasher reported on oss-security:

  http://www.openwall.com/lists/oss-security/2014/11/03/5

Your PoC also happens to trigger that issue in unzip -l but they crash in different areas of the unzip codebase.

Since there are a number of similar unzip issues that never received CVEs or fixes from around 11-2014, I plan to make this issue public and forward the report to the oss-security list early Monday (I'd prefer to avoid reporting an issue at the end of the day on a Friday).

I'd like to credit you for the issue. Would you mind sharing your first and last name so that I can include it in my email report? Thanks again!

Changed in unzip (Ubuntu):
status: New → Triaged
alexis (vandeneijnde) wrote :

Hi Tyler,

Thanks for the quick response and research; My first and last name is Alexis Vanden Eijnde.

I look forward to any updates and/or CVEs ;-)

Best Regards,

Alexis

Tyler Hicks (tyhicks) on 2016-12-05
Changed in unzip (Ubuntu):
importance: Undecided → Low
information type: Private Security → Public Security
Tyler Hicks (tyhicks) wrote :
Josef Möllers (jmoellers) wrote :

May I humbly offer the attached patch?
As the methbuf is used for display only, I have made it large enough to hold 'u' + an unsigned short (5 digits) + the trailing NUL character.
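The sizing argument in the comment above, worked through as an added example that is neither the attached patch nor unzip's own code: a five-byte display buffer ('u' + three digits + NUL) is assumed as the original size because it is the smallest layout consistent with the report's "greater than 999" trigger, and the "u%03u" rendering is likewise an assumption. The widened size is the one the comment proposes, and the formatter uses snprintf so that a value which does not fit is reported instead of written past the end of the buffer.

```c
#include <stdio.h>
#include <string.h>

/* Assumed original size: 'u' + 3 digits + NUL. A method above 999 renders
   to 5 or 6 characters and no longer fits, matching the reported trigger. */
#define OLD_METHBUF_SIZE 5
/* Size proposed in the comment: 'u' + 5 digits (largest unsigned short) + NUL. */
#define NEW_METHBUF_SIZE (1 + 5 + 1)

/* Bytes, including the NUL, that "u%03u" needs for a given method value;
   snprintf with a NULL buffer only measures and never writes. */
size_t unknown_method_len(unsigned method)
{
    return (size_t)snprintf(NULL, 0, "u%03u", method) + 1;
}

/* 1 if an unbounded sprintf of the rendering into buf_size bytes would overflow. */
int would_overflow(unsigned method, size_t buf_size)
{
    return unknown_method_len(method) > buf_size;
}

/* Hardened formatter: bounded write; returns the length written, or -1 when
   the value does not fit (the caller sees a truncated string, not a
   corrupted stack). */
int format_unknown_method(unsigned method, char *out, size_t out_size)
{
    int n = snprintf(out, out_size, "u%03u", method);
    if (n < 0 || (size_t)n >= out_size)
        return -1;
    return n;
}

/* Check helper: formats into the first buf_size bytes of a buffer and reports
   whether the result is exactly `expected` with no truncation. */
int renders_as(unsigned method, size_t buf_size, const char *expected)
{
    char buf[NEW_METHBUF_SIZE];
    if (buf_size > sizeof buf) return 0;
    if (format_unknown_method(method, buf, buf_size) < 0) return 0;
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    const unsigned samples[] = { 8, 999, 1000, 65535 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        unsigned m = samples[i];
        printf("method %5u needs %zu bytes; fits in %d? %s; fits in %d? %s\n",
               m, unknown_method_len(m),
               OLD_METHBUF_SIZE, would_overflow(m, OLD_METHBUF_SIZE) ? "no" : "yes",
               NEW_METHBUF_SIZE, would_overflow(m, NEW_METHBUF_SIZE) ? "no" : "yes");
    }
    return 0;
}
```

The point of the two sizes is that the field is a 16-bit value, so the largest rendering is "u65535": six characters plus the terminator, which is exactly what the seven-byte buffer holds. Bounding the write with snprintf is the second half of the fix; it keeps a future change to the format string from reintroducing the overflow silently.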

The attachment "cve-2016-9844.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Josef Möllers (jmoellers) wrote :

I just found that a different solution is already present in
http://antinode.info/ftp/info-zip/unzip60/zipinfo.c
Please ignore my drool.
