Heap Buffer Overflow in UzpPassword

Bug #1824530 reported by Dikkie Dikker on 2019-04-12
Affects: unzip (Ubuntu) | Importance: Undecided | Assigned to: Unassigned

Bug Description

Distributor ID: Ubuntu
Description: Ubuntu 18.04.2 LTS
Release: 18.04
Codename: bionic

unzip:
  Installed: 6.0-21ubuntu1
  Candidate: 6.0-21ubuntu1

The current version of unzip will crash with a heap overflow. I have attached crash.zip to reproduce the issue. Normal unpacking or testing the archive with the -t argument is enough to trigger the bug. This is the only place that I have reported the issue to.

ASAN:
==13994==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62500000490f at pc 0x7f6f788eb8f9 bp 0x7ffd1c67ec30 sp 0x7ffd1c67e3c0
WRITE of size 8210 at 0x62500000490f thread T0
    #0 0x7f6f788eb8f8 in __interceptor_vsprintf (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x9e8f8)
    #1 0x7f6f788ebc86 in __interceptor_sprintf (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x9ec86)
    #2 0x55b5a10ccc87 in UzpPassword fileio.c:1594
    #3 0x55b5a1097ddb in decrypt crypt.c:513
    #4 0x55b5a10b6f2e in extract_or_test_entrylist extract.c:1284
    #5 0x55b5a10b6f2e in extract_or_test_files extract.c:586
    #6 0x55b5a1101f24 in do_seekable process.c:987
    #7 0x55b5a1108e56 in process_zipfiles process.c:401
    #8 0x55b5a1093566 in unzip unzip.c:1278
    #9 0x7f6f7826db96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #10 0x55b5a108afb9 in _start (/home/user/unzip-asan/unzip-6.0/unzip+0x17fb9)

0x62500000490f is located 0 bytes to the right of 8207-byte region [0x625000002900,0x62500000490f)
allocated by thread T0 here:
    #0 0x7f6f7892bb50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
    #1 0x55b5a10ccbfc in UzpPassword fileio.c:1593

SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x9e8f8) in __interceptor_vsprintf
Shadow bytes around the buggy address:
  0x0c4a7fff88d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff88e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff88f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff8900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff8910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c4a7fff8920: 00[07]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff8930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff8940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff8950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff8960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff8970: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  Container overflow: fc
  Array cookie: ac
  Intra object redzone: bb
  ASan internal: fe
  Left alloca redzone: ca
  Right alloca redzone: cb
==13994==ABORTING

GDB:
*** buffer overflow detected ***: /home/user/unzip-dbg/unzip-6.0/unzip terminated

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
51 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1 0x00007ffff7814801 in __GI_abort () at abort.c:79
#2 0x00007ffff785d897 in __libc_message (action=action@entry=(do_abort | do_backtrace),
    fmt=fmt@entry=0x7ffff798a988 "*** %s ***: %s terminated\n") at ../sysdeps/posix/libc_fatal.c:181
#3 0x00007ffff7908cff in __GI___fortify_fail_abort (need_backtrace=need_backtrace@entry=true,
    msg=msg@entry=0x7ffff798a905 "buffer overflow detected") at fortify_fail.c:33
#4 0x00007ffff7908d21 in __GI___fortify_fail (msg=msg@entry=0x7ffff798a905 "buffer overflow detected")
    at fortify_fail.c:44
#5 0x00007ffff7906a10 in __GI___chk_fail () at chk_fail.c:28
#6 0x00007ffff7905f29 in _IO_str_chk_overflow (fp=<optimized out>, c=<optimized out>) at vsprintf_chk.c:31
#7 0x00007ffff7862494 in __GI__IO_default_xsputn (f=0x7fffffffd8b0, data=<optimized out>, n=11)
    at genops.c:417
#8 0x00007ffff782f9aa in _IO_vfprintf_internal (s=s@entry=0x7fffffffd8b0,
    format=format@entry=0x555555578b90 <PasswPrompt> "[%s] %s password: ", ap=ap@entry=0x7fffffffd9f0)
    at vfprintf.c:1674
#9 0x00007ffff7905fcb in ___vsprintf_chk (
    s=0x5555558902e0 "[crash.zip] dri^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G"..., flags=1, slen=8207, format=0x555555578b90 <PasswPrompt> "[%s] %s password: ",
    args=args@entry=0x7fffffffd9f0) at vsprintf_chk.c:82
#10 0x00007ffff7905efa in ___sprintf_chk (
    s=s@entry=0x5555558902e0 "[crash.zip] dri^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G"..., flags=flags@entry=1, slen=slen@entry=8207,
    format=format@entry=0x555555578b90 <PasswPrompt> "[%s] %s password: ") at sprintf_chk.c:31
#11 0x0000555555562c95 in sprintf (__fmt=<synthetic pointer>,
    __s=0x5555558902e0 "[crash.zip] dri^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G^G"...) at /usr/include/x86_64-linux-gnu/bits/stdio2.h:33
#12 UzpPassword (pG=<optimized out>, rcnt=<optimized out>, pwbuf=0x555555890280 '\a' <repeats 88 times>, "! ",
    size=81, zfn=0x5555558715c0 <G+988384> "crash.zip",
    efn=0x555555870420 <G+983872> "dri", '\a' <repeats 197 times>...) at fileio.c:1594
#13 0x000055555555adf3 in decrypt (passwrd=<optimized out>) at crypt.c:513
#14 0x000055555555de54 in extract_or_test_entrylist (numchunk=numchunk@entry=1,
    pfilnum=pfilnum@entry=0x7fffffffdc58, pnum_bad_pwd=pnum_bad_pwd@entry=0x7fffffffdc60,
    pold_extra_bytes=pold_extra_bytes@entry=0x7fffffffdc68, pnum_dirs=pnum_dirs@entry=0x7fffffffdc54,
    pdirlist=pdirlist@entry=0x7fffffffdc70, error_in_archive=51) at extract.c:1284
#15 0x0000555555560488 in extract_or_test_files () at extract.c:586
#16 0x00005555555682b2 in do_seekable (lastchance=lastchance@entry=0) at process.c:987
#17 0x00005555555691f7 in process_zipfiles () at process.c:401
#18 0x000055555555a58e in unzip (argc=<optimized out>, argv=<optimized out>) at unzip.c:1278
#19 0x00007ffff77f5b97 in __libc_start_main (main=0x555555558190 <main>, argc=3, argv=0x7fffffffdf28,
    init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdf18)
    at ../csu/libc-start.c:310
#20 0x00005555555581da in _start ()
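The two traces pin the defect down to a single pattern: fileio.c:1593 allocates an 8207-byte block, and fileio.c:1594 formats "[%s] %s password: " into it with an unchecked sprintf, where the second %s is the archive entry name after unzip's filename filter has rewritten each control byte as a two-character "^G" sequence (compare efn in frame #12, a run of '\a', with the "dri^G^G^G..." in frame #9). The block's size is a compile-time maximum; the entry name and its filtered expansion are attacker-controlled, so a long enough name pushes the formatted prompt past the end of the block. The following C program is an added example, not unzip's own code, that reproduces the arithmetic of that overflow and shows the hardened form beside it. The 8207-byte size and the format string are taken from the traces above; filter_name is a simplified stand-in for unzip's FnFilter modelled on the "^G" expansion visible in the backtrace, and the 4200-byte entry name is constructed here to match the shape of the one in the report.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PROMPT_BUF 8207u                   /* size of the region in the ASan report */
#define PROMPT_FMT "[%s] %s password: "    /* PasswPrompt, as shown in GDB frame #8 */

/* Stand-in for unzip's FnFilter (an assumption modelled on the "^G^G^G" in the
 * backtrace): every control byte is rendered as two bytes, '^' and (c + 0x40).
 * A name of n control bytes therefore needs 2n bytes after filtering.
 * Returns a malloc'd string; the caller frees it. */
char *filter_name(const char *name)
{
    size_t n = strlen(name), j = 0;
    char *out = malloc(2 * n + 1);          /* worst case: every byte doubles */
    if (out == NULL)
        return NULL;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c < 0x20 || c == 0x7f) {
            out[j++] = '^';
            out[j++] = (char)((c + 0x40) & 0x7f);   /* 0x07 -> 'G', 0x7f -> '?' */
        } else {
            out[j++] = (char)c;
        }
    }
    out[j] = '\0';
    return out;
}

/* Bytes the formatted prompt needs, NUL included.  The buggy pattern is
 * sprintf() into a buffer of PROMPT_BUF bytes chosen without looking at
 * the arguments; whenever this value exceeds PROMPT_BUF the surplus is
 * written past the end of the heap block, which is what ASan flagged. */
size_t prompt_bytes_needed(const char *zfn, const char *efn)
{
    char *fz = filter_name(zfn), *fe = filter_name(efn);
    size_t need = 0;
    if (fz != NULL && fe != NULL)
        need = (size_t)snprintf(NULL, 0, PROMPT_FMT, fz, fe) + 1;
    free(fz);
    free(fe);
    return need;
}

/* Hardened form: size the allocation from the filtered arguments rather than
 * from a compile-time maximum, and format with a bounded snprintf(). */
char *build_prompt(const char *zfn, const char *efn)
{
    char *fz = filter_name(zfn), *fe = filter_name(efn), *prompt = NULL;
    if (fz != NULL && fe != NULL) {
        size_t need = (size_t)snprintf(NULL, 0, PROMPT_FMT, fz, fe) + 1;
        prompt = malloc(need);
        if (prompt != NULL)
            snprintf(prompt, need, PROMPT_FMT, fz, fe);
    }
    free(fz);
    free(fe);
    return prompt;
}

/* Constructed entry name in the shape of the one in the report: "dri" followed
 * by a run of BEL (0x07) bytes.  A zip name field has a 16-bit length, so a
 * 4200-byte name is a legal archive entry.  buf must hold at least 4201 bytes. */
void sample_entry_name(char *buf)
{
    memcpy(buf, "dri", 3);
    memset(buf + 3, '\a', 4197);
    buf[4200] = '\0';
}

/* How far sprintf() into the fixed buffer would overrun for the sample name. */
size_t sample_overflow_bytes(void)
{
    char efn[4201];
    sample_entry_name(efn);
    size_t need = prompt_bytes_needed("crash.zip", efn);
    return need > PROMPT_BUF ? need - PROMPT_BUF : 0;
}

int main(void)
{
    char efn[4201];
    sample_entry_name(efn);

    size_t need = prompt_bytes_needed("crash.zip", efn);
    printf("prompt needs %zu bytes; the fixed buffer holds %u\n", need, PROMPT_BUF);
    printf("sprintf() would write %zu bytes past the end of the block\n",
           sample_overflow_bytes());

    char *prompt = build_prompt("crash.zip", efn);
    if (prompt != NULL) {
        printf("sized allocation: %zu bytes, begins \"%.19s\"\n",
               strlen(prompt) + 1, prompt);
        free(prompt);
    }
    return 0;
}
```

The point of the hardened form is not snprintf by itself: truncating the prompt to 8207 bytes would also stop the write, but it still leaves a buffer sized by a constant that no input in the format actually respects. Computing the length from the filtered strings removes the assumption entirely, and the same check applies to any place where a zip filename (or its filtered rendering) is copied into a buffer sized by FILNAMSIZ-style constants.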

Mike Salvatore (mikesalvatore) wrote :

Hi Dikkie,

Is this the same vulnerability as reported in CVE-2018-1000035? This CVE also reports a heap-buffer overflow in the UzpPassword function.

Please see https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-1000035.html and https://sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html for more details.

Dikkie Dikker (dikkiedikker) wrote :

Heya Mike,

You are correct, it is the same bug as CVE-2018-1000035.

I have checked out the Debian unstable unzip with the patches from SUSE, which fixes this issue.

Sorry for the trouble!

Mike Salvatore (mikesalvatore) wrote :

It's no trouble at all. Thanks!

information type: Private Security → Public Security
Changed in unzip (Ubuntu):
status: New → Confirmed