Message-ID: <CAFkTriK-q3LdYd31Wj1VwV5d=Y5Qu=yP4tjpkSOKP2wu-C8XZA@mail.gmail.com>
Date: Tue, 28 Jun 2016 14:50:14 +0800
From: Marco Grassi <marco.gra@...il.com>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Apache Xerces getLastExtEntityInfo Use-After-Free

Hi,

The attached XML will trigger a UAF in xerces-c version 3.1.3 and the trunk
version.


➜  xml cat xerces_uaf | xerces-c-3.1.3/samples/StdInParse
=================================================================
==16010==ERROR: AddressSanitizer: heap-use-after-free on address 0xf4a0dfcc
at pc 0x0836c7f4 bp 0xfff9a198 sp 0xfff9a188
READ of size 1 at 0xf4a0dfcc thread T0
    #0 0x836c7f3 in
xercesc_3_1::ReaderMgr::getLastExtEntityInfo(xercesc_3_1::ReaderMgr::LastExtEntityInfo&)
const xercesc/internal/ReaderMgr.cpp:833
    #1 0x83a42d4 in
xercesc_3_1::XMLScanner::emitError(xercesc_3_1::XMLErrs::Codes,
xercesc_3_1::XMLExcepts::Codes, unsigned short const*, unsigned short
const*, unsigned short const*, unsigned short const*)
xercesc/internal/XMLScanner.cpp:927
    #2 0x8e40963 in
xercesc_3_1::IGXMLScanner::scanDocument(xercesc_3_1::InputSource const&)
xercesc/internal/IGXMLScanner.cpp:276
    #3 0x84b4cca in xercesc_3_1::SAXParser::parse(xercesc_3_1::InputSource
const&) xercesc/parsers/SAXParser.cpp:575
    #4 0x80533d6 in main src/StdInParse/StdInParse.cpp:186
    #5 0xf6dd5636 in __libc_start_main (/lib32/libc.so.6+0x18636)
    #6 0x80624f1
 (/home/bob/VulnResearch/misc/xml/xerces-c-3.1.3/samples/StdInParse+0x80624f1)

0xf4a0dfcc is located 44 bytes inside of 56-byte region
[0xf4a0dfa0,0xf4a0dfd8)
freed by thread T0 here:
    #0 0xf7228034 in operator delete(void*)
(/usr/lib32/libasan.so.3+0xc5034)
    #1 0x80992df in xercesc_3_1::XMemory::operator delete(void*)
xercesc/util/XMemory.cpp:89

previously allocated by thread T0 here:
    #0 0xf72279b4 in operator new(unsigned int)
(/usr/lib32/libasan.so.3+0xc49b4)
    #1 0x8357ad9 in xercesc_3_1::MemoryManagerImpl::allocate(unsigned int)
xercesc/internal/MemoryManagerImpl.cpp:40
    #2 0x8099042 in xercesc_3_1::XMemory::operator new(unsigned int,
xercesc_3_1::MemoryManager*) xercesc/util/XMemory.cpp:68

SUMMARY: AddressSanitizer: heap-use-after-free
xercesc/internal/ReaderMgr.cpp:833 in
xercesc_3_1::ReaderMgr::getLastExtEntityInfo(xercesc_3_1::ReaderMgr::LastExtEntityInfo&)
const
Shadow bytes around the buggy address:
  0x3e941ba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e941bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e941bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e941bd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e941be0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x3e941bf0: fa fa fa fa fd fd fd fd fd[fd]fd fa fa fa fa fa
  0x3e941c00: fd fd fd fd fd fd fd fa fa fa fa fa 00 00 00 00
  0x3e941c10: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x3e941c20: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
  0x3e941c30: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
  0x3e941c40: 00 00 04 fa fa fa fa fa 00 00 00 00 00 00 04 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==16010==ABORTING

Marco

https://marcograss.github.io/


Download attachment "xerces_uaf" of type "application/octet-stream" (39 bytes)
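Triage helper for the AddressSanitizer report above, added here as an example; it is not part of the post and not xerces-c code. It parses the report into the error kind, the faulting access, the allocated region, and the three stacks (access, free, allocation), then picks the first in-tree frame of each stack (skipping the unsymbolised libasan frames) and derives a deduplication key of the sort a fuzzing harness buckets crashes on. The embedded sample is the post's own ASan output with the mail-wrapped frame lines re-joined; the regexes assume the plain-text ASan format shown above, and the names parse_asan_report, first_source_frame and triage are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the AddressSanitizer report quoted in the post above,
# with the mail-wrapped frame lines re-joined so that each frame is one line.
SAMPLE_REPORT = """\
==16010==ERROR: AddressSanitizer: heap-use-after-free on address 0xf4a0dfcc at pc 0x0836c7f4 bp 0xfff9a198 sp 0xfff9a188
READ of size 1 at 0xf4a0dfcc thread T0
    #0 0x836c7f3 in xercesc_3_1::ReaderMgr::getLastExtEntityInfo(xercesc_3_1::ReaderMgr::LastExtEntityInfo&) const xercesc/internal/ReaderMgr.cpp:833
    #1 0x83a42d4 in xercesc_3_1::XMLScanner::emitError(xercesc_3_1::XMLErrs::Codes, xercesc_3_1::XMLExcepts::Codes, unsigned short const*, unsigned short const*, unsigned short const*, unsigned short const*) xercesc/internal/XMLScanner.cpp:927
    #2 0x8e40963 in xercesc_3_1::IGXMLScanner::scanDocument(xercesc_3_1::InputSource const&) xercesc/internal/IGXMLScanner.cpp:276
    #3 0x84b4cca in xercesc_3_1::SAXParser::parse(xercesc_3_1::InputSource const&) xercesc/parsers/SAXParser.cpp:575
    #4 0x80533d6 in main src/StdInParse/StdInParse.cpp:186

0xf4a0dfcc is located 44 bytes inside of 56-byte region [0xf4a0dfa0,0xf4a0dfd8)
freed by thread T0 here:
    #0 0xf7228034 in operator delete(void*) (/usr/lib32/libasan.so.3+0xc5034)
    #1 0x80992df in xercesc_3_1::XMemory::operator delete(void*) xercesc/util/XMemory.cpp:89

previously allocated by thread T0 here:
    #0 0xf72279b4 in operator new(unsigned int) (/usr/lib32/libasan.so.3+0xc49b4)
    #1 0x8357ad9 in xercesc_3_1::MemoryManagerImpl::allocate(unsigned int) xercesc/internal/MemoryManagerImpl.cpp:40
"""

ERROR_RE = re.compile(r"^==(\d+)==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-fA-F]+ thread T\d+")
REGION_RE = re.compile(r"is located (\d+) bytes (inside of|to the left of|to the right of) (\d+)-byte region")
# "#N 0xADDR in <symbol, may contain spaces> <path:line | (module+offset)>"
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-fA-F]+ in (.+) (\S+)$")

@dataclass
class Frame:
    index: int
    function: str
    location: str  # "path:line" when symbolised, "(module+offset)" otherwise

@dataclass
class AsanReport:
    pid: int = 0
    kind: str = ""
    address: str = ""
    access: str = ""
    size: int = 0
    region_offset: Optional[int] = None
    region_size: Optional[int] = None
    access_stack: List[Frame] = field(default_factory=list)
    free_stack: List[Frame] = field(default_factory=list)
    alloc_stack: List[Frame] = field(default_factory=list)

def parse_asan_report(text: str) -> AsanReport:
    """Parse the header, the faulting access, the region line and the three stacks."""
    rep = AsanReport()
    current: Optional[List[Frame]] = None  # stack that following "#N" lines belong to
    for line in text.splitlines():
        if not line.strip():
            current = None  # a blank line terminates the stack being read
            continue
        m = ERROR_RE.match(line)
        if m:
            rep.pid, rep.kind, rep.address = int(m.group(1)), m.group(2), m.group(3)
            continue
        m = ACCESS_RE.match(line)
        if m:
            rep.access, rep.size = m.group(1), int(m.group(2))
            current = rep.access_stack
            continue
        m = REGION_RE.search(line)
        if m:
            rep.region_offset, rep.region_size = int(m.group(1)), int(m.group(3))
            continue
        for prefix, stack in (("freed by", rep.free_stack), ("previously allocated by", rep.alloc_stack)):
            if line.startswith(prefix):
                current = stack
        m = FRAME_RE.match(line)
        if m and current is not None:
            current.append(Frame(int(m.group(1)), m.group(2), m.group(3)))
    return rep

def first_source_frame(stack: List[Frame]) -> Optional[Frame]:
    # Skip runtime frames that only carry "(module+offset)", e.g. libasan's operator delete.
    return next((f for f in stack if ":" in f.location and not f.location.startswith("(")), None)

def triage(rep: AsanReport) -> Dict[str, object]:
    """Reduce a report to the fields a crash bucket is keyed on."""
    top = first_source_frame(rep.access_stack)
    freed = first_source_frame(rep.free_stack)
    alloc = first_source_frame(rep.alloc_stack)
    return {
        "kind": rep.kind,
        "access": f"{rep.access} of {rep.size} byte(s)",
        "crash_site": top.location if top else None,
        "free_site": freed.location if freed else None,
        "alloc_site": alloc.location if alloc else None,
        # Stable across runs: error kind, access type and first in-tree frame.
        "dedup_key": f"{rep.kind}|{rep.access}|{top.location if top else '?'}",
    }
```

For the report above, triage() yields the crash site ReaderMgr.cpp:833, the free site XMemory.cpp:89 and the allocation site MemoryManagerImpl.cpp:40, which is the information a maintainer needs first: the object freed through XMemory is still referenced by getLastExtEntityInfo when emitError runs. The key uses the first in-tree frame rather than the raw frame #0 so that the same bug reported through different runtime paths lands in one bucket.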
