[crash] stack-overflow occurs when using packETHcli with snort rules #41
Description
In the function readSnortRules(), the buffer new_content is allocated 2048 bytes, but it is written to without bounds checking, resulting in a stack overflow.
Additionally, if the Snort rule file contains rules of the form "content: haha,", the program will attempt to write to a null pointer. Refer to the crash1 example in the PoC.
```c
// <- bug: `result` may be nullptr in this context, which could lead to a strdup(NULL)
if ((temp = strdup(result)) == NULL) {
    fprintf(stderr, "[%s:%d] Reading content failed\n",
            __FUNCTION__, __LINE__);
    exit(EXIT_FAILURE);
}
len_temp = strlen(temp);
memset(new_content, 0, MAX_CONTENT);
// new_content: char[2048]
// It is possible that len_temp > 2048
for (j = 0; j < len_temp; j++) {
    if (temp[j] == '|') {
        if (flag == false) {
            flag = true;
            continue;
        } else if (flag == true) {
            flag = false;
            continue;
        }
    }
    if (flag == true) {
        if (temp[j] == ' ')
            continue;
        memset(hex, 0, 5);
        strcpy(hex, "0x");
        ox[0] = temp[j];
        ox[1] = temp[j + 1];
        strncat(hex, ox, 2);
        sscanf(hex, "0x%2X", &hex_num);
        new_content[loc] = hex_num; // <- bug: out-of-bound write here
        loc++;
        j++;
    } else if (flag == false) {
        new_content[loc] = temp[j]; // <- bug: out-of-bound write here
        loc++;
    }
}
```

Reproduce
PoC: snort_poc.zip
```
./packETHcli -i lo -m 5 -f crash1 -B 10 -t 60 -S1000 -a 2
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3980135==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x5555556299f0 bp 0x7ffffffedb30 sp 0x7ffffffed2e8 T0)
==3980135==The signal is caused by a READ memory access.
==3980135==Hint: address points to the zero page.
    #0 0x5555556299f0 in __sanitizer::internal_strlen(char const*) (/work/programs/packeth/src/cli/packETHcli+0xd59f0) (BuildId: 5e72ba3293693b9505053f30d2f7dfe0320c517c)
    #1 0x5555555fbd22 in strdup (/work/programs/packeth/src/cli/packETHcli+0xa7d22) (BuildId: 5e72ba3293693b9505053f30d2f7dfe0320c517c)
    #2 0x555555657265 in readSnortRules /work/programs/packeth/src/cli/parse_snort_rules.c:98:16
    #3 0x555555651a1f in send_ids_mode /work/programs/packeth/src/cli/cli_send.c:2046:25
    #4 0x55555564e62b in main /work/programs/packeth/src/cli/cli_send.c:436:13
    #5 0x7ffff7cea6c9 (/lib/x86_64-linux-gnu/libc.so.6+0x276c9) (BuildId: 8a1bf172e710f8ca0c1576912c057b45f90d90d8)
    #6 0x7ffff7cea784 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x27784) (BuildId: 8a1bf172e710f8ca0c1576912c057b45f90d90d8)
    #7 0x5555555773c0 in _start (/work/programs/packeth/src/cli/packETHcli+0x233c0) (BuildId: 5e72ba3293693b9505053f30d2f7dfe0320c517c)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/work/programs/packeth/src/cli/packETHcli+0xd59f0) (BuildId: 5e72ba3293693b9505053f30d2f7dfe0320c517c) in __sanitizer::internal_strlen(char const*)
==3980135==ABORTING
```
```
./packETHcli -i lo -m 5 -f crash3 -B 10 -t 60 -S1000 -a 2
=================================================================
==3980177==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffff66018c0 at pc 0x555555657687 bp 0x7ffffffedb30 sp 0x7ffffffedb28
WRITE of size 1 at 0x7ffff66018c0 thread T0
    #0 0x555555657686 in readSnortRules /work/programs/packeth/src/cli/parse_snort_rules.c:127:23
    #1 0x555555651a1f in send_ids_mode /work/programs/packeth/src/cli/cli_send.c:2046:25
    #2 0x55555564e62b in main /work/programs/packeth/src/cli/cli_send.c:436:13
    #3 0x7ffff7cea6c9 (/lib/x86_64-linux-gnu/libc.so.6+0x276c9) (BuildId: 8a1bf172e710f8ca0c1576912c057b45f90d90d8)
    #4 0x7ffff7cea784 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x27784) (BuildId: 8a1bf172e710f8ca0c1576912c057b45f90d90d8)
    #5 0x5555555773c0 in _start (/work/programs/packeth/src/cli/packETHcli+0x233c0) (BuildId: 5e72ba3293693b9505053f30d2f7dfe0320c517c)

Address 0x7ffff66018c0 is located in stack of thread T0 at offset 6336 in frame
    #0 0x555555656b8f in readSnortRules /work/programs/packeth/src/cli/parse_snort_rules.c:26

  This frame has 6 object(s):
    [32, 40) 'saveptr' (line 28)
    [64, 4160) 'line' (line 29)
    [4288, 6336) 'new_content' (line 29) <== Memory access at offset 6336 overflows this variable
    [6464, 6466) 'ox' (line 29)
    [6480, 6484) 'hex_num' (line 30)
    [6496, 6502) 'hex' (line 31)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /work/programs/packeth/src/cli/parse_snort_rules.c:127:23 in readSnortRules
Shadow bytes around the buggy address:
  0x7ffff6601600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7ffff6601680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7ffff6601700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7ffff6601780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7ffff6601800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x7ffff6601880: 00 00 00 00 00 00 00 00[f2]f2 f2 f2 f2 f2 f2 f2
  0x7ffff6601900: f2 f2 f2 f2 f2 f2 f2 f2 02 f2 04 f2 06 f3 f3 f3
  0x7ffff6601980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7ffff6601a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7ffff6601a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7ffff6601b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3980177==ABORTING
```
Possible fix
Add some checks.
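One way to add those checks, as an added example that is not code from the packETH project or from the reporter: a bounds-checked decoder for the `content` value that stops at the size of the destination buffer (the report's MAX_CONTENT of 2048) and refuses malformed or unterminated `|hex|` sections, plus a small extractor that returns an error for an unquoted value such as `content: haha,` instead of handing a NULL pointer to strdup(). The function names `decode_snort_content()` and `extract_quoted_content()`, the quoted-string convention the extractor expects, and the sample rule fragments are all constructed for this illustration; only the buffer size and the `|hex|` decoding behaviour follow the snippet in the report.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_CONTENT 2048  /* same size as new_content in the report */

/* Decode a Snort content value into out[], honouring |hex| sections.
 * Returns the number of bytes written, or -1 on NULL input, malformed or
 * unterminated hex, or when the decoded bytes would not fit in out_size. */
static int decode_snort_content(const char *content, unsigned char *out, size_t out_size)
{
    if (content == NULL || out == NULL)
        return -1;

    size_t loc = 0;
    bool in_hex = false;
    for (size_t j = 0; content[j] != '\0'; j++) {
        char c = content[j];
        if (c == '|') {               /* toggle between text and hex mode */
            in_hex = !in_hex;
            continue;
        }
        if (loc >= out_size)           /* the check the original loop lacks */
            return -1;
        if (in_hex) {
            if (c == ' ')
                continue;
            /* Require exactly two hex digits; content[j+1] may be '\0',
             * which isxdigit() rejects, so this never reads past the end. */
            if (!isxdigit((unsigned char)c) || !isxdigit((unsigned char)content[j + 1]))
                return -1;
            char pair[3] = { c, content[j + 1], '\0' };
            out[loc++] = (unsigned char)strtoul(pair, NULL, 16);
            j++;                       /* consumed the second digit */
        } else {
            out[loc++] = (unsigned char)c;
        }
    }
    if (in_hex)                        /* opening '|' without a closing one */
        return -1;
    return (int)loc;
}

/* Hypothetical extractor: copy the text of the first content:"..." option
 * (without quotes) into buf. Returns its length, or -1 if the option is
 * missing, unquoted, unterminated, or too long for buf. */
static int extract_quoted_content(const char *options, char *buf, size_t bufsize)
{
    if (options == NULL || buf == NULL || bufsize == 0)
        return -1;
    const char *p = strstr(options, "content:");
    if (p == NULL)
        return -1;
    p += strlen("content:");
    while (*p == ' ' || *p == '\t')
        p++;
    if (*p != '"')                     /* e.g. `content: haha,`: reject, do not return NULL to strdup() */
        return -1;
    p++;
    const char *end = strchr(p, '"');
    if (end == NULL)
        return -1;
    size_t len = (size_t)(end - p);
    if (len >= bufsize)
        return -1;
    memcpy(buf, p, len);
    buf[len] = '\0';
    return (int)len;
}

int main(void)
{
    /* Constructed rule fragments, not taken from the PoC archive. */
    const char *samples[] = {
        "msg:\"ok\"; content:\"GET |20 2f|index\";",
        "msg:\"unquoted\"; content: haha;",
        "msg:\"bad hex\"; content:\"|4|\";",
    };
    char value[MAX_CONTENT];
    unsigned char decoded[MAX_CONTENT];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int vlen = extract_quoted_content(samples[i], value, sizeof value);
        int dlen = vlen < 0 ? -1 : decode_snort_content(value, decoded, sizeof decoded);
        printf("rule %zu: extract=%d decode=%d\n", i, vlen, dlen);
    }
    return 0;
}
```

Both functions report failure through their return value so the caller can skip the rule and keep parsing the file; the size checks are against the destination buffer rather than the input length, which is what keeps a 2049-byte content string from reaching past new_content.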