Bug 1464692 - There was a stack overflow caused by format string vulnerability in fmt_entry function of ncurses tool with latest verison(6.0). Crafted input could lead to arbitrary code execution.
There was a stack overflow caused by format string vulnerability in fmt_entry...
Status: CLOSED DUPLICATE of bug 1464687
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ncurses (Show other bugs)
7.5-Alt
x86_64 Linux
unspecified Severity urgent
: rc
: ---
Assigned To: Miroslav Lichvar
BaseOS QE - Apps
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2017-06-24 10:47 EDT by owl337
Modified: 2017-06-29 03:58 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-06-29 03:58:20 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Triggered by "infotocp POC6" (183 bytes, application/x-rar)
2017-06-24 10:47 EDT, owl337
no flags Details

  None (edit)
Description owl337 2017-06-24 10:47:58 EDT
Created attachment 1291519 [details]
Triggered by  "infotocp POC6"

Description of problem:

In the fmt_entry function  line 835, the sprintf function was called for copy some values related to input for the buffer that  exceeding  the length of MAX_TERMINFO_LENGTH + EXTRA_CAP bytes. The buffer out of bound written led to the return address of fmt_entry function was covered.

Version-Release number of selected component (if applicable):

<=6.0

How reproducible:

infotocap $POC

Steps to Reproduce:
1. gdb infotocap
2. set breakpoint for fmt_entry return address before calling sprintf and after calling sprintf
3. check the ret address be covered

Actual results:

the fmt_entry  ret address be covered
crash

Expected results:

the fmt_entry  ret address be covered
crash


Additional info:

Credits:

This vulnerability is detected by team OWL337, with our custom fuzzer coll AFL. Please contact ganshuitao@gmail.com  and chaoz@tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability.
Comment 2 Thomas E. Dickey 2017-06-27 20:14:34 EDT
This appears to be a duplicate, because once POC1-POC3 are addressed this is no longer reproducible.
Comment 3 Miroslav Lichvar 2017-06-29 03:58:20 EDT

*** This bug has been marked as a duplicate of bug 1464687 ***

Note You need to log in before you can comment on or make changes to this bug.