Bug 1464692 - There was a stack overflow caused by format string vulnerability in fmt_entry function of ncurses tool with latest version (6.0). Crafted input could lead to arbitrary code execution.
Status: CLOSED DUPLICATE of bug 1464687
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ncurses
Version: 7.5-Alt
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: urgent
Target Milestone: rc
Target Release: ---
Assignee: Miroslav Lichvar
QA Contact: BaseOS QE - Apps
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
Reported: 2017-06-24 14:47 UTC by owl337
Modified: 2017-06-29 07:58 UTC
Clone Of:
Last Closed: 2017-06-29 07:58:20 UTC


Attachments
Triggered by "infotocp POC6" (183 bytes, application/x-rar)
2017-06-24 14:47 UTC, owl337

Description owl337 2017-06-24 14:47:58 UTC
Created attachment 1291519
Triggered by "infotocp POC6"

Description of problem:

In the fmt_entry function at line 835, the sprintf function was called to copy some values related to the input into a buffer, exceeding the length of MAX_TERMINFO_LENGTH + EXTRA_CAP bytes. The out-of-bounds write to the buffer led to the return address of the fmt_entry function being overwritten.

Version-Release number of selected component (if applicable):

<=6.0

How reproducible:

infotocap $POC

Steps to Reproduce:
1. gdb infotocap
2. set breakpoints at the fmt_entry return address before and after the call to sprintf
3. check that the return address has been overwritten

Actual results:

the fmt_entry return address is overwritten
crash

Expected results:

the fmt_entry return address is overwritten
crash


Additional info:

Credits:

This vulnerability was detected by team OWL337 with our custom fuzzer collAFL. Please contact ganshuitao@gmail.com and chaoz@tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability.
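
Added illustration of the defect class the description names (not code from the ncurses project or from the reporter): a formatter that writes name=value pairs into a fixed-size buffer of MAX_TERMINFO_LENGTH + EXTRA_CAP bytes, once with an unchecked sprintf and once with snprintf plus a return-value check that reports an entry that does not fit instead of overrunning the buffer. The constant values, the `struct cap` input type and all function names are assumptions made for the example; the sample inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Buffer-size constants named in the report; their values here are assumed
 * for the example, not copied from the ncurses source. */
#define MAX_TERMINFO_LENGTH 4096
#define EXTRA_CAP 20
#define ENTRY_BUF_SIZE (MAX_TERMINFO_LENGTH + EXTRA_CAP)

/* Hypothetical name=value capability pair used as the formatter's input. */
struct cap {
    const char *name;
    const char *value;
};

/* Shape of the defect class the report describes: every pair is formatted
 * into a fixed-size caller buffer with sprintf, which has no idea how much
 * room remains.  Shown for contrast only; nothing below calls it. */
void fmt_entry_unsafe(char *outbuf, const struct cap *caps, size_t ncaps)
{
    size_t used = 0;
    for (size_t i = 0; i < ncaps; i++) {
        /* Unbounded write: a long name or value runs past the end of outbuf
         * and, for a stack buffer, over the saved return address. */
        used += (size_t) sprintf(outbuf + used, "%s=%s, ", caps[i].name, caps[i].value);
    }
}

/* Hardened form: snprintf is given the space actually left, and its return
 * value is checked so that an entry that does not fit is reported instead of
 * silently overrunning the buffer.  Returns bytes written, or -1 on overflow. */
long fmt_entry_safe(char *outbuf, size_t outsize, const struct cap *caps, size_t ncaps)
{
    size_t used = 0;
    if (outsize == 0) {
        return -1;
    }
    outbuf[0] = '\0';
    for (size_t i = 0; i < ncaps; i++) {
        size_t room = outsize - used;
        int n = snprintf(outbuf + used, room, "%s=%s, ", caps[i].name, caps[i].value);
        if (n < 0 || (size_t) n >= room) {
            /* Would not fit: snprintf already stopped at the buffer end, so
             * only the status needs to be reported. */
            outbuf[used] = '\0';
            return -1;
        }
        used += (size_t) n;
    }
    return (long) used;
}

/* Formats into a stack buffer of the size the report mentions, through the
 * checked path, and returns the status so it can be tested. */
long fmt_entry_checked(const struct cap *caps, size_t ncaps)
{
    char outbuf[ENTRY_BUF_SIZE];
    return fmt_entry_safe(outbuf, sizeof outbuf, caps, ncaps);
}

/* Constructed input: two ordinary capabilities that fit easily. */
long demo_small_entry(void)
{
    const struct cap caps[] = { { "cols", "80" }, { "lines", "24" } };
    return fmt_entry_checked(caps, sizeof caps / sizeof caps[0]);  /* 19 */
}

/* Constructed input: one value as long as the whole buffer, i.e. the kind of
 * crafted entry that overruns the sprintf version. */
long demo_oversized_entry(void)
{
    static char big[ENTRY_BUF_SIZE + 1];
    memset(big, 'A', ENTRY_BUF_SIZE);
    big[ENTRY_BUF_SIZE] = '\0';
    const struct cap caps[] = { { "acsc", big } };
    return fmt_entry_checked(caps, 1);  /* -1 */
}

int main(void)
{
    printf("small entry: %ld bytes\n", demo_small_entry());
    printf("oversized entry: %ld (rejected)\n", demo_oversized_entry());
    return 0;
}
```

The check on snprintf's return value is the part that matters: snprintf alone only truncates, and a caller that keeps advancing by a truncated count would still end up with a malformed entry, so the safe path stops at the first pair that does not fit and tells the caller.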

Comment 2 Thomas E. Dickey 2017-06-28 00:14:34 UTC
This appears to be a duplicate, because once POC1-POC3 are addressed this is no longer reproducible.

Comment 3 Miroslav Lichvar 2017-06-29 07:58:20 UTC

*** This bug has been marked as a duplicate of bug 1464687 ***
