CVE-2019-6250复现

CVE-2019-6250

  • 影响程序:libzmq

  • 漏洞类型:缓冲区溢出

漏洞复现

下载目标软件

1
git clone https://github.com/zeromq/libzmq.git

跳转到有漏洞的版本

1
git reset --hard 7302b9b8d127be5aa1f1ccebb9d01df0800182f3

安装 libtool

1
sudo apt-get install libtool pkg-config build-essential autoconf automake

执行

1
2
3
4
cd libzmq
./autogen.sh
./configure
make && sudo make install

删去v2_decoder.hpp 中51行的private: 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
class v2_decoder_t ZMQ_FINAL
    : public decoder_base_t<v2_decoder_t, shared_message_memory_allocator>
{
  public:
    v2_decoder_t (size_t bufsize_, int64_t maxmsgsize_, bool zero_copy_);
    ~v2_decoder_t ();

    //  i_decoder interface.
    msg_t *msg () { return &_in_progress; }

-  private:
    int flags_ready (unsigned char const *);
    int one_byte_size_ready (unsigned char const *);
    int eight_byte_size_ready (unsigned char const *);
    int message_ready (unsigned char const *);

    int size_ready (uint64_t size_, unsigned char const *);

    unsigned char _tmpbuf[8];
    unsigned char _msg_flags;
    msg_t _in_progress;

    const bool _zero_copy;
    const int64_t _max_msg_size;

    ZMQ_NON_COPYABLE_NOR_MOVABLE (v2_decoder_t)
};

把fuzzer.cc放到当前文件夹下 编译

1
clang++ -g -std=c++11 -fsanitize=address,fuzzer fuzzer.cc -I ./ .libs/libzmq.a -o fuzzer

执行

1
./fuzzer

漏洞分析

漏洞原因:如果msg_size很大,溢出read_pos_指针范围,绕过检测 并且可以写入msg_size这么多数据

1
2
3
4
5
6
7
8
9
//src/v2_decoder.cpp
85 int zmq::v2_decoder_t::eight_byte_size_ready (unsigned char const *read_from_)
86 {
87     //  The payload size is encoded as 64-bit unsigned integer.
88     //  The most significant byte comes first.
89     const uint64_t msg_size = get_uint64 (_tmpbuf);
90 
91     return size_ready (msg_size, read_from_);
92 }
1
2
3
4
// src/v2_decoder.cpp zmq::v2_decoder_t::size_ready()
117     if (unlikely (!_zero_copy
118                   || ((unsigned char *) read_pos_ + msg_size_
119                       > (allocator.data () + allocator.size ())))) {

溢出块的后方紧接着,其中ffn为函数指针,参数为data和hint 可改写,执行任意函数

1
2
3
4
5
6
7
8
67     struct content_t
68     {
69         void *data;
70         size_t size;
71         msg_free_fn *ffn;
72         void *hint;
73         zmq::atomic_counter_t refcnt;
74     };

漏洞修复

1
2
3
4
    if (unlikely (!_zero_copy
-                  || ((unsigned char *) read_pos_ + msg_size_
-                      > (allocator.data () + allocator.size ())))) {
+                  || msg_size_ > allocator.data () + allocator.size () - read_pos_ )) {

引用: https://github.com/zeromq/libzmq/issues/3351

本博客采用 知识共享署名-非商业性使用-相同方式共享 4.0 国际许可协议(CC BY-NC-SA 4.0) 发布.
⬆︎TOP