Source: 4ti2
Severity: normal

Dear Maintainer,

I apologise if this is a redundant email. I had sent a previous bug report. However, in that bug report, the mail address was jake@Jarvis, which is not my email address. Hence, I am sending the same report with the corrected email address, which is: jkrshnme...@gmail.com

As a part of an academic project, we have discovered two buffer overflow vulnerabilities in the `gensymm` binary, which is a part of the 4ti2 package.

The first vulnerability occurs in gensymm_main @ src/util/gensymm.c: 146, where user input, which is provided via the command-line argument, is copied without bounds checking to a buffer named `fileName` of a fixed size. This buffer, on my 64-bit Ubuntu 16.04, is of size 4096 bytes.

The second vulnerability occurs in gensymm_main @ src/util/gensymm.c: 173, where the contents of the buffer are appended with the string ".sym" without checking the size of the buffer. This buffer is of a fixed size and is 4096 bytes on my system. If the argument provided by the user is of size 4096 bytes, a total of 4096+4 bytes will be written to the buffer named `outFileName`, which results in an out-of-bounds memory corruption.

Due to compiler-enforced protections, these bugs may not be exploitable. However, on older systems, the compiler may not enforce these protection mechanisms by default, and hence these vulnerabilities can be easily exploited to gain arbitrary code execution.

The first vulnerability can be replicated by using the following command:

`./gensymm 1 2 3 4 $(python -c 'print "A"*0x2000')`

Running this command results in the following output:

-------------------------------------------------
4ti2 version 1.6.9
Copyright 1998, 2002, 2006, 2015 4ti2 team.
4ti2 comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. For details, see the file COPYING.
-------------------------------------------------
*** buffer overflow detected ***: ./gensymm terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7f7dd6f907e5]
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x5c)[0x7f7dd703215c]
/lib/x86_64-linux-gnu/libc.so.6(+0x117160)[0x7f7dd7030160]
/lib/x86_64-linux-gnu/libc.so.6(+0x116405)[0x7f7dd702f405]
./gensymm[0x400dcc]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7f7dd6f39830]
./gensymm[0x400ba9]
.
.
.
Aborted (core dumped)

Some of the output has been omitted for brevity.

The second vulnerability can be replicated by using the following command:

`./gensymm 1 2 3 4 $(python -c 'print "A"*0xfff')`

Running this command results in the following output:

-------------------------------------------------
4ti2 version 1.6.9
Copyright 1998, 2002, 2006, 2015 4ti2 team.
4ti2 comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. For details, see the file COPYING.
-------------------------------------------------
Error opening generator file for output.

Here the binary does not crash, since the saved return address has not been overwritten. However, this depends upon the compiler and may not always be unexploitable.

These vulnerabilities can easily be fixed by using the secure versions of these library functions, such as `strncpy` instead of `strcpy` and `strncat` instead of `strcat`.

Please investigate this issue.

-- System Information:
Debian Release: stretch/sid
  APT prefers xenial-updates
  APT policy: (500, 'xenial-updates'), (500, 'xenial-security'), (500, 'xenial'), (100, 'xenial-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.4.0-139-generic (SMP w/4 CPU cores)
Locale: LANG=en_IN, LC_CTYPE=en_IN (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
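The report describes two unchecked copies into 4096-byte buffers: the command-line argument into `fileName`, and then `fileName` plus ".sym" into `outFileName`. The following is an added example written for this page, not code from 4ti2 or from the reporter; the function names `copy_arg`, `build_sym_name` and `classify_argument` are hypothetical, and the 4096-byte buffer size is taken from the report. It places the unsafe pattern the report describes beside a length-checked version that refuses, rather than truncates, an argument that will not fit, and it checks the two argument lengths used in the report (0x2000 and 0xfff) against those bounds.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Buffer size the report observed for fileName / outFileName on its system. */
#define PATH_BUF 4096

/* The shape of the unsafe pattern described in the report (not called below):
 * no length check on either the copy or the appended suffix, so an argument
 * of PATH_BUF-1 bytes fits the first buffer but the ".sym" append runs past
 * the end of the second. Kept only for contrast with the checked version. */
static void unsafe_build_sym_name(char *fileName, char *outFileName, const char *arg)
{
    strcpy(fileName, arg);        /* src/util/gensymm.c: 146 in the report */
    strcpy(outFileName, fileName);
    strcat(outFileName, ".sym");  /* src/util/gensymm.c: 173 in the report */
}

/* Hypothetical bounds-checked copy of a command-line argument.
 * Returns 0 on success, -1 if the argument (plus its NUL) does not fit. */
int copy_arg(char *out, size_t outsz, const char *arg)
{
    size_t len = strlen(arg);
    if (len >= outsz)
        return -1;
    memcpy(out, arg, len + 1);    /* +1 copies the terminating NUL */
    return 0;
}

/* Hypothetical checked builder for "<base>.sym". The length check is done
 * before writing, so an over-long name is rejected instead of silently
 * truncated (plain strncpy would not even guarantee a terminating NUL). */
int build_sym_name(char *out, size_t outsz, const char *base)
{
    static const char suffix[] = ".sym";
    size_t need = strlen(base) + sizeof suffix;   /* sizeof includes the NUL */
    if (need > outsz)
        return -1;
    int n = snprintf(out, outsz, "%s%s", base, suffix);
    if (n < 0 || (size_t)n >= outsz)
        return -1;                /* belt and braces: snprintf reports truncation */
    return 0;
}

/* Small wrapper so the builder can be exercised without the caller
 * managing a buffer; returns NULL when the name does not fit. */
const char *try_sym_name(const char *base)
{
    static char scratch[16];
    if (build_sym_name(scratch, sizeof scratch, base) != 0)
        return NULL;
    return scratch;
}

/* Construct an argument of arglen 'A' bytes (mirroring the report's
 * python -c 'print "A"*N') and run it through the checked path.
 * Returns 0 if both steps fit, 1 if the argument copy would overflow,
 * 2 if only the ".sym" append would overflow, -1 on allocation failure. */
int classify_argument(size_t arglen)
{
    char *arg = malloc(arglen + 1);
    if (arg == NULL)
        return -1;
    memset(arg, 'A', arglen);
    arg[arglen] = '\0';

    char fileName[PATH_BUF];
    char outFileName[PATH_BUF];
    int rc;
    if (copy_arg(fileName, sizeof fileName, arg) != 0)
        rc = 1;
    else if (build_sym_name(outFileName, sizeof outFileName, fileName) != 0)
        rc = 2;
    else
        rc = 0;
    free(arg);
    return rc;
}

int main(void)
{
    (void)unsafe_build_sym_name;   /* illustrative only; deliberately not run */
    printf("0x2000-byte argument: stage %d (1 = argument copy would overflow)\n",
           classify_argument(0x2000));
    printf("0xfff-byte argument:  stage %d (2 = only the .sym append would overflow)\n",
           classify_argument(0xfff));
    printf("short argument:       stage %d (0 = fits)\n", classify_argument(3));
    return 0;
}
```

The point of `classify_argument` is that the two report inputs fail at different stages: 0x2000 bytes never fits the first buffer, while 0xfff bytes fits `fileName` exactly and only overruns when the five bytes of ".sym\0" are appended, which is why the report sees a FORTIFY abort in one case and a quiet "Error opening generator file" in the other. Rejecting up front, as `build_sym_name` does, gives the program a place to print a clear error about the name length instead of either outcome.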