I would like to update the contents of 'Attack Scenario'.

from:
$ python -c "print('A' * 0xFFFFFFFF + ' : ' + 'B')" > /var/crash/fake.crash

to:
$ python -c "print('A' * 0xFFFFFFFE + ' : ' + 'B')" > /var/crash/fake.crash

Segfault can arise when the following requirements are met, as I mentioned above.
- length of ‘value’ in .crash file => 0 < {length of ‘value’} < 1024
- length of ‘key’ in .crash file => UINT32_MAX - {length of ‘value’} - 7 < {length of ‘key’} < UINT32_MAX

Please check this issue.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to whoopsie in Ubuntu.
https://bugs.launchpad.net/bugs/1872560

Title:
  heap-based buffer overflow in bson.c

Status in whoopsie package in Ubuntu:
  New

Bug description:
  Hi,

  I have found a security issue in whoopsie 0.2.69 and earlier.

  ## Vulnerability in whoopsie
  - whoopsie 0.2.69 and earlier have a heap-based buffer overflow vulnerability.
  - An attacker can cause a denial of service (memory corruption and application crash) via a crafted .crash file.

  
  ## Basic
  When a program has crashed, the Linux system tries to create a '.crash' file in the '/var/crash/' directory with the python script located at '/usr/share/apport/apport'.
  The file contains a series of system crash information including core dump, syslog, stack trace, memory map info, etc.
  After the creation of the '.crash' file, whoopsie extracts the above information from the '.crash' file and encodes it into binary json (bson) format.
  Lastly, whoopsie forwards the data to a remotely connected Ubuntu Error Report system.

   
  ## Vulnerability
  Unfortunately, we have found a heap-based buffer overflow vulnerability during the encoding, when whoopsie attempts to bsonify a crafted crash file.
  The data in the '.crash' file is stored in key-value form and whoopsie separately measures the lengths of 'key' and 'value' to allocate a memory region during the encoding.
  A heap-based buffer overflow can occur when an integer overflow happens on a variable that contains the length of 'key'.
  FYI, the corresponding issue raised by 'value' is well covered by exception handling.

  
@[bson.c:663][https://git.launchpad.net/ubuntu/+source/whoopsie/tree/lib/bson/bson.c?h=applied/0.2.69#n663]

  const uint32_t len = strlen( name ) + 1;

  - Integer overflow occurs when the length of ‘name’ exceeds the INT32_MAX value.
  - Here, ‘name’ indicates the ‘key’ data in the ‘.crash’ file.

  
@[bson.c:627][https://git.launchpad.net/ubuntu/+source/whoopsie/tree/lib/bson/bson.c?h=applied/0.2.69#n627]

  b->data = bson_realloc( b->data, new_size );

  - An unexpectedly small memory region is allocated due to the above integer overflow.

  
@[bson.c:680][https://git.launchpad.net/ubuntu/+source/whoopsie/tree/lib/bson/bson.c?h=applied/0.2.69#n680]

  bson_append( b, name, len );

  - Memory corruption happens when an unexpectedly small memory region is allocated.

  
  ## Attack Scenario
  1) Create a fake.crash file
  - A '.crash' file is composed of the following format: 'key : value'.
  - To cause the overflow attack, the size of 'key' should be double the amount of INT32_MAX.
  - The size of 'value' doesn’t matter, but it must not be zero length.

  $ python -c "print('A' * 0xFFFFFFFF + ' : ' + 'B')" > /var/crash/fake.crash
  $ cat fake.crash
  AAA … AA : B

  
  2) Trigger whoopsie to read the fake.crash file
  - Just create a 'fake.upload' file with the touch command.
  - Or launch the apport-gtk GUI or the apport-bug CLI application.

  3) Check out the result
  - After a while, whoopsie has been killed by a segmentation fault.

  Sincerely,
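The size arithmetic the report walks through, modelled as an added example (written for this page, not code from whoopsie or the reporter): `wrapped_reserved_size()` reproduces the `uint32_t` computation of `len` at bson.c:663 and the size that `bson_realloc()` is then asked for, `overflow_possible()` compares it with the `len` bytes that `bson_append()` copies, and `checked_reserved_size()` is a hardened variant that bounds both lengths before adding. The 4 + strlen(value) + 1 data size for a string element is an assumption about the BSON string layout (int32 length, bytes, NUL).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>

/* Constructed model of the size arithmetic at bson.c:663/627/680 (not the
 * project's code): len = strlen(name) + 1 is stored in a uint32_t, the buffer
 * is grown by 1 + len + dataSize, and bson_append() then copies len bytes.
 * Assumption: a string element's data size is the BSON wire layout
 * int32 length + value bytes + NUL, i.e. 4 + value_len + 1. */

static uint32_t string_data_size(size_t value_len)
{
    return 4u + (uint32_t)value_len + 1u;
}

/* Bytes the wrapped computation reserves for type byte + name + data. */
uint32_t wrapped_reserved_size(size_t key_len, size_t value_len)
{
    const uint32_t len = (uint32_t)(key_len + 1);  /* truncates: wraps at 2^32 */
    return 1u + len + string_data_size(value_len); /* may wrap a second time */
}

/* True when bson_append(b, name, len) would copy more bytes than the
 * (wrapped) reservation holds: the heap overflow described in the report. */
bool overflow_possible(size_t key_len, size_t value_len)
{
    const uint32_t len = (uint32_t)(key_len + 1);
    return len > wrapped_reserved_size(key_len, value_len);
}

/* Hardened variant: bound both lengths to what the on-wire int32 fields can
 * hold, do the sum in 64 bits, and reject anything that would not fit.
 * Returns the bytes to reserve, or -1 if the element must be refused. */
int64_t checked_reserved_size(size_t key_len, size_t value_len)
{
    if (key_len >= INT32_MAX || value_len >= INT32_MAX)
        return -1;
    const uint64_t total = 1ull + (uint64_t)key_len + 1ull    /* type, name, NUL */
                         + 4ull + (uint64_t)value_len + 1ull; /* int32 len, value, NUL */
    if (total > (uint64_t)INT32_MAX)   /* BSON documents are int32-sized */
        return -1;
    return (int64_t)total;
}
```

Run against the reporter's bounds, `overflow_possible()` is true for the corrected 0xFFFFFFFE key length (the reservation wraps to 6 bytes) and at the lower bound UINT32_MAX - len(value) - 6, while at 0xFFFFFFFF the model's `len` itself wraps to 0 and nothing is copied.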


-- 
Mailing list: https://launchpad.net/~touch-packages