
fix heap-buffer-overflow issues #26

hititou opened this issue Feb 26, 2021 · 0 comments

hititou commented Feb 26, 2021

file : NeutrinoRDP/libfreerdp-core/credssp.c
function : credssp_write_ts_password_creds , credssp_sizeof_ts_password_creds

Cause:
The `length * 2` scaling is wrong. `ntlmssp_set_username` (ntlmssp.c:166) stores the UTF-16 output of `freerdp_uniconv_out` (unicode.c:118), and the `.length` recorded with it is already a byte count, so multiplying it again doubles the read. In the AddressSanitizer report below the username buffer is 28 bytes (26 bytes of UTF-16 plus the 2-byte terminator), yet `ber_write_octet_string` reads 52 bytes (26 * 2) — 24 bytes past the end of the heap allocation. The same `* 2` is applied to the domain and password fields, so the multiplier should be dropped from all three, in both `credssp_sizeof_ts_password_creds` (which otherwise over-reports the encoded size) and `credssp_write_ts_password_creds`.

Proposed fix (the original `* 2` calls are left commented out for comparison):
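/*
 * Size in bytes of the body of the TSPasswordCreds SEQUENCE, i.e. the
 * three BER-encoded OCTET STRINGs [0] domainName, [1] userName and
 * [2] password.  The enclosing SEQUENCE tag is not included.
 *
 * The NTLMSSP blobs are the UTF-16 buffers produced by freerdp_uniconv_out
 * and their .length already counts bytes, so each length is passed through
 * unscaled.  The previous "* 2" doubled it and made ber_write_octet_string
 * read past the end of each buffer (see the ASan report in this issue).
 *
 * Returns the summed encoded size; a zero-length field still contributes
 * its tag/length bytes.
 */
int credssp_sizeof_ts_password_creds(rdpCredssp* credssp)
{
	int total = 0;

	/* [0] domainName */
	total += ber_sizeof_sequence_octet_string(credssp->ntlmssp->domain.length);
	/* [1] userName */
	total += ber_sizeof_sequence_octet_string(credssp->ntlmssp->username.length);
	/* [2] password */
	total += ber_sizeof_sequence_octet_string(credssp->ntlmssp->password.length);

	return total;
}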
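/*
 * Write the TSPasswordCreds SEQUENCE (domainName, userName, password) into
 * stream s.
 *
 * Each OCTET STRING is written with the byte length stored alongside the
 * UTF-16 blob; the earlier "* 2" scaling read past the end of the buffers
 * allocated by freerdp_uniconv_out (heap-buffer-overflow under ASan).
 *
 * Returns the number of bytes written.  If s has less room than the encoded
 * body needs, nothing is written and 0 is returned; the original code only
 * logged in that case and then wrote anyway, overrunning the stream buffer.
 * NOTE(review): callers that sum this return value (credssp_write_ts_credentials)
 * will then produce a short encoding — confirm they treat 0 as an error.
 */
int credssp_write_ts_password_creds(rdpCredssp* credssp, STREAM* s)
{
	int written = 0;
	int innerSize = credssp_sizeof_ts_password_creds(credssp);

	/* NOTE(review): this compares only the SEQUENCE body against the space
	 * left; the SEQUENCE tag written below is not counted, so the check is
	 * slightly optimistic.  Kept as in the original pending a tag-size helper. */
	if (innerSize > stream_get_left(s))
	{
		printf("\033[91m[ ERROR ] Not enough space allocated for ts_password_creds\033[0m");
		/* Bail out before touching s rather than corrupting memory. */
		return 0;
	}

	/* TSPasswordCreds (SEQUENCE) */
	written += ber_write_sequence_tag(s, innerSize);

	/* [0] domainName (OCTET STRING) -- .length is already a byte count */
	written += ber_write_sequence_octet_string(s, 0,
	                                           credssp->ntlmssp->domain.data,
	                                           credssp->ntlmssp->domain.length);

	/* [1] userName (OCTET STRING) */
	written += ber_write_sequence_octet_string(s, 1,
	                                           credssp->ntlmssp->username.data,
	                                           credssp->ntlmssp->username.length);

	/* [2] password (OCTET STRING) */
	written += ber_write_sequence_octet_string(s, 2,
	                                           credssp->ntlmssp->password.data,
	                                           credssp->ntlmssp->password.length);

	return written;
}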

AddressSanitizer report (the 52-byte read is exactly twice the 26-byte UTF-16 username length, from a 28-byte allocation):
==9541==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300007733c at pc 0x7ffff6e91733 bp 0x7ffff21630c0 sp 0x7ffff2162868
READ of size 52 at 0x60300007733c thread T1
#0 0x7ffff6e91732 (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79732)
#1 0x7fffed1ba209 in ber_write_octet_string /NeutrinoRDP/libfreerdp-core/ber.c:350
#2 0x7fffed1c6cf6 in credssp_write_ts_password_creds /NeutrinoRDP/libfreerdp-core/credssp.c:361
#3 0x7fffed1c6eb7 in credssp_write_ts_credentials /NeutrinoRDP/libfreerdp-core/credssp.c:397
#4 0x7fffed1c6f40 in credssp_encode_ts_credentials /NeutrinoRDP/libfreerdp-core/credssp.c:417
#5 0x7fffed1c6848 in credssp_authenticate /NeutrinoRDP/libfreerdp-core/credssp.c:213
#6 0x7fffed1e7a6f in transport_connect_nla /NeutrinoRDP/libfreerdp-core/transport.c:211
#7 0x7fffed1de250 in rdp_client_connect /NeutrinoRDP/libfreerdp-core/connection.c:98
#8 0x7fffed1d5669 in freerdp_connect /NeutrinoRDP/libfreerdp-core/freerdp.c:48

0x60300007733c is located 0 bytes to the right of 28-byte region [0x603000077320,0x60300007733c)
allocated by thread T1 here:
#0 0x7ffff6ef6b40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
#1 0x7ffff4dcf822 in xmalloc /NeutrinoRDP/libfreerdp-utils/memory.c:55
#2 0x7ffff4dd2f3a in freerdp_uniconv_out /NeutrinoRDP/libfreerdp-utils/unicode.c:118
#3 0x7fffed1c77ad in ntlmssp_set_username /NeutrinoRDP/libfreerdp-core/ntlmssp.c:166
#4 0x7fffed1c6470 in credssp_ntlmssp_init /NeutrinoRDP/libfreerdp-core/credssp.c:103
#5 0x7fffed1c65ea in credssp_authenticate /NeutrinoRDP/libfreerdp-core/credssp.c:166
#6 0x7fffed1e7a6f in transport_connect_nla /NeutrinoRDP/libfreerdp-core/transport.c:211
#7 0x7fffed1de250 in rdp_client_connect /NeutrinoRDP/libfreerdp-core/connection.c:98
#8 0x7fffed1d5669 in freerdp_connect /NeutrinoRDP/libfreerdp-core/freerdp.c:48

SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79732)
Shadow bytes around the buggy address:
0x0c0680006e10: fd fd fd fa fa fa fd fd fd fd fa fa fd fd fd fd
0x0c0680006e20: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
0x0c0680006e30: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
0x0c0680006e40: fd fd fd fd fa fa fd fd fd fa fa fa fd fd fd fa
0x0c0680006e50: fa fa fd fd fd fa fa fa fd fd fd fa fa fa 00 00
=>0x0c0680006e60: 00 fa fa fa 00 00 00[04]fa fa 00 00 00 00 fa fa
0x0c0680006e70: fd fd fd fa fa fa 00 00 00 fa fa fa 00 00 00 06
0x0c0680006e80: fa fa fd fd fd fd fa fa 00 00 00 fa fa fa fd fd
0x0c0680006e90: fd fd fa fa fd fd fd fa fa fa 00 00 00 fa fa fa
0x0c0680006ea0: 00 00 00 fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0680006eb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
