
heap-buffer-overflow in kac_print #26

Open
khang06 opened this issue May 28, 2018 · 4 comments

Comments


khang06 commented May 28, 2018

ASAN log: https://hastebin.com/fajijidacu.go
Crashing sample: heapoverflownpdm.zip
Found through afl-fuzz.

Owner

SciresM commented May 29, 2018

The NPDM provided has malformed input -- the ACI0 appears to have been shifted one byte to start at 0x4A3 instead of 0x4A4, where it should.

I'm not entirely certain that this is reasonably addressable -- the ACI/KAC format specifies the size for the KAC, and by shifting the format you're causing it to decide the KAC is enormous, so it will crash while trying to parse KAC entries in uninitialized memory.

I don't know that it's within scope to guard against deliberately malicious input.

Thoughts?
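The failure mode described above is a size field trusted by a loop that never compares it against the bytes actually present, so a one-byte shift turns a small KAC into an enormous one and the printer walks off the end of the heap allocation. The following is an added example, not hactool's code: it uses a hypothetical, simplified ACI0-like header (magic, then a KAC offset and size field, all assumed positions) and shows the three checks a defensive parser wants before iterating, on a constructed image, a copy of it misaligned by one byte as in the report, and a copy whose size field is bogus. All identifiers, offsets and sample values are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical simplified layout, modelled on the thread's description only:
 * a header carrying the offset and size of a kernel-access-control (KAC)
 * array of u32 descriptors. Field positions are assumptions for this example. */
#define ACI0_MAGIC 0x30494341u   /* "ACI0" read as a little-endian u32 */
#define HDR_SIZE   0x10u
#define KAC_OFF    0x08u         /* u32: KAC offset relative to the header */
#define KAC_SIZE   0x0Cu         /* u32: KAC size in bytes */

typedef enum { KAC_OK = 0, KAC_BAD_MAGIC, KAC_TRUNCATED, KAC_BAD_SIZE } kac_status;

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Walk the KAC entries, checking every size/offset against the bytes that
 * really exist in buf[0..len). Stores the number of entries visited in *count. */
kac_status kac_walk(const uint8_t *buf, size_t len, size_t aci0_off, size_t *count) {
    *count = 0;
    if (aci0_off > len || len - aci0_off < HDR_SIZE) return KAC_TRUNCATED;
    const uint8_t *hdr = buf + aci0_off;
    if (rd32(hdr) != ACI0_MAGIC) return KAC_BAD_MAGIC;      /* misaligned header */
    uint32_t off = rd32(hdr + KAC_OFF), size = rd32(hdr + KAC_SIZE);
    if (size % 4 != 0) return KAC_BAD_SIZE;                /* entries are u32 */
    size_t avail = len - aci0_off;
    /* Written so that off + size cannot overflow before the comparison. */
    if (off > avail || size > avail - off) return KAC_TRUNCATED;
    for (uint32_t i = 0; i < size; i += 4) {
        uint32_t entry = rd32(hdr + off + i);
        (void)entry;   /* a real printer would decode the descriptor here */
        (*count)++;
    }
    return KAC_OK;
}

/* Constructed 64-byte image: header at aci0_off, three KAC entries right
 * after it. kac_size is written verbatim so a caller can inject a bad value. */
#define SAMPLE_LEN 0x40u
static void build_sample(uint8_t *img, size_t aci0_off, uint32_t kac_size) {
    memset(img, 0, SAMPLE_LEN);
    uint8_t *hdr = img + aci0_off;
    wr32(hdr, ACI0_MAGIC);
    wr32(hdr + KAC_OFF, HDR_SIZE);
    wr32(hdr + KAC_SIZE, kac_size);
    wr32(hdr + HDR_SIZE + 0, 0x00000007u);   /* constructed descriptor values */
    wr32(hdr + HDR_SIZE + 4, 0x0000000Fu);
    wr32(hdr + HDR_SIZE + 8, 0x00000017u);
}

kac_status demo_valid(size_t *n) {
    uint8_t img[SAMPLE_LEN];
    build_sample(img, 0x20, 12);
    return kac_walk(img, SAMPLE_LEN, 0x20, n);
}
/* Header really sits at 0x20 but the parser is told 0x1F: the one-byte
 * shift from the report. The magic check rejects it before any size is trusted. */
kac_status demo_shifted(size_t *n) {
    uint8_t img[SAMPLE_LEN];
    build_sample(img, 0x20, 12);
    return kac_walk(img, SAMPLE_LEN, 0x1F, n);
}
/* Magic intact, but the size field claims far more bytes than the file has. */
kac_status demo_oversized(size_t *n) {
    uint8_t img[SAMPLE_LEN];
    build_sample(img, 0x20, 0xFFFFFFF0u);
    return kac_walk(img, SAMPLE_LEN, 0x20, n);
}

int main(void) {
    size_t n;
    printf("valid:     status=%d entries=%zu\n", demo_valid(&n), n);
    printf("shifted:   status=%d\n", demo_shifted(&n));
    printf("oversized: status=%d\n", demo_oversized(&n));
    return 0;
}
```

The point of the three checks is that they depend only on the buffer length the caller already knows, so a malformed or deliberately shifted file degrades into an error return rather than a read past the allocation; when fuzzing a parser like this under ASAN, any remaining out-of-bounds read shows up as a heap-buffer-overflow report rather than silent garbage output.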

Author

khang06 commented May 29, 2018

If you do plan to patch out exploits in hactool, then I'll probably fuzz it some more (so far I found 2 heap overflows and a stack overflow in the romfs parser).

@grandnew

Has this issue been solved? @SciresM
What is the command? @khang06
Thanks!

Author

khang06 commented Jul 14, 2018

I saw your previous message about compiling with ASAN. You need -fsanitize=address in the linker flags, too.

3 participants