wangf1978/DumpTS

buffer-overflow in function PushTSBuf() at src/PayloadBuf.cpp:706

Opened this issue · 0 comments

Describe:
A heap-buffer-overflow was discovered in DumpTS v0.1.0-nightly. The issue is being triggered in function PushTSBuf() at src/PayloadBuf.cpp:706.Attackers may exploit this vulnerability to execute and cause a DOS attack.

Reproduce:

Tested in Ubuntu 22.04
Compile the program with address sanitizer with this:
first add the command in makefile as follows:

image

Then:
gdb --args ./DumpTS /home/DumpTS/fuzz_out2/default/crashes/id:000003,sig:06,src:000015+000006,time:134707,execs:46267,op:splice,rep:11 --showinfo --removebox='unkn'
(gdb) set logging on
(gdb) set logging file out.txt
(gdb) set logging redirect on
(gdb) break main
(gdb) run
(gdb) step
(gdb) print argc
(gdb) print argv
(gdb) continue
(gdb) info signals
(gdb) backtrace

GDB Reports:

(gdb) backtrace 
#0  0x00007f29f214a03f in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x0000557574249cdb in CPayloadBuf::PushTSBuf (this=0x557574c02520, idxTSPack=0, pBuf=0x7fffebdc3240 "", offStart=239 '\357', offEnd=192 '\300') at ../../src/PayloadBuf.cpp:706
#2  0x000055757433d8c6 in DumpOneStream () at ../../src/DumpStream.cpp:2884
#3  0x000055757435cd52 in main (argc=4, argv=0x7fffebdc4728) at ../../src/DumpTS.cpp:1312

and this is the command at the bug address:
image

Poc

Poc file is here

Fuzzer
Fuzzer is AFL.