buffer-overflow in function PushTSBuf() at src/PayloadBuf.cpp:706
Opened this issue · 0 comments
Describe:
A heap-buffer-overflow was discovered in DumpTS v0.1.0-nightly. The issue is being triggered in function PushTSBuf() at src/PayloadBuf.cpp:706.Attackers may exploit this vulnerability to execute and cause a DOS attack.
Reproduce:
Tested in Ubuntu 22.04
Compile the program with address sanitizer with this:
first add the command in makefile as follows:
Then:
gdb --args ./DumpTS /home/DumpTS/fuzz_out2/default/crashes/id:000003,sig:06,src:000015+000006,time:134707,execs:46267,op:splice,rep:11 --showinfo --removebox='unkn'
(gdb) set logging on
(gdb) set logging file out.txt
(gdb) set logging redirect on
(gdb) break main
(gdb) run
(gdb) step
(gdb) print argc
(gdb) print argv
(gdb) continue
(gdb) info signals
(gdb) backtrace
GDB Reports:
(gdb) backtrace
#0 0x00007f29f214a03f in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#1 0x0000557574249cdb in CPayloadBuf::PushTSBuf (this=0x557574c02520, idxTSPack=0, pBuf=0x7fffebdc3240 "", offStart=239 '\357', offEnd=192 '\300') at ../../src/PayloadBuf.cpp:706
#2 0x000055757433d8c6 in DumpOneStream () at ../../src/DumpStream.cpp:2884
#3 0x000055757435cd52 in main (argc=4, argv=0x7fffebdc4728) at ../../src/DumpTS.cpp:1312
and this is the command at the bug address:
Poc
Poc file is here
Fuzzer
Fuzzer is AFL.