ARGUSBug Unchecked length in ArgusGenerateRecordStruct causes SEGFAULT

Chris Benedict via Argus-info argus-info at lists.andrew.cmu.edu
Fri Aug 19 17:54:50 EDT 2016 

>Description:

   This issue was discovered with AFL (http://lcamtuf.coredump.cx/afl/).

   Within ArgusGenerateRecordStruct() in common/argus_client.c at line 2834 the
   variable 'tlabel->hdr.argus_dsrvl8.len' is not checked. When set to 0 as in
   the sample provided, it causes 'llen' to be set to a negative number. When
   passed to bzero() at line 2836 it causes a segmentation fault and causes the
   application to crash.

   This bug is potentially exploitable. We request an appropriate CVE.

>How-To-Repeat:

   Download sample from:
   https://nfiles.nist.gov/seos/1000/mpd/ui27082016897c598e94f8f9febc4682415276ed88

   Execute with ra:
   ra -r sample

   Please note, the file will only be available until August 26, 2016. If you
   encounter any difficulty please contact me at
c.benedict at prometheuscomputing.com.

>Fix:

   Add bounds checking to the relevant function at around line 2834 such as:

   if (tlabel->hdr.argus_dsrvl8.len <= 0) {
      ArgusLog (LOG_ERR, "ArgusGenerateRecordStruct: pre
ARGUS_LABEL_DSR len is zero");
      break;
   }

>Originator: Chris Benedict, Aurelien Delaitre, NIST SAMATE Project, https://samate.nist.gov
>Organization:
 National Institute of Standards and Technology
>ARGUS support: none
>Release:       argus-3.0
>Product:       ra
>Synopsis:      Unchecked length in ArgusGenerateRecordStruct causes SEGFAULT
>Class:        sw-bug
>Severity:      serious
>Priority:      high

>Environment:   Linux

System:  Linux 4.7.0-1-ARCH #1 SMP PREEMPT Mon Aug 8 22:05:58 CEST
2016 x86_64 GNU/Linux


Paths:    /usr/local/sbin/argus /usr/local/bin/ra /usr/bin/make
/usr/bin/gcc /usr/bin/cc

ARGUS:   Argus Version 3.0.8.2
RA:      Ra Version 3.0.8.2


GCC:     Using built-in specs.
COLLECT_GCC=/usr/bin/gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-pc-linux-gnu/6.1.1/lto-wrapper
Target: x86_64-pc-linux-gnu
Thread model: posix
gcc version 6.1.1 20160802 (GCC)

LIBC:
-rw-r--r-- 1 root root 4769020 Aug  6 05:17 /lib/libc.a
-rw-r--r-- 1 root root 255 Aug  6 05:16 /lib/libc.so
lrwxrwxrwx 1 root root 12 Aug  6 05:17 /lib/libc.so.6 -> libc-2.24.so
-rwxr-xr-x 1 root root 1951744 Aug  6 05:17 /lib/libc-2.24.so
-rw-r--r-- 1 root root 4769020 Aug  6 05:17 /usr/lib/libc.a
-rw-r--r-- 1 root root 255 Aug  6 05:16 /usr/lib/libc.so
lrwxrwxrwx 1 root root 12 Aug  6 05:17 /usr/lib/libc.so.6 -> libc-2.24.so
-rwxr-xr-x 1 root root 1951744 Aug  6 05:17 /usr/lib/libc-2.24.so

More information about the argus mailing list