Heap buffer overlow

9 views
Skip to first unread message

hosein askari

unread,
Jul 19, 2021, 2:33:05 AM (11 days ago) Jul 19
to memcached
To whom it may concern,

I really appreciate your cooperation for your dedicated time to my report.
The PoC is attached to this email.

# ./memcached --auth-file=input/a.txt  -u root -m 1024 -p 11211

=================================================================
==1061115==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000009e at pc 0x7fae5a305f9d bp 0x7ffee16f4fd0 sp 0x7ffee16f4778
WRITE of size 15 at 0x60200000009e thread T0
    #0 0x7fae5a305f9c  (/lib/x86_64-linux-gnu/libasan.so.5+0x53f9c)
    #1 0x55bca5ccaf23 in fgets /usr/include/x86_64-linux-gnu/bits/stdio2.h:265
    #2 0x55bca5ccaf23 in authfile_load /home/constantine/test/memcached/authfile.c:50
    #3 0x55bca5c3ffb5 in main /home/constantine/test/memcached/memcached.c:5639
    #4 0x7fae597010b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #5 0x55bca5c45d9d in _start (/home/constantine/test/memcached/memcached+0x26d9d)

0x60200000009e is located 0 bytes to the right of 14-byte region [0x602000000090,0x60200000009e)
allocated by thread T0 here:
    #0 0x7fae5a3bfdc6 in calloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10ddc6)
    #1 0x55bca5ccaedd in authfile_load /home/constantine/test/memcached/authfile.c:44

SUMMARY: AddressSanitizer: heap-buffer-overflow (/lib/x86_64-linux-gnu/libasan.so.5+0x53f9c) 
Shadow bytes around the buggy address:
  0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff8000: fa fa 00 04 fa fa 00 00 fa fa 00 00 fa fa 00 00
=>0x0c047fff8010: fa fa 00[06]fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1061115==ABORTING

I am looking forward to hearing from you in the earliest convenience.

Sincerely,
Mohammad Hosein Askari
a.txt
Reply all
Reply to author
Forward
0 new messages