Wednesday, 16 May 2018

Buffer overflow in ICU4C

Hi Internet,

This post is about a contribution to International Components for Unicode (ICU4C): a missing buffer-size check, an sprintf() call with no bounds on the destination buffer.

While going through the source code of Node.js, specifically the file pkgdata.cpp (lines 911-915), we found the following:

Vulnerable code (pkgdata.cpp):
#else
        /* libFileNames[LIB_FILE] is a fixed-size char array; sprintf
           writes prefix + libName into it with no length check */
        sprintf(libFileNames[LIB_FILE], "%s%s",
                pkgDataFlags[LIBPREFIX],
                libName);
#endif

The above code never checks whether the formatted string fits in libFileNames[LIB_FILE], which is CWE-120, a classic buffer overflow. We were still not clear about the attack vector at this point, but submitted an issue to Node.js anyway.
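To make the CWE-120 point concrete, here is an added example (not the original pkgdata.cpp code, and not ICU's or Steven's fix) showing the unbounded pattern beside a bounded replacement. It assumes a hypothetical destination size LIB_FILE_NAME_SIZE and constructed library names; it measures what sprintf would write with snprintf(NULL, 0, ...) instead of actually overrunning memory, and the hardened helper detects truncation rather than silently accepting it.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical size for this illustration only; the real libFileNames
 * array in pkgdata.cpp has its own fixed size, which is not assumed here. */
#define LIB_FILE_NAME_SIZE 32

/* How many bytes the unbounded sprintf("%s%s", prefix, libname) in the post
 * would write, excluding the NUL terminator. snprintf(NULL, 0, ...) only
 * computes the length, so this never touches a destination buffer. */
size_t bytes_sprintf_would_write(const char *prefix, const char *libname)
{
    int n = snprintf(NULL, 0, "%s%s", prefix, libname);
    return n < 0 ? 0 : (size_t)n;
}

/* Would the classic sprintf overflow a destination of dstsz bytes?
 * The formatted text plus its terminating NUL must fit. */
int would_overflow(size_t dstsz, const char *prefix, const char *libname)
{
    return bytes_sprintf_would_write(prefix, libname) + 1 > dstsz;
}

/* Hardened replacement: snprintf bounded by the destination size, with the
 * truncation case reported instead of ignored. Returns 0 on success and -1
 * if the result does not fit; dst is then emptied so a truncated filename
 * is never used by mistake. */
int format_lib_filename(char *dst, size_t dstsz,
                        const char *prefix, const char *libname)
{
    if (dstsz == 0) return -1;
    int n = snprintf(dst, dstsz, "%s%s", prefix, libname);
    if (n < 0 || (size_t)n >= dstsz) {
        dst[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char libfile[LIB_FILE_NAME_SIZE];
    /* Constructed inputs: a normal library name, and an oversized one of
     * the kind a local user could pass to the build tool. */
    const char *prefix = "lib";
    const char *ok_name = "icudata";
    char long_name[64];
    memset(long_name, 'A', sizeof long_name - 1);
    long_name[sizeof long_name - 1] = '\0';

    printf("'%s%s' needs %zu bytes, overflow=%d\n", prefix, ok_name,
           bytes_sprintf_would_write(prefix, ok_name) + 1,
           would_overflow(sizeof libfile, prefix, ok_name));
    printf("oversized name needs %zu bytes, overflow=%d\n",
           bytes_sprintf_would_write(prefix, long_name) + 1,
           would_overflow(sizeof libfile, prefix, long_name));

    if (format_lib_filename(libfile, sizeof libfile, prefix, ok_name) == 0)
        printf("formatted: %s\n", libfile);
    if (format_lib_filename(libfile, sizeof libfile, prefix, long_name) != 0)
        printf("rejected: name does not fit in %zu bytes\n", sizeof libfile);
    return 0;
}
```

The check on snprintf's return value is the part that matters: snprintf alone stops the overflow, but without comparing the return value against the buffer size the tool would silently continue with a truncated filename.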

Within an hour the issue was labelled `intl`, which means it concerns Node's i18n implementation, i.e. ICU, TextEncoder/TextDecoder.

We started googling ICU; here are the wiki page and home page for it. ICU is a library used by far more than Node.js, including software from Google, Apple, GNU and many others (Whoooaaaa! 😱).

Many thanks to Steven R. Loomis, who confirmed that this is a bug (the write is unbounded), but pointed out the ifs and buts that stand between it and an actual overflow.

Steven says:
  • This code is in tooling - it's used sometimes at build time (may not be hit in a default node build)
  • I don't think there is an option even to node's ./configure that could cause an overflow here. It is at least unlikely.
We confirmed the same in the current ICU source.
Actually our best practice is to use C++ objects (std::string or equivalent) and avoid this kind of buffer manipulation entirely.

He also filed an upstream bug in the ICU project. Thank you Steven 😇 We have nevertheless requested a CVE for this bug, and that is in process.

Assumption:
The only impact of the issue is that a local user who deliberately passes overlong strings (for example, containing shellcode) when building a package could overflow this buffer and execute arbitrary code, but only in the context of their own user account, i.e. they attack themselves.

Mentions:

A shoutout to Zubin and Hardik (Teamw00t); we worked together to find this bug. Hope you like the read.



Regards
Dhiraj (Teamw00t)
