To whom it may concern,

I really appreciate your cooperation and the time you have dedicated to my report.
The PoC is attached to this email.

# ./memcached --auth-file=input/a.txt  -u root -m 1024 -p 11211

=================================================================
==1061115==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000009e at pc 0x7fae5a305f9d bp 0x7ffee16f4fd0 sp 0x7ffee16f4778
WRITE of size 15 at 0x60200000009e thread T0
    #0 0x7fae5a305f9c  (/lib/x86_64-linux-gnu/libasan.so.5+0x53f9c)
    #1 0x55bca5ccaf23 in fgets /usr/include/x86_64-linux-gnu/bits/stdio2.h:265
    #2 0x55bca5ccaf23 in authfile_load /home/constantine/test/memcached/authfile.c:50
    #3 0x55bca5c3ffb5 in main /home/constantine/test/memcached/memcached.c:5639
    #4 0x7fae597010b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #5 0x55bca5c45d9d in _start (/home/constantine/test/memcached/memcached+0x26d9d)

0x60200000009e is located 0 bytes to the right of 14-byte region [0x602000000090,0x60200000009e)
allocated by thread T0 here:
    #0 0x7fae5a3bfdc6 in calloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10ddc6)
    #1 0x55bca5ccaedd in authfile_load /home/constantine/test/memcached/authfile.c:44

SUMMARY: AddressSanitizer: heap-buffer-overflow (/lib/x86_64-linux-gnu/libasan.so.5+0x53f9c)
Shadow bytes around the buggy address:
  0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff8000: fa fa 00 04 fa fa 00 00 fa fa 00 00 fa fa 00 00
=>0x0c047fff8010: fa fa 00[06]fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1061115==ABORTING

I am looking forward to hearing from you at your earliest convenience.

Sincerely,
Mohammad Hosein Askari
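Added illustration, not memcached's authfile.c and not part of the report above: the frames show a 14-byte calloc'd region and a 15-byte write from fgets, which is the shape of a buffer sized to the file length without room for the terminating NUL that fgets stores after the characters it reads. The hypothetical loader below, fed a constructed 14-byte auth body with no trailing newline, bounds every fgets call by the space remaining so the buffer can never be overrun, and shows why the allocation needs one byte of slack beyond the data length.

```c
#define _POSIX_C_SOURCE 200809L  /* for fmemopen */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample auth body: 14 bytes, no trailing newline, matching
 * the 14-byte region and 15-byte (14 chars + NUL) write in the report. */
static const char SAMPLE_AUTH[] = "alice:secret99";

/* Sizing check a loader can apply before each fgets call: fgets(buf, n)
 * may store up to n bytes (n - 1 characters plus the NUL), so the call
 * fits only when n does not exceed the bytes still available. */
static int fgets_fits(size_t remaining, int n) {
    return n > 0 && (size_t)n <= remaining;
}

/* Read `len` bytes of auth data line by line through fgets into a buffer
 * of len + slack bytes, never passing fgets more than the space left.
 * Returns the number of payload bytes stored. With slack == 0 the final
 * unterminated line loses its last character, because the NUL needs the
 * byte the file length did not account for; slack == 1 stores it all. */
static long load_auth(const char *data, size_t len, size_t slack) {
    FILE *f = fmemopen((void *)data, len, "r");
    if (f == NULL) return -1;
    size_t cap = len + slack;
    char *buf = calloc(1, cap);
    if (buf == NULL) { fclose(f); return -1; }
    char *cur = buf, *end = buf + cap;
    long copied = 0;
    /* Stop at one byte left: fgets(cur, 1) stores only a NUL anyway. */
    while (fgets_fits((size_t)(end - cur), (int)(end - cur)) && end - cur > 1
           && fgets(cur, (int)(end - cur), f) != NULL) {
        size_t n = strlen(cur);
        copied += (long)n;
        cur += n;  /* entries stay NUL-separated in place, as a loader would keep them */
    }
    free(buf);
    fclose(f);
    return copied;
}

int main(void) {
    size_t len = sizeof(SAMPLE_AUTH) - 1;
    printf("slack 0: %ld of %zu bytes loaded (last char lost)\n", load_auth(SAMPLE_AUTH, len, 0), len);
    printf("slack 1: %ld of %zu bytes loaded\n", load_auth(SAMPLE_AUTH, len, 1), len);
    return 0;
}
```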
