Full Disclosure mailing list archives

libelf 0.8.12 Stack-based buffer overflow in gmo2msg (libelf) via unbounded sprintf of lang argument


From: Ron E <ronaldjedgerson () gmail com>
Date: Fri, 19 Sep 2025 22:24:20 -0400

gmo2msg in libelf contains a stack-based buffer overflow in po/gmo2msg.c
when constructing filenames from the first program argument (lang). The
program uses a fixed-size local buffer (char buf[1024]) and writes into it
using sprintf(buf, "%s.gmo", lang) and sprintf(buf, "%s.msg", lang) without
checking the length of lang against the size of buf. Supplying a sufficiently
long lang argument (e.g., 1200 bytes, which together with the ".gmo" suffix
and the terminating NUL is a 1205-byte write) makes sprintf write past the
end of buf, corrupting the stack frame of main. The immediate result is a
stack-buffer-overflow crash; whether the corruption can be turned into code
execution depends on what lies beyond buf in the frame and on the target's
mitigations (stack canaries, ASLR, non-executable stack).
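The unbounded pattern next to a bounded replacement, as an added example that is not libelf's own code (the real po/gmo2msg.c is not reproduced here; the helper names, the "%s%s" format with the suffix passed separately, and the 'A'-filled inputs mirroring the PoC are assumptions):

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size of the fixed local buffer the report describes (char buf[1024]). */
#define BUF_SIZE 1024

/* Reconstruction of the unsafe pattern (assumption, not the project's code).
 * sprintf writes strlen(lang) + strlen(ext) + 1 bytes with no regard for the
 * size of buf. It is only ever called with a short lang below. */
static void make_name_unsafe(char *buf, const char *lang, const char *ext)
{
    sprintf(buf, "%s%s", lang, ext);
}

/* Number of bytes the unsafe sprintf writes, including the terminating NUL. */
size_t unsafe_bytes_written(const char *lang, const char *ext)
{
    return strlen(lang) + strlen(ext) + 1;
}

/* Hardened form: bounded write plus an explicit truncation check.
 * Returns 0 on success, -1 when lang+ext does not fit (caller must reject
 * the input rather than silently use a truncated filename). */
int make_name_safe(char *buf, size_t bufsz, const char *lang, const char *ext)
{
    int n = snprintf(buf, bufsz, "%s%s", lang, ext);
    if (n < 0 || (size_t)n >= bufsz) {
        if (bufsz > 0)
            buf[0] = '\0';   /* leave a well-defined empty string behind */
        return -1;
    }
    return 0;
}

/* Constructed input: a lang argument of `len` 'A' bytes, like the PoC. */
static char *make_lang(size_t len)
{
    char *lang = malloc(len + 1);
    if (!lang) return NULL;
    memset(lang, 'A', len);
    lang[len] = '\0';
    return lang;
}

/* How many bytes the unsafe version would push into a BUF_SIZE buffer. */
size_t demo_unsafe_bytes(size_t len, const char *ext)
{
    char *lang = make_lang(len);
    if (!lang) return 0;
    size_t n = unsafe_bytes_written(lang, ext);
    free(lang);
    return n;
}

/* What the hardened version returns for the same input (0 ok, -1 rejected). */
int demo_safe_result(size_t len, const char *ext)
{
    char buf[BUF_SIZE];
    char *lang = make_lang(len);
    if (!lang) return -2;
    int rc = make_name_safe(buf, sizeof buf, lang, ext);
    free(lang);
    return rc;
}

int main(void)
{
    char buf[BUF_SIZE];

    /* Short input: both versions produce the same filename. */
    make_name_unsafe(buf, "de", ".gmo");
    printf("unsafe, short lang: %s\n", buf);

    /* The PoC's 1200-byte lang: 1200 + 4 + 1 = 1205 bytes into a 1024-byte buf.
     * The ASan frame shows buf at [32, 1056) with the first overflowing byte at
     * offset 1056, i.e. buf[1024], which is exactly where this count passes. */
    printf("unsafe would write %zu bytes into %d\n",
           demo_unsafe_bytes(1200, ".gmo"), BUF_SIZE);
    printf("safe rc for 1200-byte lang: %d\n", demo_safe_result(1200, ".gmo"));
    printf("safe rc for 2-byte lang: %d\n", demo_safe_result(2, ".gmo"));
    return 0;
}
```

The check on snprintf's return value is the part that matters: snprintf alone only truncates, and a silently truncated filename can still open the wrong file, so the hardened version rejects anything that does not fit and reports it to the caller.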

*Impact:*

   - Immediate, reproducible crash when passing a long lang argument.
   - If the binary is executed in a privileged context (e.g., run by a
     privileged service, installed setuid, package scripts), or on targets with
     downgraded exploit mitigations, a reliable exploit may be feasible.
   - Memory corruption could be used as a primitive in a larger exploit chain.


*Proof of Concept:*

./gmo2msg "$(python3 -c 'print("A"*1200)')"


*Output:*

=================================================================
==11304==ERROR: AddressSanitizer: stack-buffer-overflow on address ...
WRITE of size 1205 at ...
    #0 0x... in vsprintf (...)
    #1 0x... in sprintf (...)
    #2 0x... in main /root/libelf/./po/gmo2msg.c:64:5
...
This frame has 1 object(s):
  [32, 1056) 'buf' (line 40) <== Memory access at offset 1056 overflows this variable
SUMMARY: AddressSanitizer: stack-buffer-overflow ... in vsprintf
==11304==ABORTING
Aborted
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/