
heap-buffer-overflow in kac_print

Open khang06 opened this issue 6 years ago • 4 comments

ASAN log: https://hastebin.com/fajijidacu.go
Crashing sample: heapoverflownpdm.zip
Found through afl-fuzz.

khang06, May 28 '18 15:05

The NPDM provided has malformed input -- the ACI0 appears to have been shifted one byte to start at 0x4A3 instead of 0x4A4, where it should.

I'm not entirely certain that this is reasonably addressable -- the ACI/KAC format specifies the size for the KAC, and by shifting the format you're causing it to decide the KAC is enormous, so it will crash while trying to parse KAC entries in uninitialized memory.

I don't know that it's within scope to guard against deliberately malicious input.

Thoughts?

SciresM, May 29 '18 01:05
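For the parsing problem described above, here is an added illustration (not hactool's own code) of reading the KAC region only after checking that the offset and size the ACI0 header claims actually fit inside the file buffer. The header layout, field names and the sample buffer are constructed for this example and are not the real NPDM format.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed ACI0-style header for this example (an assumption, not
 * hactool's real layout): magic, then the KAC offset and size, both
 * relative to the start of this header. Each KAC entry is 4 bytes. */
typedef struct {
    uint8_t  magic[4];    /* "ACI0" */
    uint32_t kac_offset;
    uint32_t kac_size;
} aci0_hdr_t;

/* Count KAC entries only after proving the region lies inside the buffer.
 * Returns the entry count, or -1 for any header that cannot be trusted.
 * Every comparison is made against what actually remains in the buffer,
 * so an oversized kac_size (as in the shifted-ACI0 sample) is rejected
 * instead of driving the entry loop into memory past the allocation. */
int kac_count_checked(const uint8_t *buf, size_t buf_len, size_t aci0_off) {
    aci0_hdr_t h;
    if (aci0_off > buf_len || buf_len - aci0_off < sizeof(aci0_hdr_t)) return -1;
    memcpy(&h, buf + aci0_off, sizeof h);
    if (memcmp(h.magic, "ACI0", 4) != 0) return -1;      /* shifted or bogus header */
    size_t remaining = buf_len - aci0_off;
    if (h.kac_offset > remaining) return -1;             /* KAC starts past the end */
    if (h.kac_size > remaining - h.kac_offset) return -1; /* KAC runs past the end */
    if (h.kac_size % 4 != 0) return -1;                  /* not whole entries */
    return (int)(h.kac_size / 4);
}

/* Constructed 64-byte NPDM-like sample: an ACI0 header at aci0_off whose
 * KAC follows the header directly; everything else is zero. */
static uint8_t g_sample[64];
const uint8_t *build_sample(size_t aci0_off, uint32_t kac_size) {
    aci0_hdr_t h = { {'A', 'C', 'I', '0'}, (uint32_t)sizeof(aci0_hdr_t), kac_size };
    memset(g_sample, 0, sizeof g_sample);
    memcpy(g_sample + aci0_off, &h, sizeof h);
    return g_sample;
}

int main(void) {
    const uint8_t *ok = build_sample(16, 12);
    printf("well-formed: %d entries\n", kac_count_checked(ok, sizeof g_sample, 16));
    printf("shifted by one byte: %d\n", kac_count_checked(ok, sizeof g_sample, 15));
    const uint8_t *huge = build_sample(16, 0x10000);
    printf("oversized kac_size: %d\n", kac_count_checked(huge, sizeof g_sample, 16));
    return 0;
}
```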

If you do plan to patch out exploits in hactool, then I'll probably fuzz it some more (so far I found 2 heap overflows and a stack overflow in the romfs parser).

khang06, May 29 '18 16:05

Has this issue been solved? @SciresM What is the command? @khang06 Thanks!

grandnew, Jul 10 '18 03:07

I saw your previous message about compiling with ASAN. You need -fsanitize=address in the linker flags, too.

khang06, Jul 14 '18 11:07