rizin icon indicating copy to clipboard operation
rizin copied to clipboard

Published 20 hours ago verified publisher icon rizinorg

UAF when trying to use obr to rebase a binary

Open s1gse9v opened this issue 9 months ago • 2 comments

When trying to use obr to rebase a binary, a heap-use-after-free occurs. This happens with various binaries and offsets.

Work environment

Questions Answers
OS/arch/bits (mandatory) Archlinux x86-64
File format of the file you reverse (mandatory) ELF
Architecture/bits of the file (mandatory) x86/64
rizin -v full output, not truncated (mandatory) rizin 0.8.0 @ linux-x86-64, built with asan from dev (6e4ea01a97e4f4e21030c01eab54024117f1e744)

Expected behavior

obr should rebase the program to the given address.

Actual behavior

A heap-use-after-free occurs, leading to a segmentation fault.

Steps to reproduce the behavior

  • the uaf occurs with various binaries, a recent cat is attached as a poc: cat.zip 
rizin /bin/cat -c 'obr 0x555555554000'

Asan output

./bin/rizin -c 'obr 0x555555554000' /bin/cat
WARNING: Neither hash nor gnu_hash exist. Falling back to heuristics for deducing the number of dynamic symbols...
WARNING: Neither hash nor gnu_hash exist. Falling back to heuristics for deducing the number of dynamic symbols...
WARNING: Neither hash nor gnu_hash exist. Falling back to heuristics for deducing the number of dynamic symbols...
=================================================================
==62838==ERROR: AddressSanitizer: heap-use-after-free on address 0x5030000f1518 at pc 0x7f31ce5a65f3 bp 0x7ffc92b62e60 sp 0x7ffc92b62e50
READ of size 8 at 0x5030000f1518 thread T0
    #0 0x7f31ce5a65f2 in vf_read ../librz/core/cvfile.c:92
    #1 0x7f31d20ca9b9 in rz_io_plugin_read ../librz/io/io_plugin.c:89
    #2 0x7f31d20c8a27 in rz_io_desc_read ../librz/io/io_desc.c:208
    #3 0x7f31d20c9c2a in rz_io_desc_read_at ../librz/io/io_desc.c:354
    #4 0x7f31d20c0c92 in rz_io_fd_read_at ../librz/io/io_fd.c:76
    #5 0x7f31d20bcc4e in fd_read_at_wrap ../librz/io/io.c:18
    #6 0x7f31d20bd200 in on_map_skyline ../librz/io/io.c:75
    #7 0x7f31d20be217 in rz_io_vread_at_mapped ../librz/io/io.c:285
    #8 0x7f31d20be344 in rz_io_read_at ../librz/io/io.c:303
    #9 0x7f31ce56d9c0 in rz_core_block_read ../librz/core/cio.c:247
    #10 0x7f31ce6487da in rz_core_seek ../librz/core/seek.c:119
    #11 0x7f31ce732f0c in handle_ts_tmp_seek_stmt_internal ../librz/core/cmd/cmd.c:3909
    #12 0x7f31ce7328f5 in handle_ts_tmp_seek_stmt ../librz/core/cmd/cmd.c:3889
    #13 0x7f31ce7449fa in handle_ts_stmt ../librz/core/cmd/cmd.c:5117
    #14 0x7f31ce7455d7 in handle_ts_statements_internal ../librz/core/cmd/cmd.c:5174
    #15 0x7f31ce744e3d in handle_ts_statements ../librz/core/cmd/cmd.c:5139
    #16 0x7f31ce746377 in core_cmd_tsrzcmd ../librz/core/cmd/cmd.c:5286
    #17 0x7f31ce746829 in rz_core_cmd ../librz/core/cmd/cmd.c:5334
    #18 0x7f31ce746dfd in rz_core_cmdf ../librz/core/cmd/cmd.c:5424
    #19 0x7f31ce4f951c in rz_core_bin_apply_sections ../librz/core/cbin.c:1009
    #20 0x7f31ce4f3250 in rz_core_bin_apply_info ../librz/core/cbin.c:269
    #21 0x7f31ce4f3802 in rz_core_bin_apply_all_info ../librz/core/cbin.c:313
    #22 0x7f31ce77babf in rz_open_binary_rebase_handler ../librz/core/cmd/cmd_open.c:760
    #23 0x7f31ce74e1da in argv_call_cb ../librz/core/cmd/cmd_api.c:739
    #24 0x7f31ce74e945 in call_cd ../librz/core/cmd/cmd_api.c:798
    #25 0x7f31ce74eaad in rz_cmd_call_parsed_args ../librz/core/cmd/cmd_api.c:816
    #26 0x7f31ce72e8cc in handle_ts_arged_stmt_internal ../librz/core/cmd/cmd.c:3559
    #27 0x7f31ce72daf0 in handle_ts_arged_stmt ../librz/core/cmd/cmd.c:3507
    #28 0x7f31ce7449fa in handle_ts_stmt ../librz/core/cmd/cmd.c:5117
    #29 0x7f31ce7455d7 in handle_ts_statements_internal ../librz/core/cmd/cmd.c:5174
    #30 0x7f31ce744e3d in handle_ts_statements ../librz/core/cmd/cmd.c:5139
    #31 0x7f31ce746377 in core_cmd_tsrzcmd ../librz/core/cmd/cmd.c:5286
    #32 0x7f31ce746888 in rz_core_cmd_lines ../librz/core/cmd/cmd.c:5342
    #33 0x7f31d380a4cf in run_commands ../librz/main/rizin.c:339
    #34 0x7f31d3811ff7 in rz_main_rizin ../librz/main/rizin.c:1413
    #35 0x556d340cc8a4 in main ../binrz/rizin/rizin.c:57
    #36 0x7f31d2839c87  (/usr/lib/libc.so.6+0x25c87) (BuildId: 32a656aa5562eece8c59a585f5eacd6cf5e2307b)
    #37 0x7f31d2839d4b in __libc_start_main (/usr/lib/libc.so.6+0x25d4b) (BuildId: 32a656aa5562eece8c59a585f5eacd6cf5e2307b)
    #38 0x556d340cc1a0 in _start (/home/s1gs3gv/Hackery/c/rizin/build_dbg_asan/bin/rizin+0x21a0) (BuildId: d0e8bf9c46eed2653042e9c9a6b28c870e96b0e4)

0x5030000f1518 is located 8 bytes inside of 24-byte region [0x5030000f1510,0x5030000f1528)
freed by thread T0 here:
    #0 0x7f31d30fb422 in free /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_malloc_linux.cpp:52
    #1 0x7f31ced314f2 in rz_bin_virtual_file_free ../librz/bin/bin.c:1039
    #2 0x7f31d2bc5803 in pvector_free_elem ../librz/util/vector.c:371
    #3 0x7f31d2bc3640 in vector_free_elems ../librz/util/vector.c:57
    #4 0x7f31d2bc37c2 in rz_vector_clear ../librz/util/vector.c:73
    #5 0x7f31d2bc3707 in rz_vector_fini ../librz/util/vector.c:66
    #6 0x7f31d2bc5a5a in rz_pvector_free ../librz/util/vector.c:416
    #7 0x7f31ced3e578 in rz_bin_set_and_process_file ../librz/bin/bobj_process_file.c:31
    #8 0x7f31ced3c33a in rz_bin_object_process_plugin_data ../librz/bin/bobj_process.c:150
    #9 0x7f31ce5549e0 in rz_core_bin_rebase ../librz/core/cfile.c:831
    #10 0x7f31ce77ba7d in rz_open_binary_rebase_handler ../librz/core/cmd/cmd_open.c:759
    #11 0x7f31ce74e1da in argv_call_cb ../librz/core/cmd/cmd_api.c:739
    #12 0x7f31ce74e945 in call_cd ../librz/core/cmd/cmd_api.c:798
    #13 0x7f31ce74eaad in rz_cmd_call_parsed_args ../librz/core/cmd/cmd_api.c:816
    #14 0x7f31ce72e8cc in handle_ts_arged_stmt_internal ../librz/core/cmd/cmd.c:3559
    #15 0x7f31ce72daf0 in handle_ts_arged_stmt ../librz/core/cmd/cmd.c:3507
    #16 0x7f31ce7449fa in handle_ts_stmt ../librz/core/cmd/cmd.c:5117
    #17 0x7f31ce7455d7 in handle_ts_statements_internal ../librz/core/cmd/cmd.c:5174
    #18 0x7f31ce744e3d in handle_ts_statements ../librz/core/cmd/cmd.c:5139
    #19 0x7f31ce746377 in core_cmd_tsrzcmd ../librz/core/cmd/cmd.c:5286
    #20 0x7f31ce746888 in rz_core_cmd_lines ../librz/core/cmd/cmd.c:5342
    #21 0x7f31d380a4cf in run_commands ../librz/main/rizin.c:339
    #22 0x7f31d3811ff7 in rz_main_rizin ../librz/main/rizin.c:1413
    #23 0x556d340cc8a4 in main ../binrz/rizin/rizin.c:57
    #24 0x7f31d2839c87  (/usr/lib/libc.so.6+0x25c87) (BuildId: 32a656aa5562eece8c59a585f5eacd6cf5e2307b)
    #25 0x7f31d2839d4b in __libc_start_main (/usr/lib/libc.so.6+0x25d4b) (BuildId: 32a656aa5562eece8c59a585f5eacd6cf5e2307b)
    #26 0x556d340cc1a0 in _start (/home/s1gs3gv/Hackery/c/rizin/build_dbg_asan/bin/rizin+0x21a0) (BuildId: d0e8bf9c46eed2653042e9c9a6b28c870e96b0e4)

previously allocated by thread T0 here:
    #0 0x7f31d30fc34a in calloc /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_malloc_linux.cpp:77
    #1 0x7f31ced9b43c in virtual_files ../librz/bin/p/bin_elf.inc:1644
    #2 0x7f31ced3e5bb in rz_bin_set_and_process_file ../librz/bin/bobj_process_file.c:32
    #3 0x7f31ced3c33a in rz_bin_object_process_plugin_data ../librz/bin/bobj_process.c:150
    #4 0x7f31ced3862a in rz_bin_object_new ../librz/bin/bobj.c:529
    #5 0x7f31ced2353c in rz_bin_file_new_from_buffer ../librz/bin/bfile.c:139
    #6 0x7f31ced2c274 in rz_bin_open_buf ../librz/bin/bin.c:291
    #7 0x7f31ced2c911 in rz_bin_open_io ../librz/bin/bin.c:349
    #8 0x7f31ce553eec in core_file_do_load_for_io_plugin ../librz/core/cfile.c:729
    #9 0x7f31ce555da3 in rz_core_bin_load ../librz/core/cfile.c:971
    #10 0x7f31d380f7f0 in rz_main_rizin ../librz/main/rizin.c:1148
    #11 0x556d340cc8a4 in main ../binrz/rizin/rizin.c:57
    #12 0x7f31d2839c87  (/usr/lib/libc.so.6+0x25c87) (BuildId: 32a656aa5562eece8c59a585f5eacd6cf5e2307b)
    #13 0x7f31d2839d4b in __libc_start_main (/usr/lib/libc.so.6+0x25d4b) (BuildId: 32a656aa5562eece8c59a585f5eacd6cf5e2307b)
    #14 0x556d340cc1a0 in _start (/home/s1gs3gv/Hackery/c/rizin/build_dbg_asan/bin/rizin+0x21a0) (BuildId: d0e8bf9c46eed2653042e9c9a6b28c870e96b0e4)

SUMMARY: AddressSanitizer: heap-use-after-free ../librz/core/cvfile.c:92 in vf_read
Shadow bytes around the buggy address:
  0x5030000f1280: fd fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa
  0x5030000f1300: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fa
  0x5030000f1380: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
  0x5030000f1400: fd fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa
  0x5030000f1480: fd fd fd fd fa fa fd fd fd fa fa fa fd fd fd fd
=>0x5030000f1500: fa fa fd[fd]fd fa fa fa fd fd fd fd fa fa fd fd
  0x5030000f1580: fd fd fa fa fd fd fd fd fa fa fd fd fd fa fa fa
  0x5030000f1600: fd fd fd fa fa fa fd fd fd fd fa fa fd fd fd fa
  0x5030000f1680: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
  0x5030000f1700: fd fa fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x5030000f1780: fd fd fd fa fa fa fd fd fd fa fa fa 00 00 06 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==62838==ABORTING

s1gse9v avatar Jun 01 '24 16:06 s1gse9v