[Secure-testing-team] Bug#850017: Exploitable crash in wrestool

Choongwoo Han cwhan.tunz at gmail.com
Thu Dec 29 08:55:33 UTC 2016


Package: icoutils
Version: 0.31.0-2
Severity: grave
Tags: security upstream

Calling ``wrestool -x [filename]`` with the attached file
causes an exploitable crash. We can control a register and the control flow.

-----------------------------------------
Reading symbols from wrestool...(no debugging symbols found)...done.
(gdb) r
Starting program: /usr/bin/wrestool -x ./test2

Program received signal SIGSEGV, Segmentation fault.
0xb7f3d1f6 in _IO_old_file_close_it (fp=fp at entry=0x8054860)
    at oldfileops.c:155
(gdb) x/i $pc
=> 0xb7f3d1f6 <_IO_old_file_close_it+198>:	call   *0x44(%eax)
(gdb) i r eax
eax            0x41414141	1094795585
(gdb) bt
#0  0xb7f3d1f6 in _IO_old_file_close_it (fp=fp at entry=0x8054860)
    at oldfileops.c:155
#1  0xb7f3b998 in _IO_old_fclose (fp=fp at entry=0x8054860) at oldiofclose.c:55
#2  0xb7e78cc8 in _IO_new_fclose (fp=0x8054860) at iofclose.c:50
#3  0x0804940c in ?? ()
#4  0xb7e2fa63 in __libc_start_main (main=0x8048df0, argc=3, 
    argv=0xbffff4c4, init=0x804e770, fini=0x804e7e0, 
    rtld_fini=0xb7fedc50 <_dl_fini>, stack_end=0xbffff4bc)
    at libc-start.c:287
#5  0x080496f0 in ?? ()
(gdb) q
A debugging session is active.

	Inferior 1 [process 9302] will be killed.

Quit anyway? (y or n) 
-------------------------------------------


-- System Information:
Debian Release: 8.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 3.16.0-4-686-pae (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages icoutils depends on:
ii  libc6        2.19-18+deb8u6
ii  libpng12-0   1.2.50-2+deb8u2
ii  libwww-perl  6.08-1
ii  perl         5.20.2-3+deb8u6
ii  zlib1g       1:1.2.8.dfsg-2+b1

icoutils recommends no packages.

Versions of packages icoutils suggests:
pn  libterm-readline-gnu-perl | libterm-readline-perl-perl  <none>

-- no debconf information
-------------- next part --------------
A non-text attachment was scrubbed...
Name: crash.zip
Type: application/zip
Size: 21040 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20161229/1bee1ed3/attachment-0001.zip>