Monday, 18 March 2019

OpenBIOS ELF Loader Buffer Overflow

Continuing to look at OpenBIOS. Here is a classic integer overflow leading to a heap based buffer overflow. nhdr->n_descsz is 32-bits. So we on x86 (32-bit), if we make it UINT_MAX, we cause ob_malloc to allocate 0 bytes. This returns a pointer. The memcpy causes memory corruption. Even if ob_calloc returned NULL, there is no error checking. 
            if (nhdr->n_namesz==sizeof(ELF_NOTE_BOOT)
                    && memcmp(name, ELF_NOTE_BOOT, sizeof(ELF_NOTE_BOOT))==0) {
                if (nhdr->n_type == EIN_PROGRAM_NAME) {
                    image_name = ob_calloc(1, nhdr->n_descsz + 1);
                    memcpy(image_name, desc, nhdr->n_descsz);
                }
And to see what ob_calloc does: 
static void *ob_calloc(size_t nmemb, size_t size)
{
    size_t alloc_size = nmemb * size;
    void *mem;

    if (alloc_size < nmemb || alloc_size < size) {
        printf("calloc overflow: %u, %u\n", nmemb, size);
        return NULL;
    }

    mem = malloc(alloc_size);
    memset(mem, 0, alloc_size);

    return mem;
}
And to verify that malloc(0) returns a pointer, we have: 
void *malloc(int size)
{
        void *ret=(void *)0;
        if(memsize>=size) {
                memsize-=size;
                ret=memptr;
                memptr = (void *)((unsigned long)memptr + size);
        }
        return ret;
}
at

Exploiting the Lorex 2K Indoor Wifi at Pwn2Own Ireland

Introduction In October InfoSect participated in Pwn2Own Ireland 2024 and successfully exploited the Sonos Era 300 smart speaker and Lor...