emin_int11

The attack surface of PERL

Aug 25th, 2016
┌─ process timing ─────────────────────────────────────┬─ overall results ─────┐
│ run time : 2 days, 1 hrs, 55 min, 13 sec │ cycles done : 9 │
│ last new path : 0 days, 0 hrs, 1 min, 47 sec │ total paths : 18.4k │
│ last uniq crash : 0 days, 3 hrs, 0 min, 53 sec │ uniq crashes : 23 │ after 2 days I have 23 unique crashes
│ last uniq hang : 1 days, 11 hrs, 26 min, 39 sec │ uniq hangs : 500+ │
├──────────────────────────────────────────────────────┴───────────────────────┤
ASAN output:

=================================================================
==24483==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000d85a at pc 0x473376 bp 0x7ffd8e096950 sp 0x7ffd8e096928
READ of size 11 at 0x60200000d85a thread T0
==24483==WARNING: Trying to symbolize code, but external symbolizer is not initialized!
#0 0x473375 (/home/ownager/perl/perl+0x473375)
#1 0x190b202 (/home/ownager/perl/perl+0x190b202)
#2 0x190a118 (/home/ownager/perl/perl+0x190a118)
#3 0x11bcb21 (/home/ownager/perl/perl+0x11bcb21)
#4 0xff1ac8 (/home/ownager/perl/perl+0xff1ac8)
#5 0xfe8a7f (/home/ownager/perl/perl+0xfe8a7f)
#6 0x122e865 (/home/ownager/perl/perl+0x122e865)
#7 0x122dbe4 (/home/ownager/perl/perl+0x122dbe4)
#8 0xce7c76 (/home/ownager/perl/perl+0xce7c76)
#9 0x6b58b9 (/home/ownager/perl/perl+0x6b58b9)
#10 0x498503 (/home/ownager/perl/perl+0x498503)
#11 0x7f0d825b3ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
#12 0x497fac (/home/ownager/perl/perl+0x497fac)

0x60200000d85a is located 0 bytes to the right of 10-byte region [0x60200000d850,0x60200000d85a)
allocated by thread T0 here:
#0 0x481ec9 (/home/ownager/perl/perl+0x481ec9)
#1 0xcf34db (/home/ownager/perl/perl+0xcf34db)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 ??
Shadow bytes around the buggy address:
0x0c047fff9ab0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9ac0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9ad0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9ae0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9af0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9b00: fa fa fa fa fa fa fa fa fa fa 00[02]fa fa 00 02
0x0c047fff9b10: fa fa 00 02 fa fa fd fd fa fa fd fd fa fa fd fd
0x0c047fff9b20: fa fa 00 02 fa fa fd fd fa fa fd fd fa fa 07 fa
0x0c047fff9b30: fa fa 02 fa fa fa 00 04 fa fa 00 fa fa fa 00 05
0x0c047fff9b40: fa fa 00 03 fa fa 00 02 fa fa 00 07 fa fa 00 06
0x0c047fff9b50: fa fa 00 02 fa fa 00 fa fa fa 00 05 fa fa 00 02
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe

=================================================================
==26762==ERROR: AddressSanitizer: heap-use-after-free on address 0x60300000e170 at pc 0x95e3b7 bp 0x7ffd4e982140 sp 0x7ffd4e982138
READ of size 1 at 0x60300000e170 thread T0
==26762==WARNING: Trying to symbolize code, but external symbolizer is not initialized!
#0 0x95e3b6 (/home/ownager/perl/perl+0x95e3b6)
#1 0x90bed7 (/home/ownager/perl/perl+0x90bed7)
#2 0x97846d (/home/ownager/perl/perl+0x97846d)
#3 0x6a474f (/home/ownager/perl/perl+0x6a474f)
#4 0x68c023 (/home/ownager/perl/perl+0x68c023)
#5 0x498462 (/home/ownager/perl/perl+0x498462)
#6 0x7fead7328ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
#7 0x497fac (/home/ownager/perl/perl+0x497fac)

0x60300000e170 is located 0 bytes inside of 24-byte region [0x60300000e170,0x60300000e188)
freed by thread T0 here:
#0 0x481d49 (/home/ownager/perl/perl+0x481d49)
#1 0xcf5c81 (/home/ownager/perl/perl+0xcf5c81)
#2 0x10e443e (/home/ownager/perl/perl+0x10e443e)

previously allocated by thread T0 here:
#0 0x4820c3 (/home/ownager/perl/perl+0x4820c3)
#1 0xcf484a (/home/ownager/perl/perl+0xcf484a)

SUMMARY: AddressSanitizer: heap-use-after-free ??:0 ??
Shadow bytes around the buggy address:
0x0c067fff9bd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9be0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9bf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c067fff9c20: fa fa fa fa fa fa fa fa fd fd fd fd fa fa[fd]fd
0x0c067fff9c30: fd fa fa fa 00 00 00 00 fa fa 00 00 00 fa fa fa
0x0c067fff9c40: 00 00 00 03 fa fa 00 00 04 fa fa fa 00 00 00 01
0x0c067fff9c50: fa fa 00 00 04 fa fa fa 00 00 03 fa fa fa 00 00
0x0c067fff9c60: 00 fa fa fa 00 00 00 01 fa fa 00 00 02 fa fa fa
0x0c067fff9c70: 00 00 01 fa fa fa 00 00 02 fa fa fa 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe

=================================================================
==30729==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000d7fa at pc 0x473376 bp 0x7ffffb113460 sp 0x7ffffb113438
READ of size 11 at 0x60200000d7fa thread T0
==30729==WARNING: Trying to symbolize code, but external symbolizer is not initialized!
#0 0x473375 (/home/ownager/perl/perl+0x473375)
#1 0x190b202 (/home/ownager/perl/perl+0x190b202)
#2 0x190a118 (/home/ownager/perl/perl+0x190a118)
#3 0x11bcb21 (/home/ownager/perl/perl+0x11bcb21)
#4 0xff1ac8 (/home/ownager/perl/perl+0xff1ac8)
#5 0xffd102 (/home/ownager/perl/perl+0xffd102)
#6 0x123aab4 (/home/ownager/perl/perl+0x123aab4)
#7 0xce7c76 (/home/ownager/perl/perl+0xce7c76)
#8 0x527eae (/home/ownager/perl/perl+0x527eae)
#9 0x4f3de0 (/home/ownager/perl/perl+0x4f3de0)
#10 0x986290 (/home/ownager/perl/perl+0x986290)
#11 0x6a474f (/home/ownager/perl/perl+0x6a474f)
#12 0x68c023 (/home/ownager/perl/perl+0x68c023)
#13 0x498462 (/home/ownager/perl/perl+0x498462)
#14 0x7fbfb440eec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
#15 0x497fac (/home/ownager/perl/perl+0x497fac)

0x60200000d7fa is located 0 bytes to the right of 10-byte region [0x60200000d7f0,0x60200000d7fa)
allocated by thread T0 here:
#0 0x481ec9 (/home/ownager/perl/perl+0x481ec9)
#1 0xcf34db (/home/ownager/perl/perl+0xcf34db)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 ??
Shadow bytes around the buggy address:
0x0c047fff9aa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9ab0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9ac0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9ad0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9ae0: fa fa fa fa fa fa 00 02 fa fa fd fd fa fa fd fd
=>0x0c047fff9af0: fa fa 00 02 fa fa fd fd fa fa 00 02 fa fa 00[02]
0x0c047fff9b00: fa fa fd fd fa fa fd fd fa fa fd fd fa fa 00 02
0x0c047fff9b10: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c047fff9b20: fa fa 00 02 fa fa fd fd fa fa 00 04 fa fa 07 fa
0x0c047fff9b30: fa fa 02 fa fa fa 00 04 fa fa 00 fa fa fa 00 05
0x0c047fff9b40: fa fa 00 03 fa fa 00 02 fa fa 00 07 fa fa 00 06
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe

=================================================================
==31485==ERROR: AddressSanitizer: heap-use-after-free on address 0x625000007913 at pc 0x520927 bp 0x7ffe690f2c70 sp 0x7ffe690f2c68
READ of size 1 at 0x625000007913 thread T0
==31485==WARNING: Trying to symbolize code, but external symbolizer is not initialized!
#0 0x520926 (/home/ownager/perl/perl+0x520926)
#1 0x98a95b (/home/ownager/perl/perl+0x98a95b)
#2 0x6a474f (/home/ownager/perl/perl+0x6a474f)
#3 0x68c023 (/home/ownager/perl/perl+0x68c023)
#4 0x498462 (/home/ownager/perl/perl+0x498462)
#5 0x7f5a562d2ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
#6 0x497fac (/home/ownager/perl/perl+0x497fac)

0x625000007913 is located 19 bytes inside of 8200-byte region [0x625000007900,0x625000009908)
freed by thread T0 here:
#0 0x4820c3 (/home/ownager/perl/perl+0x4820c3)
#1 0xcf484a (/home/ownager/perl/perl+0xcf484a)

previously allocated by thread T0 here:
#0 0x4820c3 (/home/ownager/perl/perl+0x4820c3)
#1 0xcf484a (/home/ownager/perl/perl+0xcf484a)

SUMMARY: AddressSanitizer: heap-use-after-free ??:0 ??
Shadow bytes around the buggy address:
0x0c4a7fff8ed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a7fff8ee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a7fff8ef0: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
0x0c4a7fff8f00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fff8f10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c4a7fff8f20: fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a7fff8f30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a7fff8f40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a7fff8f50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a7fff8f60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a7fff8f70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
  226.  
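Two of the four reports above are the same bug: the heap-buffer-overflow reports from pids 24483 and 30729 fault at the same pc, walk the same top frames and come from the same allocation site; only the heap address differs. afl-fuzz calls a crash "unique" when its edge-coverage path is new, so the 23 in the status screen is an upper bound on distinct bugs, and the usual next filter is to bucket by sanitizer error kind plus the top frames of the faulting stack. The script below is an added example, not part of the paste: it parses ASAN stderr, groups reports that way and says where each access lands relative to the region ASAN named. Frames are kept as (module, offset) pairs because every run printed "external symbolizer is not initialized!"; point ASAN_SYMBOLIZER_PATH at llvm-symbolizer before re-running, or resolve an offset afterwards with addr2line -e /home/ownager/perl/perl -f -C 0x473375 (which needs the binary built with debug info; the paste does not say how it was built). The sample input is the paste's own reports, cut down to the lines the parser uses.

```python
import re
from collections import OrderedDict

# The ASAN report lines this triage needs.
HEADER_RE = re.compile(r"==(\d+)==ERROR: AddressSanitizer: ([\w-]+) on address 0x([0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x")
SECTION_RE = re.compile(r"^(allocated|freed|previously allocated) by thread")
REGION_RE = re.compile(r"is located \d+ bytes .*? (\d+)-byte region \[0x([0-9a-f]+),0x([0-9a-f]+)\)")
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ \((.+?)\+0x([0-9a-f]+)\)")

# Constructed sample: the four reports from the paste, cut to the lines used here.
SAMPLE_REPORTS = """\
==24483==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000d85a at pc 0x473376 bp 0x7ffd8e096950 sp 0x7ffd8e096928
READ of size 11 at 0x60200000d85a thread T0
#0 0x473375 (/home/ownager/perl/perl+0x473375)
#1 0x190b202 (/home/ownager/perl/perl+0x190b202)
#2 0x190a118 (/home/ownager/perl/perl+0x190a118)
0x60200000d85a is located 0 bytes to the right of 10-byte region [0x60200000d850,0x60200000d85a)
allocated by thread T0 here:
#0 0x481ec9 (/home/ownager/perl/perl+0x481ec9)
SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 ??
==26762==ERROR: AddressSanitizer: heap-use-after-free on address 0x60300000e170 at pc 0x95e3b7 bp 0x7ffd4e982140 sp 0x7ffd4e982138
READ of size 1 at 0x60300000e170 thread T0
#0 0x95e3b6 (/home/ownager/perl/perl+0x95e3b6)
#1 0x90bed7 (/home/ownager/perl/perl+0x90bed7)
0x60300000e170 is located 0 bytes inside of 24-byte region [0x60300000e170,0x60300000e188)
freed by thread T0 here:
#0 0x481d49 (/home/ownager/perl/perl+0x481d49)
previously allocated by thread T0 here:
#0 0x4820c3 (/home/ownager/perl/perl+0x4820c3)
SUMMARY: AddressSanitizer: heap-use-after-free ??:0 ??
==30729==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000d7fa at pc 0x473376 bp 0x7ffffb113460 sp 0x7ffffb113438
READ of size 11 at 0x60200000d7fa thread T0
#0 0x473375 (/home/ownager/perl/perl+0x473375)
#1 0x190b202 (/home/ownager/perl/perl+0x190b202)
#2 0x190a118 (/home/ownager/perl/perl+0x190a118)
0x60200000d7fa is located 0 bytes to the right of 10-byte region [0x60200000d7f0,0x60200000d7fa)
allocated by thread T0 here:
#0 0x481ec9 (/home/ownager/perl/perl+0x481ec9)
SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 ??
==31485==ERROR: AddressSanitizer: heap-use-after-free on address 0x625000007913 at pc 0x520927 bp 0x7ffe690f2c70 sp 0x7ffe690f2c68
READ of size 1 at 0x625000007913 thread T0
#0 0x520926 (/home/ownager/perl/perl+0x520926)
#1 0x98a95b (/home/ownager/perl/perl+0x98a95b)
0x625000007913 is located 19 bytes inside of 8200-byte region [0x625000007900,0x625000009908)
freed by thread T0 here:
#0 0x4820c3 (/home/ownager/perl/perl+0x4820c3)
SUMMARY: AddressSanitizer: heap-use-after-free ??:0 ??
"""


def parse_asan_reports(text):
    """One dict per report: error kind, faulting address, access size, the heap
    region ASAN named as (length, begin, end), and each stack as (module, offset)."""
    reports, cur, section = [], None, None
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            cur = {"pid": int(m[1]), "kind": m[2], "addr": int(m[3], 16),
                   "size": None, "region": None, "stacks": {}}
            reports.append(cur)
            section = "access"          # frames up to the next section header
        elif cur is None:
            continue
        elif ACCESS_RE.match(line):
            cur["size"] = int(ACCESS_RE.match(line)[2])
        elif SECTION_RE.match(line):
            section = SECTION_RE.match(line)[1]
        elif REGION_RE.search(line):
            n, beg, end = REGION_RE.search(line).groups()
            cur["region"] = (int(n), int(beg, 16), int(end, 16))
        elif FRAME_RE.match(line):
            mod, off = FRAME_RE.match(line).groups()
            cur["stacks"].setdefault(section, []).append((mod.rsplit("/", 1)[-1], int(off, 16)))
        elif line.startswith("SUMMARY:"):
            cur = None                  # skip the shadow-byte dump that follows
    return reports


def bucket(reports, depth=3):
    """Group reports by error kind and the top `depth` frames of the faulting stack;
    module-relative offsets are stable across runs, raw heap addresses are not."""
    groups = OrderedDict()
    for r in reports:
        key = (r["kind"], tuple(r["stacks"].get("access", [])[:depth]))
        groups.setdefault(key, []).append(r)
    return groups


def region_offset(report):
    """Offset of the faulting address from the start of the region ASAN named."""
    _, beg, _ = report["region"]
    return report["addr"] - beg


if __name__ == "__main__":
    for (kind, top), rs in bucket(parse_asan_reports(SAMPLE_REPORTS)).items():
        where = ", ".join("pid %d offset %d" % (r["pid"], region_offset(r)) for r in rs)
        print(kind, "<".join("%s+%#x" % f for f in top), "|", where)
```

Run stand-alone it prints three buckets for the four reports. The overflow bucket deserves the first look: an 11-byte READ whose first bad byte sits at offset 10 of a 10-byte region is a C string function reading one byte past a buffer that carries no NUL terminator, which fits the strlen frame in the GDB session further down.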
Then I ran the script under GDB; the output looks something like this:
/ownager/perl/perl /tmp/vuln.pl

Program received signal SIGSEGV, Segmentation fault.
──[registers]──
$rax 0x3e352c4c4c475047 $rbx 0x000062100001bd00 $rcx 0x0000000000000047 $rdx 0x0000000000665a00 $rsp 0x00007fffffffd438
$rbp 0x00007fffffffd470 $rsi 0x0000000000000000 $rdi 0x3e352c4c4c475047 $rip 0x00007ffff6d1faea $r8 0x0000000000000000
$r9 0x00000ffffffffad4 $r10 0xfffffffffffffffc $r11 0x00007fffffffd6a0 $r12 0x3e352c4c4c475047 $r13 0x000000000000000e
$r14 0x3e352c4c4c475047 $r15 0x0000000000000000 $cs 0x0000000000000033 $ss 0x000000000000002b $ds 0x0000000000000000
$es 0x0000000000000000 $fs 0x0000000000000000 $gs 0x0000000000000000 $eflags [ CF PF AF SF IF RF ]
Flags: [ CARRY PARITY ADJUST zero SIGN trap INTERRUPT direction overflow RESUME virtualx86 identification ]
──[stack]──
0x00007fffffffd438│+0x00: 0x0000000000473297 → <strlen+55>: mov r14,rax ← $sp
0x00007fffffffd440│+0x08: 0x00007fffffffdb00 → 0x000060200000d752 → 0xbebebebebebe00
0x00007fffffffd448│+0x10: "[...]"
0x00007fffffffd450│+0x18: 0x000062100001bd68 → 0x0
0x00007fffffffd458│+0x20: -0x4
0x00007fffffffd460│+0x28: "GPGLL,5>"
0x00007fffffffd468│+0x30: 0x0
0x00007fffffffd470│+0x38: 0x00007fffffffdae0 → 0x00007fffffffdba0 → 0x00007fffffffdc20 → 0x00007fffffffdd90 → 0x00007fffffffde10 → 0x0
──[code:i386:x86-64]──
0x7ffff6d1fad7 <strlen+23> mov rcx,rdi
0x7ffff6d1fada <strlen+26> and rcx,0xfff
0x7ffff6d1fae1 <strlen+33> cmp rcx,0xfcf
0x7ffff6d1fae8 <strlen+40> ja 0x7ffff6d1fb50 <strlen+144>
0x7ffff6d1faea <strlen+42> movdqu xmm12,XMMWORD PTR [rax] ← $pc
0x7ffff6d1faef <strlen+47> pcmpeqb xmm12,xmm8
0x7ffff6d1faf4 <strlen+52> pmovmskb edx,xmm12
0x7ffff6d1faf9 <strlen+57> test edx,edx
0x7ffff6d1fafb <strlen+59> je 0x7ffff6d1fb01 <strlen+65>
───────────────────────────────────────────────────────────────────────────

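What makes this session worth more than a plain segfault is the value in rdi. 0x3e352c4c4c475047 read as little-endian bytes is "GPGLL,5>", the same NMEA-style text GEF shows on the stack at +0x28: the pointer strlen was handed is made of input bytes. Bits 63..48 of that value are neither all zero nor all one, so the address is non-canonical and the movdqu at strlen+42 raises #GP rather than a page fault; Linux reports that as SIGSEGV. Two caveats for triage follow from the frames: GDB stops on the signal before ASAN's own SEGV handler runs, and ASAN's strlen interceptor (the <strlen+55> return address at 0x473297 is in the perl binary, the pc is in libc) calls the real libc strlen before range-checking the result, so a wild pointer dies in libc without a sanitizer report. The absence of an ASAN report here does not mean the access was in bounds. The script below is an added example, not part of the paste: it parses the register dump, flags every register whose whole value decodes as printable text, and checks canonicality.

```python
import re
import string

# Constructed sample: the register lines from the GDB session in the paste.
GDB_REGISTERS = """\
$rax 0x3e352c4c4c475047 $rbx 0x000062100001bd00 $rcx 0x0000000000000047 $rdx 0x0000000000665a00 $rsp 0x00007fffffffd438
$rbp 0x00007fffffffd470 $rsi 0x0000000000000000 $rdi 0x3e352c4c4c475047 $rip 0x00007ffff6d1faea $r8 0x0000000000000000
$r9 0x00000ffffffffad4 $r10 0xfffffffffffffffc $r11 0x00007fffffffd6a0 $r12 0x3e352c4c4c475047 $r13 0x000000000000000e
$r14 0x3e352c4c4c475047 $r15 0x0000000000000000 $cs 0x0000000000000033 $ss 0x000000000000002b $ds 0x0000000000000000
"""

REG_RE = re.compile(r"\$(\w+) 0x([0-9a-f]+)")
# Printable ASCII minus the whitespace control characters.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def parse_registers(text):
    """{name: value} from GEF-style '$reg 0x...' pairs."""
    return {name: int(val, 16) for name, val in REG_RE.findall(text)}


def le_bytes(value, width=8):
    """The register as the bytes that were loaded into it from memory
    (x86-64 is little-endian: the low byte is the first byte in memory)."""
    return value.to_bytes(width, "little")


def is_canonical(addr):
    """x86-64 with 48-bit virtual addresses: bits 63..47 must all equal bit 47.
    A non-canonical pointer raises #GP, not a page fault, so the kernel delivers
    SIGSEGV without a fault address."""
    top = addr >> 47
    return top == 0 or top == (1 << 17) - 1


def looks_like_text(raw, min_printable=7):
    """True when at least min_printable of the bytes are printable ASCII."""
    return sum(b in PRINTABLE for b in raw) >= min_printable


def input_controlled(regs):
    """Registers whose whole value decodes as text: the usual sign of a pointer
    field that was overwritten with bytes from the input file."""
    return {n: le_bytes(v) for n, v in regs.items() if looks_like_text(le_bytes(v))}


def triage(text):
    """Summarise the crash-time registers: what rdi holds, whether it is a
    canonical address, and which registers carry input bytes."""
    regs = parse_registers(text)
    return {
        "rdi_bytes": le_bytes(regs["rdi"]),
        "rdi_canonical": is_canonical(regs["rdi"]),
        "controlled": sorted(input_controlled(regs)),
    }


if __name__ == "__main__":
    for key, val in triage(GDB_REGISTERS).items():
        print(key, val)
```

For this dump the controlled set is rax, rdi, r12 and r14, all holding "GPGLL,5>"; the next step in a real triage is to find that substring in /tmp/vuln.pl and shorten the input until the crash disappears.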
#kayfadavam (Turkish, roughly "keep enjoying")