This repository contains all the artifacts, writeups and study notes for some interesting parsing CVEs, as outlined below.
https://hackmd.io/@cspl/B1ZkFZv23 Vulnerable version (0.23.90) for Linux at: Tarball, Source Zip
STEPS TO build from source (we recommend building the Docker image instead):
1. Download the source code
2. apt install autoconf autopoint pkg-config libtool gcc make libjpeg-dev imagemagick libmagickwand-dev libv4l-dev libx11-dev libxv-dev
3. autoreconf -vfi
4. export CFLAGS="-O0 -g"; ./configure --enable-doc=yes --with-jpeg=yes --with-imagemagick=yes --prefix=/usr
5. make; make install
The Dockerfile can be built and run to install the vulnerable ZBar using the following commands:
docker build -t zbar .
docker run -it --name zbar zbar
This builds an image that sets up the environment for zbar and our testing, installs pwndbg and valgrind, and installs zbar. Once the container is running, the zbar commands (e.g., zbarimg) should work out of the box.
If you would like to modify other library files for debugging, edit the file as you wish, copy it into the /ZBAR directory in this repository, then add COPY lines to the Dockerfile to place it in the appropriate location (see lines 26-27 of the Dockerfile).
The launch.json can be used in VS Code to start debugging with GDB through a GUI.
WARNING: this file will not work outside of the Docker container!
Running the debugger within the container: if you want to use the VS Code interactive debugger within the container,
- Install Docker's official extension in VS Code.
- Run the container on the command line as shown above.
- In VS Code, open a new window, click Connect to > Attach to Running Container, and choose the container name from the list shown.
- A new window will pop up; click Open Folder and set the directory to /CVE/.
- Open the qrdec.c file in VS Code within the container; the path is /CVE/zbar-0.23.90/zbar/qrcode/qrdec.c.
- Once that file is open, you'll get a prompt to install the C/C++ extension; install it.
- Once the extension is installed, place your breakpoints and click Run and Debug; the launch.json is already in the appropriate place in the container, so the debugger works without any further setup.
The following command can be used to verify whether your QR code triggers the OOB read bug:
valgrind --leak-check=full --show-leak-kinds=all --track-origins=yes --verbose zbarimg <QR PATH>
If this error pops up, the QR code is confirmed to trigger the heap overflow.
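As an added triage helper (not part of this repository or of zbar), the POSIX shell functions below classify a saved valgrind report from the command above, so a whole directory of QR images can be checked for the invalid heap access without reading each report by hand. The memcheck log embedded in the script is constructed: the PID, addresses and function names are placeholders, and only the qrdec.c file and line 3903 come from these notes.

```shell
#!/bin/sh
# Added triage helper; not part of this repository or of zbar.
# Usage inside the container (memcheck writes its report to stderr):
#   valgrind --track-origins=yes --verbose zbarimg "$QR" 2> valgrind.log
#   valgrind_oob_check valgrind.log

# Print the first "Invalid read/write of size N" line plus the first qrdec.c
# frame and return 0; return 1 when memcheck reported no invalid access.
valgrind_oob_check() {
    kind=$(grep -m1 -oE 'Invalid (read|write) of size [0-9]+' "$1") || return 1
    frame=$(grep -m1 -oE '\(qrdec\.c:[0-9]+\)' "$1" | tr -d '()')
    echo "$kind at ${frame:-unknown frame}"
}

# Number of invalid accesses memcheck reported (0 for a clean run).
valgrind_oob_count() {
    grep -cE 'Invalid (read|write) of size' "$1" || true
}

# Constructed sample of what memcheck prints for a heap OOB read: PID,
# addresses and function names are made up; only qrdec.c:3903 is from the notes.
write_sample_log() {
    cat > "$1" <<'EOF'
==4242== Memcheck, a memory error detector
==4242== Invalid read of size 1
==4242==    at 0x4A1B2C3: decode_placeholder (qrdec.c:3903)
==4242==  Address 0x5a1b2c8 is 0 bytes after a block of size 8 alloc'd
==4242==    at 0x483B7F3: malloc (vg_replace_malloc.c:307)
==4242== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
EOF
}

# Stand-alone demo on the constructed sample: sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp); write_sample_log "$tmp"
    valgrind_oob_check "$tmp"   # prints: Invalid read of size 1 at qrdec.c:3903
    rm -f "$tmp"
fi
```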
Note: this is now done automatically when the Docker image is built. Add the following before line 3903 of qrdec.c:
printf("VALUE: %c (%u)\n", mark[i], mark[i]);
fflush(stdout);
For a detailed writeup about the CVEs, please refer to the following documents:
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1630 Vulnerable version (2.13.19.0) at: Tarball
Instructions to build from source (we recommend building the Docker image instead): https://github.com/AcademySoftwareFoundation/OpenImageIO/blob/main/INSTALL.md#building-openimageio-on-linux-or-os-x
The Dockerfile can be built and run using the following commands:
docker build -t openimageio .
docker run -it openimageio
You can use OpenImageIO to inspect images with the following command:
iinfo <imagefile>
Doing this with a maliciously crafted BMP image can result in an out-of-bounds write.