Buffer overflow in v2.2.5 in SQCompiler::Error
kalenz
#1 Posted : Saturday, August 30, 2014 5:07:04 PM(UTC)
Hi,

While looking at the code of openttd, I found a stack-based buffer overflow in SQCompiler::Error. In this method, a string parameter is put into a 256-byte stack buffer using sprintf. Most of the code paths leading to this are fine because the string is < 256 chars. However, if you look at line 643 in SQCompiler::Factor, an identifier is passed to that function.

To trigger this bug, you need to have a global constant table, and access an invalid member. When I played with the language, I was not able to create a constant table. However, if the builtins are available, it is possible to pass a table to setconsttable(), and then call compilestring() to trigger another compilation pass on the vulnerable code.

Patching is straightforward, use snprintf instead of sprintf in SQCompiler::Error.

You can find a PoC that crashes the compilation at the following address: http://kalenz.net/squirrel-poc.txt
kalenz
#2 Posted : Sunday, August 31, 2014 2:57:07 PM(UTC)
Hmm, just looked at squirrel 3.0.6 after seeing http://forum.squirrel-la...aspx?g=posts&t=3720 and it is vulnerable to exactly the same thing except that the variable is declared as SQCompiler::_compileerror[MAX_COMPILER_ERROR_LEN] instead of being on the stack. Right after this buffer in the object layout, you have "jmp_buf _errorjmp;", which is passed to a longjmp call right after overflowing. This should make it rather easy to exploit.

The fix is the same as mentioned above, use snprintf instead of sprintf.
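As an added illustration of the sprintf-to-snprintf fix discussed in both posts above (this is constructed example code, not Squirrel's own source): a stand-in for the Error() pattern with the same 256-byte buffer size, a helper that measures how many bytes the unbounded sprintf would have written (via snprintf(NULL, 0, ...), so nothing is actually overrun), and the hardened bounded version that always NUL-terminates and reports truncation. The message wording and the helper names are assumptions; the thread does not quote the real format string.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same buffer size as the thread describes: 256 bytes on the stack in 2.2.5,
   _compileerror[MAX_COMPILER_ERROR_LEN] as a member in 3.0.6. */
#define MAX_COMPILER_ERROR_LEN 256

/* Constructed message wording; the real Squirrel text is not quoted in the thread. */
#define ERR_FMT "invalid member '%s' of constant table"

/* Builds an identifier of id_len 'a' characters (constructed input standing in
   for the script-controlled identifier name that reaches Error()). */
static void make_identifier(char *dst, size_t id_len) {
    memset(dst, 'a', id_len);
    dst[id_len] = '\0';
}

/* Bytes the original unbounded sprintf would write (excluding the NUL),
   measured with snprintf(NULL, 0, ...) so no buffer is touched. */
size_t bytes_sprintf_would_write(const char *id) {
    int n = snprintf(NULL, 0, ERR_FMT, id);
    return n < 0 ? 0 : (size_t)n;
}

/* 1 if formatting this identifier with sprintf would exceed the fixed buffer. */
int would_overflow(const char *id) {
    return bytes_sprintf_would_write(id) + 1 > MAX_COMPILER_ERROR_LEN;
}

/* Hardened form of the Error() pattern: bounded write, always NUL-terminated.
   Returns 1 if the message was truncated, 0 if it fit, -1 on encoding error. */
int compiler_error_safe(char *buf, size_t buflen, const char *id) {
    int n = snprintf(buf, buflen, ERR_FMT, id);
    if (n < 0) { buf[0] = '\0'; return -1; }
    return (size_t)n >= buflen;
}

/* Wrappers that exercise the above with an identifier of a given length. */
size_t would_write_for_len(size_t id_len) {
    char *id = malloc(id_len + 1);
    if (!id) return 0;
    make_identifier(id, id_len);
    size_t n = bytes_sprintf_would_write(id);
    free(id);
    return n;
}

int would_overflow_for_len(size_t id_len) {
    return would_write_for_len(id_len) + 1 > MAX_COMPILER_ERROR_LEN;
}

int safe_error_for_len(size_t id_len) {
    char buf[MAX_COMPILER_ERROR_LEN];
    char *id = malloc(id_len + 1);
    if (!id) return -1;
    make_identifier(id, id_len);
    int truncated = compiler_error_safe(buf, sizeof buf, id);
    free(id);
    return truncated;
}

/* Length of the message the safe version leaves in the buffer. */
size_t safe_error_strlen_for_len(size_t id_len) {
    char buf[MAX_COMPILER_ERROR_LEN];
    char *id = malloc(id_len + 1);
    if (!id) return 0;
    make_identifier(id, id_len);
    compiler_error_safe(buf, sizeof buf, id);
    free(id);
    return strlen(buf);
}

int main(void) {
    size_t lens[] = { 10, 300 };
    for (size_t i = 0; i < 2; i++) {
        printf("identifier of %zu chars: sprintf would write %zu bytes, overflow=%d, "
               "snprintf truncated=%d, stored length=%zu\n",
               lens[i], would_write_for_len(lens[i]), would_overflow_for_len(lens[i]),
               safe_error_for_len(lens[i]), safe_error_strlen_for_len(lens[i]));
    }
    return 0;
}
```

The bounded version keeps the message inside the buffer whatever the identifier length, so the adjacent object fields (the jmp_buf noted above in the 3.0.6 layout) are never written; the truncation flag is what a caller can check if it wants to log that an over-long identifier was cut short.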
fagiano
#3 Posted : Wednesday, September 3, 2014 3:02:03 PM(UTC)
will do, thank you.

Alberto
Follow me on Twitter @squirrellang