https://arzedlab.github.io/tags/heap-overflow/Recent content in Heap-Overflow on Arzedlab 🪵Hugoen-us© RavshanFri, 05 Apr 2024 00:00:00 +0000https://arzedlab.github.io/posts/heap-overflow-%236019-1cc3648c0bf480caa958ecd9ef36c0f4/Fri, 05 Apr 2024 00:00:00 +0000https://arzedlab.github.io/posts/heap-overflow-%236019-1cc3648c0bf480caa958ecd9ef36c0f4/<h1 id="heap-overflow-6019">Heap Overflow #6019</h1> <h2 id="bug-heap-based-buffer-overflow-in-ai_md5_parse_string_in_quotation"><strong>Bug: Heap-based Buffer Overflow in AI_MD5_PARSE_STRING_IN_QUOTATION</strong></h2> <p>Source: <a href="https://github.com/assimp/assimp/issues/6019">https://github.com/assimp/assimp/issues/6019</a></p> <h3 id="summary">Summary</h3> <p>heap buffer overflow in <code>AI_MD5_PARSE_STRING_IN_QUOTATION</code>. An attacker could potentially exploit the vulnerability to cause a remote code execution, if they can trick the victim into running assimp on a malformed MD5 file.</p> <p>Heap Overflow was caused by function <code>memcpy</code></p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-diff" data-lang="diff"><span style="display:flex;"><span>MEMCPY(3) Linux Programmer&#39;s Manual MEMCPY(3) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>NAME </span></span><span style="display:flex;"><span> memcpy - copy memory area </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>SYNOPSIS </span></span><span style="display:flex;"><span> #include &lt;string.h&gt; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> void *memcpy(void *dest, const void *src, size_t n); </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>DESCRIPTION </span></span><span style="display:flex;"><span> The memcpy() function copies n bytes from memory area src to memory area dest. The memory areas must not overlap. Use memmove(3) if the memory areas do overlap. </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>RETURN VALUE </span></span><span style="display:flex;"><span> The memcpy() function returns a pointer to dest. </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>ATTRIBUTES </span></span><span style="display:flex;"><span> For an explanation of the terms used in this section, see attributes(7). </span></span></code></pre></div><h3 id="acid-flow">ACID FLOW</h3> <p>ASAN giving heap overflow error in fucntion AI_MD5_PARSE_STRING_IN_QUOTATION</p>