Libsass: sassc์˜ ์Šคํƒ ์˜ค๋ฒ„ํ”Œ๋กœ

Created on 7 Oct 2019  ·  4 comments  ·  Source: sass/libsass

We found a stack overflow in the sassc binary; sassc is compiled with clang with ASAN enabled.

Machine setup

Machine : Ubuntu 16.04.3 LTS
gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.11)
Commit : 4da7c4b
Command : sassc POC

์ปดํŒŒ์ผ: CC=afl-clang-fast CXX=afl-clang-fast++ AFL_USE_ASAN =1 make -C sassc -j4
POC : POC.scss.zip

ASAN output

fuzzer@fuzzer:~/victim/libsass/sassc/bin$ ./sassc -v
sassc: 3.6.1-5-g507f0
libsass: 3.6.2
sass2scss: 1.1.1
sass: 3.5
fuzzer@fuzzer:~/victim/libsass/sassc/bin$

fuzzer@fuzzer:~/victim/libsass/sassc/bin$ ./sassc in/POC.scss
ASAN:DEADLYSIGNAL
=================================================================
==23322==ERROR: AddressSanitizer: stack-overflow on address 0x7ffdfae50e58 (pc 0x00000049382c bp 0x7ffdfae516b0 sp 0x7ffdfae50e30 T0)
    #0 0x49382b in __interceptor_strcmp.part.24 (/home/fuzzer/victim/libsass/sassc/bin/sassc+0x49382b)
    #1 0x9d6aed in std::type_info::operator==(std::type_info const&) const /usr/bin/../lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/typeinfo:124:5
    #2 0x9d6aed in Sass::Variable* Sass::Cast<Sass::Variable>(Sass::AST_Node*) /home/fuzzer/victim/libsass/src/ast.hpp:114
    #3 0x9d6aed in Sass::Eval::operator()(Sass::Binary_Expression*) /home/fuzzer/victim/libsass/src/eval.cpp:570
    #4 0x9d7a5e in Sass::Eval::operator()(Sass::Binary_Expression*) /home/fuzzer/victim/libsass/src/eval.cpp:582:13
    #5 0x9d7a5e in Sass::Eval::operator()(Sass::Binary_Expression*) /home/fuzzer/victim/libsass/src/eval.cpp:582:13
    #6 0x9d7a5e in Sass::Eval::operator()(Sass::Binary_Expression*) /home/fuzzer/victim/libsass/src/eval.cpp:582:13
    #7 0x9d7a5e in Sass::Eval::operator()(Sass::Binary_Expression*) /home/fuzzer/victim/libsass/src/eval.cpp:582:13
    #8 0x9d7a5e in Sass::Eval::operator()(Sass::Binary_Expression*) /home/fuzzer/victim/libsass/src/eval.cpp:582:13

// SNIPPED //

    #252 0x9d7a5e in Sass::Eval::operator()(Sass::Binary_Expression*) /home/fuzzer/victim/libsass/src/eval.cpp:582:13
    #253 0x9d7a5e in Sass::Eval::operator()(Sass::Binary_Expression*) /home/fuzzer/victim/libsass/src/eval.cpp:582:13

SUMMARY: AddressSanitizer: stack-overflow (/home/fuzzer/victim/libsass/sassc/bin/sassc+0x49382b) in __interceptor_strcmp.part.24
==23322==ABORTING
fuzzer@fuzzer:~/victim/libsass/sassc/bin$

Labels: Fuzzy  ·  Invalid - Not Reproducible

All 4 comments

This is being tracked as CVE-2019-18797.

์ด๊ฒƒ์€ ๋‚˜์—๊ฒŒ ์ž˜ ์ž‘๋™ํ•ฉ๋‹ˆ๋‹ค. sassc์— ์–ด๋–ค ์Šคํƒ ํฌ๊ธฐ๋ฅผ ์ฃผ์—ˆ์Šต๋‹ˆ๊นŒ?

Error: Stack depth exceeded max of 1024
        on line 1:23494 of test.scss

ASAN์—์„œ ์™„์ „ํžˆ ํ…Œ์ŠคํŠธํ•˜์ง€ ์•Š์•˜๊ธฐ ๋•Œ๋ฌธ์— ์—ด์–ด ๋‘๊ฒ ์Šต๋‹ˆ๋‹ค.
๊ทธ๋Ÿฌ๋‚˜ ์Šคํƒ ํฌ๊ธฐ๊ฐ€ ๋‹จ์ˆœํžˆ ์ž‘์€ ๊ฒƒ ๊ฐ™์Šต๋‹ˆ๋‹ค.

@mgreter Has this issue ever been resolved?
You said above that you could not reproduce it, but there is still an active CVE for this issue.
Are you considering disputing it?
Thanks in advance!

@NicoleG25, we currently don't address stack overflows, since it crashes on any sane OS. If you can tell me how to avoid this with a recursive parser in every environment, I'm all ears. This is similar to feeding a too-big source file to GCC/Clang or any other compiler. LibSass is no different in that regard and depends on the stack space you give it while compiling. It could be improved on specific OSes: catching structured exceptions on Windows, or setting rlimit or SIGSEGV on Linux. But we would not fully save all systems.
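The failure mode in this thread (one recursive Sass::Eval frame per nested Binary_Expression until the thread stack runs out) and the two remedies the comments touch on, a depth limit that reports "Stack depth exceeded max of 1024" and an evaluator that does not depend on the process stack at all, can be shown on a toy evaluator. The block below is an added example written for this page, not libsass or sassc code: the 1024 limit is copied from the maintainer's output above, the SCSS shape "$x: 1 + 1 + ... + 1;" is an assumption about what a deeply nested binary expression looks like rather than the reporter's POC, and every function and type name is hypothetical.

```cpp
// Added example, not code from libsass or sassc: a toy model of a recursive
// expression evaluator in the style of Sass::Eval::operator()(Binary_Expression*).
#include <cstddef>
#include <cstdio>
#include <stdexcept>
#include <string>
#include <utility>
#include <vector>

struct Node {
    long value;   // operand value when this is a leaf
    long lhs;     // index of left child in Tree::nodes, or -1 for a leaf
    long rhs;     // index of right child, or -1 for a leaf
    bool is_leaf() const { return lhs < 0; }
};

// All nodes live in one arena so that destroying a very deep tree never
// recurses (a unique_ptr chain would recurse in its destructor, just like
// the evaluator does).
struct Tree {
    std::vector<Node> nodes;
    long root = -1;
};

// The tree a left-associative parser builds for "1 + 1 + ... + 1" with `ops`
// operators: each '+' takes the previous expression as its LEFT child, so the
// leftmost leaf sits `ops` levels below the root.
Tree make_left_deep(std::size_t ops) {
    Tree t;
    t.nodes.push_back(Node{1, -1, -1});
    long cur = 0;
    for (std::size_t i = 0; i < ops; ++i) {
        t.nodes.push_back(Node{1, -1, -1});
        long leaf = static_cast<long>(t.nodes.size()) - 1;
        t.nodes.push_back(Node{0, cur, leaf});
        cur = static_cast<long>(t.nodes.size()) - 1;
    }
    t.root = cur;
    return t;
}

// Constructed SCSS of that shape, for feeding to a sassc build to see whether
// it errors cleanly or overruns its stack. This is an assumption about what
// such an input looks like, not the reporter's POC.
std::string make_left_deep_scss(std::size_t ops) {
    std::string s = "$x: 1";
    for (std::size_t i = 0; i < ops; ++i) s += " + 1";
    return s + ";\n";
}

// Unbounded recursion, as in the crashing build: one frame per operator, so a
// large enough `ops` overruns the thread stack (ASAN reports stack-overflow).
long eval_unbounded(const Tree& t, long i) {
    const Node& n = t.nodes[i];
    if (n.is_leaf()) return n.value;
    return eval_unbounded(t, n.lhs) + eval_unbounded(t, n.rhs);
}

// Same recursion with an explicit depth counter: once `depth` exceeds
// kMaxDepth the evaluator fails with a deterministic error instead of a
// SIGSEGV. 1024 is taken from the maintainer's output in this thread.
const std::size_t kMaxDepth = 1024;

long eval_bounded(const Tree& t, long i, std::size_t depth = 0) {
    if (depth > kMaxDepth)
        throw std::runtime_error("Stack depth exceeded max of " + std::to_string(kMaxDepth));
    const Node& n = t.nodes[i];
    if (n.is_leaf()) return n.value;
    return eval_bounded(t, n.lhs, depth + 1) + eval_bounded(t, n.rhs, depth + 1);
}

// Iterative post-order evaluation with a heap-allocated work stack: nesting
// depth is limited by memory rather than by the thread's stack, so no input
// can overflow it regardless of OS or rlimit.
long eval_iterative(const Tree& t) {
    std::vector<std::pair<long, bool>> work;   // (node index, children done?)
    std::vector<long> vals;                    // operand stack
    work.push_back(std::make_pair(t.root, false));
    while (!work.empty()) {
        std::pair<long, bool> item = work.back();
        work.pop_back();
        const Node& n = t.nodes[item.first];
        if (n.is_leaf()) { vals.push_back(n.value); continue; }
        if (!item.second) {
            work.push_back(std::make_pair(item.first, true));   // revisit after children
            work.push_back(std::make_pair(n.rhs, false));
            work.push_back(std::make_pair(n.lhs, false));
        } else {
            long r = vals.back(); vals.pop_back();
            long l = vals.back(); vals.pop_back();
            vals.push_back(l + r);
        }
    }
    return vals.back();
}

// Helpers that return the outcome as a value.
std::string sum_guarded(std::size_t ops) {
    Tree t = make_left_deep(ops);
    try { return "ok:" + std::to_string(eval_bounded(t, t.root)); }
    catch (const std::runtime_error& err) { return err.what(); }
}
long sum_recursive(std::size_t ops) { Tree t = make_left_deep(ops); return eval_unbounded(t, t.root); }
long sum_iterative(std::size_t ops) { Tree t = make_left_deep(ops); return eval_iterative(t); }

int main() {
    std::printf("%s\n", sum_guarded(1024).c_str());   // ok:1025
    std::printf("%s\n", sum_guarded(1025).c_str());   // Stack depth exceeded max of 1024
    std::printf("%ld\n", sum_iterative(200000));      // 200001, no deep recursion
    return 0;
}
```

The bounded variant still spends one frame per operator, so it only turns the crash into an error when the limit is hit before the stack is exhausted; the limit has to be chosen against the smallest stack the binary may run on, and ASAN-instrumented builds use larger frames than release builds. On Linux `ulimit -s` changes the main-thread stack size of a freshly started process, which is one reason the same input can crash one build and print a clean error on another. The iterative evaluator removes that dependency entirely, at the cost of restructuring the evaluator.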

์ด ํŽ˜์ด์ง€๊ฐ€ ๋„์›€์ด ๋˜์—ˆ๋‚˜์š”?
0 / 5 - 0 ๋“ฑ๊ธ‰