Description
This vulnerability exists in the auxiliary utility ls-config of the libconfig project, specifically at line 1249 in the file contrib/ls-config/src/ls-config.c. The root cause is the use of the unsafe sscanf() function to process command-line arguments without performing bounds checking on the input length, leading to a heap-based buffer overflow.
Impacted code
Firstly, the program allocates a fixed-size buffer sinp of 256 bytes on the heap to temporarily store the configuration path string read from the command-line arguments.
libconfig/contrib/ls-config/src/ls-config.c, line 1150 in e485a72:
    sinp = malloc(sizeof(char) * 256);
Then, at line 1249, the program uses the unsafe function sscanf() with a %s format specifier to copy the argument into that buffer. When processing %s, sscanf() reads a sequence of non-whitespace characters from the input until it encounters whitespace, does not enforce a maximum read length, and appends a null terminator (\0) to the destination buffer.
libconfig/contrib/ls-config/src/ls-config.c, line 1249 in e485a72:
    test = sscanf(optarg, "%s", sinp);
The complete exploitation sequence is as follows:
- The value of the command-line argument --set is passed to sscanf() via the optarg parameter.
- sscanf(optarg, "%s", sinp) begins copying the string.
- Because %s has no width limit, sscanf() reads 500 consecutive 'A' characters.
- sscanf() writes a null terminator at byte 257 (requiring one extra byte beyond the buffer).
- Total data written: 500 'A's + 1 null byte = 501 bytes.
- Buffer size: 256 bytes.
- Overflow size: 501 − 256 = 245 bytes are written beyond the allocated buffer into adjacent heap memory.
A heap-based buffer overflow of this nature may corrupt heap metadata, overwrite other dynamically allocated data, and under certain conditions could lead to arbitrary code execution.
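The following is an added example, not code from the libconfig project, showing the width-limited form of the sscanf() call described above beside the original pattern. It assumes the same fixed 256-byte allocation for sinp; the function and helper names (read_set_arg, try_arg, try_repeated) are chosen here for illustration, and the 500-character input is constructed in the helper to match the sequence in the report.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SINP_SIZE 256   /* same fixed allocation ls-config.c makes for sinp */

/* Pattern from the report, kept only as a comment for comparison (not called):
 *   sinp = malloc(sizeof(char) * 256);
 *   test = sscanf(optarg, "%s", sinp);   // %s has no width limit
 */

/* Hardened replacement (assumed fix, not libconfig's own code).
 * Returns 1 when a token was stored, 0 when optarg holds no token,
 * -1 when the token would not fit in sinp_size bytes including the NUL. */
int read_set_arg(const char *optarg, char *sinp, size_t sinp_size)
{
    const char *ws = " \t\n\r\f\v";
    char fmt[32];

    if (optarg == NULL || sinp == NULL || sinp_size < 2)
        return -1;
    sinp[0] = '\0';

    /* %s skips leading whitespace and stops at the next whitespace, so
     * measure exactly that token before copying anything. */
    const char *tok = optarg + strspn(optarg, ws);
    size_t tok_len = strcspn(tok, ws);
    if (tok_len == 0)
        return 0;
    if (tok_len >= sinp_size)       /* would need tok_len + 1 bytes with the NUL */
        return -1;

    /* Derive the width from the allocation so the two cannot drift apart:
     * for a 256-byte buffer this builds "%255s". */
    snprintf(fmt, sizeof fmt, "%%%zus", sinp_size - 1);
    return sscanf(tok, fmt, sinp) == 1 ? 1 : 0;
}

/* Helper: run one argument through a fresh 256-byte heap buffer.
 * Returns the stored length on success, 0 for no token, -1 when rejected. */
long try_arg(const char *arg)
{
    char *sinp = malloc(sizeof(char) * SINP_SIZE);
    if (sinp == NULL)
        return -1;
    int rc = read_set_arg(arg, sinp, SINP_SIZE);
    long result = (rc == 1) ? (long)strlen(sinp) : rc;
    free(sinp);
    return result;
}

/* Helper: constructed input of n copies of c (e.g. 500 'A's as in the report). */
long try_repeated(char c, size_t n)
{
    char *arg = malloc(n + 1);
    if (arg == NULL)
        return -1;
    memset(arg, c, n);
    arg[n] = '\0';
    long result = try_arg(arg);
    free(arg);
    return result;
}

int main(void)
{
    printf("config.cfg -> %ld\n", try_arg("config.cfg"));   /* 10 */
    printf("255 x 'A'  -> %ld\n", try_repeated('A', 255));  /* 255: fits with NUL */
    printf("256 x 'A'  -> %ld\n", try_repeated('A', 256));  /* -1: rejected */
    printf("500 x 'A'  -> %ld\n", try_repeated('A', 500));  /* -1: rejected */
    return 0;
}
```

The length check alone is what stops the overflow; the width in the format string is kept as a second line of defence so that a later change to the measuring logic cannot silently reintroduce an unbounded copy. A 256-character argument is rejected because the terminator would be the 257th byte, which matches the report's observation that 256 bytes of input is enough to reach past the buffer.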
Exploit
An attacker could trigger this vulnerability in the following scenarios:
- Command-line argument injection attacks
  ./ls_config_vuln --set "$(python3 -c 'print("A" * 500)')" --file config.cfg
- Environment variable manipulation
  export MALICIOUS_INPUT="$(python3 -c 'print("A" * 500)')" && ./ls_config_vuln --set "$MALICIOUS_INPUT" --file config.cfg
- Script parameter passing
  ./config_manager.sh "$(python3 -c 'print("A" * 500)')"
Through practical testing, this vulnerability can be triggered with an input of just 256 bytes.
Impacted
This vulnerability exists in all project versions from v1.7 up to the latest v1.8.2, all of which use a fixed 256-byte heap allocation and lack necessary length checks. No code changes or mitigations have been implemented in any commit to address the risk of this heap-based buffer overflow.