BUG report #86
Description
I was recently using fuzz to conduct security testing on hashset, and found a stack overflow error in cap2hccapx.bin. The specific information is as follows:
./cap2hccapx.bin poc /dev/null=================================================================
==32351==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffffe18f at pc 0x0000004d1324 bp 0x7ffffffedab0 sp 0x7ffffffedaa8
READ of size 2 at 0x7fffffffe18f thread T0
#0 0x4d1323 in process_packet /work/autofz/github/hashcat-utils/src/cap2hccapx.c:741:50
#1 0x4d1323 in main /work/autofz/github/hashcat-utils/src/cap2hccapx.c:1118:5
#2 0x7ffff6ee583f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
#3 0x41c068 in _start (/work/autofz/github/hashcat-utils/src/cap2hccapx.bin+0x41c068)
Address 0x7fffffffe18f is located in stack of thread T0 at offset 66511 in frame
#0 0x4c874f in main /work/autofz/github/hashcat-utils/src/cap2hccapx.c:875
This frame has 10 object(s):
[32, 64) 'zero.i.i' (line 593)
[96, 195) 'auth_packet_orig.i.i' (line 612)
[240, 290) 'essid.i' (line 747)
[336, 675) 'excpkt.i' (line 855)
[752, 758) 'bssid.i' (line 675)
[784, 834) 'essid' (line 902)
[880, 904) 'pcap_file_header' (line 924)
[944, 960) 'header' (line 987)
[976, 66511) 'packet' (line 1017) <== Memory access at offset 66511 overflows this variable
[66768, 67161) 'hccapx' (line 1288)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /work/autofz/github/hashcat-utils/src/cap2hccapx.c:741:50 in process_packet
Shadow bytes around the buggy address:
0x10007fff7be0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007fff7bf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007fff7c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007fff7c10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007fff7c20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10007fff7c30: 00[07]f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
0x10007fff7c40: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
0x10007fff7c50: f2 f2 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
0x10007fff7c60: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
0x10007fff7c70: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
0x10007fff7c80: f8 f8 f8 f8 f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==32351==ABORTING
The poc that triggers the error is as follows:https://github.com/Sunzyuu/seed/blob/main/hashset_cap2hccapx_poc
I hope my report will be of some help to hashset, thank you!