
CVE-2019-17498 PoC — libssh2 input validation error vulnerability

Source
Associated Vulnerability
Title: libssh2 input validation error vulnerability (CVE-2019-17498)
Description: libssh2 is a client-side C library implementing the SSH2 protocol; it can execute remote commands and transfer files, and provides a secure transport channel for remote programs. In libssh2 1.9.0 and earlier, the SSH_MSG_DISCONNECT logic in packet.c contains an input validation error. An attacker controlling a specially crafted SSH server can exploit it to disclose sensitive information from, or cause a denial of service on, the connecting client.
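The following is an added example for this page, not libssh2's source and not the PoC kept in this repository: a model of the bug class the advisory describes for SSH_MSG_DISCONNECT, where a string length taken from the wire is run through arithmetic before it is compared against the bytes actually received. The struct and function names (wire_buf, check_length_weak, check_length_strict, parse_disconnect, accepted) and the two packets are this example's own constructions; reason code 11 and message number 1 come from RFC 4253.

```c
/* Added example for this page, not libssh2's source: a model of the bug class the advisory
 * describes for SSH_MSG_DISCONNECT. wire_buf, check_length_weak/strict, parse_disconnect
 * and the two packets below are this example's own constructions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SSH_MSG_DISCONNECT 1            /* message number from RFC 4253 */

struct wire_buf {
    const unsigned char *data;          /* start of the packet payload */
    const unsigned char *ptr;           /* current read position */
    size_t len;                         /* payload length actually received */
};

typedef int (*length_check_fn)(const struct wire_buf *, size_t);

/* Weak check: does arithmetic with the untrusted length first. When `need` exceeds
 * `len`, `len - need` wraps in size_t and the cast to int truncates it to a small
 * positive number, so an absurd length looks in bounds. (Unsigned-to-int truncation is
 * implementation-defined; on the usual two's-complement targets it is modular.) */
static int check_length_weak(const struct wire_buf *b, size_t need)
{
    return (int)(b->ptr - b->data) <= (int)(b->len - need);
}

/* Strict check: compute what is actually left, then compare. Never subtract `need`. */
static int check_length_strict(const struct wire_buf *b, size_t need)
{
    size_t consumed = (size_t)(b->ptr - b->data);
    return consumed <= b->len && need <= b->len - consumed;
}

/* Big-endian uint32, always bounds-checked strictly: the interesting decision is the
 * string-length check, not the fixed-width read. */
static int get_u32(struct wire_buf *b, uint32_t *out)
{
    if (!check_length_strict(b, 4)) return -1;
    *out = ((uint32_t)b->ptr[0] << 24) | ((uint32_t)b->ptr[1] << 16) |
           ((uint32_t)b->ptr[2] << 8) | (uint32_t)b->ptr[3];
    b->ptr += 4;
    return 0;
}

/* SSH "string": uint32 length followed by that many bytes. The caller's `check` decides
 * whether the declared length is believed. On success the string is described but not
 * consumed, so the returned length is exactly what a later copy would trust. */
static int get_string(struct wire_buf *b, length_check_fn check,
                      const unsigned char **out, size_t *outlen)
{
    uint32_t n;
    if (get_u32(b, &n) != 0) return -1;
    if (!check(b, n)) return -1;
    *out = b->ptr;
    *outlen = n;
    return 0;
}

struct disconnect_msg {
    uint32_t reason;
    const unsigned char *description;
    size_t description_len;
};

/* Parse the head of an SSH_MSG_DISCONNECT payload: byte type, uint32 reason code,
 * string description (the trailing language tag is not needed to show the bug).
 * Returns 0 if the parser built with `check` accepts the packet, -1 if it rejects it. */
int parse_disconnect(const unsigned char *payload, size_t payload_len,
                     length_check_fn check, struct disconnect_msg *out)
{
    struct wire_buf b = { payload, payload, payload_len };
    if (payload_len < 5 || payload[0] != SSH_MSG_DISCONNECT) return -1;
    b.ptr++;                                    /* past the message type byte */
    if (get_u32(&b, &out->reason) != 0) return -1;
    return get_string(&b, check, &out->description, &out->description_len);
}

/* Constructed packet from a hostile server: reason 11 (SSH_DISCONNECT_BY_APPLICATION)
 * and a description whose declared length, 0xFFFFFFFF, dwarfs the 4 bytes sent. */
static const unsigned char CRAFTED[] = { SSH_MSG_DISCONNECT, 0, 0, 0, 11,
                                         0xFF, 0xFF, 0xFF, 0xFF, 'b', 'y', 'e', '!' };
/* Constructed well-formed packet: the same, with the length honestly set to 4. */
static const unsigned char BENIGN[]  = { SSH_MSG_DISCONNECT, 0, 0, 0, 11,
                                         0, 0, 0, 4, 'b', 'y', 'e', '!' };

/* 1 if `check` lets the packet through, 0 if it is rejected. */
int accepted(const unsigned char *pkt, size_t len, length_check_fn check)
{
    struct disconnect_msg m;
    return parse_disconnect(pkt, len, check, &m) == 0;
}

int main(void)
{
    struct disconnect_msg m;
    if (parse_disconnect(CRAFTED, sizeof CRAFTED, check_length_weak, &m) == 0)
        printf("weak check:   accepted a %zu-byte description inside a %zu-byte packet\n",
               m.description_len, sizeof CRAFTED);
    printf("strict check: crafted %s, benign %s\n",
           accepted(CRAFTED, sizeof CRAFTED, check_length_strict) ? "accepted" : "rejected",
           accepted(BENIGN, sizeof BENIGN, check_length_strict) ? "accepted" : "rejected");
    return 0;
}
```

With the weak check the parser reports a 4 GB description living inside a 13-byte packet; anything that later copies, logs or displays that description reads far past the buffer, which is the information disclosure or crash the advisory describes. The strict form computes the remaining bytes first and compares the untrusted value against that, so there is no expression in which the attacker's length can wrap. Build with `cc -std=c11 -Wall disconnect.c`; a `-Wconversion` warning on the cast in check_length_weak is the compiler spotting the same problem.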
Description
Secure coding project: research CVE-2019-17498 and implement a player score function in C.
Readme
# 3007Project
A setuid program used to update a player's score. It reads the score file, searches for the given player ID and updates that player's score; if the ID is not found, a new ID and score are appended to the file. The program should not crash unexpectedly and should exit gracefully with all errors handled. It is checked for overflows, memory leaks, race conditions and privilege escalation.

## TODO
- [x] Handle error messages.
- [x] Handle setuid privileges.
- [x] Unit testing.
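An added example of the hardening the README asks for, written for this page rather than taken from the repository's adjust_score.c: a bounded record parser, strtol with its error cases checked, a locked read-modify-write finished by an atomic rename, a stale-inode recheck for the race between concurrent updaters, and a verified permanent privilege drop. SCORE_FILE, MAX_ID_LEN, MAX_LINE_LEN, the "<id> <score>" record format and every function name are this example's own assumptions; it targets Linux/glibc.

```c
/* Added example for this page, not the repository's adjust_score.c: a hardened core for
 * a setuid score updater. SCORE_FILE, the limits and all names are assumptions. */
#define _XOPEN_SOURCE 700
#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/file.h>
#include <sys/stat.h>
#include <unistd.h>

#define SCORE_FILE   "/var/lib/game/scores.txt"  /* fixed path, never taken from argv */
#define MAX_ID_LEN   32                           /* IDs: 1..32 chars of [A-Za-z0-9_] */
#define MAX_LINE_LEN 128                          /* longer lines are rejected, not split */

/* IDs are short and made of safe characters, so one cannot smuggle a space or a
 * newline into the "<id> <score>\n" record format. */
int valid_id(const char *id)
{
    size_t n = strlen(id);
    if (n == 0 || n > MAX_ID_LEN) return 0;
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)id[i]) && id[i] != '_') return 0;
    return 1;
}

/* strtol with every failure mode checked: no digits, trailing junk, out of range. */
int parse_score(const char *s, long *out)
{
    char *end;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (end == s || *end != '\0' || errno == ERANGE) return -1;
    *out = v;
    return 0;
}

/* Open and exclusively lock the live file. Updates replace it via rename(), so a waiter can
 * wake up holding a lock on a stale inode; comparing fstat(fd) with stat(path) catches that
 * and retries. O_NOFOLLOW refuses a symlink planted at the path by another user. */
static int open_locked(const char *path)
{
    for (int attempt = 0; attempt < 5; attempt++) {
        int fd = open(path, O_RDWR | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0600);
        struct stat fs, ps;
        if (fd < 0) return -1;
        if (flock(fd, LOCK_EX) == 0 && fstat(fd, &fs) == 0 && stat(path, &ps) == 0 &&
            fs.st_ino == ps.st_ino && fs.st_dev == ps.st_dev)
            return fd;
        close(fd);
    }
    return -1;
}

/* Set `id` to `score` in `path`, appending it if absent. Reads under the lock, writes a
 * temp file beside it, fsyncs, then renames into place: a crash never leaves a half file. */
int update_score(const char *path, const char *id, long score)
{
    if (!valid_id(id)) return -1;
    int fd = open_locked(path);
    if (fd < 0) return -1;
    FILE *in = fdopen(fd, "r");
    if (!in) { close(fd); return -1; }
    char tmp[PATH_MAX];
    int tfd = snprintf(tmp, sizeof tmp, "%s.XXXXXX", path) < (int)sizeof tmp ? mkstemp(tmp) : -1;
    FILE *out = tfd >= 0 ? fdopen(tfd, "w") : NULL;
    if (!out) { if (tfd >= 0) { close(tfd); unlink(tmp); } fclose(in); return -1; }
    char line[MAX_LINE_LEN + 2];                 /* +2: room to see the '\n' proving it fit */
    int found = 0, rc = 0;
    while (rc == 0 && fgets(line, sizeof line, in)) {
        size_t n = strlen(line);
        if (n > 0 && line[n - 1] == '\n') line[--n] = '\0';
        else if (!feof(in)) { rc = -1; break; }  /* overlong line: refuse rather than split */
        char *sp = strchr(line, ' ');
        long old;
        if (!sp) { rc = -1; break; }
        *sp = '\0';
        if (!valid_id(line) || parse_score(sp + 1, &old) != 0) { rc = -1; break; }
        if (strcmp(line, id) == 0) { old = score; found = 1; }
        if (fprintf(out, "%s %ld\n", line, old) < 0) rc = -1;
    }
    if (rc == 0 && !found && fprintf(out, "%s %ld\n", id, score) < 0) rc = -1;
    if (rc == 0 && (fflush(out) != 0 || fsync(tfd) != 0 || rename(tmp, path) != 0)) rc = -1;
    if (rc != 0) unlink(tmp);
    fclose(out);
    fclose(in);                                  /* releases the lock on the old inode */
    return rc;
}

/* Give up the setuid privilege for good. Because the real ID is set too, setreuid() also
 * overwrites the saved set-user-ID, so nothing later in the process can re-raise. */
int drop_privileges(void)
{
    uid_t u = getuid();
    gid_t g = getgid();
    if (setregid(g, g) != 0 || setreuid(u, u) != 0) return -1;
    return (geteuid() == u && getegid() == g) ? 0 : -1;   /* verify, never assume */
}
```

In the setuid wrapper the order matters: validate argv with valid_id and parse_score, call update_score(SCORE_FILE, id, score) as the only privileged step with the path hard-coded rather than taken from the caller, then drop_privileges() before printing anything or touching anything else the caller controls. The fstat/stat comparison in open_locked closes the race that flock alone leaves open: a second updater that was blocked on the lock wakes up holding the old inode after the first has renamed a new file into place, and would otherwise rewrite the file from stale contents.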
File Snapshot

[4.0K] /data/pocs/963af8725784254d7e40e82ca4b3d4c7ac4f2bb8
├── [ 11K] adjust_score.c
├── [ 52K] adjust_score.o
├── [4.0K] findings
│   └── [4.0K] default
│       ├── [  15] cmdline
│       ├── [ 64K] fuzz_bitmap
│       ├── [ 136] fuzzer_setup
│       ├── [1.1K] fuzzer_stats
│       ├── [222K] plot_data
│       └── [4.0K] queue
│           ├── [   4] id:000000,time:0,execs:0,orig:file0
│           ├── [  12] id:000001,src:000000,time:843,execs:193,op:havoc,rep:16,+cov
│           ├── [  12] id:000002,src:000001,time:5738,execs:1197,op:havoc,rep:16,+cov
│           ├── [  12] id:000003,src:000002,time:31954,execs:6508,op:havoc,rep:2,+cov
│           ├── [  16] id:000004,src:000003,time:1000847,execs:193627,op:havoc,rep:64,+cov
│           ├── [  36] id:000005,src:000004,time:1225086,execs:238887,op:havoc,rep:4,+cov
│           ├── [  36] id:000006,src:000005,time:1292897,execs:252651,op:havoc,rep:2,+cov
│           └── [  24] id:000007,src:000005,time:1293046,execs:252680,op:havoc,rep:8,+cov
├── [4.0K] findings2
│   └── [4.0K] default
│       ├── [  15] cmdline
│       ├── [ 64K] fuzz_bitmap
│       ├── [ 137] fuzzer_setup
│       ├── [1.1K] fuzzer_stats
│       ├── [104K] plot_data
│       └── [4.0K] queue
│           ├── [   4] id:000000,time:0,execs:0,orig:file0
│           ├── [  12] id:000001,src:000000,time:563,execs:127,op:havoc,rep:4,+cov
│           ├── [  12] id:000002,src:000001,time:5810,execs:1224,op:havoc,rep:4,+cov
│           └── [  36] id:000003,src:000001,time:5341282,execs:731322,op:havoc,rep:64,+cov
├── [4.0K] findings3
│   └── [4.0K] default
│       ├── [  15] cmdline
│       ├── [ 64K] fuzz_bitmap
│       ├── [ 137] fuzzer_setup
│       ├── [1.1K] fuzzer_stats
│       ├── [ 16K] plot_data
│       └── [4.0K] queue
│           ├── [   8] id:000000,time:0,execs:0,orig:file0
│           ├── [   8] id:000001,src:000000,time:190,execs:26,op:havoc,rep:4,+cov
│           ├── [   4] id:000002,src:000000,time:328,execs:40,op:havoc,rep:4,+cov
│           ├── [   3] id:000003,src:000000,time:403,execs:48,op:havoc,rep:8
│           ├── [   4] id:000004,src:000000,time:535,execs:63,op:havoc,rep:8
│           ├── [   1] id:000005,src:000000,time:657,execs:76,op:havoc,rep:16
│           ├── [   2] id:000006,src:000000,time:798,execs:89,op:havoc,rep:16
│           ├── [   4] id:000007,src:000000,time:952,execs:102,op:havoc,rep:16,+cov
│           ├── [   1] id:000008,src:000000,time:1018,execs:110,op:havoc,rep:16
│           ├── [  11] id:000009,src:000000,time:1112,execs:119,op:havoc,rep:8,+cov
│           ├── [  13] id:000010,src:000000,time:1315,execs:143,op:havoc,rep:8
│           ├── [   1] id:000011,src:000000,time:1619,execs:171,op:havoc,rep:16
│           ├── [   1] id:000012,src:000000,time:4316,execs:481,op:havoc,rep:16
│           ├── [   2] id:000013,src:000000,time:4793,execs:535,op:havoc,rep:8
│           ├── [   8] id:000014,src:000000,time:4919,execs:550,op:havoc,rep:2
│           ├── [   8] id:000015,src:000000,time:5052,execs:563,op:havoc,rep:4
│           └── [   4] id:000016,src:000000,time:5274,execs:588,op:havoc,rep:16
├── [4.0K] findings4
│   └── [4.0K] default
│       ├── [  15] cmdline
│       ├── [ 64K] fuzz_bitmap
│       ├── [ 137] fuzzer_setup
│       ├── [1.1K] fuzzer_stats
│       ├── [ 225] plot_data
│       └── [4.0K] queue
│           ├── [   8] id:000000,time:0,execs:0,orig:file0
│           ├── [   8] id:000001,src:000000,time:206,execs:26,op:havoc,rep:8,+cov
│           ├── [   7] id:000002,src:000000,time:410,execs:41,op:havoc,rep:16
│           ├── [  13] id:000003,src:000000,time:497,execs:50,op:havoc,rep:8,+cov
│           ├── [   8] id:000004,src:000000,time:582,execs:61,op:havoc,rep:2,+cov
│           ├── [   4] id:000005,src:000000,time:692,execs:72,op:havoc,rep:4
│           ├── [   1] id:000006,src:000000,time:770,execs:80,op:havoc,rep:16
│           ├── [   2] id:000007,src:000000,time:843,execs:88,op:havoc,rep:2
│           ├── [  12] id:000008,src:000000,time:1010,execs:104,op:havoc,rep:16
│           ├── [   4] id:000009,src:000000,time:1217,execs:119,op:havoc,rep:8
│           ├── [   9] id:000010,src:000000,time:1838,execs:174,op:havoc,rep:8
│           ├── [   1] id:000011,src:000000,time:2028,execs:188,op:havoc,rep:16
│           ├── [   2] id:000012,src:000000,time:2165,execs:202,op:havoc,rep:8,+cov
│           ├── [  17] id:000013,src:000000,time:2282,execs:216,op:havoc,rep:16
│           ├── [   8] id:000014,src:000000,time:2466,execs:229,op:havoc,rep:4
│           └── [   3] id:000015,src:000000,time:2645,execs:242,op:havoc,rep:8
├── [ 449] README.md
└── [4.0K] testcase(good)
    ├── [ 483] file0
    ├── [ 252] file1
    ├── [ 294] file2
    ├── [  63] file3
    ├── [  21] file4
    ├── [  84] file5
    ├── [  63] file6
    ├── [ 525] file7
    ├── [ 483] file8
    └── [  21] file9

13 directories, 78 files
Shenlong Bot has cached this for you
Remarks
    1. Please consult the original source first.
    2. If the original source is unavailable, email f.jinxu#gmail.com (replace # with @) for a local snapshot.
    3. Shenlong has snapshotted the PoC code for you. To support long-term maintenance, please consider donating. Thank you for your support.