Re: [sword-devel] Major Sword bug found -- buffer overflow

DM Smith Thu, 02 Mar 2006 10:46:59 -0800

Off the top of my head:

My basic thought is that perhaps it is possible to use something knownabout the module to determine whether the unlock was good.

Perhaps on entry of an unlock key, text could be grabbed from the moduleand deciphered and then compared to something expected.

Today a module is one of a few different markups (GBF, ThML, OSIS,PlainText) and encodings (cp1252 and UTF-8).

With regard to the encodings each has some bit patterns that are notallowed. It may be possible to detect them for locked modules. E.g.after decompression, read several hundred bytes from the beginning ofthe file and look for bad characters or character sequences. E.g. Latin1 should have some sequences of words containing mostly unaccentedcharacters and spaces every few characters.

With regard to markup, one would expect certain sequences to be presentfor GBF, ThML and OSIS. And for xml certain characters (e.g. controlcharacters) are not allowed. I don't imagine that non-whitespace controlcharacters are of any use for GBF or PlainText as well.

Another thought, what if the "encryption" would place the key at the endof the "block", which I think is outside of where the current processeswould look for it. If decryption of the block yielded the key, then thekey was correct.

I don't think there is anything that can prevent a brute force attack.The strength of encryption (i.e. key length and algorithm) is what makesit hard to break. Having a system respond as to whether the key is goodor not does not make it any easier to break. (With the code today, itwould not be to hard to write a routine that would provide feedback.)

I think there is a greater risk to sharing of keys or outright stealingonce a key is legitimately obtained.


Troy A. Griffitts wrote:

Hey guys,
Sadly, we've known about this since we implemented cipher support.There may be a bug in sapphire, as DM points out, but here's the realproblem:
To implement cipher support more securely, we have no way to knowif the user has entered a correct key.
Consider why. If there was a confirmation of the correct key,then anyone could brute force all the unlock keys fairly easily. Asit stands now, if they have the correct key, they see correct text,otherwise, they see jibberish.
The major problem is that most of our filters don't do a good jobwith invalid markup (consider jibberish can have <>[] and other metacharacters).
So, now how do we protect against the situation which Martinpoints out:
    A user has a locked module installed and has entered an invalid key.
Granted, a good first step is to make our filters' error handlingmore robust-- which could never be a bad thing, done withoutoptization hits.
    Other suggestions are most welcomed.

        -Troy.



Martin Gruner wrote:
Hi,

sorry for my misunderstanding of how Sword internals work.
However, the problem is there, it may be something in thedecompression algorithm. I'm attaching a valgrind trace of the crashin BibleTime when I try to open the GerHfaLex2002 without a valid key.
mg

--

no room in outbuffer to during decompression. see zipcomp.cpp
==6598==
==6598== Conditional jump or move depends on uninitialised value(s)
==6598== at 0x599FD16: sword::EntriesBlock::getMetaEntry(int,unsigned long*, unsigned long*) (in /usr/lib/libsword.so.5.0.0)==6598== by 0x599FFC7: sword::EntriesBlock::getEntrySize(int) (in/usr/lib/libsword.so.5.0.0)==6598== by 0x599EBDA: sword::zStr::getCompressedText(long, long,char**) (in /usr/lib/libsword.so.5.0.0)==6598== by 0x599FB28: sword::zStr::getText(long, char**, char**)(in /usr/lib/libsword.so.5.0.0)==6598== by 0x59F0644: sword::zLD::getEntry(long) (in/usr/lib/libsword.so.5.0.0)==6598== by 0x59F08DF: sword::zLD::getRawEntryBuf() (in/usr/lib/libsword.so.5.0.0)==6598== by 0x59EEC61:sword::SWLD::setPosition(sword::SW_POSITION) (in/usr/lib/libsword.so.5.0.0)==6598== by 0x812B19E: CSwordLexiconModuleInfo::entries() (in/home/dev/bibletime/bibletime/bibletime)==6598== by 0x80ACF99: CLexiconKeyChooser::refreshContent() (in/home/dev/bibletime/bibletime/bibletime)==6598== by 0x80AD702:CLexiconKeyChooser::CLexiconKeyChooser(QValueList<CSwordModuleInfo*>,CSwordKey*, QWidget*, char const*) (in/home/dev/bibletime/bibletime/bibletime)==6598== by 0x80A45FE:CKeyChooser::createInstance(QValueList<CSwordModuleInfo*>,CSwordKey*, QWidget*) (in /home/dev/bibletime/bibletime/bibletime)==6598== by 0x808785B: CLexiconReadWindow::initView() (in/home/dev/bibletime/bibletime/bibletime)
==6598==
==6598== Conditional jump or move depends on uninitialised value(s)
==6598== at 0x599FD16: sword::EntriesBlock::getMetaEntry(int,unsigned long*, unsigned long*) (in /usr/lib/libsword.so.5.0.0)==6598== by 0x599FF78: sword::EntriesBlock::getEntry(int) (in/usr/lib/libsword.so.5.0.0)==6598== by 0x599EC0F: sword::zStr::getCompressedText(long, long,char**) (in /usr/lib/libsword.so.5.0.0)==6598== by 0x599FB28: sword::zStr::getText(long, char**, char**)(in /usr/lib/libsword.so.5.0.0)==6598== by 0x59F0644: sword::zLD::getEntry(long) (in/usr/lib/libsword.so.5.0.0)==6598== by 0x59F08DF: sword::zLD::getRawEntryBuf() (in/usr/lib/libsword.so.5.0.0)==6598== by 0x59EEC61:sword::SWLD::setPosition(sword::SW_POSITION) (in/usr/lib/libsword.so.5.0.0)==6598== by 0x812B19E: CSwordLexiconModuleInfo::entries() (in/home/dev/bibletime/bibletime/bibletime)==6598== by 0x80ACF99: CLexiconKeyChooser::refreshContent() (in/home/dev/bibletime/bibletime/bibletime)==6598== by 0x80AD702:CLexiconKeyChooser::CLexiconKeyChooser(QValueList<CSwordModuleInfo*>,CSwordKey*, QWidget*, char const*) (in/home/dev/bibletime/bibletime/bibletime)==6598== by 0x80A45FE:CKeyChooser::createInstance(QValueList<CSwordModuleInfo*>,CSwordKey*, QWidget*) (in /home/dev/bibletime/bibletime/bibletime)==6598== by 0x808785B: CLexiconReadWindow::initView() (in/home/dev/bibletime/bibletime/bibletime)
no room in outbuffer to during decompression. see zipcomp.cpp
==6598==
==6598== Conditional jump or move depends on uninitialised value(s)
==6598== at 0x599FFD0: sword::EntriesBlock::getEntrySize(int) (in/usr/lib/libsword.so.5.0.0)==6598== by 0x599EBDA: sword::zStr::getCompressedText(long, long,char**) (in /usr/lib/libsword.so.5.0.0)==6598== by 0x599FB28: sword::zStr::getText(long, char**, char**)(in /usr/lib/libsword.so.5.0.0)==6598== by 0x59F0644: sword::zLD::getEntry(long) (in/usr/lib/libsword.so.5.0.0)==6598== by 0x59F0824: sword::zLD::increment(int) (in/usr/lib/libsword.so.5.0.0)==6598== by 0x812B263: CSwordLexiconModuleInfo::entries() (in/home/dev/bibletime/bibletime/bibletime)==6598== by 0x80ACF99: CLexiconKeyChooser::refreshContent() (in/home/dev/bibletime/bibletime/bibletime)==6598== by 0x80AD702:CLexiconKeyChooser::CLexiconKeyChooser(QValueList<CSwordModuleInfo*>,CSwordKey*, QWidget*, char const*) (in/home/dev/bibletime/bibletime/bibletime)==6598== by 0x80A45FE:CKeyChooser::createInstance(QValueList<CSwordModuleInfo*>,CSwordKey*, QWidget*) (in /home/dev/bibletime/bibletime/bibletime)==6598== by 0x808785B: CLexiconReadWindow::initView() (in/home/dev/bibletime/bibletime/bibletime)==6598== by 0x80868AE: CDisplayWindow::init() (in/home/dev/bibletime/bibletime/bibletime)==6598== by 0x807E11E:BibleTime::createReadDisplayWindow(QValueList<CSwordModuleInfo*>,QString const&) (in /home/dev/bibletime/bibletime/bibletime)
==6598==
==6598== Conditional jump or move depends on uninitialised value(s)
==6598== at 0x599FF81: sword::EntriesBlock::getEntry(int) (in/usr/lib/libsword.so.5.0.0)==6598== by 0x599EC0F: sword::zStr::getCompressedText(long, long,char**) (in /usr/lib/libsword.so.5.0.0)==6598== by 0x599FB28: sword::zStr::getText(long, char**, char**)(in /usr/lib/libsword.so.5.0.0)==6598== by 0x59F0644: sword::zLD::getEntry(long) (in/usr/lib/libsword.so.5.0.0)==6598== by 0x59F0824: sword::zLD::increment(int) (in/usr/lib/libsword.so.5.0.0)==6598== by 0x812B263: CSwordLexiconModuleInfo::entries() (in/home/dev/bibletime/bibletime/bibletime)==6598== by 0x80ACF99: CLexiconKeyChooser::refreshContent() (in/home/dev/bibletime/bibletime/bibletime)==6598== by 0x80AD702:CLexiconKeyChooser::CLexiconKeyChooser(QValueList<CSwordModuleInfo*>,CSwordKey*, QWidget*, char const*) (in/home/dev/bibletime/bibletime/bibletime)==6598== by 0x80A45FE:CKeyChooser::createInstance(QValueList<CSwordModuleInfo*>,CSwordKey*, QWidget*) (in /home/dev/bibletime/bibletime/bibletime)==6598== by 0x808785B: CLexiconReadWindow::initView() (in/home/dev/bibletime/bibletime/bibletime)==6598== by 0x80868AE: CDisplayWindow::init() (in/home/dev/bibletime/bibletime/bibletime)==6598== by 0x807E11E:BibleTime::createReadDisplayWindow(QValueList<CSwordModuleInfo*>,QString const&) (in /home/dev/bibletime/bibletime/bibletime)
==6598==
==6598== Conditional jump or move depends on uninitialised value(s)
==6598==    at 0x401D917: realloc (vg_replace_malloc.c:306)
==6598== by 0x599EBF7: sword::zStr::getCompressedText(long, long,char**) (in /usr/lib/libsword.so.5.0.0)==6598== by 0x599FB28: sword::zStr::getText(long, char**, char**)(in /usr/lib/libsword.so.5.0.0)==6598== by 0x59F0644: sword::zLD::getEntry(long) (in/usr/lib/libsword.so.5.0.0)==6598== by 0x59F0824: sword::zLD::increment(int) (in/usr/lib/libsword.so.5.0.0)==6598== by 0x812B263: CSwordLexiconModuleInfo::entries() (in/home/dev/bibletime/bibletime/bibletime)==6598== by 0x80ACF99: CLexiconKeyChooser::refreshContent() (in/home/dev/bibletime/bibletime/bibletime)==6598== by 0x80AD702:CLexiconKeyChooser::CLexiconKeyChooser(QValueList<CSwordModuleInfo*>,CSwordKey*, QWidget*, char const*) (in/home/dev/bibletime/bibletime/bibletime)==6598== by 0x80A45FE:CKeyChooser::createInstance(QValueList<CSwordModuleInfo*>,CSwordKey*, QWidget*) (in /home/dev/bibletime/bibletime/bibletime)==6598== by 0x808785B: CLexiconReadWindow::initView() (in/home/dev/bibletime/bibletime/bibletime)==6598== by 0x80868AE: CDisplayWindow::init() (in/home/dev/bibletime/bibletime/bibletime)==6598== by 0x807E11E:BibleTime::createReadDisplayWindow(QValueList<CSwordModuleInfo*>,QString const&) (in /home/dev/bibletime/bibletime/bibletime)
==6598==
==6598== Use of uninitialised value of size 4
==6598==    at 0x401E7AA: strcpy (mac_replace_strmem.c:269)
==6598== by 0x599EC1D: sword::zStr::getCompressedText(long, long,char**) (in /usr/lib/libsword.so.5.0.0)==6598== by 0x599FB28: sword::zStr::getText(long, char**, char**)(in /usr/lib/libsword.so.5.0.0)==6598== by 0x59F0644: sword::zLD::getEntry(long) (in/usr/lib/libsword.so.5.0.0)==6598== by 0x59F0824: sword::zLD::increment(int) (in/usr/lib/libsword.so.5.0.0)==6598== by 0x812B263: CSwordLexiconModuleInfo::entries() (in/home/dev/bibletime/bibletime/bibletime)==6598== by 0x80ACF99: CLexiconKeyChooser::refreshContent() (in/home/dev/bibletime/bibletime/bibletime)==6598== by 0x80AD702:CLexiconKeyChooser::CLexiconKeyChooser(QValueList<CSwordModuleInfo*>,CSwordKey*, QWidget*, char const*) (in/home/dev/bibletime/bibletime/bibletime)==6598== by 0x80A45FE:CKeyChooser::createInstance(QValueList<CSwordModuleInfo*>,CSwordKey*, QWidget*) (in /home/dev/bibletime/bibletime/bibletime)==6598== by 0x808785B: CLexiconReadWindow::initView() (in/home/dev/bibletime/bibletime/bibletime)==6598== by 0x80868AE: CDisplayWindow::init() (in/home/dev/bibletime/bibletime/bibletime)==6598== by 0x807E11E:BibleTime::createReadDisplayWindow(QValueList<CSwordModuleInfo*>,QString const&) (in /home/dev/bibletime/bibletime/bibletime)
==6598==
==6598== Conditional jump or move depends on uninitialised value(s)
==6598==    at 0x401E7B3: strcpy (mac_replace_strmem.c:269)
==6598== by 0x599EC1D: sword::zStr::getCompressedText(long, long,char**) (in /usr/lib/libsword.so.5.0.0)==6598== by 0x599FB28: sword::zStr::getText(long, char**, char**)(in /usr/lib/libsword.so.5.0.0)==6598== by 0x59F0644: sword::zLD::getEntry(long) (in/usr/lib/libsword.so.5.0.0)==6598== by 0x59F0824: sword::zLD::increment(int) (in/usr/lib/libsword.so.5.0.0)==6598== by 0x812B263: CSwordLexiconModuleInfo::entries() (in/home/dev/bibletime/bibletime/bibletime)==6598== by 0x80ACF99: CLexiconKeyChooser::refreshContent() (in/home/dev/bibletime/bibletime/bibletime)==6598== by 0x80AD702:CLexiconKeyChooser::CLexiconKeyChooser(QValueList<CSwordModuleInfo*>,CSwordKey*, QWidget*, char const*) (in/home/dev/bibletime/bibletime/bibletime)==6598== by 0x80A45FE:CKeyChooser::createInstance(QValueList<CSwordModuleInfo*>,CSwordKey*, QWidget*) (in /home/dev/bibletime/bibletime/bibletime)==6598== by 0x808785B: CLexiconReadWindow::initView() (in/home/dev/bibletime/bibletime/bibletime)==6598== by 0x80868AE: CDisplayWindow::init() (in/home/dev/bibletime/bibletime/bibletime)==6598== by 0x807E11E:BibleTime::createReadDisplayWindow(QValueList<CSwordModuleInfo*>,QString const&) (in /home/dev/bibletime/bibletime/bibletime)
==6598==
==6598== Conditional jump or move depends on uninitialised value(s)
==6598==    at 0x401E7DC: strcpy (mac_replace_strmem.c:69)
==6598== by 0x599EC1D: sword::zStr::getCompressedText(long, long,char**) (in /usr/lib/libsword.so.5.0.0)==6598== by 0x599FB28: sword::zStr::getText(long, char**, char**)(in /usr/lib/libsword.so.5.0.0)==6598== by 0x59F0644: sword::zLD::getEntry(long) (in/usr/lib/libsword.so.5.0.0)==6598== by 0x59F0824: sword::zLD::increment(int) (in/usr/lib/libsword.so.5.0.0)==6598== by 0x812B263: CSwordLexiconModuleInfo::entries() (in/home/dev/bibletime/bibletime/bibletime)==6598== by 0x80ACF99: CLexiconKeyChooser::refreshContent() (in/home/dev/bibletime/bibletime/bibletime)==6598== by 0x80AD702:CLexiconKeyChooser::CLexiconKeyChooser(QValueList<CSwordModuleInfo*>,CSwordKey*, QWidget*, char const*) (in/home/dev/bibletime/bibletime/bibletime)==6598== by 0x80A45FE:CKeyChooser::createInstance(QValueList<CSwordModuleInfo*>,CSwordKey*, QWidget*) (in /home/dev/bibletime/bibletime/bibletime)==6598== by 0x808785B: CLexiconReadWindow::initView() (in/home/dev/bibletime/bibletime/bibletime)==6598== by 0x80868AE: CDisplayWindow::init() (in/home/dev/bibletime/bibletime/bibletime)==6598== by 0x807E11E:BibleTime::createReadDisplayWindow(QValueList<CSwordModuleInfo*>,QString const&) (in /home/dev/bibletime/bibletime/bibletime)==6598== Warning: set address range perms: large range 243302452, a0, v 1==6598== Warning: set address range perms: large range 243302481, a1, v 1
==6598== Warning: silly arg (-2147483639) to realloc()
==6598==
==6598== Invalid write of size 1
==6598==    at 0x401E7C0: strcpy (mac_replace_strmem.c:269)
==6598== by 0x599EC1D: sword::zStr::getCompressedText(long, long,char**) (in /usr/lib/libsword.so.5.0.0)==6598== by 0x599FB28: sword::zStr::getText(long, char**, char**)(in /usr/lib/libsword.so.5.0.0)==6598== by 0x59F0644: sword::zLD::getEntry(long) (in/usr/lib/libsword.so.5.0.0)==6598== by 0x59F0824: sword::zLD::increment(int) (in/usr/lib/libsword.so.5.0.0)==6598== by 0x812B263: CSwordLexiconModuleInfo::entries() (in/home/dev/bibletime/bibletime/bibletime)==6598== by 0x80ACF99: CLexiconKeyChooser::refreshContent() (in/home/dev/bibletime/bibletime/bibletime)==6598== by 0x80AD702:CLexiconKeyChooser::CLexiconKeyChooser(QValueList<CSwordModuleInfo*>,CSwordKey*, QWidget*, char const*) (in/home/dev/bibletime/bibletime/bibletime)==6598== by 0x80A45FE:CKeyChooser::createInstance(QValueList<CSwordModuleInfo*>,CSwordKey*, QWidget*) (in /home/dev/bibletime/bibletime/bibletime)==6598== by 0x808785B: CLexiconReadWindow::initView() (in/home/dev/bibletime/bibletime/bibletime)==6598== by 0x80868AE: CDisplayWindow::init() (in/home/dev/bibletime/bibletime/bibletime)==6598== by 0x807E11E:BibleTime::createReadDisplayWindow(QValueList<CSwordModuleInfo*>,QString const&) (in /home/dev/bibletime/bibletime/bibletime)
==6598==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
*** BibleTime got signal 11 (Crashing). Trying to save settings.
_______________________________________________
sword-devel mailing list: sword-devel@crosswire.org
http://www.crosswire.org/mailman/listinfo/sword-devel
Instructions to unsubscribe/change your settings at above page
_______________________________________________
sword-devel mailing list: sword-devel@crosswire.org
http://www.crosswire.org/mailman/listinfo/sword-devel
Instructions to unsubscribe/change your settings at above page

_______________________________________________
sword-devel mailing list: sword-devel@crosswire.org
http://www.crosswire.org/mailman/listinfo/sword-devel
Instructions to unsubscribe/change your settings at above page

Re: [sword-devel] Major Sword bug found -- buffer overflow

Reply via email to