Security Flaw CVE-2017-8368

mijohnst 2017-08-08 15:35:50 UTC #1

Is there a timeline to get this resolved? Working in a closed environment, I cannot use the newest version until this is closed. Anyone else in the same situation?

https://nvd.nist.gov/vuln/detail/CVE-2017-8368

wbond 2017-08-08 15:51:35 UTC #2

I would appreciate some sort of reproduction or confirmation of this attack. The author contacted me and called a DoS, but this is claiming code execution and buffer overflow.

I spent a while trying to reproduce anything, and was unable to. The author went on to suggest I download (other) large files off of the internet and try the same process (select all, delete, undo) to achieve a hang. Unfortunately I was unable to reproduce anything, hence why I am asking for some sort of assistance in confirming this report.

wbond 2017-08-08 15:52:09 UTC #3

Jackeroo 2017-08-08 16:25:45 UTC #4

How could ST be affected by this? A mkv file is an audiovisual file, only opened by audiovisual tools, such as VLC. Could someone please explain?

deathaxe 2017-08-08 16:31:45 UTC #5

I was able to reproduce the issue. It is not caused by the mkv itself but the size of the file and maybe the fact that such files are displayed as Hexadecimal

Don't have a 150MB text file right now.

Steps:
1. Open windbg.exe
2. Select Main Menu / File / Open Executable ... 3. Select the sublime_text.exe of Sublime Text 3126 (vanilla install)
4. Press F5 once, to start debugging
5. Open a media file of about 150MB of size
6. Ctrl+A, Del, Ctrl+Z as said

This will cause ST to consume about 2.5GB of RAM all over the time. While undo is in progress RAM usage suddenly jumps to 4GB and CPU drops to 0% with the following lines printed out by windbg.

(1e8c.1e54): C++ EH exception - code e06d7363 (first chance)
(1e8c.1e54): C++ EH exception - code e06d7363 (!!! second chance !!!)
*** ERROR: Module load completed but symbols could not be loaded for sublime_text.exe
KERNELBASE!RaiseException+0x68:
00007ff9`598c9e08 488b8c24c0000000 mov     rcx,qword ptr [rsp+0C0h] ss:00000068`8a2fabb0=0000374d45257b98

When pressing F5 again in windbg to continue execution the following lines are printed

0:000> g
WARNING: Continuing a non-continuable exception
(1e8c.1e54): Break instruction exception - code 80000003 (first chance)
sublime_text+0x359390:
00007ff6`d48f9390 cc              int     3
0:000> g
(1e8c.1e54): Break instruction exception - code 80000003 (first chance)
sublime_text+0x359391:
00007ff6`d48f9391 cc              int     3
0:000> g
(1e8c.1e54): Break instruction exception - code 80000003 (first chance)
sublime_text+0x359392:
00007ff6`d48f9392 cc              int     3
0:000> g
(1e8c.1e54): Break instruction exception - code 80000003 (first chance)
sublime_text+0x359393:
00007ff6`d48f9393 cc              int     3
0:000> g
(1e8c.1e54): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
sublime_text+0x3594ce:
00007ff6`d48f94ce 4883610800      and     qword ptr [rcx+8],0 ds:3725cf0a`d1680008=????????????????
0:000> g
(1e8c.1e54): Access violation - code c0000005 (!!! second chance !!!)
sublime_text+0x3594ce:
00007ff6`d48f94ce 4883610800      and     qword ptr [rcx+8],0 ds:3725cf0a`d1680008=????????????????
0:000> g
(1e8c.1e54): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
sublime_text+0x3594ce:
00007ff6`d48f94ce 4883610800      and     qword ptr [rcx+8],0 ds:3725cf0a`d1680008=????????????????
0:000> g
(1e8c.1e54): Access violation - code c0000005 (!!! second chance !!!)
sublime_text+0x3594ce:
00007ff6`d48f94ce 4883610800      and     qword ptr [rcx+8],0 ds:3725cf0a`d1680008=????????????????
0:000> g
(1e8c.1e54): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
sublime_text+0x3594ce:
00007ff6`d48f94ce 4883610800      and     qword ptr [rcx+8],0 ds:3725cf0a`d1680008=????????????????

ST 3126 x64 on Windows 10 x64 1703

wbond 2017-08-08 16:34:16 UTC #6

@deathaxe thanks for the confirmation! How much ram do you have on your machine?

deathaxe 2017-08-08 16:34:47 UTC #7

My system has 8GB RAM

Maybe out of memory exception? Will try again and look for overall RAM usage of my box.

deathaxe 2017-08-08 16:50:15 UTC #8

Tried once more with both ST3126 and ST3142. Overall RAM consumption is about
94% when ST stops working. As memory consumption is growing quickly at this point of time it might be the Windows kernel who just denies further memory allocation to prevent the system from crash.

I might try with a larger swap file, but I am pretty sure, the CVE is triggered by an out of memory situation.

This leads to the question, why does a 150MB file require 2.5GB of RAM to be just opened. Is this caused by python bindings?

braver 2017-08-08 21:19:08 UTC #9

Just because I had to try, I opened a ~200MB .afphoto file (because I couldn't find anything else that's big). It takes over 1GB to open, about 4GB after deleting all content, and almost touches 8GB after hitting CMD-Z. This is on macOS Sierra 10.12.6, Sublime 3142, on a 2015 MacBook Pro Retina with 16GB. This isn't exactly why I got 16GB, but at least it didn't crash

rwols 2017-08-08 21:27:14 UTC #10

So where's the exploit? Doesn't this just freeze/crash sublime?

braver 2017-08-08 21:38:27 UTC #11

There doesn’t seem to be any exploit..

> [Attack Type]
> Local
> 
> ------------------------------------------
> 
> [Impact Denial of Service]
> true
> 
> ------------------------------------------
> 
> [Attack Vectors]
> application crashed by opening a crafted file and issuing several user 
> defined commands
>

As I read it, if the user is willing to do ctrl-a, del, ctrl-z, the application may crash, and that’s it. I don’t see any evidence of anything else. There is a reference to an article about code accessing memory it shouldn’t, but no info about how this out-of-memory crash could lead to that.

OdatNurd 2017-08-08 21:46:04 UTC #12

Yeah, I think the implication is supposed to be that due to the nature of the crash there's some possibility that you could carefully craft a large file such that a potential buffer overflow would cause arbitrary code execution, but no such file (or direct evidence that it can/has been done) is given.

Jackeroo 2017-08-08 21:49:42 UTC #13

I think it is much ado about mostly nothing. Seems that it is more of a limitation of Sublime Text in handling executable files.(but I could be wrong ). Who works in hexadecimal with these large files?

kingkeith 2017-08-09 05:37:40 UTC #14

looks like it's two things: hex encoding mode takes more memory, and the undo stack is unlimited:

exactly - and people could always use a dedicated hex editor if they really need to

rwols 2017-08-09 07:49:32 UTC #15

I use HexViewer for that

braver 2017-08-09 08:51:11 UTC #16

Well, that doesn't really matter here does it? The entire idea of this security issue is that someone can send someone a file, ask the receiver to open it in Sublime, then perform the suggested actions, and boom the receiver's computer is compromised. It's convoluted, but it's still an attack vector. Like it says in the description: "Victim must voluntarily interact with attack mechanism". If going out of memory actually results in an overflow that allows arbitrary code execution, which I'm not sure is a given, or otherwise proven here.

Listen under impact types:

Allows unauthorized disclosure of information
Allows unauthorized modification
Allows disruption of service

There is only indication of number 3: you can crash Sublime with operations on large binaries. If it's just that then that's indeed much ado about nothing, but it also seems like a clear enough case to build in some kind of prevention against the excessive memory use. Excessively long lines also used to crash Sublime and that has been fixed too IIRC.

I don't know these reports are normally handled, but if there isn't any evidence of 1 and 2 how is @wbond or anyone expected to do anything about it?

mwb1100 2017-08-09 18:31:13 UTC #17

He (or jps or someone) could prevent whatever bug is causing the buffer overflow, Some possibilities might be to refuse to perform the operation (perhaps with an error message), to exit Sublime Text before the buffer overflow occurs, or something else. I think that as long as there no longer an uncontrolled buffer overflow, the vulnerability (however unlikely it might currently be) would be eliminated.

How much of a priority this work might be is for someone at Sublime HQ to decide.

deathaxe 2017-08-09 19:02:37 UTC #18

This issue is not limited to binary files. Even normal text files of only 5MB of size may cause 400MB of RAM usage in some situations (e.g. Ctrl+A, TAB to indent everything). If the file was a little larger (50 or 100MB) it could easily cause the crash if not enough RAM is available.

It's not the history only which causes high RAM usage.

kingkeith 2017-08-09 19:20:38 UTC #19

agreed, this is a separate known bug which could indeed exacerbate the situation: