
Out-of-bounds read and write can lead to code execution

Open Numb3rsProprety opened this issue 1 year ago • 0 comments

Hi, I know that this project is inactive and that it's useless writing an issue, but here I am.

Pretty much every instruction using an offset to write/read data is vulnerable to an out-of-bounds vulnerability. For example, here is the code for the LOAD instruction:

    case LOAD:
        offset = code[ip++];            /* operand taken straight from the bytecode */
        stack[++sp] = stack[fp+offset]; /* fp+offset is indexed without any range check */
        break;

The offset is a user-controlled variable inside the VM and can be up to 8 bytes long (0xffffffff bytes), while the stack allocated for the VM is only 0x1f40 bytes long.

You (I don't really know if someone is reading this) should implement a security check to ensure that it's not bigger than the size of the stack.

PS: I actually wrote an article 🥸 about exploiting this specific VM in order to spawn a shell: https://www.numb3rs.re/posts/popping_shells_1/

Numb3rsProprety, Jun 18 '24 20:06
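The check the report asks for, shown as an added example beside the unchecked form. This is illustrative code written for this page, not the project's own interpreter: the stack size (2000 slots, i.e. 0x1f40 interpreted as a slot count), the opcode numbers, the `vm_t` layout and the `int32_t` bytecode are all assumptions. The hardened LOAD widens `fp + offset` to 64 bits before comparing it, rejects negative and out-of-range indices, and additionally refuses to read above the current top of stack, so the operand from the bytecode can never pick an address outside the array.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Assumed sizes and opcodes for this illustration (not the project's values). */
#define STACK_SIZE 2000              /* 0x1f40, taken here as a count of slots */
enum { HALT = 0, PUSH = 1, LOAD = 2 };

typedef struct {
    int32_t stack[STACK_SIZE];
    int32_t sp;                      /* index of top of stack, -1 when empty */
    int32_t fp;                      /* frame pointer, base for LOAD offsets */
} vm_t;

typedef enum { VM_OK = 0, VM_ERR_OOB = 1, VM_ERR_OVERFLOW = 2, VM_ERR_BAD_OP = 3 } vm_status;

void vm_init(vm_t *vm) {
    for (size_t i = 0; i < STACK_SIZE; i++) vm->stack[i] = 0;
    vm->sp = -1;
    vm->fp = 0;
}

/* The pattern from the report: the operand indexes the array directly.
   Any offset that takes fp + offset outside the array reads (or, for the
   matching STORE, writes) arbitrary memory relative to the stack. */
vm_status load_unchecked(vm_t *vm, int32_t offset) {
    vm->stack[++vm->sp] = vm->stack[vm->fp + offset];
    return VM_OK;
}

/* Hardened LOAD: compute the index in a wider type so the addition cannot
   wrap, then require 0 <= index <= sp (an initialised slot inside the
   array) and room for the push before touching memory. */
vm_status load_checked(vm_t *vm, int32_t offset) {
    int64_t src = (int64_t)vm->fp + (int64_t)offset;
    if (src < 0 || src >= STACK_SIZE || src > vm->sp) return VM_ERR_OOB;
    if (vm->sp + 1 >= STACK_SIZE) return VM_ERR_OVERFLOW;
    vm->stack[++vm->sp] = vm->stack[src];
    return VM_OK;
}

/* Small dispatch loop that runs a bytecode program on a fresh VM using the
   checked LOAD. Operand fetches are also bounds-checked against the code. */
vm_status run_program(const int32_t *code, size_t len, vm_t *vm) {
    vm_init(vm);
    size_t ip = 0;
    while (ip < len) {
        int32_t op = code[ip++];
        switch (op) {
        case PUSH: {
            if (ip >= len) return VM_ERR_BAD_OP;
            int32_t v = code[ip++];
            if (vm->sp + 1 >= STACK_SIZE) return VM_ERR_OVERFLOW;
            vm->stack[++vm->sp] = v;
            break;
        }
        case LOAD: {
            if (ip >= len) return VM_ERR_BAD_OP;
            int32_t off = code[ip++];
            vm_status s = load_checked(vm, off);
            if (s != VM_OK) return s;
            break;
        }
        case HALT:
            return VM_OK;
        default:
            return VM_ERR_BAD_OP;
        }
    }
    return VM_OK;
}

int main(void) {
    vm_t vm;
    /* Constructed programs: a valid load, a huge offset, and a negative one. */
    const int32_t good[] = { PUSH, 7, LOAD, 0, HALT };
    const int32_t huge[] = { PUSH, 7, LOAD, INT32_MAX, HALT };
    const int32_t neg[]  = { LOAD, -1, HALT };
    printf("good: status %d, top=%d\n", run_program(good, 5, &vm), vm.stack[vm.sp]);
    printf("huge: status %d\n", run_program(huge, 5, &vm));
    printf("neg:  status %d\n", run_program(neg, 3, &vm));
    return 0;
}
```

The same widening-and-compare belongs in every opcode that derives an index from a bytecode operand (STORE, GLOAD/GSTORE and any CALL that adjusts fp), since a check on LOAD alone leaves the write side open.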