This is a micro-benchmark that exercises the gzprintf function in zlib version 1.1.3. This version of the zlib library has a bug where calls to gzprintf use a fixed-size buffer that can be overflowed.
Each error class has a warm-up phase followed by a security exploit. The warm-up phase represents normal use of the gzprintf function by a program that links in zlib: gzprintf is called a random number of times with random arguments and a random choice among 8 format strings. The exploits are listed below. All exploits are taken from code found on the internet.
| Class | Effect | Cause |
|---|---|---|
| Normal | No exploit | |
| Shell exploit | Produces a root shell | Large buffer with shell code |
| Crash exploit 1 | Crashes program | Large string formatting argument, "%10240s" |
| Crash exploit 2 | Crashes program | Large buffer with garbage |
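The fixed-size buffer described above is only dangerous when the formatting call is unbounded. As an added illustration (not code from this benchmark or from zlib), the function below shows the hardened pattern a wrapper around gzprintf-style formatting should use: vsnprintf is bounded by the buffer size, and output that would not fit is reported as an error instead of overflowing. The buffer size DEMO_PRINTF_BUFSIZE is an assumed value for the demonstration, not zlib's own constant; the "%10240s" case is the wide-field argument from the table above.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Assumed buffer size for the demonstration, not zlib's actual constant. */
#define DEMO_PRINTF_BUFSIZE 4096

/*
 * Formats into a fixed buffer safely: vsnprintf never writes past
 * bufsize, and any output that would not fit (including the NUL) is
 * rejected rather than silently truncated or overflowed.
 * Returns the number of bytes placed in buf, or -1 on overflow/error.
 */
int bounded_format(char *buf, size_t bufsize, const char *fmt, ...)
{
    va_list va;
    int len;

    va_start(va, fmt);
    len = vsnprintf(buf, bufsize, fmt, va);
    va_end(va);

    /* len < 0: encoding error; len >= bufsize: output was cut off. */
    if (len < 0 || (size_t)len >= bufsize) {
        buf[0] = '\0';   /* discard partial output; caller must handle -1 */
        return -1;
    }
    return len;
}

/* A normal-use call of the kind the warm-up phase makes. */
int demo_normal(void)
{
    char buf[DEMO_PRINTF_BUFSIZE];
    return bounded_format(buf, sizeof buf, "record %d: %s\n", 42, "hello");
}

/* The "%10240s" argument: pads to 10240 bytes, larger than the buffer. */
int demo_wide_field(void)
{
    char buf[DEMO_PRINTF_BUFSIZE];
    return bounded_format(buf, sizeof buf, "%10240s", "x");
}
```

With an unbounded vsprintf in place of vsnprintf, the second call would write past the end of the 4096-byte buffer; here it returns -1 and leaves the buffer empty.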