Date: Mon, 28 May 2018 10:06:48 +0800 (GMT+08:00)
From: 熊文彬 <bear.xiong@...ppsecurity.com.cn>
To: fulldisclosure@...lists.org
Subject: [FD] libmobi 0.3 vulns

libmobi multiple vulnerabilities
================================
Author : Webin security lab - dbapp security Ltd
================================================


Introduction:
=============
C library for handling Mobipocket/Kindle (MOBI) ebook format documents.


For examples on how to use the library have a look at tools folder.


Affected version:
=================
0.3


Vulnerability Description:
==========================
1. The mobi_parse_mobiheader function in read.c in libmobi allows remote attackers to cause information disclosure (heap-buffer-overflow OOB read) via a crafted mobi file.


./mobitool -s mobi_parse_mobiheader


==36648==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000000240 at pc 0x0000005723f1 bp 0x7ffdf813d5a0 sp 0x7ffdf813d598
READ of size 1 at 0x604000000240 thread T0
    #0 0x5723f0 in buffer_get32 /home/xxx/libmobi/src/buffer.c:230:22
    #1 0x5723f0 in buffer_dup32 /home/xxx/libmobi/src/buffer.c:455
    #2 0x537776 in mobi_parse_mobiheader /home/xxx/libmobi/src/read.c:318:5
    #3 0x5387e8 in mobi_parse_record0 /home/xxx/libmobi/src/read.c:463:15
    #4 0x53bffb in mobi_load_file /home/xxx/libmobi/src/read.c:857:11
    #5 0x51d649 in loadfilename /home/xxx/libmobi/tools/mobitool.c:734:16
    #6 0x51e41f in main /home/xxx/libmobi/tools/mobitool.c:955:11
    #7 0x7facdc96682f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #8 0x41ab78 in _start (/home/xxx/libmobi/tools/mobitool+0x41ab78)
0x604000000240 is located 0 bytes to the right of 48-byte region [0x604000000210,0x604000000240)
allocated by thread T0 here:
    #0 0x4deda8 in __interceptor_malloc (/home/xxx/libmobi/tools/mobitool+0x4deda8)
    #1 0x536832 in mobi_load_recdata /home/xxx/libmobi/src/read.c:180:17
    #2 0x536832 in mobi_load_rec /home/xxx/libmobi/src/read.c:156


Reproducer:
mobi_parse_mobiheader
CVE:
CVE-2018-11432




2. The mobi_get_kf8boundary_seqnumber function in util.c in Libmobi 0.3 allows remote attackers to cause information disclosure (heap-based buffer over-read) via a crafted mobi file.


./mobitool -s mobi_get_kf8boundary_seqnumber


==36670==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000006d1 at pc 0x0000004b579c bp 0x7ffdbb7b3780 sp 0x7ffdbb7b2f30
READ of size 8 at 0x6020000006d1 thread T0
    #0 0x4b579b in __interceptor_memcmp.part.77 (/home/xxx/libmobi/tools/mobitool+0x4b579b)
    #1 0x54fc17 in mobi_get_kf8boundary_seqnumber /home/xxx/libmobi/src/util.c:2759:16
    #2 0x53c113 in mobi_load_file /home/xxx/libmobi/src/read.c:868:44
    #3 0x51d649 in loadfilename /home/xxx/libmobi/tools/mobitool.c:734:16
    #4 0x51e41f in main /home/xxx/libmobi/tools/mobitool.c:955:11
    #5 0x7ff191a5682f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #6 0x41ab78 in _start (/home/xxx/libmobi/tools/mobitool+0x41ab78)

0x6020000006d1 is located 0 bytes to the right of 1-byte region [0x6020000006d0,0x6020000006d1)
allocated by thread T0 here:
    #0 0x4deda8 in __interceptor_malloc (/home/xxx/libmobi/tools/mobitool+0x4deda8)
    #1 0x536832 in mobi_load_recdata /home/xxx/libmobi/src/read.c:180:17
    #2 0x536832 in mobi_load_rec /home/xxx/libmobi/src/read.c:156


Reproducer:
mobi_get_kf8boundary_seqnumber
CVE:
CVE-2018-11433


3. The buffer_fill64 function in compression.c in Libmobi 0.3 allows remote attackers to cause information disclosure (heap-based buffer over-read) via a crafted mobi file.


./mobitool -s buffer_fill64


==36692==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61c000002710 at pc 0x0000005746aa bp 0x7ffcf33c4bd0 sp 0x7ffcf33c4bc8
READ of size 1 at 0x61c000002710 thread T0
    #0 0x5746a9 in buffer_fill64 /home/xxx/libmobi/src/compression.c:98:27
    #1 0x5746a9 in mobi_decompress_huffman_internal /home/xxx/libmobi/src/compression.c:128
    #2 0x5743fb in mobi_decompress_huffman_internal /home/xxx/libmobi/src/compression.c:180:19
    #3 0x573832 in mobi_decompress_huffman /home/xxx/libmobi/src/compression.c:213:20
    #4 0x548c2e in mobi_decompress_content /home/xxx/libmobi/src/util.c:1776:23
    #5 0x547575 in mobi_get_rawml /home/xxx/libmobi/src/util.c:1832:12
    #6 0x53495f in mobi_parse_rawml_opt /home/xxx/libmobi/src/parse_rawml.c:1993:11
    #7 0x51dbda in loadfilename /home/xxx/libmobi/tools/mobitool.c:788:20
    #8 0x51e41f in main /home/xxx/libmobi/tools/mobitool.c:955:11
    #9 0x7efe4e4f982f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #10 0x41ab78 in _start (/home/xxx/libmobi/tools/mobitool+0x41ab78)

0x61c000002710 is located 0 bytes to the right of 1680-byte region [0x61c000002080,0x61c000002710)
allocated by thread T0 here:
    #0 0x4deda8 in __interceptor_malloc (/home/xxx/libmobi/tools/mobitool+0x4deda8)
    #1 0x536832 in mobi_load_recdata /home/xxx/libmobi/src/read.c:180:17
    #2 0x536832 in mobi_load_rec /home/xxx/libmobi/src/read.c:156

Reproducer:
buffer_fill64
CVE:
CVE-2018-11434


4. The mobi_decompress_huffman_internal function in compression.c in Libmobi 0.3 allows remote attackers to cause information disclosure (read access violation) via a crafted mobi file.


./mobitool -s mobi_decompress_huffman_internal


==36715==ERROR: AddressSanitizer: SEGV on unknown address 0x61b0000126d0 (pc 0x000000574308 bp 0x7ffdaf41eb50 sp 0x7ffdaf41e9e0 T0)
==36715==The signal is caused by a READ memory access.
    #0 0x574307 in mobi_decompress_huffman_internal /home/xxx/libmobi/src/compression.c:163:45
    #1 0x573832 in mobi_decompress_huffman /home/xxx/libmobi/src/compression.c:213:20
    #2 0x548c2e in mobi_decompress_content /home/xxx/libmobi/src/util.c:1776:23
    #3 0x547575 in mobi_get_rawml /home/xxx/libmobi/src/util.c:1832:12
    #4 0x53495f in mobi_parse_rawml_opt /home/xxx/libmobi/src/parse_rawml.c:1993:11
    #5 0x51dbda in loadfilename /home/xxx/libmobi/tools/mobitool.c:788:20
    #6 0x51e41f in main /home/xxx/libmobi/tools/mobitool.c:955:11
    #7 0x7f15b4f3282f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #8 0x41ab78 in _start (/home/xxx/libmobi/tools/mobitool+0x41ab78)


Reproducer:
mobi_decompress_huffman_internal
CVE:
CVE-2018-11435


5. The buffer_addraw function in buffer.c in Libmobi 0.3 allows remote attackers to cause information disclosure (heap-based buffer over-read) via a crafted mobi file.


./mobitool -s buffer_addraw


==36738==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b0000068f6 at pc 0x0000004ddc2d bp 0x7fffb3989280 sp 0x7fffb3988a30
READ of size 1 at 0x61b0000068f6 thread T0
    #0 0x4ddc2c in __asan_memcpy (/home/xxx/libmobi/tools/mobitool+0x4ddc2c)
    #1 0x5704e6 in buffer_addraw /home/xxx/libmobi/src/buffer.c:153:5
    #2 0x57444f in mobi_decompress_huffman_internal /home/xxx/libmobi/src/compression.c:170:13
    #3 0x573832 in mobi_decompress_huffman /home/xxx/libmobi/src/compression.c:213:20
    #4 0x548c2e in mobi_decompress_content /home/xxx/libmobi/src/util.c:1776:23
    #5 0x547575 in mobi_get_rawml /home/xxx/libmobi/src/util.c:1832:12
    #6 0x53495f in mobi_parse_rawml_opt /home/xxx/libmobi/src/parse_rawml.c:1993:11
    #7 0x51dbda in loadfilename /home/xxx/libmobi/tools/mobitool.c:788:20
    #8 0x51e41f in main /home/xxx/libmobi/tools/mobitool.c:955:11
    #9 0x7fbece1d882f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #10 0x41ab78 in _start (/home/xxx/libmobi/tools/mobitool+0x41ab78)

0x61b0000068f6 is located 0 bytes to the right of 1654-byte region [0x61b000006280,0x61b0000068f6)
allocated by thread T0 here:
    #0 0x4deda8 in __interceptor_malloc (/home/xxx/libmobi/tools/mobitool+0x4deda8)
    #1 0x536832 in mobi_load_recdata /home/xxx/libmobi/src/read.c:180:17
    #2 0x536832 in mobi_load_rec /home/xxx/libmobi/src/read.c:156


Reproducer:
buffer_addraw
CVE:
CVE-2018-11436


6. The mobi_reconstruct_parts function in parse_rawml.c in Libmobi 0.3 allows remote attackers to cause information disclosure (read access violation) via a crafted mobi file.


./mobitool -s mobi_reconstruct_parts


==36806==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000202a (pc 0x7f946a6ca529 bp 0x7ffc6c0242d0 sp 0x7ffc6c023a58 T0)
==36806==The signal is caused by a READ memory access.
    #0 0x7f946a6ca528  /build/glibc-Cl5G7W/glibc-2.23/string/../sysdeps/x86_64/multiarch/memcpy-ssse3-back.S:130
    #1 0x4dd86a in __asan_memcpy (/home/xxx/libmobi/tools/mobitool+0x4dd86a)
    #2 0x52c0c2 in mobi_reconstruct_parts /home/xxx/libmobi/src/parse_rawml.c:929:13
    #3 0x5352e6 in mobi_parse_rawml_opt /home/xxx/libmobi/src/parse_rawml.c:2088:11
    #4 0x51dbda in loadfilename /home/xxx/libmobi/tools/mobitool.c:788:20
    #5 0x51e41f in main /home/xxx/libmobi/tools/mobitool.c:955:11
    #6 0x7f946a58c82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #7 0x41ab78 in _start (/home/xxx/libmobi/tools/mobitool+0x41ab78)


Reproducer:
mobi_reconstruct_parts
CVE:
CVE-2018-11437


7. The mobi_decompress_lz77 function in compression.c in Libmobi 0.3 allows remote attackers to cause remote code execution (heap-based buffer overflow) via a crafted mobi file.


./mobitool -s mobi_decompress_lz77


==36853==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000004d00 at pc 0x0000004de2d1 bp 0x7fff80bd0440 sp 0x7fff80bcfbf0
WRITE of size 1 at 0x621000004d00 thread T0
    #0 0x4de2d0 in __asan_memmove (/home/xxx/libmobi/tools/mobitool+0x4de2d0)
    #1 0x572b51 in buffer_move /home/xxx/libmobi/src/buffer.c:520:5
    #2 0x5734ed in mobi_decompress_lz77 /home/xxx/libmobi/src/compression.c:59:17
    #3 0x548bd4 in mobi_decompress_content /home/xxx/libmobi/src/util.c:1768:23
    #4 0x547575 in mobi_get_rawml /home/xxx/libmobi/src/util.c:1832:12
    #5 0x53495f in mobi_parse_rawml_opt /home/xxx/libmobi/src/parse_rawml.c:1993:11
    #6 0x51dbda in loadfilename /home/xxx/libmobi/tools/mobitool.c:788:20
    #7 0x51e41f in main /home/xxx/libmobi/tools/mobitool.c:955:11
    #8 0x7f413ce4182f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #9 0x41ab78 in _start (/home/xxx/libmobi/tools/mobitool+0x41ab78)

0x621000004d00 is located 0 bytes to the right of 4096-byte region [0x621000003d00,0x621000004d00)
allocated by thread T0 here:
    #0 0x4deda8 in __interceptor_malloc (/home/xxx/libmobi/tools/mobitool+0x4deda8)
    #1 0x547e37 in mobi_decompress_content /home/xxx/libmobi/src/util.c:1702:39
    #2 0x547575 in mobi_get_rawml /home/xxx/libmobi/src/util.c:1832:12
    #3 0x51dbda in loadfilename /home/xxx/libmobi/tools/mobitool.c:788:20


Reproducer:
mobi_decompress_lz77
CVE:
CVE-2018-11438
===============================


Webin security lab - dbapp security Ltd
Download attachment "pocs.zip" of type "application/x-zip-compressed" (291429 bytes)


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
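The over-reads reported above (e.g. buffer_get32 in item 1 reading past a 48-byte record, buffer_fill64 in item 3 reading one byte past a 1680-byte region) share one root cause: a header or stream is walked according to lengths taken from the file without checking them against the bytes actually loaded. The following is an added illustration, not the author's PoCs and not libmobi's code: a reader that tracks its remaining length and fails closed when a field would cross the end of the record. The record layout (a 4-byte magic followed by a big-endian header length) and all names are assumed for the example.

```c
/* Added example: bounds-checked big-endian record reader.
 * Hypothetical layout: "MOBI" at offset 0, header length at offset 4,
 * then u32 fields up to the declared header length.
 * Names (mbuf, mbuf_get32, parse_header) are not libmobi's API. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

typedef struct {
    const uint8_t *data; /* record bytes as loaded from the file */
    size_t len;          /* bytes we are allowed to read */
    size_t pos;          /* current read offset, always <= len */
} mbuf;

/* Read one big-endian u32. Returns 0 on success, -1 if fewer than
 * 4 bytes remain (the case that ASan flags as a heap over-read). */
static int mbuf_get32(mbuf *b, uint32_t *out)
{
    if (b->len - b->pos < 4)
        return -1;
    const uint8_t *p = b->data + b->pos;
    *out = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
    b->pos += 4;
    return 0;
}

/* Walk the header fields of a record. Returns the number of u32 fields
 * read, or -1 when the magic is wrong or the declared header length does
 * not fit inside the bytes that were actually loaded. */
static int parse_header(const uint8_t *rec, size_t reclen,
                        uint32_t *fields, size_t maxfields)
{
    mbuf b = { rec, reclen, 0 };
    uint32_t hdrlen;
    size_t n = 0;

    if (reclen < 8 || memcmp(rec, "MOBI", 4) != 0)
        return -1;
    b.pos = 4;
    if (mbuf_get32(&b, &hdrlen) != 0)
        return -1;
    /* hdrlen is attacker-controlled: it must fit the loaded record. */
    if (hdrlen < 8 || hdrlen > reclen)
        return -1;
    b.len = hdrlen; /* never read beyond the declared header either */
    while (n < maxfields && mbuf_get32(&b, &fields[n]) == 0)
        n++;
    return (int)n;
}
```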