Date: Wed, 6 Jun 2018 09:50:01 +0800 (GMT+08:00)
From: 熊文彬 <bear.xiong@...ppsecurity.com.cn>
To: seclist <fulldisclosure@...lists.org>
Subject: [FD] libpff 20180428 vulnerability

libpff vulnerability
====================
Author : Webin security lab - dbapp security Ltd
================================================


Introduction:
=============
libpff is a library to access the Personal Folder File (PFF) and the Offline Folder File (OFF) format.


These formats are used by Microsoft Outlook to store email, contacts and other data.


Affected version:
=================
20180428


Vulnerability Description:
==========================


The libpff_name_to_id_map_entry_read function in libpff_name_to_id_map.c in libyal libpff through 2018-04-28 allows remote attackers to cause an information disclosure (heap-based buffer over-read) via a crafted PFF file.


AddressSanitizer output from pffinfo, crashing in libpff_name_to_id_map_entry_read:


 ==40274==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b000000210 at pc 0x0000004ef7dd bp 0x7ffdcabff1f0 sp 0x7ffdcabfe9a0
 READ of size 16 at 0x60b000000210 thread T0
     #0 0x4ef7dc in __asan_memcpy (/home/xxx/libpff/pfftools/pffinfo+0x4ef7dc)
     #1 0x547371 in libpff_name_to_id_map_entry_read /home/xxx/libpff/libpff/libpff_name_to_id_map.c:668:7
     #2 0x5469fd in libpff_name_to_id_map_read /home/xxx/libpff/libpff/libpff_name_to_id_map.c:498:7
     #3 0x52f49c in libpff_file_open_read /home/xxx/libpff/libpff/libpff_file.c:1081:11
     #4 0x52e93a in libpff_file_open_file_io_handle /home/xxx/libpff/libpff/libpff_file.c:580:6
     #5 0x52e2f3 in libpff_file_open /home/xxx/libpff/libpff/libpff_file.c:322:6
     #6 0x528b63 in info_handle_open_input /home/xxx/libpff/pfftools/info_handle.c:298:6
     #7 0x52c1e4 in main /home/xxx/libpff/pfftools/pffinfo.c:284:6
     #8 0x7f71314be82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
     #9 0x42c728 in _start (/home/xxx/libpff/pfftools/pffinfo+0x42c728)

 0x60b000000210 is located 0 bytes to the right of 112-byte region [0x60b0000001a0,0x60b000000210)
 allocated by thread T0 here:
     #0 0x4f0958 in malloc (/home/xxx/libpff/pfftools/pffinfo+0x4f0958)
     #1 0x54be30 in libpff_record_entry_set_value_data /home/xxx/libpff/libpff/libpff_record_entry.c:593:51
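The report above shows a 16-byte memcpy starting 0 bytes past the end of a 112-byte value-data allocation, i.e. an offset derived from file content was never checked against the buffer size. The following is an added example written for this post, not libpff's code: it shows the bounds check such a read needs, exercised against a constructed 112-byte buffer of the same size as the region in the report. The table layout (packed 16-byte GUID entries selected by index) and the function names are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GUID_SIZE 16u
#define SAMPLE_VALUE_DATA_SIZE 112u   /* same size as the region in the ASan report (constructed) */

/* Copy the 16-byte GUID at guid_index out of value_data.
 * Returns 0 on success, -1 if the entry would extend past value_data_size.
 * Every check happens before any memory access and without arithmetic that
 * can wrap, which is what an unchecked "memcpy(out, data + index * 16, 16)"
 * lacks. Hypothetical layout: a packed table of 16-byte GUIDs. */
int read_guid_entry(const uint8_t *value_data, size_t value_data_size,
                    uint32_t guid_index, uint8_t out[GUID_SIZE])
{
    size_t offset;

    if (value_data == NULL || out == NULL) return -1;
    if ((size_t)guid_index > SIZE_MAX / GUID_SIZE) return -1;   /* index * 16 would wrap */
    offset = (size_t)guid_index * GUID_SIZE;
    if (offset > value_data_size || GUID_SIZE > value_data_size - offset) return -1; /* past end */
    memcpy(out, value_data + offset, GUID_SIZE);
    return 0;
}

/* Exercise the check against a constructed 112-byte table where byte i == i.
 * Returns 0 when every expectation holds, otherwise the number of the
 * first failed expectation. */
int run_sample_checks(void)
{
    uint8_t value_data[SAMPLE_VALUE_DATA_SIZE];
    uint8_t guid[GUID_SIZE];
    size_t i;

    for (i = 0; i < SAMPLE_VALUE_DATA_SIZE; i++)
        value_data[i] = (uint8_t)i;

    /* 1-2: the last valid entry (bytes 96..111) is accepted and copied intact */
    if (read_guid_entry(value_data, sizeof value_data, 6, guid) != 0) return 1;
    if (guid[0] != 96 || guid[15] != 111) return 2;
    /* 3: index 7 starts 0 bytes past the end, exactly the situation in the report */
    if (read_guid_entry(value_data, sizeof value_data, 7, guid) != -1) return 3;
    /* 4: a huge index is rejected by the wrap guard, not by luck */
    if (read_guid_entry(value_data, sizeof value_data, UINT32_MAX, guid) != -1) return 4;
    return 0;
}

int main(void)
{
    printf("sample checks: %s\n", run_sample_checks() == 0 ? "ok" : "FAILED");
    return 0;
}
```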


Reproducer:
===========
libpff_name_to_id_map_entry_read

CVE:
====
CVE-2018-11723


==============================


Webin security lab - dbapp security Ltd
Download attachment "poc.zip" of type "application/x-zip-compressed" (61847 bytes)


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
