lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 6 Jun 2018 09:51:51 +0800 (GMT+08:00)
From: 熊文彬 <bear.xiong@...ppsecurity.com.cn>
To: seclist <fulldisclosure@...lists.org>
Subject: [FD] libmobi 0.3 vulnerabilities

libmobi multiple vulnerabilities
================
Author : Webin security lab - dbapp security Ltd
===============


Introduction:
=============
C library for handling Mobipocket/Kindle (MOBI) ebook format documents.


For examples on how to use the library have a look at tools folder.


Affected version:
=====
0.3


Vulnerability Description:
==========================
1. The mobi_parse_index_entry function in index.c in Libmobi 0.3 allows remote attackers to cause an information disclosure (heap-based buffer over-read) via a crafted mobi file.


./mobitool -s mobi_parse_index_entry.mobi


==34855==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61100000025c at pc 0x0000005786ba bp 0x7ffe56e09250 sp 0x7ffe56e09248
READ of size 1 at 0x61100000025c thread T0
    #0 0x5786b9 in mobi_parse_index_entry /home/xxx/libmobi/src/index.c:405:30
    #1 0x5786b9 in mobi_parse_indx /home/xxx/libmobi/src/index.c:667
    #2 0x578adb in mobi_parse_index /home/xxx/libmobi/src/index.c:721:15
    #3 0x53504f in mobi_parse_rawml_opt /home/xxx/libmobi/src/parse_rawml.c:2059:19
    #4 0x51dbda in loadfilename /home/xxx/libmobi/tools/mobitool.c:788:20
    #5 0x51e41f in main /home/xxx/libmobi/tools/mobitool.c:955:11
    #6 0x7fc5cbf3c82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #7 0x41ab78 in _start (/home/xxx/libmobi/tools/mobitool+0x41ab78)

0x61100000025c is located 0 bytes to the right of 220-byte region [0x611000000180,0x61100000025c)
allocated by thread T0 here:
    #0 0x4deda8 in __interceptor_malloc (/home/xxx/libmobi/tools/mobitool+0x4deda8)
    #1 0x536832 in mobi_load_recdata /home/xxx/libmobi/src/read.c:180:17
    #2 0x536832 in mobi_load_rec /home/xxx/libmobi/src/read.c:156


Reproducer:
mobi_parse_index_entry.mobi
CVE:
CVE-2018-11725




2. The mobi_pk1_decrypt function in encryption.c in Libmobi 0.3 allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted mobi file.


./mobitool -s mobi_pk1_decrypt.mobi


 ==34495==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000004d00 at pc 0x000000564831 bp 0x7fffeb2af210 sp 0x7fffeb2af208
 WRITE of size 1 at 0x621000004d00 thread T0
     #0 0x564830 in mobi_pk1_decrypt /home/xxx/libmobi/src/encryption.c:122:16
     #1 0x5645be in mobi_drm_decrypt_buffer /home/xxx/libmobi/src/encryption.c:417:20
     #2 0x548227 in mobi_decompress_content /home/xxx/libmobi/src/util.c:1721:23
     #3 0x547575 in mobi_get_rawml /home/xxx/libmobi/src/util.c:1832:12
     #4 0x53495f in mobi_parse_rawml_opt /home/xxx/libmobi/src/parse_rawml.c:1993:11
     #5 0x51dbda in loadfilename /home/xxx/libmobi/tools/mobitool.c:788:20
     #6 0x51e41f in main /home/xxx/libmobi/tools/mobitool.c:955:11
     #7 0x7f98dbf0e82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
     #8 0x41ab78 in _start (/home/xxx/libmobi/tools/mobitool+0x41ab78)

 0x621000004d00 is located 0 bytes to the right of 4096-byte region [0x621000003d00,0x621000004d00)
 allocated by thread T0 here:
     #0 0x4deda8 in __interceptor_malloc (/home/xxx/libmobi/tools/mobitool+0x4deda8)
     #1 0x547e37 in mobi_decompress_content /home/xxx/libmobi/src/util.c:1702:39
     #2 0x547575 in mobi_get_rawml /home/xxx/libmobi/src/util.c:1832:12
     #3 0x51dbda in loadfilename /home/xxx/libmobi/tools/mobitool.c:788:20


Reproducer:
mobi_pk1_decrypt.mobi
CVE:
CVE-2018-11724


3.  The mobi_decode_font_resource function in util.c in Libmobi 0.3 allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted mobi file.


./mobitool -s mobi_decode_font_resource.mobi


 ==35004==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000bdb at pc 0x0000004ddd05 bp 0x7ffcef672650 sp 0x7ffcef671e00
 WRITE of size 68882 at 0x602000000bdb thread T0
     #0 0x4ddd04 in __asan_memcpy (/home/xxx/libmobi/tools/mobitool+0x4ddd04)
     #1 0x54d886 in mobi_decode_font_resource /home/xxx/libmobi/src/util.c:2397:9
     #2 0x54ce21 in mobi_add_font_resource /home/xxx/libmobi/src/util.c:2301:20
     #3 0x52a6f5 in mobi_reconstruct_resources /home/xxx/libmobi/src/parse_rawml.c:596:19
     #4 0x534b7d in mobi_parse_rawml_opt /home/xxx/libmobi/src/parse_rawml.c:2015:11
     #5 0x51dbda in loadfilename /home/xxx/libmobi/tools/mobitool.c:788:20
     #6 0x51e41f in main /home/xxx/libmobi/tools/mobitool.c:955:11
     #7 0x7ffb2f7c282f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
     #8 0x41ab78 in _start (/home/xxx/libmobi/tools/mobitool+0x41ab78)

 0x602000000bdb is located 0 bytes to the right of 11-byte region [0x602000000bd0,0x602000000bdb)
 allocated by thread T0 here:
     #0 0x4deda8 in __interceptor_malloc (/home/xxx/libmobi/tools/mobitool+0x4deda8)
     #1 0x54d79a in mobi_decode_font_resource /home/xxx/libmobi/src/util.c:2373:21
     #2 0x54ce21 in mobi_add_font_resource /home/xxx/libmobi/src/util.c:2301:20
     #3 0x52a6f5 in mobi_reconstruct_resources /home/xxx/libmobi/src/parse_rawml.c:596:19
    
Reproducer:
mobi_decode_font_resource.mobi
CVE:
CVE-2018-11726
===============================


Webin security lab - dbapp security Ltd
Download attachment "pocs.zip" of type "application/x-zip-compressed" (133951 bytes)


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux - Powered by OpenVZ