Date: Tue, 12 Jun 2018 09:31:25 +0800 (GMT+08:00)
From: 熊文彬 <bear.xiong@...ppsecurity.com.cn>
To: seclist <fulldisclosure@...lists.org>
Subject: [FD] liblnk 20180419 vulns

liblnk multiple vulnerabilities
===============================
Author: Webin security lab - dbapp security Ltd
===============================


Introduction:
=============
liblnk is a library to access the Windows Shortcut File (LNK) format.


Affected version:
=================
20180419


Vulnerability Description:
==========================
1.  The liblnk_data_string_get_utf8_string_size function in liblnk_data_string.c in liblnk through 2018-04-19 allows remote attackers to cause an information disclosure (heap-based buffer over-read) via a crafted lnk file.


./lnkinfo liblnk_data_string_get_utf8_string_size


 ==8006==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000006f at pc 0x00000058f617 bp 0x7fffe851ecb0 sp 0x7fffe851eca8
 READ of size 1 at 0x60200000006f thread T0
     #0 0x58f616 in libuna_utf8_string_size_from_byte_stream /home/xxx/liblnk/libuna/libuna_utf8_string.c:82:6
     #1 0x606cf0 in liblnk_data_string_get_utf8_string_size /home/xxx/liblnk/liblnk/liblnk_data_string.c:434:12
     #2 0x5ea89c in liblnk_file_get_utf8_command_line_arguments_size /home/xxx/liblnk/liblnk/liblnk_file.c:5301:6
     #3 0x52cdc9 in info_handle_command_line_arguments_fprint /home/xxx/liblnk/lnktools/info_handle.c:1792:11
     #4 0x52ecf4 in info_handle_file_fprint /home/xxx/liblnk/lnktools/info_handle.c:2624:6
     #5 0x52fc63 in main /home/xxx/liblnk/lnktools/lnkinfo.c:277:6
     #6 0x7f79fb92282f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
     #7 0x42c678 in _start (/home/xxx/liblnk/lnktools/lnkinfo+0x42c678)

 0x60200000006f is located 1 bytes to the left of 1-byte region [0x602000000070,0x602000000071)
 allocated by thread T0 here:
     #0 0x4f08a8 in malloc (/home/xxx/liblnk/lnktools/lnkinfo+0x4f08a8)
     #1 0x6067fc in liblnk_data_string_read /home/xxx/liblnk/liblnk/liblnk_data_string.c:273:34
     #2 0x5df733 in liblnk_file_open_read /home/xxx/liblnk/liblnk/liblnk_file.c:1317:16
     #3 0x5de9ab in liblnk_file_open_file_io_handle /home/xxx/liblnk/liblnk/liblnk_file.c:627:6
     #4 0x7f79fb93b785 in getenv /build/glibc-Cl5G7W/glibc-2.23/stdlib/getenv.c:35


Reproducer:
liblnk_data_string_get_utf8_string_size
CVE:
CVE-2018-12096




2.  The liblnk_location_information_read_data function in liblnk_location_information.c in liblnk through 2018-04-19 allows remote attackers to cause an information disclosure (heap-based buffer over-read) via a crafted lnk file.


./lnkinfo liblnk_location_information_read_data


 ==8015==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b00000020a at pc 0x0000004ef72d bp 0x7ffc0f581380 sp 0x7ffc0f580b30
 READ of size 2 at 0x60b00000020a thread T0
     #0 0x4ef72c in __asan_memcpy (/home/xxx/liblnk/lnktools/lnkinfo+0x4ef72c)
     #1 0x5f3910 in liblnk_location_information_read_data /home/xxx/liblnk/liblnk/liblnk_location_information.c:1661:7
     #2 0x5f4aa4 in liblnk_location_information_read /home/xxx/liblnk/liblnk/liblnk_location_information.c:1907:6
     #3 0x5df231 in liblnk_file_open_read /home/xxx/liblnk/liblnk/liblnk_file.c:1149:16
     #4 0x5de9ab in liblnk_file_open_file_io_handle /home/xxx/liblnk/liblnk/liblnk_file.c:627:6
     #5 0x5de33e in liblnk_file_open /home/xxx/liblnk/liblnk/liblnk_file.c:345:6
     #6 0x529078 in info_handle_open_input /home/xxx/liblnk/lnktools/info_handle.c:415:6
     #7 0x52fc2e in main /home/xxx/liblnk/lnktools/lnkinfo.c:265:6
     #8 0x7f0ac292082f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
     #9 0x42c678 in _start (/home/xxx/liblnk/lnktools/lnkinfo+0x42c678)

 0x60b00000020a is located 0 bytes to the right of 106-byte region [0x60b0000001a0,0x60b00000020a)
 allocated by thread T0 here:
     #0 0x4f08a8 in malloc (/home/xxx/liblnk/lnktools/lnkinfo+0x4f08a8)
     #1 0x5f4a1a in liblnk_location_information_read /home/xxx/liblnk/liblnk/liblnk_location_information.c:1876:42
     #2 0x5df231 in liblnk_file_open_read /home/xxx/liblnk/liblnk/liblnk_file.c:1149:16
     #3 0x5de9ab in liblnk_file_open_file_io_handle /home/xxx/liblnk/liblnk/liblnk_file.c:627:6


Reproducer:
liblnk_location_information_read_data
CVE:
CVE-2018-12097


3.  The liblnk_data_block_read function in liblnk_data_block.c in liblnk through 2018-04-19 allows remote attackers to cause an information disclosure (heap-based buffer over-read) via a crafted lnk file.


./lnkinfo liblnk_data_block_read


 ==8039==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000093 at pc 0x00000060537b bp 0x7ffc89001270 sp 0x7ffc89001268
 READ of size 1 at 0x602000000093 thread T0
     #0 0x60537a in liblnk_data_block_read /home/xxx/liblnk/liblnk/liblnk_data_block.c:296:3
     #1 0x5dfa5a in liblnk_file_open_read /home/xxx/liblnk/liblnk/liblnk_file.c:1409:17
     #2 0x5de9ab in liblnk_file_open_file_io_handle /home/xxx/liblnk/liblnk/liblnk_file.c:627:6
     #3 0x5de33e in liblnk_file_open /home/xxx/liblnk/liblnk/liblnk_file.c:345:6
     #4 0x529078 in info_handle_open_input /home/xxx/liblnk/lnktools/info_handle.c:415:6
     #5 0x52fc2e in main /home/xxx/liblnk/lnktools/lnkinfo.c:265:6
     #6 0x7f5ad442d82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
     #7 0x42c678 in _start (/home/xxx/liblnk/lnktools/lnkinfo+0x42c678)

 0x602000000093 is located 2 bytes to the right of 1-byte region [0x602000000090,0x602000000091)
 allocated by thread T0 here:
     #0 0x4f08a8 in malloc (/home/xxx/liblnk/lnktools/lnkinfo+0x4f08a8)
     #1 0x604ff0 in liblnk_data_block_read /home/xxx/liblnk/liblnk/liblnk_data_block.c:263:34
     #2 0x5dfa5a in liblnk_file_open_read /home/xxx/liblnk/liblnk/liblnk_file.c:1409:17
     #3 0x5de9ab in liblnk_file_open_file_io_handle /home/xxx/liblnk/liblnk/liblnk_file.c:627:6
     #4 0x7f5ad4446785 in getenv /build/glibc-Cl5G7W/glibc-2.23/stdlib/getenv.c:35
    
Reproducer:
liblnk_data_block_read
CVE:
CVE-2018-12098
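All three reports above share one shape: a heap region sized from a length field in the file, followed by a read that lands just outside it (one byte before a 1-byte region in #1, zero and two bytes past the end of 106-byte and 1-byte regions in #2 and #3). The report does not say which check liblnk was missing, and the example below does not claim to. It is an added illustration, not liblnk's code and not the attached PoCs, of how a parser for the LNK StringData sections (the structures that hold the command line arguments read in #1) keeps such reads in bounds. It assumes the layout from MS-SHLLINK 2.4: a little-endian uint16 CountCharacters followed by that many characters, 2 bytes each when LinkFlags.IsUnicode is set and 1 byte otherwise, with no stored terminator. The sample entries at the bottom are constructed for the demo.

```c
/*
 * Bounds-checked parser for LNK StringData entries.
 *
 * Added example for this advisory; NOT liblnk's code and not a claim
 * about liblnk's actual bug. Assumes the MS-SHLLINK 2.4 layout:
 * uint16 CountCharacters (LE), then that many characters, each 2 bytes
 * (UTF-16LE) if LinkFlags.IsUnicode is set, else 1 byte; no terminator.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {
    const uint8_t *chars;  /* points into the caller's buffer, not copied */
    size_t count;          /* CountCharacters as declared in the file */
    size_t byte_len;       /* count * (is_unicode ? 2 : 1) */
} lnk_string;

#define LNK_BAD_STRING ((size_t)-1)

/* Parse one entry at *offset. Returns 0 and advances *offset past the
 * entry, or -1 if the count field or the declared characters would run
 * past buf_size. The count is validated before it sizes any read or
 * allocation, and the comparison is arranged so it cannot overflow. */
int lnk_string_data_read(const uint8_t *buf, size_t buf_size, size_t *offset,
                         bool is_unicode, lnk_string *out)
{
    size_t pos = *offset;
    if (buf_size < 2 || pos > buf_size - 2)
        return -1;                                  /* count field missing */
    size_t count = (size_t)buf[pos] | ((size_t)buf[pos + 1] << 8);
    size_t char_size = is_unicode ? 2 : 1;
    size_t remaining = buf_size - (pos + 2);
    if (count > remaining / char_size)
        return -1;                                  /* declared length lies */
    out->chars = buf + pos + 2;
    out->count = count;
    out->byte_len = count * char_size;
    *offset = pos + 2 + out->byte_len;
    return 0;
}

/* Bytes that a parser which trusts CountCharacters would read past the
 * end of buf for the entry at offset (0 = in bounds). Only computed,
 * never performed, so it is safe to call on hostile input. */
size_t lnk_string_data_overrun(const uint8_t *buf, size_t buf_size,
                               size_t offset, bool is_unicode)
{
    size_t have = offset > buf_size ? 0 : buf_size - offset;
    if (have < 2)
        return 2 - have;                            /* count field itself missing */
    size_t count = (size_t)buf[offset] | ((size_t)buf[offset + 1] << 8);
    size_t needed = offset + 2 + count * (is_unicode ? 2 : 1);
    return needed > buf_size ? needed - buf_size : 0;
}

/* UTF-8 size of a UTF-16LE string of `count` code units, reading only
 * [s, s + 2*count). Returns LNK_BAD_STRING on a lone surrogate. A zero
 * count returns 0 without touching memory: there is deliberately no
 * s[len - 1] "strip trailing NUL" access, which on an empty string would
 * read one byte before the allocation. */
size_t lnk_utf16le_utf8_size(const uint8_t *s, size_t count)
{
    size_t size = 0;
    for (size_t i = 0; i < count; i++) {
        uint32_t cu = (uint32_t)s[2 * i] | ((uint32_t)s[2 * i + 1] << 8);
        if (cu >= 0xD800 && cu <= 0xDBFF) {         /* high surrogate */
            if (i + 1 >= count)
                return LNK_BAD_STRING;
            uint32_t lo = (uint32_t)s[2 * i + 2] | ((uint32_t)s[2 * i + 3] << 8);
            if (lo < 0xDC00 || lo > 0xDFFF)
                return LNK_BAD_STRING;
            i++;                                    /* pair consumed */
            size += 4;
        } else if (cu >= 0xDC00 && cu <= 0xDFFF) {  /* lone low surrogate */
            return LNK_BAD_STRING;
        } else if (cu < 0x80) {
            size += 1;
        } else if (cu < 0x800) {
            size += 2;
        } else {
            size += 3;
        }
    }
    return size;
}

/* Constructed sample entries (not taken from the attached pocs.zip). */
const uint8_t good[]  = {0x03, 0x00, 'a', 0, 'b', 0, 'c', 0}; /* "abc" */
const uint8_t lying[] = {0x10, 0x00, 'a', 0};   /* claims 16 chars, has 1 */
const uint8_t empty[] = {0x00, 0x00};           /* zero-length string */

int main(void)
{
    lnk_string s;
    size_t off = 0;
    if (lnk_string_data_read(good, sizeof good, &off, true, &s) == 0)
        printf("good: %zu chars, utf8 size %zu, next offset %zu\n",
               s.count, lnk_utf16le_utf8_size(s.chars, s.count), off);
    off = 0;
    printf("lying: read=%d, trusting parser would over-read %zu bytes\n",
           lnk_string_data_read(lying, sizeof lying, &off, true, &s),
           lnk_string_data_overrun(lying, sizeof lying, 0, true));
    off = 0;
    if (lnk_string_data_read(empty, sizeof empty, &off, true, &s) == 0)
        printf("empty: %zu chars, utf8 size %zu\n",
               s.count, lnk_utf16le_utf8_size(s.chars, s.count));
    return 0;
}
```

The two checks worth carrying over to any LNK (or similar length-prefixed) parser are the ones the sample exercises: reject the entry when `count * char_size` exceeds what is left in the buffer, computed as a division so a large count cannot wrap, and treat a zero-length string as a valid empty value rather than indexing `len - 1`. Build the parser with `-fsanitize=address` and run it over fuzzed inputs, as the reporters did with lnkinfo, to confirm no read escapes the region the length field sized.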
===============================


Webin security lab - dbapp security Ltd
Download attachment "pocs.zip" of type "application/x-zip-compressed" (2522 bytes)


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
