Message-ID: <2920230.e42.15d924eeca0.Coremail.qflb.wu@dbappsecurity.com.cn>
Date: Sun, 30 Jul 2017 15:03:51 +0800 (GMT+08:00)
From: "qflb.wu" <qflb.wu@...ppsecurity.com.cn>
To: fulldisclosure@...lists.org
Subject: [FD] Links buffer over-read vulnerability

Links buffer over-read vulnerability
================
Author : qflb.wu
===============


Introduction:
=============
Links is a text and graphics mode WWW browser. It includes support for rendering tables and frames, features background downloads, can display colors and has many other features.


Affected version:
=================
2.14


Vulnerability Description:
==========================
The put_chars function in html_r.c in Links 2.14 can cause a denial of service (buffer over-read) via a crafted HTML file.


./links -dump links_2.14_buffer_over_read.html


=================================================================
==10690==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000002303d00 at pc 0x667c5e bp 0x7ffca2e786f0 sp 0x7ffca2e786e8
READ of size 1 at 0x000002303d00 thread T0
    #0 0x667c5d in put_chars /home/a/Documents/links-2.14/html_r.c:662
    #1 0x635815 in put_chars_conv /home/a/Documents/links-2.14/html.c:725
    #2 0x5e92ec in put_chrs /home/a/Documents/links-2.14/html.c:764
    #3 0x5d23f0 in parse_html /home/a/Documents/links-2.14/html.c:2865
    #4 0x64814e in do_format /home/a/Documents/links-2.14/html_r.c:1015
    #5 0x64814e in format_html_part /home/a/Documents/links-2.14/html_r.c:1092
    #6 0x64c42b in really_format_html /home/a/Documents/links-2.14/html_r.c:1248
    #7 0x7e528e in format_html /home/a/Documents/links-2.14/session.c:1177
    #8 0x7e528e in cached_format_html /home/a/Documents/links-2.14/session.c:1420
    #9 0x73fe2a in end_dump /home/a/Documents/links-2.14/main.c:306
    #10 0x77a08e in object_timer /home/a/Documents/links-2.14/objreq.c:425
    #11 0x7beaf2 in check_timers /home/a/Documents/links-2.14/select.c:468
    #12 0x7bc09d in select_loop /home/a/Documents/links-2.14/select.c:890
    #13 0x73bdc9 in main /home/a/Documents/links-2.14/main.c:616
    #14 0x7f2765871ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #15 0x48619c in _start (/home/a/Documents/links-2.14/links+0x48619c)


0x000002303d00 is located 0 bytes to the right of global variable 'put_chars_conv.buffer' from 'html.c' (0x2303c00) of size 256
SUMMARY: AddressSanitizer: global-buffer-overflow /home/a/Documents/links-2.14/html_r.c:662 put_chars
Shadow bytes around the buggy address:
  0x000080458750: 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
  0x000080458760: 01 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x000080458770: 00 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
  0x000080458780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080458790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0000804587a0:[f9]f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x0000804587b0: 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x0000804587c0: 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x0000804587d0: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x0000804587e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000804587f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==10690==ABORTING




POC:
links_2.14_buffer_over_read.html
CVE:
CVE-2017-11114




===============================




qflb.wu () dbappsecurity com cn
Attachment: "poc.zip" (application/x-zip-compressed, 1437 bytes)


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
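The ASan report above says the read landed 0 bytes past a 256-byte static buffer (put_chars_conv.buffer) while put_chars walked its contents. The post does not include the Links source or the exact cause, so the following is an added, hypothetical C model of that bug class, not Links code: a converter fills a fixed 256-byte static buffer, a consumer walks it until a terminator, and when the input exactly fills the buffer the terminator does not fit, so the walk reads conv_buffer[256]. The bounded consumer beside it is the shape of fix a reviewer would ask for: carry the produced length instead of trusting a terminator. All names (convert_chunk, count_chars_unbounded, count_chars_bounded, CONV_BUF_SIZE) and the sample input are this example's own assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the bug class in the ASan report: a 256-byte
 * static conversion buffer (the size ASan printed) and a consumer that
 * can walk past its end. Illustrative code, NOT the Links source. */
#define CONV_BUF_SIZE 256

static unsigned char conv_buffer[CONV_BUF_SIZE];

/* Converter stand-in: copies up to CONV_BUF_SIZE input bytes into the
 * static buffer. A NUL terminator is written only when there is room,
 * which is exactly the case a terminator-trusting consumer gets wrong. */
static unsigned char *convert_chunk(const unsigned char *in, size_t n, size_t *out_len)
{
    size_t len = n < CONV_BUF_SIZE ? n : CONV_BUF_SIZE;
    memcpy(conv_buffer, in, len);
    if (len < CONV_BUF_SIZE)
        conv_buffer[len] = '\0';
    *out_len = len;
    return conv_buffer;
}

/* Vulnerable consumer: trusts a terminator. With a full 256-byte chunk the
 * scan continues at conv_buffer[256], "0 bytes to the right of" the global,
 * which is what ASan flagged. Only ever called here on short chunks. */
static size_t count_chars_unbounded(const unsigned char *s)
{
    size_t i = 0;
    while (s[i] != '\0')
        i++;
    return i;
}

/* Hardened consumer: bounded by the length the converter produced, so it
 * never touches conv_buffer[CONV_BUF_SIZE]. */
static size_t count_chars_bounded(const unsigned char *s, size_t cap)
{
    size_t i = 0;
    while (i < cap && s[i] != '\0')
        i++;
    return i;
}

/* Check for the edge case: a chunk that exactly fills the buffer has no
 * terminator, and the bounded walk must stop at cap. Returns 1 on success. */
static int check_full_buffer(void)
{
    unsigned char input[CONV_BUF_SIZE];          /* constructed input, no NUL */
    size_t produced;
    unsigned char *out;

    memset(input, 'A', sizeof input);
    out = convert_chunk(input, sizeof input, &produced);
    return produced == CONV_BUF_SIZE &&
           count_chars_bounded(out, produced) == CONV_BUF_SIZE;
}

/* Short chunk: the terminator fits, so both consumers agree. Returns the
 * bounded count, or 0 if the two consumers disagree. */
static size_t check_short_chunk(void)
{
    size_t produced;
    unsigned char *out = convert_chunk((const unsigned char *)"hello", 5, &produced);
    size_t a = count_chars_unbounded(out);
    size_t b = count_chars_bounded(out, produced);
    return a == b ? b : 0;
}

int main(void)
{
    printf("full-buffer check: %s\n", check_full_buffer() ? "ok" : "FAIL");
    printf("short chunk length: %zu\n", check_short_chunk());
    return 0;
}
```

Compiling this model with `-fsanitize=address` and calling count_chars_unbounded on the full-buffer chunk produces the same kind of global-buffer-overflow report as the one in the post; the bounded variant runs clean on the same input, which is the regression check to keep once the real consumer is fixed.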
