lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <69096e03.1ec.15f95063907.Coremail.qflb.wu@dbappsecurity.com.cn>
Date: Tue, 7 Nov 2017 13:48:53 +0800 (GMT+08:00)
From: "qflb.wu" <qflb.wu@...ppsecurity.com.cn>
To: fulldisclosure@...lists.org
Subject: [FD] mkvalidator libebml2 mkclean multiple vulnerabilities

mkvalidator libebml2 mkclean multiple vulnerabilities
================
Author : qflb.wu
===============


Introduction:
=============
mkvalidator is a simple command line tool to verify Matroska and WebM files for spec conformance. It checks the various bogus or missing key elements against the EBML DocType version of the file and reports the errors/warnings in the command line.
mkclean is a command line tool to clean and optimize Matroska (.mkv / .mka / .mks / .mk3d) and WebM (.webm / .weba) files that have already been muxed.


Affected version:
=====
mkvalidator 0.5.1
libebml2(through 2012-08-26)
mkclean 0.8.9


Vulnerability Description:
==========================
1.
the Node_GetData function in corec/corec/node/node.c in mkvalidator 0.5.1 can cause a denial of service(Null pointer dereference and application crash) via a crafted mkv file.


./mkvalidator mkvalidator_0.5.1_null_pointer_dereference.mkv


----debug info:----
Program received signal SIGSEGV, Segmentation fault.
0x0000000000421767 in Node_GetData (p=0x0, Id=256, Type=1)
at ../corec/corec/node/node.c:681
681for (i=p->Data;i;i=i->Next)
(gdb) bt
#0 0x0000000000421767 in Node_GetData (p=0x0, Id=256, Type=1)
at ../corec/corec/node/node.c:681
#1 0x000000000042cb29 in EBML_ElementIsFiniteSize (Element=0x0)
at ebmlelement.c:98
#2 0x000000000042cf51 in EBML_ElementPositionEnd (Element=0x0)
at ebmlelement.c:195
#3 0x0000000000405917 in main (argc=2, argv=0x7fffffffdf78)
at mkvalidator.c:1036
(gdb) disassemble
Dump of assembler code for function Node_GetData:
0x0000000000421743 <+0>:push %rbp
0x0000000000421744 <+1>:mov %rsp,%rbp
0x0000000000421747 <+4>:mov %rdi,-0x18(%rbp)
0x000000000042174b <+8>:mov %rsi,-0x20(%rbp)
0x000000000042174f <+12>:mov %rdx,-0x28(%rbp)
0x0000000000421753 <+16>:mov -0x20(%rbp),%rax
0x0000000000421757 <+20>:shl $0x8,%rax
0x000000000042175b <+24>:or -0x28(%rbp),%rax
0x000000000042175f <+28>:mov %rax,-0x8(%rbp)
0x0000000000421763 <+32>:mov -0x18(%rbp),%rax
=> 0x0000000000421767 <+36>:mov 0x10(%rax),%rax
0x000000000042176b <+40>:mov %rax,-0x10(%rbp)
0x000000000042176f <+44>:jmp 0x421794 <Node_GetData+81>
0x0000000000421771 <+46>:mov -0x10(%rbp),%rax
0x0000000000421775 <+50>:mov 0x8(%rax),%rax
0x0000000000421779 <+54>:cmp -0x8(%rbp),%rax
0x000000000042177d <+58>:jne 0x421789 <Node_GetData+70>
0x000000000042177f <+60>:mov -0x10(%rbp),%rax
0x0000000000421783 <+64>:add $0x10,%rax
0x0000000000421787 <+68>:jmp 0x4217a0 <Node_GetData+93>
0x0000000000421789 <+70>:mov -0x10(%rbp),%rax
0x000000000042178d <+74>:mov (%rax),%rax
---Type to continue, or q to quit---q
Quit
(gdb) i r
rax 0x00
rbx 0x11
rcx 0x7ffff7b00810140737348896784
rdx 0x11
rsi 0x100256
rdi 0x00
rbp 0x7fffffffb7400x7fffffffb740
rsp 0x7fffffffb7400x7fffffffb740
r8 0x411e104267536
r9 0x7fffffffb370140737488335728
r10 0xfffffffffffffa82-1406
r11 0x246582
r12 0x4014204199456
r13 0x7fffffffdf70140737488346992
r14 0x00
r15 0x00
rip 0x4217670x421767 <Node_GetData+36>
eflags 0x10202[ IF RF ]
cs 0x3351
ss 0x2b43
ds 0x00
es 0x00
fs 0x00
---Type to continue, or q to quit---
gs 0x00
(gdb)


POC:mkvalidator_0.5.1_null_pointer_dereference.mkv
CVE:CVE-2017-12779


2.
the ReadData function in ebmlstring.c in libebml2(through 2012-08-26) can cause a denial of service(invalid free and application crash) via a crafted mkv file.


./mkvalidator libebml2_invalid_free.mkv


----debug info:----
.*** Error in `/home/a/Downloads/mkvalidator-0.5.1/release/gcc_linux_x64/mkvalidator': free(): invalid next size (fast): 0x000000000066fa40 ***


Program received signal SIGABRT, Aborted.
0x00007ffff7a4bcc9 in __GI_raise (sig=sig@...ry=6)
at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 0x00007ffff7a4bcc9 in __GI_raise (sig=sig@...ry=6)
at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1 0x00007ffff7a4f0d8 in __GI_abort () at abort.c:89
#2 0x00007ffff7a88394 in __libc_message (do_abort=do_abort@...ry=1,
fmt=fmt@...ry=0x7ffff7b96b28 "*** Error in `%s': %s: 0x%s ***\n")
at ../sysdeps/posix/libc_fatal.c:175
#3 0x00007ffff7a9466e in malloc_printerr (ptr=,
str=0x7ffff7b96cc8 "free(): invalid next size (fast)", action=1)
at malloc.c:4996
#4 _int_free (av=, p=, have_lock=0)
at malloc.c:3840
#5 0x0000000000431c0e in ReadData (Element=0x678c90, Input=0x675c40,
ParserContext=0x7fffffffb750, AllowDummyElt=0, Scope=1, DepthCheckCRC=0)
at ebmlstring.c:102
#6 0x000000000042fc8e in ReadData (Element=0x673b70, Input=0x675c40,
ParserContext=0x7fffffffb880, AllowDummyElt=0, Scope=1, DepthCheckCRC=1)
at ebmlmaster.c:331
#7 0x000000000040549d in main (argc=2, argv=0x7fffffffdf68)
at mkvalidator.c:974
(gdb)


POC:libebml2_invalid_free.mkv
CVE:CVE-2017-12780.


3.
the EBML_BufferToID function in ebmlelement.c in libebml2(through 2012-08-26) can cause a denial of service(Null pointer dereference and application crash) via a crafted mkv file.


./mkvalidator libebml2_null_pointer_dereference_1.mkv


----debug info:----
Program received signal SIGSEGV, Segmentation fault.
0x000000000042d233 in EBML_BufferToID (Buffer=0x0) at ebmlelement.c:261
261if (Buffer[0] & 0x80)
(gdb) bt
#0 0x000000000042d233 in EBML_BufferToID (Buffer=0x0) at ebmlelement.c:261
#1 0x000000000040987a in MATROSKA_MetaSeekID (MetaSeek=0x6792f0)
at matroskamain.c:336
#2 0x00000000004030e6 in CheckSeekHead (SeekHead=0x678fa0)
at mkvalidator.c:472
#3 0x000000000040707b in main (argc=2, argv=0x7fffffffdf68)
at mkvalidator.c:1333
(gdb) disassemble
Dump of assembler code for function EBML_BufferToID:
0x000000000042d227 <+0>:push %rbp
0x000000000042d228 <+1>:mov %rsp,%rbp
0x000000000042d22b <+4>:mov %rdi,-0x8(%rbp)
0x000000000042d22f <+8>:mov -0x8(%rbp),%rax
=> 0x000000000042d233 <+12>:movzbl (%rax),%eax
0x000000000042d236 <+15>:test %al,%al
0x000000000042d238 <+17>:jns 0x42d249 <EBML_BufferToID+34>
0x000000000042d23a <+19>:mov -0x8(%rbp),%rax
0x000000000042d23e <+23>:movzbl (%rax),%eax
0x000000000042d241 <+26>:movzbl %al,%eax
0x000000000042d244 <+29>:jmpq 0x42d320 <EBML_BufferToID+249>
0x000000000042d249 <+34>:mov -0x8(%rbp),%rax
0x000000000042d24d <+38>:movzbl (%rax),%eax
0x000000000042d250 <+41>:movzbl %al,%eax
0x000000000042d253 <+44>:and $0x40,%eax
0x000000000042d256 <+47>:test %eax,%eax
0x000000000042d258 <+49>:je 0x42d27e <EBML_BufferToID+87>
0x000000000042d25a <+51>:mov -0x8(%rbp),%rax
0x000000000042d25e <+55>:movzbl (%rax),%eax
0x000000000042d261 <+58>:movzbl %al,%eax
0x000000000042d264 <+61>:shl $0x8,%eax
0x000000000042d267 <+64>:mov %eax,%edx
---Type to continue, or q to quit---q
Quit
(gdb) i r
rax 0x00
rbx 0x67103
rcx 0x00
rdx 0x643ff06569968
rsi 0x6449806572416
rdi 0x00
rbp 0x7fffffffb6900x7fffffffb690
rsp 0x7fffffffb6900x7fffffffb690
r8 0x7ffff7dd59d0140737351866832
r9 0x7fffffffa880140737488332928
r10 0x42bca44373668
r11 0x246582
r12 0x4014204199456
r13 0x7fffffffdf60140737488346976
r14 0x00
r15 0x00
rip 0x42d2330x42d233 <EBML_BufferToID+12>
eflags 0x10246[ PF ZF IF RF ]
cs 0x3351
ss 0x2b43
ds 0x00
es 0x00
fs 0x00
---Type to continue, or q to quit---
gs 0x00
(gdb)


POC:libebml2_null_pointer_dereference_1.mkv
CVE:CVE-2017-12781.


4.
the ReadData function in ebmlmaster.c in libebml2(through 2012-08-26) can cause a denial of service(assert fault) via a crafted mkv file.


./mkvalidator libebml2_assert_fault_1.mkv


----debug info:----
..mkvalidator: ebmlmaster.c:427: ReadData: Assertion `SubElement!=((void *)0)' failed.


Program received signal SIGABRT, Aborted.
0x00007ffff7a4bcc9 in __GI_raise (sig=sig@...ry=6)
at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 0x00007ffff7a4bcc9 in __GI_raise (sig=sig@...ry=6)
at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1 0x00007ffff7a4f0d8 in __GI_abort () at abort.c:89
#2 0x00007ffff7a44b86 in __assert_fail_base (
fmt=0x7ffff7b95830 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n",
assertion=assertion@...ry=0x43b93f "SubElement!=((void *)0)",
file=file@...ry=0x43b5d0 "ebmlmaster.c", line=line@...ry=427,
function=function@...ry=0x43ba73 <PRETTY_FUNCTION.4885> "ReadData")
at assert.c:92
#3 0x00007ffff7a44c32 in __GI___assert_fail (
assertion=0x43b93f "SubElement!=((void *)0)",
file=0x43b5d0 "ebmlmaster.c", line=427,
function=0x43ba73 <PRETTY_FUNCTION.4885> "ReadData") at assert.c:101
#4 0x000000000043032e in ReadData (Element=0x678fa0, Input=0x675c40,
ParserContext=0x7fffffffb8a0, AllowDummyElt=1, Scope=1, DepthCheckCRC=2)
at ebmlmaster.c:427
#5 0x0000000000405c5f in main (argc=2, argv=0x7fffffffdf68)
at mkvalidator.c:1074
(gdb)


POC:libebml2_assert_fault_1.mkv
CVE:CVE-2017-12782.


5.
the ReadDataFloat function in ebmlnumber.c in libebml2(through 2012-08-26) can cause a denial of service(assert fault) via a crafted mkv file.


./mkvalidator libebml2_assert_fault_2.mkv


----debug info:----
....mkvalidator: ebmlnumber.c:222: ReadDataFloat: Assertion `Element->Base.DataSize == 8 || Element->Base.DataSize == 4' failed.


Program received signal SIGABRT, Aborted.
0x00007ffff7a4bcc9 in __GI_raise (sig=sig@...ry=6)
at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 0x00007ffff7a4bcc9 in __GI_raise (sig=sig@...ry=6)
at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1 0x00007ffff7a4f0d8 in __GI_abort () at abort.c:89
#2 0x00007ffff7a44b86 in __assert_fail_base (
fmt=0x7ffff7b95830 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n",
assertion=assertion@...ry=0x43bb08 "Element->Base.DataSize == 8 || Element->Base.DataSize == 4", file=file@...ry=0x43bab0 "ebmlnumber.c",
line=line@...ry=222,
function=function@...ry=0x43bcb2 <PRETTY_FUNCTION.4760> "ReadDataFloat") at assert.c:92
#3 0x00007ffff7a44c32 in __GI___assert_fail (
assertion=0x43bb08 "Element->Base.DataSize == 8 || Element->Base.DataSize == 4", file=0x43bab0 "ebmlnumber.c", line=222,
function=0x43bcb2 <PRETTY_FUNCTION.4760> "ReadDataFloat")
at assert.c:101
#4 0x0000000000430e8b in ReadDataFloat (Element=0x67abc0, Input=0x675c40,
ParserContext=0x7fffffffb520, AllowDummyElt=1, Scope=1, DepthCheckCRC=1)
at ebmlnumber.c:222
#5 0x000000000042fc8e in ReadData (Element=0x67aae0, Input=0x675c40,
ParserContext=0x7fffffffb600, AllowDummyElt=1, Scope=1, DepthCheckCRC=2)
at ebmlmaster.c:331
#6 0x000000000042fc8e in ReadData (Element=0x67a400, Input=0x675c40,
ParserContext=0x7fffffffb750, AllowDummyElt=1, Scope=1, DepthCheckCRC=3)
---Type to continue, or q to quit---
at ebmlmaster.c:331
#7 0x000000000040e558 in ReadTrackEntry (Element=0x67a400, Input=0x675c40,
ParserContext=0x7fffffffb750, AllowDummyElt=1, Scope=1, DepthCheckCRC=3)
at matroskamain.c:2257
#8 0x000000000042fc8e in ReadData (Element=0x679980, Input=0x675c40,
ParserContext=0x7fffffffb8a0, AllowDummyElt=1, Scope=1, DepthCheckCRC=4)
at ebmlmaster.c:331
#9 0x0000000000406097 in main (argc=2, argv=0x7fffffffdf68)
at mkvalidator.c:1124
(gdb)


POC:libebml2_assert_fault_2.mkv
CVE:CVE-2017-12783.


6.
the EBML_FindNextElement function in ebmlmain.c in libebml2(through 2012-08-26) can cause a denial of service(Null pointer dereference and application crash) via a crafted mkv file.


./mkclean libebml2_null_pointer_dereference_2.mkv


----debug info:----
Program received signal SIGSEGV, Segmentation fault.
0x0000000000447ee1 in EBML_FindNextElement (Input=0x6caef0, pContext=0x0,
UpperLevels=0x7fffffffabd4, AllowDummyElt=0) at ebmlmain.c:516
516OrigContext = *pContext;
(gdb) bt
#0 0x0000000000447ee1 in EBML_FindNextElement (Input=0x6caef0, pContext=0x0,
UpperLevels=0x7fffffffabd4, AllowDummyElt=0) at ebmlmain.c:516
#1 0x0000000000446263 in EBML_ElementSkipData (p=0x6c9060, Input=0x6caef0,
Context=0x0, TestReadElt=0x0, AllowDummyElt=0) at ebmlelement.c:122
#2 0x00000000004039cb in CheckMatroskaHead (Head=0x6c9380,
Parser=0x7fffffffb470, Input=0x6caef0) at mkclean.c:673
#3 0x0000000000407c07 in main (argc=2, argv=0x7fffffffdf78) at mkclean.c:1643
(gdb) disassemble
Dump of assembler code for function EBML_FindNextElement:
0x0000000000447deb <+0>:push %rbp
0x0000000000447dec <+1>:mov %rsp,%rbp
0x0000000000447def <+4>:push %rbx
0x0000000000447df0 <+5>:sub $0xd8,%rsp
0x0000000000447df7 <+12>:mov %rdi,-0xb8(%rbp)
0x0000000000447dfe <+19>:mov %rsi,-0xc0(%rbp)
0x0000000000447e05 <+26>:mov %rdx,-0xc8(%rbp)
0x0000000000447e0c <+33>:mov %rcx,-0xd0(%rbp)
0x0000000000447e13 <+40>:mov %fs:0x28,%rax
0x0000000000447e1c <+49>:mov %rax,-0x18(%rbp)
0x0000000000447e20 <+53>:xor %eax,%eax
0x0000000000447e22 <+55>:movb $0x0,-0xac(%rbp)
0x0000000000447e29 <+62>:movb $0x0,-0xaa(%rbp)
0x0000000000447e30 <+69>:movl $0x0,-0xa0(%rbp)
0x0000000000447e3a <+79>:mov -0xc8(%rbp),%rax
0x0000000000447e41 <+86>:mov (%rax),%eax
0x0000000000447e43 <+88>:mov %eax,-0x9c(%rbp)
0x0000000000447e49 <+94>:cmpq $0x0,-0xb8(%rbp)
0x0000000000447e51 <+102>:jne 0x447e72 <EBML_FindNextElement+135>
0x0000000000447e53 <+104>:lea 0x37e56(%rip),%rcx # 0x47fcb0 <PRETTY_FUNCTION.4925>
0x0000000000447e5a <+111>:mov $0x1fc,%edx
---Type to continue, or q to quit---
0x0000000000447e5f <+116>:lea 0x37b8b(%rip),%rsi # 0x47f9f1
0x0000000000447e66 <+123>:lea 0x37d5b(%rip),%rdi # 0x47fbc8
0x0000000000447e6d <+130>:callq 0x401510 __assert_fail@plt
0x0000000000447e72 <+135>:mov -0xb8(%rbp),%rax
0x0000000000447e79 <+142>:mov 0x8(%rax),%rax
0x0000000000447e7d <+146>:mov 0x78(%rax),%rax
0x0000000000447e81 <+150>:mov -0xb8(%rbp),%rcx
0x0000000000447e88 <+157>:mov $0x1,%edx
0x0000000000447e8d <+162>:mov $0x0,%esi
0x0000000000447e92 <+167>:mov %rcx,%rdi
0x0000000000447e95 <+170>:callq *%rax
0x0000000000447e97 <+172>:mov %rax,-0x70(%rbp)
0x0000000000447e9b <+176>:lea -0x50(%rbp),%rax
0x0000000000447e9f <+180>:mov %rax,-0x80(%rbp)
0x0000000000447ea3 <+184>:cmpq $0xffffffffffffffff,-0x70(%rbp)
0x0000000000447ea8 <+189>:jne 0x447eb4 <EBML_FindNextElement+201>
0x0000000000447eaa <+191>:mov $0x0,%eax
0x0000000000447eaf <+196>:jmpq 0x448814 <EBML_FindNextElement+2601>
0x0000000000447eb4 <+201>:cmpq $0x0,-0x80(%rbp)
0x0000000000447eb9 <+206>:jne 0x447eda <EBML_FindNextElement+239>
0x0000000000447ebb <+208>:lea 0x37dee(%rip),%rcx # 0x47fcb0 <PRETTY_FUNCTION.4925>
0x0000000000447ec2 <+215>:mov $0x203,%edx
---Type to continue, or q to quit---
0x0000000000447ec7 <+220>:lea 0x37b23(%rip),%rsi # 0x47f9f1
0x0000000000447ece <+227>:lea 0x37d2b(%rip),%rdi # 0x47fc00
0x0000000000447ed5 <+234>:callq 0x401510 __assert_fail@plt
0x0000000000447eda <+239>:mov -0xc0(%rbp),%rax
=> 0x0000000000447ee1 <+246>:mov (%rax),%rdx
0x0000000000447ee4 <+249>:mov %rdx,-0x50(%rbp)
0x0000000000447ee8 <+253>:mov 0x8(%rax),%rdx
0x0000000000447eec <+257>:mov %rdx,-0x48(%rbp)
0x0000000000447ef0 <+261>:mov 0x10(%rax),%rdx
0x0000000000447ef4 <+265>:mov %rdx,-0x40(%rbp)
0x0000000000447ef8 <+269>:mov 0x18(%rax),%rax
0x0000000000447efc <+273>:mov %rax,-0x38(%rbp)
0x0000000000447f00 <+277>:jmp 0x447f32 <EBML_FindNextElement+327>
0x0000000000447f02 <+279>:mov -0x80(%rbp),%rax
0x0000000000447f06 <+283>:mov 0x8(%rax),%rax
0x0000000000447f0a <+287>:test %rax,%rax
0x0000000000447f0d <+290>:jne 0x447f11 <EBML_FindNextElement+294>
0x0000000000447f0f <+292>:jmp 0x447f55 <EBML_FindNextElement+362>
0x0000000000447f11 <+294>:mov -0x80(%rbp),%rax
0x0000000000447f15 <+298>:mov 0x8(%rax),%rax
0x0000000000447f19 <+302>:mov %rax,-0x80(%rbp)
0x0000000000447f1d <+306>:mov -0xc8(%rbp),%rax
0x0000000000447f24 <+313>:mov (%rax),%eax
---Type to continue, or q to quit---q
Quit
(gdb) i r
rax 0x00
rbx 0x7fffffffb4d0140737488336080
rcx 0x7ffff7b0f4b0140737348957360
rdx 0x11
rsi 0x00
rdi 0x33
rbp 0x7fffffffab900x7fffffffab90
rsp 0x7fffffffaab00x7fffffffaab0
r8 0x00
r9 0xb11
r10 0x7fffffffa9a0140737488333216
r11 0x246582
r12 0x4017b04200368
r13 0x7fffffffdf70140737488346992
r14 0x00
r15 0x00
rip 0x447ee10x447ee1 <EBML_FindNextElement+246>
eflags 0x10202[ IF RF ]
cs 0x3351
ss 0x2b43
ds 0x00
es 0x00
fs 0x00
---Type to continue, or q to quit---
gs 0x00
(gdb)


POC:libebml2_null_pointer_dereference_2.mkv
CVE:CVE-2017-12800.


7.
the UpdateDataSize function in ebmlmaster.c in libebml2(through 2012-08-26) can cause a denial of service(assert fault) via a crafted mkv file.


./mkclean libebml2_assert_fault_3.mkv


----debug info:----
mkclean: ebmlmaster.c:244: UpdateDataSize: Assertion `CheckMandatory((ebml_master*)Element, bWithDefault)' failed.


Program received signal SIGABRT, Aborted.
0x00007ffff7a4bcc9 in __GI_raise (sig=sig@...ry=6)
at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 0x00007ffff7a4bcc9 in __GI_raise (sig=sig@...ry=6)
at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1 0x00007ffff7a4f0d8 in __GI_abort () at abort.c:89
#2 0x00007ffff7a44b86 in __assert_fail_base (
fmt=0x7ffff7b95830 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n",
assertion=assertion@...ry=0x47feb8 "CheckMandatory((ebml_master*)Element, bWithDefault)", file=file@...ry=0x47fcd0 "ebmlmaster.c", line=line@...ry=244,
function=function@...ry=0x480334 <PRETTY_FUNCTION.4876> "UpdateDataSize") at assert.c:92
#3 0x00007ffff7a44c32 in __GI___assert_fail (
assertion=0x47feb8 "CheckMandatory((ebml_master*)Element, bWithDefault)",
file=0x47fcd0 "ebmlmaster.c", line=244,
function=0x480334 <PRETTY_FUNCTION.4876> "UpdateDataSize")
at assert.c:101
#4 0x0000000000449223 in UpdateDataSize (Element=0x6d1ec0, bWithDefault=0,
bForceWithoutMandatory=0) at ebmlmaster.c:244
#5 0x0000000000419f3e in UpdateDataSizeTrackEntry (Element=0x6d1ec0,
bWithDefault=0, bForceWithoutMandatory=0) at matroskamain.c:2343
#6 0x00000000004492ee in UpdateDataSize (Element=0x6d1e50, bWithDefault=0,
bForceWithoutMandatory=0) at ebmlmaster.c:256
#7 0x0000000000409672 in main (argc=2, argv=0x7fffffffdf78) at mkclean.c:2012
(gdb)


POC:libebml2_assert_fault_3.mkv
CVE:CVE-2017-12801.


8.
the EBML_IntegerValue function in ebmlnumber.c in libebml2(through 2012-08-26) can cause a denial of service(assert fault) via a crafted mkv file.


./mkclean libebml2_assert_fault_4.mkv


----debug info:----
mkclean: ebmlnumber.c:428: EBML_IntegerValue: Assertion `Node_IsPartOf(Element,(fourcc_t)(((uint8_t)('E') << 0) | ((uint8_t)('B') << 8) | ((uint8_t)('I') << 16) | ((uint8_t)('T')<< 24))) || Node_IsPartOf(Element,(fourcc_t)(((uint8_t)('E') << 0) | ((uint8_t)('B') << 8) | ((uint8_t)('S') << 16) | ((uint8_t)('I')<< 24)))' failed.


Program received signal SIGABRT, Aborted.
0x00007ffff7a4bcc9 in __GI_raise (sig=sig@...ry=6)
at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 0x00007ffff7a4bcc9 in __GI_raise (sig=sig@...ry=6)
at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1 0x00007ffff7a4f0d8 in __GI_abort () at abort.c:89
#2 0x00007ffff7a44b86 in __assert_fail_base (
fmt=0x7ffff7b95830 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n",
assertion=assertion@...ry=0x480478 "Node_IsPartOf(Element,(fourcc_t)(((uint8_t)('E') << 0) | ((uint8_t)('B') << 8) | ((uint8_t)('I') << 16) | ((uint8_t)('T')<< 24))) || Node_IsPartOf(Element,(fourcc_t)(((uint8_t)('E') << 0) | ((uint8_t)"..., file=file@...ry=0x480390 "ebmlnumber.c", line=line@...ry=428,
function=function@...ry=0x480650 <PRETTY_FUNCTION.4901> "EBML_IntegerValue") at assert.c:92
#3 0x00007ffff7a44c32 in __GI___assert_fail (
assertion=0x480478 "Node_IsPartOf(Element,(fourcc_t)(((uint8_t)('E') << 0) | ((uint8_t)('B') << 8) | ((uint8_t)('I') << 16) | ((uint8_t)('T')<< 24))) || Node_IsPartOf(Element,(fourcc_t)(((uint8_t)('E') << 0) | ((uint8_t)"...,
file=0x480390 "ebmlnumber.c", line=428,
function=0x480650 <PRETTY_FUNCTION.4901> "EBML_IntegerValue")
at assert.c:101
#4 0x000000000044c07a in EBML_IntegerValue (Element=0x6d1190)
at ebmlnumber.c:428
#5 0x000000000040850a in main (argc=2, argv=0x7fffffffdf78) at mkclean.c:1764
(gdb)


POC:libebml2_assert_fault_4.mkv
CVE:CVE-2017-12802.


9
the Node_ValidatePtr function in corec/corec/node/node.c in mkclean 0.8.9 can cause a denial of service(assert fault) via a crafted mkv file.


./mkclean mkclean_0.8.9_assert_fault.mkv


----debug info:----
Program received signal SIGSEGV, Segmentation fault.
0x000000000043d3d2 in Node_ValidatePtr (Node=0x0)
at ../corec/corec/node/node.c:155
155assert(((node*)Node)->Magic==NODE_MAGIC);
(gdb) bt
#0 0x000000000043d3d2 in Node_ValidatePtr (Node=0x0)
at ../corec/corec/node/node.c:155
#1 Node_IsPartOf (Node=0x0, PartOfClass=1414087237)
at ../corec/corec/node/node.c:1534
#2 0x000000000044c040 in EBML_IntegerValue (Element=0x0) at ebmlnumber.c:428
#3 0x0000000000404a87 in CleanTracks (Tracks=0x6d1160, SrcProfile=1,
DstProfile=0x6a0584 , Attachments=0x0,
Alternate3DTracks=0x7fffffffb410) at mkclean.c:962
#4 0x0000000000408812 in main (argc=2, argv=0x7fffffffdf88) at mkclean.c:1811


POC:mkclean_0.8.9_assert_fault.mkv
CVE:CVE-2017-12803.




Issue:
=============
https://github.com/Matroska-Org/foundation-source/issues/24


Fixed:
=============
Fixed


POC:
=============
https://github.com/Matroska-Org/foundation-source/files/1221128/poc.zip




===============================


qflb.wu () dbappsecurity com cn




_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ