lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <79cea4a8.125.163a47f7bf8.Coremail.bear.xiong@dbappsecurity.com.cn>
Date: Mon, 28 May 2018 10:06:48 +0800 (GMT+08:00)
From: 熊文彬 <bear.xiong@...ppsecurity.com.cn>
To: fulldisclosure@...lists.org
Subject: [FD] libmobi 0.3 vulns

libmobi multiple vulnerabilities
================
Author : Webin security lab - dbapp security Ltd
===============


Introduction:
=============
C library for handling Mobipocket/Kindle (MOBI) ebook format documents.


For examples on how to use the library have a look at tools folder.


Affected version:
=====
0.3


Vulnerability Description:
==========================
1. the mobi_parse_mobiheader function in read.c in libmobi allow remote attackers to cause a information disclosure(heap-buffer-overflow OOB read) via a crafted mobi file.


./mobitool -s mobi_parse_mobiheader


==36648==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000000240 at pc 0x0000005723f1 bp 0x7ffdf813d5a0 sp 0x7ffdf813d598
READ of size 1 at 0x604000000240 thread T0
    #0 0x5723f0 in buffer_get32 /home/xxx/libmobi/src/buffer.c:230:22
    #1 0x5723f0 in buffer_dup32 /home/xxx/libmobi/src/buffer.c:455
    #2 0x537776 in mobi_parse_mobiheader /home/xxx/libmobi/src/read.c:318:5
    #3 0x5387e8 in mobi_parse_record0 /home/xxx/libmobi/src/read.c:463:15
    #4 0x53bffb in mobi_load_file /home/xxx/libmobi/src/read.c:857:11
    #5 0x51d649 in loadfilename /home/xxx/libmobi/tools/mobitool.c:734:16
    #6 0x51e41f in main /home/xxx/libmobi/tools/mobitool.c:955:11
    #7 0x7facdc96682f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #8 0x41ab78 in _start (/home/xxx/libmobi/tools/mobitool+0x41ab78)
>
0x604000000240 is located 0 bytes to the right of 48-byte region [0x604000000210,0x604000000240)
allocated by thread T0 here:
    #0 0x4deda8 in __interceptor_malloc (/home/xxx/libmobi/tools/mobitool+0x4deda8)
    #1 0x536832 in mobi_load_recdata /home/xxx/libmobi/src/read.c:180:17
    #2 0x536832 in mobi_load_rec /home/xxx/libmobi/src/read.c:156


Reproducer:
mobi_parse_mobiheader
CVE:
CVE-2018-11432




2.
The mobi_get_kf8boundary_seqnumber function in util.c in Libmobi 0.3 allows remote attackers to cause information disclosure (heap-based buffer over-read) via a crafted mobi file.


./mobitool -s mobi_get_kf8boundary_seqnumber


==36670==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000006d1 at pc 0x0000004b579c bp 0x7ffdbb7b3780 sp 0x7ffdbb7b2f30
READ of size 8 at 0x6020000006d1 thread T0
    #0 0x4b579b in __interceptor_memcmp.part.77 (/home/xxx/libmobi/tools/mobitool+0x4b579b)
    #1 0x54fc17 in mobi_get_kf8boundary_seqnumber /home/xxx/libmobi/src/util.c:2759:16
    #2 0x53c113 in mobi_load_file /home/xxx/libmobi/src/read.c:868:44
    #3 0x51d649 in loadfilename /home/xxx/libmobi/tools/mobitool.c:734:16
    #4 0x51e41f in main /home/xxx/libmobi/tools/mobitool.c:955:11
    #5 0x7ff191a5682f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #6 0x41ab78 in _start (/home/xxx/libmobi/tools/mobitool+0x41ab78)

0x6020000006d1 is located 0 bytes to the right of 1-byte region [0x6020000006d0,0x6020000006d1)
allocated by thread T0 here:
    #0 0x4deda8 in __interceptor_malloc (/home/xxx/libmobi/tools/mobitool+0x4deda8)
    #1 0x536832 in mobi_load_recdata /home/xxx/libmobi/src/read.c:180:17
    #2 0x536832 in mobi_load_rec /home/xxx/libmobi/src/read.c:156


Reproducer:
mobi_get_kf8boundary_seqnumber
CVE:
CVE-2018-11433


3. The buffer_fill64 function in compression.c in Libmobi 0.3 allows remote attackers to cause information disclosure (heap-based buffer over-read) via a crafted mobi file.


./mobitool -s buffer_fill64


==36692==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61c000002710 at pc 0x0000005746aa bp 0x7ffcf33c4bd0 sp 0x7ffcf33c4bc8
READ of size 1 at 0x61c000002710 thread T0
    #0 0x5746a9 in buffer_fill64 /home/xxx/libmobi/src/compression.c:98:27
    #1 0x5746a9 in mobi_decompress_huffman_internal /home/xxx/libmobi/src/compression.c:128
    #2 0x5743fb in mobi_decompress_huffman_internal /home/xxx/libmobi/src/compression.c:180:19
    #3 0x573832 in mobi_decompress_huffman /home/xxx/libmobi/src/compression.c:213:20
    #4 0x548c2e in mobi_decompress_content /home/xxx/libmobi/src/util.c:1776:23
    #5 0x547575 in mobi_get_rawml /home/xxx/libmobi/src/util.c:1832:12
    #6 0x53495f in mobi_parse_rawml_opt /home/xxx/libmobi/src/parse_rawml.c:1993:11
    #7 0x51dbda in loadfilename /home/xxx/libmobi/tools/mobitool.c:788:20
    #8 0x51e41f in main /home/xxx/libmobi/tools/mobitool.c:955:11
    #9 0x7efe4e4f982f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #10 0x41ab78 in _start (/home/xxx/libmobi/tools/mobitool+0x41ab78)

0x61c000002710 is located 0 bytes to the right of 1680-byte region [0x61c000002080,0x61c000002710)
allocated by thread T0 here:
    #0 0x4deda8 in __interceptor_malloc (/home/xxx/libmobi/tools/mobitool+0x4deda8)
    #1 0x536832 in mobi_load_recdata /home/xxx/libmobi/src/read.c:180:17
    #2 0x536832 in mobi_load_rec /home/xxx/libmobi/src/read.c:156

    
Reproducer:
buffer_fill64
CVE:
CVE-2018-11434


4.The mobi_decompress_huffman_internal function in compression.c in Libmobi 0.3 allows remote attackers to cause information disclosure (read access violation) via a crafted mobi file.


./mobitool -s mobi_decompress_huffman_internal


==36715==ERROR: AddressSanitizer: SEGV on unknown address 0x61b0000126d0 (pc 0x000000574308 bp 0x7ffdaf41eb50 sp 0x7ffdaf41e9e0 T0)
==36715==The signal is caused by a READ memory access.
    #0 0x574307 in mobi_decompress_huffman_internal /home/xxx/libmobi/src/compression.c:163:45
    #1 0x573832 in mobi_decompress_huffman /home/xxx/libmobi/src/compression.c:213:20
    #2 0x548c2e in mobi_decompress_content /home/xxx/libmobi/src/util.c:1776:23
    #3 0x547575 in mobi_get_rawml /home/xxx/libmobi/src/util.c:1832:12
    #4 0x53495f in mobi_parse_rawml_opt /home/xxx/libmobi/src/parse_rawml.c:1993:11
    #5 0x51dbda in loadfilename /home/xxx/libmobi/tools/mobitool.c:788:20
    #6 0x51e41f in main /home/xxx/libmobi/tools/mobitool.c:955:11
    #7 0x7f15b4f3282f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #8 0x41ab78 in _start (/home/xxx/libmobi/tools/mobitool+0x41ab78)


Reproducer:
mobi_decompress_huffman_internal
CVE:
CVE-2018-11435


5.The buffer_addraw function in buffer.c in Libmobi 0.3 allows remote attackers to cause information disclosure (heap-based buffer over-read) via a crafted mobi file.


./mobitool -s buffer_addraw


==36738==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b0000068f6 at pc 0x0000004ddc2d bp 0x7fffb3989280 sp 0x7fffb3988a30
READ of size 1 at 0x61b0000068f6 thread T0
    #0 0x4ddc2c in __asan_memcpy (/home/xxx/libmobi/tools/mobitool+0x4ddc2c)
    #1 0x5704e6 in buffer_addraw /home/xxx/libmobi/src/buffer.c:153:5
    #2 0x57444f in mobi_decompress_huffman_internal /home/xxx/libmobi/src/compression.c:170:13
    #3 0x573832 in mobi_decompress_huffman /home/xxx/libmobi/src/compression.c:213:20
    #4 0x548c2e in mobi_decompress_content /home/xxx/libmobi/src/util.c:1776:23
    #5 0x547575 in mobi_get_rawml /home/xxx/libmobi/src/util.c:1832:12
    #6 0x53495f in mobi_parse_rawml_opt /home/xxx/libmobi/src/parse_rawml.c:1993:11
    #7 0x51dbda in loadfilename /home/xxx/libmobi/tools/mobitool.c:788:20
    #8 0x51e41f in main /home/xxx/libmobi/tools/mobitool.c:955:11
    #9 0x7fbece1d882f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #10 0x41ab78 in _start (/home/xxx/libmobi/tools/mobitool+0x41ab78)

0x61b0000068f6 is located 0 bytes to the right of 1654-byte region [0x61b000006280,0x61b0000068f6)
allocated by thread T0 here:
    #0 0x4deda8 in __interceptor_malloc (/home/xxx/libmobi/tools/mobitool+0x4deda8)
    #1 0x536832 in mobi_load_recdata /home/xxx/libmobi/src/read.c:180:17
    #2 0x536832 in mobi_load_rec /home/xxx/libmobi/src/read.c:156


Reproducer:
buffer_addraw
CVE:
CVE-2018-11436


6.The mobi_reconstruct_parts function in parse_rawml.c in Libmobi 0.3 allows
remote attackers to cause information disclosure (read access
violation) via a crafted mobi file.


./mobitool -s mobi_reconstruct_parts


==36806==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000202a (pc 0x7f946a6ca529 bp 0x7ffc6c0242d0 sp 0x7ffc6c023a58 T0)
==36806==The signal is caused by a READ memory access.
    #0 0x7f946a6ca528  /build/glibc-Cl5G7W/glibc-2.23/string/../sysdeps/x86_64/multiarch/memcpy-ssse3-back.S:130
    #1 0x4dd86a in __asan_memcpy (/home/xxx/libmobi/tools/mobitool+0x4dd86a)
    #2 0x52c0c2 in mobi_reconstruct_parts /home/xxx/libmobi/src/parse_rawml.c:929:13
    #3 0x5352e6 in mobi_parse_rawml_opt /home/xxx/libmobi/src/parse_rawml.c:2088:11
    #4 0x51dbda in loadfilename /home/xxx/libmobi/tools/mobitool.c:788:20
    #5 0x51e41f in main /home/xxx/libmobi/tools/mobitool.c:955:11
    #6 0x7f946a58c82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #7 0x41ab78 in _start (/home/xxx/libmobi/tools/mobitool+0x41ab78)


Reproducer:
mobi_reconstruct_parts
CVE:
CVE-2018-11437


7.> The mobi_decompress_lz77 function in compression.c in Libmobi 0.3
> allows remote attackers to cause remote code
> execution (heap-based buffer overflow) via a crafted mobi file.


./mobitool -s mobi_decompress_lz77


> ==36853==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000004d00 at pc 0x0000004de2d1 bp 0x7fff80bd0440 sp 0x7fff80bcfbf0
> WRITE of size 1 at 0x621000004d00 thread T0
>     #0 0x4de2d0 in __asan_memmove (/home/xxx/libmobi/tools/mobitool+0x4de2d0)
>     #1 0x572b51 in buffer_move /home/xxx/libmobi/src/buffer.c:520:5
>     #2 0x5734ed in mobi_decompress_lz77 /home/xxx/libmobi/src/compression.c:59:17
>     #3 0x548bd4 in mobi_decompress_content /home/xxx/libmobi/src/util.c:1768:23
>     #4 0x547575 in mobi_get_rawml /home/xxx/libmobi/src/util.c:1832:12
>     #5 0x53495f in mobi_parse_rawml_opt /home/xxx/libmobi/src/parse_rawml.c:1993:11
>     #6 0x51dbda in loadfilename /home/xxx/libmobi/tools/mobitool.c:788:20
>     #7 0x51e41f in main /home/xxx/libmobi/tools/mobitool.c:955:11
>     #8 0x7f413ce4182f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
>     #9 0x41ab78 in _start (/home/xxx/libmobi/tools/mobitool+0x41ab78)
>
> 0x621000004d00 is located 0 bytes to the right of 4096-byte region [0x621000003d00,0x621000004d00)
> allocated by thread T0 here:
>     #0 0x4deda8 in __interceptor_malloc (/home/xxx/libmobi/tools/mobitool+0x4deda8)
>     #1 0x547e37 in mobi_decompress_content /home/xxx/libmobi/src/util.c:1702:39
>     #2 0x547575 in mobi_get_rawml /home/xxx/libmobi/src/util.c:1832:12
>     #3 0x51dbda in loadfilename /home/xxx/libmobi/tools/mobitool.c:788:20


Reproducer:
mobi_decompress_lz77
CVE:
CVE-2018-11438
===============================


Webin security lab - dbapp security Ltd
Download attachment "pocs.zip" of type "application/x-zip-compressed" (291429 bytes)


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ