| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 6 Jun 2018 09:51:51 +0800 (GMT+08:00)
From: 熊文彬 <bear.xiong@...ppsecurity.com.cn>
To: seclist <fulldisclosure@...lists.org>
Subject: [FD] libmobi 0.3 vulnerabilities
libmobi multiple vulnerabilities
================
Author : Webin security lab - dbapp security Ltd
===============
Introduction:
=============
C library for handling Mobipocket/Kindle (MOBI) ebook format documents.
For examples on how to use the library have a look at tools folder.
Affected version:
=====
0.3
Vulnerability Description:
==========================
1. The mobi_parse_index_entry function in index.c in Libmobi 0.3 allows remote attackers to cause an information disclosure (heap-based buffer over-read) via a crafted mobi file.
./mobitool -s mobi_parse_index_entry.mobi
==34855==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61100000025c at pc 0x0000005786ba bp 0x7ffe56e09250 sp 0x7ffe56e09248
READ of size 1 at 0x61100000025c thread T0
#0 0x5786b9 in mobi_parse_index_entry /home/xxx/libmobi/src/index.c:405:30
#1 0x5786b9 in mobi_parse_indx /home/xxx/libmobi/src/index.c:667
#2 0x578adb in mobi_parse_index /home/xxx/libmobi/src/index.c:721:15
#3 0x53504f in mobi_parse_rawml_opt /home/xxx/libmobi/src/parse_rawml.c:2059:19
#4 0x51dbda in loadfilename /home/xxx/libmobi/tools/mobitool.c:788:20
#5 0x51e41f in main /home/xxx/libmobi/tools/mobitool.c:955:11
#6 0x7fc5cbf3c82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#7 0x41ab78 in _start (/home/xxx/libmobi/tools/mobitool+0x41ab78)
0x61100000025c is located 0 bytes to the right of 220-byte region [0x611000000180,0x61100000025c)
allocated by thread T0 here:
#0 0x4deda8 in __interceptor_malloc (/home/xxx/libmobi/tools/mobitool+0x4deda8)
#1 0x536832 in mobi_load_recdata /home/xxx/libmobi/src/read.c:180:17
#2 0x536832 in mobi_load_rec /home/xxx/libmobi/src/read.c:156
Reproducer:
mobi_parse_index_entry.mobi
CVE:
CVE-2018-11725
2. The mobi_pk1_decrypt function in encryption.c in Libmobi 0.3 allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted mobi file.
./mobitool -s mobi_pk1_decrypt.mobi
==34495==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000004d00 at pc 0x000000564831 bp 0x7fffeb2af210 sp 0x7fffeb2af208
WRITE of size 1 at 0x621000004d00 thread T0
#0 0x564830 in mobi_pk1_decrypt /home/xxx/libmobi/src/encryption.c:122:16
#1 0x5645be in mobi_drm_decrypt_buffer /home/xxx/libmobi/src/encryption.c:417:20
#2 0x548227 in mobi_decompress_content /home/xxx/libmobi/src/util.c:1721:23
#3 0x547575 in mobi_get_rawml /home/xxx/libmobi/src/util.c:1832:12
#4 0x53495f in mobi_parse_rawml_opt /home/xxx/libmobi/src/parse_rawml.c:1993:11
#5 0x51dbda in loadfilename /home/xxx/libmobi/tools/mobitool.c:788:20
#6 0x51e41f in main /home/xxx/libmobi/tools/mobitool.c:955:11
#7 0x7f98dbf0e82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#8 0x41ab78 in _start (/home/xxx/libmobi/tools/mobitool+0x41ab78)
0x621000004d00 is located 0 bytes to the right of 4096-byte region [0x621000003d00,0x621000004d00)
allocated by thread T0 here:
#0 0x4deda8 in __interceptor_malloc (/home/xxx/libmobi/tools/mobitool+0x4deda8)
#1 0x547e37 in mobi_decompress_content /home/xxx/libmobi/src/util.c:1702:39
#2 0x547575 in mobi_get_rawml /home/xxx/libmobi/src/util.c:1832:12
#3 0x51dbda in loadfilename /home/xxx/libmobi/tools/mobitool.c:788:20
Reproducer:
mobi_pk1_decrypt.mobi
CVE:
CVE-2018-11724
3. The mobi_decode_font_resource function in util.c in Libmobi 0.3 allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted mobi file.
./mobitool -s mobi_decode_font_resource.mobi
==35004==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000bdb at pc 0x0000004ddd05 bp 0x7ffcef672650 sp 0x7ffcef671e00
WRITE of size 68882 at 0x602000000bdb thread T0
#0 0x4ddd04 in __asan_memcpy (/home/xxx/libmobi/tools/mobitool+0x4ddd04)
#1 0x54d886 in mobi_decode_font_resource /home/xxx/libmobi/src/util.c:2397:9
#2 0x54ce21 in mobi_add_font_resource /home/xxx/libmobi/src/util.c:2301:20
#3 0x52a6f5 in mobi_reconstruct_resources /home/xxx/libmobi/src/parse_rawml.c:596:19
#4 0x534b7d in mobi_parse_rawml_opt /home/xxx/libmobi/src/parse_rawml.c:2015:11
#5 0x51dbda in loadfilename /home/xxx/libmobi/tools/mobitool.c:788:20
#6 0x51e41f in main /home/xxx/libmobi/tools/mobitool.c:955:11
#7 0x7ffb2f7c282f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#8 0x41ab78 in _start (/home/xxx/libmobi/tools/mobitool+0x41ab78)
0x602000000bdb is located 0 bytes to the right of 11-byte region [0x602000000bd0,0x602000000bdb)
allocated by thread T0 here:
#0 0x4deda8 in __interceptor_malloc (/home/xxx/libmobi/tools/mobitool+0x4deda8)
#1 0x54d79a in mobi_decode_font_resource /home/xxx/libmobi/src/util.c:2373:21
#2 0x54ce21 in mobi_add_font_resource /home/xxx/libmobi/src/util.c:2301:20
#3 0x52a6f5 in mobi_reconstruct_resources /home/xxx/libmobi/src/parse_rawml.c:596:19
Reproducer:
mobi_decode_font_resource.mobi
CVE:
CVE-2018-11726
===============================
Webin security lab - dbapp security Ltd
Download attachment "pocs.zip" of type "application/x-zip-compressed" (133951 bytes)
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists