Message-ID: <44c2ada6.68f.163d2cbf69a.Coremail.bear.xiong@dbappsecurity.com.cn>
Date: Wed, 6 Jun 2018 09:52:52 +0800 (GMT+08:00)
From: 熊文彬 <bear.xiong@...ppsecurity.com.cn>
To: seclist <fulldisclosure@...lists.org>
Subject: [FD] libfsntfs 20180420 vulns
libfsntfs multiple vulnerabilities
================
Author : Webin security lab - dbapp security Ltd
===============
Introduction:
=============
libfsntfs is a library to access the New Technology File System (NTFS).
Affected version:
=================
20180420
Vulnerability Description:
==========================
1. The libfsntfs_attribute_read_from_mft function in libfsntfs_attribute.c in libfsntfs through 2018-04-20 allows remote attackers to cause an information disclosure (heap-based buffer over-read) via a crafted ntfs file.
fsntfsinfo libfsntfs_attribute_read_from_mft
==4965==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000000480 at pc 0x0000004efa6d bp 0x7ffde64b3670 sp 0x7ffde64b2e20
READ of size 402653184 at 0x619000000480 thread T0
#0 0x4efa6c in __asan_memcpy (/home/xxx/libfsntfs/fsntfstools/fsntfsinfo+0x4efa6c)
#1 0x5f8dfe in libfsntfs_attribute_read_from_mft /home/xxx/libfsntfs/libfsntfs/libfsntfs_attribute.c:1325:8
#2 0x61d812 in libfsntfs_mft_entry_read_attributes /home/xxx/libfsntfs/libfsntfs/libfsntfs_mft_entry.c:1121:16
#3 0x61bf0a in libfsntfs_mft_entry_read /home/xxx/libfsntfs/libfsntfs/libfsntfs_mft_entry.c:487:7
#4 0x619761 in libfsntfs_mft_read_mft_entry /home/xxx/libfsntfs/libfsntfs/libfsntfs_mft.c:506:6
#5 0x639c41 in libfsntfs_internal_volume_open_read /home/xxx/libfsntfs/libfsntfs/libfsntfs_volume.c:961:6
#6 0x639447 in libfsntfs_volume_open_file_io_handle /home/xxx/libfsntfs/libfsntfs/libfsntfs_volume.c:652:6
#7 0x52bfbc in info_handle_open_input /home/xxx/libfsntfs/fsntfstools/info_handle.c:738:7
#8 0x5293cd in main /home/xxx/libfsntfs/fsntfstools/fsntfsinfo.c:295:6
#9 0x7ff40a01f82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#10 0x42c9b8 in _start (/home/xxx/libfsntfs/fsntfstools/fsntfsinfo+0x42c9b8)
0x619000000480 is located 0 bytes to the right of 1024-byte region [0x619000000080,0x619000000480)
allocated by thread T0 here:
#0 0x4f0be8 in malloc (/home/xxx/libfsntfs/fsntfstools/fsntfsinfo+0x4f0be8)
#1 0x61c094 in libfsntfs_mft_entry_read_header /home/xxx/libfsntfs/libfsntfs/libfsntfs_mft_entry.c:584:32
Reproducer:
libfsntfs_attribute_read_from_mft
CVE:
CVE-2018-11727
2. The libfsntfs_reparse_point_values_read_data function in libfsntfs_reparse_point_values.c in libfsntfs through 2018-04-20 allows remote attackers to cause an information disclosure (heap-based buffer over-read) via a crafted ntfs file.
fsntfsinfo libfsntfs_reparse_point_values_read_data
==4994==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000393 at pc 0x00000062bdf6 bp 0x7ffdfd83c4c0 sp 0x7ffdfd83c4b8
READ of size 1 at 0x602000000393 thread T0
#0 0x62bdf5 in libfsntfs_reparse_point_values_read_data /home/xxx/libfsntfs/libfsntfs/libfsntfs_reparse_point_values.c:209:2
#1 0x5fbca1 in libfsntfs_attribute_read_value /home/xxx/libfsntfs/libfsntfs/libfsntfs_attribute.c:2045:9
#2 0x61eb07 in libfsntfs_mft_entry_append_attribute /home/xxx/libfsntfs/libfsntfs/libfsntfs_mft_entry.c:3011:8
#3 0x61d9bd in libfsntfs_mft_entry_read_attributes /home/xxx/libfsntfs/libfsntfs/libfsntfs_mft_entry.c:1194:7
#4 0x625d34 in libfsntfs_mft_entry_read /home/xxx/libfsntfs/libfsntfs/libfsntfs_mft_entry.c:487:7
#5 0x625d34 in libfsntfs_mft_entry_read_element_data /home/xxx/libfsntfs/libfsntfs/libfsntfs_mft_entry.c:3678
#6 0x66b4a9 in libfdata_vector_get_element_value_by_index /home/xxx/libfsntfs/libfdata/libfdata_vector.c:1613:7
#7 0x61adac in libfsntfs_mft_get_mft_entry_by_index /home/xxx/libfsntfs/libfsntfs/libfsntfs_mft.c:959:6
#8 0x63a54f in libfsntfs_internal_volume_read_bitmap /home/xxx/libfsntfs/libfsntfs/libfsntfs_volume.c:2644:6
#9 0x639d61 in libfsntfs_internal_volume_open_read /home/xxx/libfsntfs/libfsntfs/libfsntfs_volume.c:1036:6
#10 0x639447 in libfsntfs_volume_open_file_io_handle /home/xxx/libfsntfs/libfsntfs/libfsntfs_volume.c:652:6
#11 0x52bfbc in info_handle_open_input /home/xxx/libfsntfs/fsntfstools/info_handle.c:738:7
#12 0x5293cd in main /home/xxx/libfsntfs/fsntfstools/fsntfsinfo.c:295:6
#13 0x7f8c0b19382f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#14 0x42c9b8 in _start (/home/xxx/libfsntfs/fsntfstools/fsntfsinfo+0x42c9b8)
Reproducer:
libfsntfs_reparse_point_values_read_data
CVE:
CVE-2018-11728
3. The libfsntfs_mft_entry_read_header function in libfsntfs_mft_entry.c in libfsntfs through 2018-04-20 allows remote attackers to cause an information disclosure (heap-based buffer over-read) via a crafted ntfs file.
fsntfsinfo libfsntfs_mft_entry_read_header
==5284==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000115 at pc 0x00000061cfc3 bp 0x7fff101dfdb0 sp 0x7fff101dfda8
READ of size 1 at 0x602000000115 thread T0
#0 0x61cfc2 in libfsntfs_mft_entry_read_header /home/xxx/libfsntfs/libfsntfs/libfsntfs_mft_entry.c:637:2
#1 0x61be4e in libfsntfs_mft_entry_read /home/xxx/libfsntfs/libfsntfs/libfsntfs_mft_entry.c:453:11
#2 0x619761 in libfsntfs_mft_read_mft_entry /home/xxx/libfsntfs/libfsntfs/libfsntfs_mft.c:506:6
#3 0x639c41 in libfsntfs_internal_volume_open_read /home/xxx/libfsntfs/libfsntfs/libfsntfs_volume.c:961:6
#4 0x639447 in libfsntfs_volume_open_file_io_handle /home/xxx/libfsntfs/libfsntfs/libfsntfs_volume.c:652:6
#5 0x52bfbc in info_handle_open_input /home/xxx/libfsntfs/fsntfstools/info_handle.c:738:7
#6 0x5293cd in main /home/xxx/libfsntfs/fsntfstools/fsntfsinfo.c:295:6
#7 0x7f1b4a62182f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#8 0x42c9b8 in _start (/home/xxx/libfsntfs/fsntfstools/fsntfsinfo+0x42c9b8)
0x602000000115 is located 1 bytes to the right of 4-byte region [0x602000000110,0x602000000114)
allocated by thread T0 here:
#0 0x4f0be8 in malloc (/home/xxx/libfsntfs/fsntfstools/fsntfsinfo+0x4f0be8)
#1 0x61c094 in libfsntfs_mft_entry_read_header /home/xxx/libfsntfs/libfsntfs/libfsntfs_mft_entry.c:584:32
Reproducer:
libfsntfs_mft_entry_read_header
CVE:
CVE-2018-11729
4. The libfsntfs_security_descriptor_values_free function in libfsntfs_security_descriptor_values.c in libfsntfs through 2018-04-20 allows remote attackers to cause a denial of service (double-free) via a crafted ntfs file.
fsntfsinfo libfsntfs_security_descriptor_values_free
==5371==ERROR: AddressSanitizer: attempting double-free on 0x62b000000200 in thread T0:
#0 0x4f0a28 in __interceptor_cfree.localalias.0 (/home/xxx/libfsntfs/fsntfstools/fsntfsinfo+0x4f0a28)
#1 0x630108 in libfsntfs_security_descriptor_values_free /home/xxx/libfsntfs/libfsntfs/libfsntfs_security_descriptor_values.c:130:4
#2 0x5fcca5 in libfsntfs_attribute_read_value /home/xxx/libfsntfs/libfsntfs/libfsntfs_attribute.c:2502:3
#3 0x61eb07 in libfsntfs_mft_entry_append_attribute /home/xxx/libfsntfs/libfsntfs/libfsntfs_mft_entry.c:3011:8
#4 0x61d9bd in libfsntfs_mft_entry_read_attributes /home/xxx/libfsntfs/libfsntfs/libfsntfs_mft_entry.c:1194:7
#5 0x61bf0a in libfsntfs_mft_entry_read
...
#12 0x42c9b8 in _start (/home/xxx/libfsntfs/fsntfstools/fsntfsinfo+0x42c9b8)
0x62b000000200 is located 0 bytes inside of 27648-byte region [0x62b000000200,0x62b000006e00)
freed by thread T0 here:
#0 0x4f0a28 in __interceptor_cfree.localalias.0 (/home/xxx/libfsntfs/fsntfstools/fsntfsinfo+0x4f0a28)
#1 0x630c9e in libfsntfs_security_descriptor_values_read_stream /home/xxx/libfsntfs/libfsntfs/libfsntfs_security_descriptor_values.c:494:3
#2 0x5fc511 in libfsntfs_attribute_read_value /home/xxx/libfsntfs/libfsntfs/libfsntfs_attribute.c:2292:9
previously allocated by thread T0 here:
#0 0x4f0be8 in malloc (/home/xxx/libfsntfs/fsntfstools/fsntfsinfo+0x4f0be8)
#1 0x630ac4 in libfsntfs_security_descriptor_values_read_stream /home/xxx/libfsntfs/libfsntfs/libfsntfs_security_descriptor_values.c:439:49
#2 0x5fc511 in libfsntfs_attribute_read_value /home/xxx/libfsntfs/libfsntfs/libfsntfs_attribute.c:2292:9
Reproducer:
libfsntfs_security_descriptor_values_free
CVE:
CVE-2018-11730
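The double-free above follows a common shape: the stream reader allocates a buffer (line 439), frees it on an error path (line 494) but leaves the pointer in the values object, and the destructor (line 130) frees the same region again. The following is an added example, not libfsntfs code: a hypothetical stand-in object (sd_values_t, sd_values_read_stream, sd_values_free are all assumed names) showing the ownership discipline that closes this class of bug, with a constructed 64-byte stream and the 27648-byte declared size from the report.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical stand-in for the library's security descriptor values object: one
 * heap buffer whose ownership must be unambiguous between reader and destructor. */
typedef struct { uint8_t *data; size_t size; } sd_values_t;

/* Reads 'declared_size' bytes (a size taken from the file) out of 'stream' into a
 * fresh buffer. A short stream is detected after the allocation, as in the report,
 * so the error path must both free the buffer and clear the struct's pointer. */
int sd_values_read_stream(sd_values_t *v, const uint8_t *stream, size_t stream_size,
                          size_t declared_size)
{
    v->data = malloc(declared_size ? declared_size : 1);
    if (v->data == NULL) return -1;
    size_t got = stream_size < declared_size ? stream_size : declared_size; /* models a short read */
    memcpy(v->data, stream, got);
    if (got != declared_size) {
        free(v->data);
        v->data = NULL;      /* without this line the destructor frees the same region again */
        return -1;
    }
    v->size = declared_size;
    return 0;
}
/* Destructor: tolerates NULL and nulls after release, so it is safe to run after a
 * failed read or even twice. Returns 1 if a buffer was actually released. */
int sd_values_free(sd_values_t *v)
{
    if (v->data == NULL) return 0;
    free(v->data);
    v->data = NULL;
    v->size = 0;
    return 1;
}

/* Two scenarios on a constructed 64-byte stream: a header claiming 27648 bytes (the
 * region size in the report) must fail and leave nothing to free; a sane 48-byte
 * read must be released exactly once even if the destructor runs twice. 3 = both OK. */
int demo(void)
{
    uint8_t stream[64];
    memset(stream, 0xAB, sizeof stream);                /* constructed sample bytes */
    sd_values_t v = { NULL, 0 };
    int ok = 0;
    if (sd_values_read_stream(&v, stream, sizeof stream, 27648) == -1 && sd_values_free(&v) == 0) ok |= 1;
    if (sd_values_read_stream(&v, stream, sizeof stream, 48) == 0 && v.size == 48 &&
        sd_values_free(&v) == 1 && sd_values_free(&v) == 0) ok |= 2;
    return ok;
}
```

Running the same scenarios under AddressSanitizer with the `v->data = NULL;` line removed reproduces the "attempting double-free" report shape shown above.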
5. The libfsntfs_mft_entry_read_attributes function in libfsntfs_mft_entry.c in libfsntfs through 2018-04-20 allows remote attackers to cause an information disclosure (heap-based buffer over-read) via a crafted ntfs file.
fsntfsinfo libfsntfs_mft_entry_read_attributes
==5385==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x615000000503 at pc 0x00000061e7c9 bp 0x7ffc26e98ed0 sp 0x7ffc26e98ec8
READ of size 1 at 0x615000000503 thread T0
#0 0x61e7c8 in libfsntfs_mft_entry_read_attributes /home/xxx/libfsntfs/libfsntfs/libfsntfs_mft_entry.c:1216:3
#1 0x625d34 in libfsntfs_mft_entry_read /home/xxx/libfsntfs/libfsntfs/libfsntfs_mft_entry.c:487:7
#2 0x625d34 in libfsntfs_mft_entry_read_element_data /home/xxx/libfsntfs/libfsntfs/libfsntfs_mft_entry.c:3678
#3 0x66b4a9 in libfdata_vector_get_element_value_by_index /home/xxx/libfsntfs/libfdata/libfdata_vector.c:1613:7
#4 0x61adac in libfsntfs_mft_get_mft_entry_by_index /home/xxx/libfsntfs/libfsntfs/libfsntfs_mft.c:959:6
#5 0x63a54f in libfsntfs_internal_volume_read_bitmap /home/xxx/libfsntfs/libfsntfs/libfsntfs_volume.c:2644:6
#6 0x639d61 in libfsntfs_internal_volume_open_read /home/xxx/libfsntfs/libfsntfs/libfsntfs_volume.c:1036:6
#7 0x639447 in libfsntfs_volume_open_file_io_handle /home/xxx/libfsntfs/libfsntfs/libfsntfs_volume.c:652:6
#8 0x52bfbc in info_handle_open_input /home/xxx/libfsntfs/fsntfstools/info_handle.c:738:7
#9 0x5293cd in main /home/xxx/libfsntfs/fsntfstools/fsntfsinfo.c:295:6
#10 0x7f4c44ae582f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#11 0x42c9b8 in _start (/home/xxx/libfsntfs/fsntfstools/fsntfsinfo+0x42c9b8)
0x615000000503 is located 3 bytes to the right of 512-byte region [0x615000000300,0x615000000500)
allocated by thread T0 here:
#0 0x4f0be8 in malloc (/home/xxx/libfsntfs/fsntfstools/fsntfsinfo+0x4f0be8)
#1 0x61c094 in libfsntfs_mft_entry_read_header /home/xxx/libfsntfs/libfsntfs/libfsntfs_mft_entry.c:584:32
Reproducer:
libfsntfs_mft_entry_read_attributes
CVE:
CVE-2018-11731
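Findings 1, 2, 3 and 5 are the same defect class: a length or offset read from the MFT entry is used to index or copy from the entry buffer without first being checked against the buffer that contains it (finding 1 copies 402653184 bytes out of a 1024-byte region). The following is an added example, not libfsntfs code: a bounds-checked reader for a resident attribute record using the public on-disk NTFS attribute header layout (record length at +4, non-resident flag at +8, value length at +16, value offset at +20), exercised on a constructed 1024-byte entry. read_resident_value, put_resident_attr and demo are assumed names.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Little-endian reader/writer for on-disk NTFS attribute record fields. */
static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
/* Copies the value of the resident attribute record at 'offset' inside an MFT entry of
 * 'entry_size' bytes into a new heap buffer. Every length and offset is file-controlled,
 * so each is checked against the enclosing object before memcpy; malformed input yields NULL. */
uint8_t *read_resident_value(const uint8_t *entry, size_t entry_size,
                             size_t offset, size_t *out_len)
{
    if (offset > entry_size || entry_size - offset < 24) return NULL; /* 16+8 byte headers */
    const uint8_t *rec = entry + offset;
    uint32_t record_length = rd32(rec + 4), value_length = rd32(rec + 16);
    uint16_t value_offset = (uint16_t)(rec[20] | rec[21] << 8);
    if (rec[8] != 0) return NULL;                       /* non-resident: handled elsewhere */
    if (record_length < 24 || record_length > entry_size - offset) return NULL;
    if (value_offset < 24 || value_offset > record_length) return NULL;
    if (value_length > record_length - value_offset) return NULL;
    uint8_t *value = malloc(value_length ? value_length : 1);
    if (value == NULL) return NULL;
    memcpy(value, rec + value_offset, value_length);   /* bounded by the checks above */
    *out_len = value_length;
    return value;
}

/* Writes a constructed (not real) $STANDARD_INFORMATION resident record at entry+offset. */
void put_resident_attr(uint8_t *entry, size_t offset, uint32_t record_length, uint32_t value_length)
{
    uint8_t *rec = entry + offset;
    wr32(rec, 0x10); wr32(rec + 4, record_length); rec[8] = 0;
    wr32(rec + 16, value_length); rec[20] = 24; rec[21] = 0; /* value follows the headers */
}

/* Three scenarios on a constructed 1024-byte MFT entry (the region size in finding 1).
 * Bitmask: 1 = valid accepted, 2 = 402653184-byte value rejected, 4 = record overrunning the entry rejected. */
int demo(void)
{
    uint8_t entry[1024] = {0};
    size_t n = 0; int ok = 0;
    put_resident_attr(entry, 0x38, 0x60, 0x48);
    uint8_t *v = read_resident_value(entry, sizeof entry, 0x38, &n);
    if (v != NULL && n == 0x48) ok |= 1;
    free(v);
    put_resident_attr(entry, 0x98, 0x60, 402653184u);  /* the READ size from the trace */
    if (read_resident_value(entry, sizeof entry, 0x98, &n) == NULL) ok |= 2;
    put_resident_attr(entry, 0x3c0, 0x80, 0x10);       /* 128-byte record at byte 960 */
    if (read_resident_value(entry, sizeof entry, 0x3c0, &n) == NULL) ok |= 4;
    return ok;
}
```

The same "check the container before the contained" rule applies to the reparse point data (finding 2), the MFT entry header fields (finding 3) and the attribute walk (finding 5): each offset plus length must fit inside the buffer it was read from.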
==============================
Webin security lab - dbapp security Ltd
Attachment: "pocs.zip" (application/x-zip-compressed, 18648 bytes)
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/