Message-ID: <6cdb0b60.9f1.163f19e7ace.Coremail.bear.xiong@dbappsecurity.com.cn>
Date: Tue, 12 Jun 2018 09:31:25 +0800 (GMT+08:00)
From: 熊文彬 <bear.xiong@...ppsecurity.com.cn>
To: seclist <fulldisclosure@...lists.org>
Subject: [FD] liblnk 20180419 vulns
liblnk multiple vulnerabilities
===============================
Author: Webin security lab - dbapp security Ltd
===============================================
Introduction:
=============
liblnk is a library to access the Windows Shortcut File (LNK) format.
Affected version:
=================
20180419
Vulnerability Description:
==========================
1. The liblnk_data_string_get_utf8_string_size function in liblnk_data_string.c in liblnk through 2018-04-19 allows remote attackers to cause an information disclosure (heap-based buffer over-read) via a crafted lnk file.
./lnkinfo liblnk_data_string_get_utf8_string_size
==8006==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000006f at pc 0x00000058f617 bp 0x7fffe851ecb0 sp 0x7fffe851eca8
READ of size 1 at 0x60200000006f thread T0
#0 0x58f616 in libuna_utf8_string_size_from_byte_stream /home/xxx/liblnk/libuna/libuna_utf8_string.c:82:6
#1 0x606cf0 in liblnk_data_string_get_utf8_string_size /home/xxx/liblnk/liblnk/liblnk_data_string.c:434:12
#2 0x5ea89c in liblnk_file_get_utf8_command_line_arguments_size /home/xxx/liblnk/liblnk/liblnk_file.c:5301:6
#3 0x52cdc9 in info_handle_command_line_arguments_fprint /home/xxx/liblnk/lnktools/info_handle.c:1792:11
#4 0x52ecf4 in info_handle_file_fprint /home/xxx/liblnk/lnktools/info_handle.c:2624:6
#5 0x52fc63 in main /home/xxx/liblnk/lnktools/lnkinfo.c:277:6
#6 0x7f79fb92282f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#7 0x42c678 in _start (/home/xxx/liblnk/lnktools/lnkinfo+0x42c678)
0x60200000006f is located 1 bytes to the left of 1-byte region [0x602000000070,0x602000000071)
allocated by thread T0 here:
#0 0x4f08a8 in malloc (/home/xxx/liblnk/lnktools/lnkinfo+0x4f08a8)
#1 0x6067fc in liblnk_data_string_read /home/xxx/liblnk/liblnk/liblnk_data_string.c:273:34
#2 0x5df733 in liblnk_file_open_read /home/xxx/liblnk/liblnk/liblnk_file.c:1317:16
#3 0x5de9ab in liblnk_file_open_file_io_handle /home/xxx/liblnk/liblnk/liblnk_file.c:627:6
#4 0x7f79fb93b785 in getenv /build/glibc-Cl5G7W/glibc-2.23/stdlib/getenv.c:35
Reproducer:
liblnk_data_string_get_utf8_string_size (file in the attached pocs.zip)
CVE:
CVE-2018-12096
2. The liblnk_location_information_read_data function in liblnk_location_information.c in liblnk through 2018-04-19 allows remote attackers to cause an information disclosure (heap-based buffer over-read) via a crafted lnk file.
./lnkinfo liblnk_location_information_read_data
==8015==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b00000020a at pc 0x0000004ef72d bp 0x7ffc0f581380 sp 0x7ffc0f580b30
READ of size 2 at 0x60b00000020a thread T0
#0 0x4ef72c in __asan_memcpy (/home/xxx/liblnk/lnktools/lnkinfo+0x4ef72c)
#1 0x5f3910 in liblnk_location_information_read_data /home/xxx/liblnk/liblnk/liblnk_location_information.c:1661:7
#2 0x5f4aa4 in liblnk_location_information_read /home/xxx/liblnk/liblnk/liblnk_location_information.c:1907:6
#3 0x5df231 in liblnk_file_open_read /home/xxx/liblnk/liblnk/liblnk_file.c:1149:16
#4 0x5de9ab in liblnk_file_open_file_io_handle /home/xxx/liblnk/liblnk/liblnk_file.c:627:6
#5 0x5de33e in liblnk_file_open /home/xxx/liblnk/liblnk/liblnk_file.c:345:6
#6 0x529078 in info_handle_open_input /home/xxx/liblnk/lnktools/info_handle.c:415:6
#7 0x52fc2e in main /home/xxx/liblnk/lnktools/lnkinfo.c:265:6
#8 0x7f0ac292082f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#9 0x42c678 in _start (/home/xxx/liblnk/lnktools/lnkinfo+0x42c678)
0x60b00000020a is located 0 bytes to the right of 106-byte region [0x60b0000001a0,0x60b00000020a)
allocated by thread T0 here:
#0 0x4f08a8 in malloc (/home/xxx/liblnk/lnktools/lnkinfo+0x4f08a8)
#1 0x5f4a1a in liblnk_location_information_read /home/xxx/liblnk/liblnk/liblnk_location_information.c:1876:42
#2 0x5df231 in liblnk_file_open_read /home/xxx/liblnk/liblnk/liblnk_file.c:1149:16
#3 0x5de9ab in liblnk_file_open_file_io_handle /home/xxx/liblnk/liblnk/liblnk_file.c:627:6
Reproducer:
liblnk_location_information_read_data (file in the attached pocs.zip)
CVE:
CVE-2018-12097
3. The liblnk_data_block_read function in liblnk_data_block.c in liblnk through 2018-04-19 allows remote attackers to cause an information disclosure (heap-based buffer over-read) via a crafted lnk file.
./lnkinfo liblnk_data_block_read
==8039==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000093 at pc 0x00000060537b bp 0x7ffc89001270 sp 0x7ffc89001268
READ of size 1 at 0x602000000093 thread T0
#0 0x60537a in liblnk_data_block_read /home/xxx/liblnk/liblnk/liblnk_data_block.c:296:3
#1 0x5dfa5a in liblnk_file_open_read /home/xxx/liblnk/liblnk/liblnk_file.c:1409:17
#2 0x5de9ab in liblnk_file_open_file_io_handle /home/xxx/liblnk/liblnk/liblnk_file.c:627:6
#3 0x5de33e in liblnk_file_open /home/xxx/liblnk/liblnk/liblnk_file.c:345:6
#4 0x529078 in info_handle_open_input /home/xxx/liblnk/lnktools/info_handle.c:415:6
#5 0x52fc2e in main /home/xxx/liblnk/lnktools/lnkinfo.c:265:6
#6 0x7f5ad442d82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#7 0x42c678 in _start (/home/xxx/liblnk/lnktools/lnkinfo+0x42c678)
0x602000000093 is located 2 bytes to the right of 1-byte region [0x602000000090,0x602000000091)
allocated by thread T0 here:
#0 0x4f08a8 in malloc (/home/xxx/liblnk/lnktools/lnkinfo+0x4f08a8)
#1 0x604ff0 in liblnk_data_block_read /home/xxx/liblnk/liblnk/liblnk_data_block.c:263:34
#2 0x5dfa5a in liblnk_file_open_read /home/xxx/liblnk/liblnk/liblnk_file.c:1409:17
#3 0x5de9ab in liblnk_file_open_file_io_handle /home/xxx/liblnk/liblnk/liblnk_file.c:627:6
#4 0x7f5ad4446785 in getenv /build/glibc-Cl5G7W/glibc-2.23/stdlib/getenv.c:35
Reproducer:
liblnk_data_block_read (file in the attached pocs.zip)
CVE:
CVE-2018-12098
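All three traces above share one shape: a length or count field read from the file decides how many bytes are allocated, then a consumer scans or copies more than that and AddressSanitizer reports the read just outside the heap region (one byte to the left of a 1-byte region in the first trace, at the end of a 106-byte region in the second, two bytes past a 1-byte region in the third). The defensive pattern is the same for every such field: check the declared length against the bytes actually remaining, computed without integer overflow, before touching the payload. The following is an added example, not liblnk code and not a reconstruction of its fix; it parses the LNK StringData layout from MS-SHLLINK (a 16-bit little-endian CountCharacters followed by that many 1-byte or 2-byte characters), which is the structure the command-line-arguments string in the first trace comes from. The function names `lnk_read_string_data` and `lnk_count_valid_fields` and the sample bytes are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not liblnk's code: a bounds-checked reader for the
 * length-prefixed StringData fields of the LNK format (MS-SHLLINK).
 * Layout: uint16 CountCharacters (little-endian), then that many
 * characters, 1 byte each (ANSI) or 2 bytes each (IsUnicode flag). */

enum { LNK_STR_OK = 0, LNK_STR_TRUNCATED = -1, LNK_STR_BAD_ARG = -2 };

/* Parse one StringData field at *offset. On success, advance *offset past
 * the field and return a pointer/length pair into the caller's buffer.
 * Every access stays inside [data, data + data_size). */
int lnk_read_string_data(const uint8_t *data, size_t data_size, size_t *offset,
                         int is_unicode, const uint8_t **out_str, size_t *out_len)
{
    if (data == NULL || offset == NULL || out_str == NULL || out_len == NULL)
        return LNK_STR_BAD_ARG;
    /* Room for the 2-byte count field itself? (subtraction cannot wrap) */
    if (*offset > data_size || data_size - *offset < 2)
        return LNK_STR_TRUNCATED;

    uint16_t count = (uint16_t)(data[*offset] | (data[*offset + 1] << 8));
    size_t char_size = is_unicode ? 2 : 1;
    size_t byte_len = (size_t)count * char_size;   /* at most 131070, no overflow */
    size_t payload = *offset + 2;

    /* The check that prevents the over-read: the declared length must fit
     * in what is really left after the count field. */
    if (byte_len > data_size - payload)
        return LNK_STR_TRUNCATED;

    *out_str = data + payload;
    *out_len = byte_len;
    *offset = payload + byte_len;
    return LNK_STR_OK;
}

/* Walk consecutive StringData fields and return how many parsed cleanly
 * before the parser refused one; a refused field stops the walk instead
 * of reading past the buffer. */
int lnk_count_valid_fields(const uint8_t *data, size_t data_size, int is_unicode)
{
    size_t off = 0;
    int n = 0;
    const uint8_t *s;
    size_t len;
    while (off < data_size) {
        if (lnk_read_string_data(data, data_size, &off, is_unicode, &s, &len) != LNK_STR_OK)
            break;
        n++;
    }
    return n;
}

/* Constructed sample (not from any real shortcut): an ANSI field "abc",
 * an empty field, then a field claiming 5 characters with only 2 bytes
 * left, i.e. the truncated/crafted case the bounds check must reject. */
static const uint8_t sample_ansi[] = {
    0x03, 0x00, 'a', 'b', 'c',
    0x00, 0x00,
    0x05, 0x00, 'x', 'y'
};

/* Constructed Unicode sample: "ab" as UTF-16LE, then one byte short. */
static const uint8_t sample_unicode_ok[]    = { 0x02, 0x00, 'a', 0, 'b', 0 };
static const uint8_t sample_unicode_short[] = { 0x02, 0x00, 'a', 0, 'b' };

int main(void)
{
    printf("ANSI fields parsed before refusal: %d\n",
           lnk_count_valid_fields(sample_ansi, sizeof(sample_ansi), 0));
    printf("Unicode (complete) fields: %d\n",
           lnk_count_valid_fields(sample_unicode_ok, sizeof(sample_unicode_ok), 1));
    printf("Unicode (one byte short) fields: %d\n",
           lnk_count_valid_fields(sample_unicode_short, sizeof(sample_unicode_short), 1));
    return 0;
}
```

The point worth checking in any such reader is the subtraction order: comparing `byte_len > data_size - payload` after confirming `payload <= data_size` cannot wrap, whereas the more natural-looking `payload + byte_len > data_size` can overflow on 32-bit size fields and let an oversized count through. A fuzzing harness built around `lnk_read_string_data` under AddressSanitizer is the quickest way to confirm the reader never reads outside the input buffer for any count value.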
===============================
Webin security lab - dbapp security Ltd
Attachment: pocs.zip (application/x-zip-compressed, 2522 bytes)
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/