[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] libmobi 0.3 vulns
From: 熊文彬 <bear.xiong () dbappsecurity ! com ! cn>
Date: 2018-05-28 2:06:48
Message-ID: 79cea4a8.125.163a47f7bf8.Coremail.bear.xiong () dbappsecurity ! com ! cn
[Download RAW message or body]
[Attachment #2 (text/plain)]
libmobi multiple vulnerabilities
================
Author : Webin security lab - dbapp security Ltd
===============
Introduction:
=============
C library for handling Mobipocket/Kindle (MOBI) ebook format documents.
For examples on how to use the library have a look at tools folder.
Affected version:
=====
0.3
Vulnerability Description:
==========================
1. the mobi_parse_mobiheader function in read.c in libmobi allow remote attackers to \
cause a information disclosure(heap-buffer-overflow OOB read) via a crafted mobi \
file.
./mobitool -s mobi_parse_mobiheader
==36648==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000000240 at \
pc 0x0000005723f1 bp 0x7ffdf813d5a0 sp 0x7ffdf813d598 READ of size 1 at \
0x604000000240 thread T0 #0 0x5723f0 in buffer_get32 \
/home/xxx/libmobi/src/buffer.c:230:22 #1 0x5723f0 in buffer_dup32 \
/home/xxx/libmobi/src/buffer.c:455 #2 0x537776 in mobi_parse_mobiheader \
/home/xxx/libmobi/src/read.c:318:5 #3 0x5387e8 in mobi_parse_record0 \
/home/xxx/libmobi/src/read.c:463:15 #4 0x53bffb in mobi_load_file \
/home/xxx/libmobi/src/read.c:857:11 #5 0x51d649 in loadfilename \
/home/xxx/libmobi/tools/mobitool.c:734:16 #6 0x51e41f in main \
/home/xxx/libmobi/tools/mobitool.c:955:11 #7 0x7facdc96682f in __libc_start_main \
/build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291 #8 0x41ab78 in _start \
(/home/xxx/libmobi/tools/mobitool+0x41ab78)
>
0x604000000240 is located 0 bytes to the right of 48-byte region \
[0x604000000210,0x604000000240) allocated by thread T0 here:
#0 0x4deda8 in __interceptor_malloc (/home/xxx/libmobi/tools/mobitool+0x4deda8)
#1 0x536832 in mobi_load_recdata /home/xxx/libmobi/src/read.c:180:17
#2 0x536832 in mobi_load_rec /home/xxx/libmobi/src/read.c:156
Reproducer:
mobi_parse_mobiheader
CVE:
CVE-2018-11432
2.
The mobi_get_kf8boundary_seqnumber function in util.c in Libmobi 0.3 allows remote \
attackers to cause information disclosure (heap-based buffer over-read) via a crafted \
mobi file.
./mobitool -s mobi_get_kf8boundary_seqnumber
==36670==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000006d1 at \
pc 0x0000004b579c bp 0x7ffdbb7b3780 sp 0x7ffdbb7b2f30 READ of size 8 at \
0x6020000006d1 thread T0 #0 0x4b579b in __interceptor_memcmp.part.77 \
(/home/xxx/libmobi/tools/mobitool+0x4b579b) #1 0x54fc17 in \
mobi_get_kf8boundary_seqnumber /home/xxx/libmobi/src/util.c:2759:16 #2 0x53c113 in \
mobi_load_file /home/xxx/libmobi/src/read.c:868:44 #3 0x51d649 in loadfilename \
/home/xxx/libmobi/tools/mobitool.c:734:16 #4 0x51e41f in main \
/home/xxx/libmobi/tools/mobitool.c:955:11 #5 0x7ff191a5682f in __libc_start_main \
/build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291 #6 0x41ab78 in _start \
(/home/xxx/libmobi/tools/mobitool+0x41ab78)
0x6020000006d1 is located 0 bytes to the right of 1-byte region \
[0x6020000006d0,0x6020000006d1) allocated by thread T0 here:
#0 0x4deda8 in __interceptor_malloc (/home/xxx/libmobi/tools/mobitool+0x4deda8)
#1 0x536832 in mobi_load_recdata /home/xxx/libmobi/src/read.c:180:17
#2 0x536832 in mobi_load_rec /home/xxx/libmobi/src/read.c:156
Reproducer:
mobi_get_kf8boundary_seqnumber
CVE:
CVE-2018-11433
3. The buffer_fill64 function in compression.c in Libmobi 0.3 allows remote attackers \
to cause information disclosure (heap-based buffer over-read) via a crafted mobi \
file.
./mobitool -s buffer_fill64
==36692==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61c000002710 at \
pc 0x0000005746aa bp 0x7ffcf33c4bd0 sp 0x7ffcf33c4bc8 READ of size 1 at \
0x61c000002710 thread T0 #0 0x5746a9 in buffer_fill64 \
/home/xxx/libmobi/src/compression.c:98:27 #1 0x5746a9 in \
mobi_decompress_huffman_internal /home/xxx/libmobi/src/compression.c:128 #2 0x5743fb \
in mobi_decompress_huffman_internal /home/xxx/libmobi/src/compression.c:180:19 #3 \
0x573832 in mobi_decompress_huffman /home/xxx/libmobi/src/compression.c:213:20 #4 \
0x548c2e in mobi_decompress_content /home/xxx/libmobi/src/util.c:1776:23 #5 0x547575 \
in mobi_get_rawml /home/xxx/libmobi/src/util.c:1832:12 #6 0x53495f in \
mobi_parse_rawml_opt /home/xxx/libmobi/src/parse_rawml.c:1993:11 #7 0x51dbda in \
loadfilename /home/xxx/libmobi/tools/mobitool.c:788:20 #8 0x51e41f in main \
/home/xxx/libmobi/tools/mobitool.c:955:11 #9 0x7efe4e4f982f in __libc_start_main \
/build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291 #10 0x41ab78 in _start \
(/home/xxx/libmobi/tools/mobitool+0x41ab78)
0x61c000002710 is located 0 bytes to the right of 1680-byte region \
[0x61c000002080,0x61c000002710) allocated by thread T0 here:
#0 0x4deda8 in __interceptor_malloc (/home/xxx/libmobi/tools/mobitool+0x4deda8)
#1 0x536832 in mobi_load_recdata /home/xxx/libmobi/src/read.c:180:17
#2 0x536832 in mobi_load_rec /home/xxx/libmobi/src/read.c:156
Reproducer:
buffer_fill64
CVE:
CVE-2018-11434
4.The mobi_decompress_huffman_internal function in compression.c in Libmobi 0.3 \
allows remote attackers to cause information disclosure (read access violation) via a \
crafted mobi file.
./mobitool -s mobi_decompress_huffman_internal
==36715==ERROR: AddressSanitizer: SEGV on unknown address 0x61b0000126d0 (pc \
0x000000574308 bp 0x7ffdaf41eb50 sp 0x7ffdaf41e9e0 T0) ==36715==The signal is caused \
by a READ memory access. #0 0x574307 in mobi_decompress_huffman_internal \
/home/xxx/libmobi/src/compression.c:163:45 #1 0x573832 in mobi_decompress_huffman \
/home/xxx/libmobi/src/compression.c:213:20 #2 0x548c2e in mobi_decompress_content \
/home/xxx/libmobi/src/util.c:1776:23 #3 0x547575 in mobi_get_rawml \
/home/xxx/libmobi/src/util.c:1832:12 #4 0x53495f in mobi_parse_rawml_opt \
/home/xxx/libmobi/src/parse_rawml.c:1993:11 #5 0x51dbda in loadfilename \
/home/xxx/libmobi/tools/mobitool.c:788:20 #6 0x51e41f in main \
/home/xxx/libmobi/tools/mobitool.c:955:11 #7 0x7f15b4f3282f in __libc_start_main \
/build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291 #8 0x41ab78 in _start \
(/home/xxx/libmobi/tools/mobitool+0x41ab78)
Reproducer:
mobi_decompress_huffman_internal
CVE:
CVE-2018-11435
5.The buffer_addraw function in buffer.c in Libmobi 0.3 allows remote attackers to \
cause information disclosure (heap-based buffer over-read) via a crafted mobi file.
./mobitool -s buffer_addraw
==36738==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b0000068f6 at \
pc 0x0000004ddc2d bp 0x7fffb3989280 sp 0x7fffb3988a30 READ of size 1 at \
0x61b0000068f6 thread T0 #0 0x4ddc2c in __asan_memcpy \
(/home/xxx/libmobi/tools/mobitool+0x4ddc2c) #1 0x5704e6 in buffer_addraw \
/home/xxx/libmobi/src/buffer.c:153:5 #2 0x57444f in mobi_decompress_huffman_internal \
/home/xxx/libmobi/src/compression.c:170:13 #3 0x573832 in mobi_decompress_huffman \
/home/xxx/libmobi/src/compression.c:213:20 #4 0x548c2e in mobi_decompress_content \
/home/xxx/libmobi/src/util.c:1776:23 #5 0x547575 in mobi_get_rawml \
/home/xxx/libmobi/src/util.c:1832:12 #6 0x53495f in mobi_parse_rawml_opt \
/home/xxx/libmobi/src/parse_rawml.c:1993:11 #7 0x51dbda in loadfilename \
/home/xxx/libmobi/tools/mobitool.c:788:20 #8 0x51e41f in main \
/home/xxx/libmobi/tools/mobitool.c:955:11 #9 0x7fbece1d882f in __libc_start_main \
/build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291 #10 0x41ab78 in _start \
(/home/xxx/libmobi/tools/mobitool+0x41ab78)
0x61b0000068f6 is located 0 bytes to the right of 1654-byte region \
[0x61b000006280,0x61b0000068f6) allocated by thread T0 here:
#0 0x4deda8 in __interceptor_malloc (/home/xxx/libmobi/tools/mobitool+0x4deda8)
#1 0x536832 in mobi_load_recdata /home/xxx/libmobi/src/read.c:180:17
#2 0x536832 in mobi_load_rec /home/xxx/libmobi/src/read.c:156
Reproducer:
buffer_addraw
CVE:
CVE-2018-11436
6.The mobi_reconstruct_parts function in parse_rawml.c in Libmobi 0.3 allows
remote attackers to cause information disclosure (read access
violation) via a crafted mobi file.
./mobitool -s mobi_reconstruct_parts
==36806==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000202a (pc \
0x7f946a6ca529 bp 0x7ffc6c0242d0 sp 0x7ffc6c023a58 T0) ==36806==The signal is caused \
by a READ memory access. #0 0x7f946a6ca528 \
/build/glibc-Cl5G7W/glibc-2.23/string/../sysdeps/x86_64/multiarch/memcpy-ssse3-back.S:130
#1 0x4dd86a in __asan_memcpy (/home/xxx/libmobi/tools/mobitool+0x4dd86a)
#2 0x52c0c2 in mobi_reconstruct_parts /home/xxx/libmobi/src/parse_rawml.c:929:13
#3 0x5352e6 in mobi_parse_rawml_opt /home/xxx/libmobi/src/parse_rawml.c:2088:11
#4 0x51dbda in loadfilename /home/xxx/libmobi/tools/mobitool.c:788:20
#5 0x51e41f in main /home/xxx/libmobi/tools/mobitool.c:955:11
#6 0x7f946a58c82f in __libc_start_main \
/build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291 #7 0x41ab78 in _start \
(/home/xxx/libmobi/tools/mobitool+0x41ab78)
Reproducer:
mobi_reconstruct_parts
CVE:
CVE-2018-11437
7.> The mobi_decompress_lz77 function in compression.c in Libmobi 0.3
> allows remote attackers to cause remote code
> execution (heap-based buffer overflow) via a crafted mobi file.
./mobitool -s mobi_decompress_lz77
> ==36853==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000004d00 at \
> pc 0x0000004de2d1 bp 0x7fff80bd0440 sp 0x7fff80bcfbf0 WRITE of size 1 at \
> 0x621000004d00 thread T0 #0 0x4de2d0 in __asan_memmove \
> (/home/xxx/libmobi/tools/mobitool+0x4de2d0) #1 0x572b51 in buffer_move \
> /home/xxx/libmobi/src/buffer.c:520:5 #2 0x5734ed in mobi_decompress_lz77 \
> /home/xxx/libmobi/src/compression.c:59:17 #3 0x548bd4 in mobi_decompress_content \
> /home/xxx/libmobi/src/util.c:1768:23 #4 0x547575 in mobi_get_rawml \
> /home/xxx/libmobi/src/util.c:1832:12 #5 0x53495f in mobi_parse_rawml_opt \
> /home/xxx/libmobi/src/parse_rawml.c:1993:11 #6 0x51dbda in loadfilename \
> /home/xxx/libmobi/tools/mobitool.c:788:20 #7 0x51e41f in main \
> /home/xxx/libmobi/tools/mobitool.c:955:11 #8 0x7f413ce4182f in __libc_start_main \
> /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291 #9 0x41ab78 in _start \
> (/home/xxx/libmobi/tools/mobitool+0x41ab78)
> 0x621000004d00 is located 0 bytes to the right of 4096-byte region \
> [0x621000003d00,0x621000004d00) allocated by thread T0 here:
> #0 0x4deda8 in __interceptor_malloc (/home/xxx/libmobi/tools/mobitool+0x4deda8)
> #1 0x547e37 in mobi_decompress_content /home/xxx/libmobi/src/util.c:1702:39
> #2 0x547575 in mobi_get_rawml /home/xxx/libmobi/src/util.c:1832:12
> #3 0x51dbda in loadfilename /home/xxx/libmobi/tools/mobitool.c:788:20
Reproducer:
mobi_decompress_lz77
CVE:
CVE-2018-11438
===============================
Webin security lab - dbapp security Ltd
["pocs.zip" (application/x-zip-compressed)]
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic