[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] libmobi 0.3 vulns
From: 熊文彬 <bear.xiong () dbappsecurity ! com ! cn>
Date: 2018-05-28 2:06:48
Message-ID: 79cea4a8.125.163a47f7bf8.Coremail.bear.xiong () dbappsecurity ! com ! cn
[Download RAW message or body]
[Attachment #2 (text/plain)]
libmobi multiple vulnerabilities
================
Author : Webin security lab - dbapp security Ltd
===============
Introduction:
=============
C library for handling Mobipocket/Kindle (MOBI) ebook format documents.
For examples on how to use the library have a look at tools folder.
Affected version:
=====
0.3
Vulnerability Description:
==========================
1. the mobi_parse_mobiheader function in read.c in libmobi allow remote attackers to cause a \
information disclosure(heap-buffer-overflow OOB read) via a crafted mobi file.
./mobitool -s mobi_parse_mobiheader
==36648==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000000240 at pc \
0x0000005723f1 bp 0x7ffdf813d5a0 sp 0x7ffdf813d598 READ of size 1 at 0x604000000240 thread T0
#0 0x5723f0 in buffer_get32 /home/xxx/libmobi/src/buffer.c:230:22
#1 0x5723f0 in buffer_dup32 /home/xxx/libmobi/src/buffer.c:455
#2 0x537776 in mobi_parse_mobiheader /home/xxx/libmobi/src/read.c:318:5
#3 0x5387e8 in mobi_parse_record0 /home/xxx/libmobi/src/read.c:463:15
#4 0x53bffb in mobi_load_file /home/xxx/libmobi/src/read.c:857:11
#5 0x51d649 in loadfilename /home/xxx/libmobi/tools/mobitool.c:734:16
#6 0x51e41f in main /home/xxx/libmobi/tools/mobitool.c:955:11
#7 0x7facdc96682f in __libc_start_main \
/build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291 #8 0x41ab78 in _start \
(/home/xxx/libmobi/tools/mobitool+0x41ab78)
>
0x604000000240 is located 0 bytes to the right of 48-byte region \
[0x604000000210,0x604000000240) allocated by thread T0 here:
#0 0x4deda8 in __interceptor_malloc (/home/xxx/libmobi/tools/mobitool+0x4deda8)
#1 0x536832 in mobi_load_recdata /home/xxx/libmobi/src/read.c:180:17
#2 0x536832 in mobi_load_rec /home/xxx/libmobi/src/read.c:156
Reproducer:
mobi_parse_mobiheader
CVE:
CVE-2018-11432
2.
The mobi_get_kf8boundary_seqnumber function in util.c in Libmobi 0.3 allows remote attackers to \
cause information disclosure (heap-based buffer over-read) via a crafted mobi file.
./mobitool -s mobi_get_kf8boundary_seqnumber
==36670==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000006d1 at pc \
0x0000004b579c bp 0x7ffdbb7b3780 sp 0x7ffdbb7b2f30 READ of size 8 at 0x6020000006d1 thread T0
#0 0x4b579b in __interceptor_memcmp.part.77 (/home/xxx/libmobi/tools/mobitool+0x4b579b)
#1 0x54fc17 in mobi_get_kf8boundary_seqnumber /home/xxx/libmobi/src/util.c:2759:16
#2 0x53c113 in mobi_load_file /home/xxx/libmobi/src/read.c:868:44
#3 0x51d649 in loadfilename /home/xxx/libmobi/tools/mobitool.c:734:16
#4 0x51e41f in main /home/xxx/libmobi/tools/mobitool.c:955:11
#5 0x7ff191a5682f in __libc_start_main \
/build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291 #6 0x41ab78 in _start \
(/home/xxx/libmobi/tools/mobitool+0x41ab78)
0x6020000006d1 is located 0 bytes to the right of 1-byte region [0x6020000006d0,0x6020000006d1)
allocated by thread T0 here:
#0 0x4deda8 in __interceptor_malloc (/home/xxx/libmobi/tools/mobitool+0x4deda8)
#1 0x536832 in mobi_load_recdata /home/xxx/libmobi/src/read.c:180:17
#2 0x536832 in mobi_load_rec /home/xxx/libmobi/src/read.c:156
Reproducer:
mobi_get_kf8boundary_seqnumber
CVE:
CVE-2018-11433
3. The buffer_fill64 function in compression.c in Libmobi 0.3 allows remote attackers to cause \
information disclosure (heap-based buffer over-read) via a crafted mobi file.
./mobitool -s buffer_fill64
==36692==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61c000002710 at pc \
0x0000005746aa bp 0x7ffcf33c4bd0 sp 0x7ffcf33c4bc8 READ of size 1 at 0x61c000002710 thread T0
#0 0x5746a9 in buffer_fill64 /home/xxx/libmobi/src/compression.c:98:27
#1 0x5746a9 in mobi_decompress_huffman_internal /home/xxx/libmobi/src/compression.c:128
#2 0x5743fb in mobi_decompress_huffman_internal /home/xxx/libmobi/src/compression.c:180:19
#3 0x573832 in mobi_decompress_huffman /home/xxx/libmobi/src/compression.c:213:20
#4 0x548c2e in mobi_decompress_content /home/xxx/libmobi/src/util.c:1776:23
#5 0x547575 in mobi_get_rawml /home/xxx/libmobi/src/util.c:1832:12
#6 0x53495f in mobi_parse_rawml_opt /home/xxx/libmobi/src/parse_rawml.c:1993:11
#7 0x51dbda in loadfilename /home/xxx/libmobi/tools/mobitool.c:788:20
#8 0x51e41f in main /home/xxx/libmobi/tools/mobitool.c:955:11
#9 0x7efe4e4f982f in __libc_start_main \
/build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291 #10 0x41ab78 in _start \
(/home/xxx/libmobi/tools/mobitool+0x41ab78)
0x61c000002710 is located 0 bytes to the right of 1680-byte region \
[0x61c000002080,0x61c000002710) allocated by thread T0 here:
#0 0x4deda8 in __interceptor_malloc (/home/xxx/libmobi/tools/mobitool+0x4deda8)
#1 0x536832 in mobi_load_recdata /home/xxx/libmobi/src/read.c:180:17
#2 0x536832 in mobi_load_rec /home/xxx/libmobi/src/read.c:156
Reproducer:
buffer_fill64
CVE:
CVE-2018-11434
4.The mobi_decompress_huffman_internal function in compression.c in Libmobi 0.3 allows remote \
attackers to cause information disclosure (read access violation) via a crafted mobi file.
./mobitool -s mobi_decompress_huffman_internal
==36715==ERROR: AddressSanitizer: SEGV on unknown address 0x61b0000126d0 (pc 0x000000574308 bp \
0x7ffdaf41eb50 sp 0x7ffdaf41e9e0 T0) ==36715==The signal is caused by a READ memory access.
#0 0x574307 in mobi_decompress_huffman_internal /home/xxx/libmobi/src/compression.c:163:45
#1 0x573832 in mobi_decompress_huffman /home/xxx/libmobi/src/compression.c:213:20
#2 0x548c2e in mobi_decompress_content /home/xxx/libmobi/src/util.c:1776:23
#3 0x547575 in mobi_get_rawml /home/xxx/libmobi/src/util.c:1832:12
#4 0x53495f in mobi_parse_rawml_opt /home/xxx/libmobi/src/parse_rawml.c:1993:11
#5 0x51dbda in loadfilename /home/xxx/libmobi/tools/mobitool.c:788:20
#6 0x51e41f in main /home/xxx/libmobi/tools/mobitool.c:955:11
#7 0x7f15b4f3282f in __libc_start_main \
/build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291 #8 0x41ab78 in _start \
(/home/xxx/libmobi/tools/mobitool+0x41ab78)
Reproducer:
mobi_decompress_huffman_internal
CVE:
CVE-2018-11435
5.The buffer_addraw function in buffer.c in Libmobi 0.3 allows remote attackers to cause \
information disclosure (heap-based buffer over-read) via a crafted mobi file.
./mobitool -s buffer_addraw
==36738==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b0000068f6 at pc \
0x0000004ddc2d bp 0x7fffb3989280 sp 0x7fffb3988a30 READ of size 1 at 0x61b0000068f6 thread T0
#0 0x4ddc2c in __asan_memcpy (/home/xxx/libmobi/tools/mobitool+0x4ddc2c)
#1 0x5704e6 in buffer_addraw /home/xxx/libmobi/src/buffer.c:153:5
#2 0x57444f in mobi_decompress_huffman_internal /home/xxx/libmobi/src/compression.c:170:13
#3 0x573832 in mobi_decompress_huffman /home/xxx/libmobi/src/compression.c:213:20
#4 0x548c2e in mobi_decompress_content /home/xxx/libmobi/src/util.c:1776:23
#5 0x547575 in mobi_get_rawml /home/xxx/libmobi/src/util.c:1832:12
#6 0x53495f in mobi_parse_rawml_opt /home/xxx/libmobi/src/parse_rawml.c:1993:11
#7 0x51dbda in loadfilename /home/xxx/libmobi/tools/mobitool.c:788:20
#8 0x51e41f in main /home/xxx/libmobi/tools/mobitool.c:955:11
#9 0x7fbece1d882f in __libc_start_main \
/build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291 #10 0x41ab78 in _start \
(/home/xxx/libmobi/tools/mobitool+0x41ab78)
0x61b0000068f6 is located 0 bytes to the right of 1654-byte region \
[0x61b000006280,0x61b0000068f6) allocated by thread T0 here:
#0 0x4deda8 in __interceptor_malloc (/home/xxx/libmobi/tools/mobitool+0x4deda8)
#1 0x536832 in mobi_load_recdata /home/xxx/libmobi/src/read.c:180:17
#2 0x536832 in mobi_load_rec /home/xxx/libmobi/src/read.c:156
Reproducer:
buffer_addraw
CVE:
CVE-2018-11436
6.The mobi_reconstruct_parts function in parse_rawml.c in Libmobi 0.3 allows
remote attackers to cause information disclosure (read access
violation) via a crafted mobi file.
./mobitool -s mobi_reconstruct_parts
==36806==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000202a (pc 0x7f946a6ca529 bp \
0x7ffc6c0242d0 sp 0x7ffc6c023a58 T0) ==36806==The signal is caused by a READ memory access.
#0 0x7f946a6ca528 \
/build/glibc-Cl5G7W/glibc-2.23/string/../sysdeps/x86_64/multiarch/memcpy-ssse3-back.S:130 #1 \
0x4dd86a in __asan_memcpy (/home/xxx/libmobi/tools/mobitool+0x4dd86a) #2 0x52c0c2 in \
mobi_reconstruct_parts /home/xxx/libmobi/src/parse_rawml.c:929:13 #3 0x5352e6 in \
mobi_parse_rawml_opt /home/xxx/libmobi/src/parse_rawml.c:2088:11 #4 0x51dbda in loadfilename \
/home/xxx/libmobi/tools/mobitool.c:788:20 #5 0x51e41f in main \
/home/xxx/libmobi/tools/mobitool.c:955:11 #6 0x7f946a58c82f in __libc_start_main \
/build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291 #7 0x41ab78 in _start \
(/home/xxx/libmobi/tools/mobitool+0x41ab78)
Reproducer:
mobi_reconstruct_parts
CVE:
CVE-2018-11437
7.> The mobi_decompress_lz77 function in compression.c in Libmobi 0.3
> allows remote attackers to cause remote code
> execution (heap-based buffer overflow) via a crafted mobi file.
./mobitool -s mobi_decompress_lz77
> ==36853==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000004d00 at pc \
> 0x0000004de2d1 bp 0x7fff80bd0440 sp 0x7fff80bcfbf0 WRITE of size 1 at 0x621000004d00 thread \
> T0 #0 0x4de2d0 in __asan_memmove (/home/xxx/libmobi/tools/mobitool+0x4de2d0)
> #1 0x572b51 in buffer_move /home/xxx/libmobi/src/buffer.c:520:5
> #2 0x5734ed in mobi_decompress_lz77 /home/xxx/libmobi/src/compression.c:59:17
> #3 0x548bd4 in mobi_decompress_content /home/xxx/libmobi/src/util.c:1768:23
> #4 0x547575 in mobi_get_rawml /home/xxx/libmobi/src/util.c:1832:12
> #5 0x53495f in mobi_parse_rawml_opt /home/xxx/libmobi/src/parse_rawml.c:1993:11
> #6 0x51dbda in loadfilename /home/xxx/libmobi/tools/mobitool.c:788:20
> #7 0x51e41f in main /home/xxx/libmobi/tools/mobitool.c:955:11
> #8 0x7f413ce4182f in __libc_start_main \
> /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291 #9 0x41ab78 in _start \
> (/home/xxx/libmobi/tools/mobitool+0x41ab78)
> 0x621000004d00 is located 0 bytes to the right of 4096-byte region \
> [0x621000003d00,0x621000004d00) allocated by thread T0 here:
> #0 0x4deda8 in __interceptor_malloc (/home/xxx/libmobi/tools/mobitool+0x4deda8)
> #1 0x547e37 in mobi_decompress_content /home/xxx/libmobi/src/util.c:1702:39
> #2 0x547575 in mobi_get_rawml /home/xxx/libmobi/src/util.c:1832:12
> #3 0x51dbda in loadfilename /home/xxx/libmobi/tools/mobitool.c:788:20
Reproducer:
mobi_decompress_lz77
CVE:
CVE-2018-11438
===============================
Webin security lab - dbapp security Ltd
["pocs.zip" (application/x-zip-compressed)]
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic