
List:       full-disclosure
Subject:    [FD] liblnk 20180419 vulns
From:       熊文彬 <bear.xiong () dbappsecurity ! com ! cn>
Date:       2018-06-12 1:31:25
Message-ID: 6cdb0b60.9f1.163f19e7ace.Coremail.bear.xiong () dbappsecurity ! com ! cn


liblnk multiple vulnerabilities
===============================
Author : Webin security lab - dbapp security Ltd
================================================


Introduction:
=============
liblnk is a library to access the Windows Shortcut File (LNK) format.


Affected version:
=================
20180419 (the 2018-04-19 release of liblnk and earlier)


Vulnerability Description:
==========================
1.  The liblnk_data_string_get_utf8_string_size function in liblnk_data_string.c in liblnk through 2018-04-19 allows remote attackers to cause an information disclosure (heap-based buffer over-read) via a crafted lnk file.


./lnkinfo liblnk_data_string_get_utf8_string_size


==8006==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000006f at pc 0x00000058f617 bp 0x7fffe851ecb0 sp 0x7fffe851eca8
READ of size 1 at 0x60200000006f thread T0
    #0 0x58f616 in libuna_utf8_string_size_from_byte_stream /home/xxx/liblnk/libuna/libuna_utf8_string.c:82:6
    #1 0x606cf0 in liblnk_data_string_get_utf8_string_size /home/xxx/liblnk/liblnk/liblnk_data_string.c:434:12
    #2 0x5ea89c in liblnk_file_get_utf8_command_line_arguments_size /home/xxx/liblnk/liblnk/liblnk_file.c:5301:6
    #3 0x52cdc9 in info_handle_command_line_arguments_fprint /home/xxx/liblnk/lnktools/info_handle.c:1792:11
    #4 0x52ecf4 in info_handle_file_fprint /home/xxx/liblnk/lnktools/info_handle.c:2624:6
    #5 0x52fc63 in main /home/xxx/liblnk/lnktools/lnkinfo.c:277:6
    #6 0x7f79fb92282f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #7 0x42c678 in _start (/home/xxx/liblnk/lnktools/lnkinfo+0x42c678)

0x60200000006f is located 1 bytes to the left of 1-byte region [0x602000000070,0x602000000071)
allocated by thread T0 here:
    #0 0x4f08a8 in malloc (/home/xxx/liblnk/lnktools/lnkinfo+0x4f08a8)
    #1 0x6067fc in liblnk_data_string_read /home/xxx/liblnk/liblnk/liblnk_data_string.c:273:34
    #2 0x5df733 in liblnk_file_open_read /home/xxx/liblnk/liblnk/liblnk_file.c:1317:16
    #3 0x5de9ab in liblnk_file_open_file_io_handle /home/xxx/liblnk/liblnk/liblnk_file.c:627:6
    #4 0x7f79fb93b785 in getenv /build/glibc-Cl5G7W/glibc-2.23/stdlib/getenv.c:35


Reproducer:
liblnk_data_string_get_utf8_string_size
CVE:
CVE-2018-12096




2.  The liblnk_location_information_read_data function in liblnk_location_information.c in liblnk through 2018-04-19 allows remote attackers to cause an information disclosure (heap-based buffer over-read) via a crafted lnk file.


./lnkinfo liblnk_location_information_read_data


==8015==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b00000020a at pc 0x0000004ef72d bp 0x7ffc0f581380 sp 0x7ffc0f580b30
READ of size 2 at 0x60b00000020a thread T0
    #0 0x4ef72c in __asan_memcpy (/home/xxx/liblnk/lnktools/lnkinfo+0x4ef72c)
    #1 0x5f3910 in liblnk_location_information_read_data /home/xxx/liblnk/liblnk/liblnk_location_information.c:1661:7
    #2 0x5f4aa4 in liblnk_location_information_read /home/xxx/liblnk/liblnk/liblnk_location_information.c:1907:6
    #3 0x5df231 in liblnk_file_open_read /home/xxx/liblnk/liblnk/liblnk_file.c:1149:16
    #4 0x5de9ab in liblnk_file_open_file_io_handle /home/xxx/liblnk/liblnk/liblnk_file.c:627:6
    #5 0x5de33e in liblnk_file_open /home/xxx/liblnk/liblnk/liblnk_file.c:345:6
    #6 0x529078 in info_handle_open_input /home/xxx/liblnk/lnktools/info_handle.c:415:6
    #7 0x52fc2e in main /home/xxx/liblnk/lnktools/lnkinfo.c:265:6
    #8 0x7f0ac292082f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #9 0x42c678 in _start (/home/xxx/liblnk/lnktools/lnkinfo+0x42c678)

0x60b00000020a is located 0 bytes to the right of 106-byte region [0x60b0000001a0,0x60b00000020a)
allocated by thread T0 here:
    #0 0x4f08a8 in malloc (/home/xxx/liblnk/lnktools/lnkinfo+0x4f08a8)
    #1 0x5f4a1a in liblnk_location_information_read /home/xxx/liblnk/liblnk/liblnk_location_information.c:1876:42
    #2 0x5df231 in liblnk_file_open_read /home/xxx/liblnk/liblnk/liblnk_file.c:1149:16
    #3 0x5de9ab in liblnk_file_open_file_io_handle /home/xxx/liblnk/liblnk/liblnk_file.c:627:6


Reproducer:
liblnk_location_information_read_data
CVE:
CVE-2018-12097


3.  The liblnk_data_block_read function in liblnk_data_block.c in liblnk through 2018-04-19 allows remote attackers to cause an information disclosure (heap-based buffer over-read) via a crafted lnk file.


./lnkinfo liblnk_data_block_read


==8039==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000093 at pc 0x00000060537b bp 0x7ffc89001270 sp 0x7ffc89001268
READ of size 1 at 0x602000000093 thread T0
    #0 0x60537a in liblnk_data_block_read /home/xxx/liblnk/liblnk/liblnk_data_block.c:296:3
    #1 0x5dfa5a in liblnk_file_open_read /home/xxx/liblnk/liblnk/liblnk_file.c:1409:17
    #2 0x5de9ab in liblnk_file_open_file_io_handle /home/xxx/liblnk/liblnk/liblnk_file.c:627:6
    #3 0x5de33e in liblnk_file_open /home/xxx/liblnk/liblnk/liblnk_file.c:345:6
    #4 0x529078 in info_handle_open_input /home/xxx/liblnk/lnktools/info_handle.c:415:6
    #5 0x52fc2e in main /home/xxx/liblnk/lnktools/lnkinfo.c:265:6
    #6 0x7f5ad442d82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #7 0x42c678 in _start (/home/xxx/liblnk/lnktools/lnkinfo+0x42c678)

0x602000000093 is located 2 bytes to the right of 1-byte region [0x602000000090,0x602000000091)
allocated by thread T0 here:
    #0 0x4f08a8 in malloc (/home/xxx/liblnk/lnktools/lnkinfo+0x4f08a8)
    #1 0x604ff0 in liblnk_data_block_read /home/xxx/liblnk/liblnk/liblnk_data_block.c:263:34
    #2 0x5dfa5a in liblnk_file_open_read /home/xxx/liblnk/liblnk/liblnk_file.c:1409:17
    #3 0x5de9ab in liblnk_file_open_file_io_handle /home/xxx/liblnk/liblnk/liblnk_file.c:627:6
    #4 0x7f5ad4446785 in getenv /build/glibc-Cl5G7W/glibc-2.23/stdlib/getenv.c:35

Reproducer:
liblnk_data_block_read
CVE:
CVE-2018-12098
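
All three reports above have the same shape: a length field taken from the .lnk file is trusted, the library allocates or copies that many bytes, and the read runs past the heap region that actually holds the data (in the first report, one byte before it). The C program below is an added example, not liblnk's code, and shows that shape on two length-prefixed constructs of the LNK format: a StringData item (2-byte CountCharacters followed by the characters) and an ExtraData block (4-byte BlockSize that counts itself, then a 4-byte BlockSignature). The `lnk_` functions, the status codes and the sample byte strings are constructed for this example; the functions that report how far a reader trusting the length would run past the buffer only compute that number and never perform the read. The empty-string terminator check is one plausible way a read lands one byte to the left of an allocation, as the first trace shows; whether that is the actual cause in liblnk is not established here.

```c
/*
 * Added example (not liblnk's code): bounds-checked readers for two
 * length-prefixed LNK constructs, beside functions that report what a
 * reader trusting the length field would do. All names and samples are
 * constructed for this illustration.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical status codes. */
enum { LNK_OK = 0, LNK_ERR_ARG = 1, LNK_ERR_TRUNCATED = 2 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* StringData: 2-byte CountCharacters, then that many characters (2 bytes each
 * when the link is Unicode, 1 byte otherwise). The count is only honoured if
 * the bytes it promises are actually present after the header. */
int lnk_read_string_data(const uint8_t *buf, size_t buf_size, size_t off, int unicode,
                         const uint8_t **payload, size_t *payload_size, size_t *consumed)
{
    if (!buf || !payload || !payload_size || !consumed) return LNK_ERR_ARG;
    if (off > buf_size || buf_size - off < 2) return LNK_ERR_TRUNCATED;   /* header must fit */
    size_t bytes = (size_t)rd16(buf + off) * (unicode ? 2u : 1u);
    if (bytes > buf_size - off - 2) return LNK_ERR_TRUNCATED;             /* count exceeds the file */
    *payload = buf + off + 2;
    *payload_size = bytes;
    *consumed = 2 + bytes;
    return LNK_OK;
}

/* Demo helper: payload size on success, -1 on any error. */
long lnk_string_payload_size(const uint8_t *buf, size_t buf_size, size_t off, int unicode)
{
    const uint8_t *p; size_t n, c;
    if (lnk_read_string_data(buf, buf_size, off, unicode, &p, &n, &c) != LNK_OK) return -1;
    return (long)n;
}

/* A reader that trusts CountCharacters would read this many bytes past the end
 * of buf. Computed only; no such read happens here. */
size_t lnk_string_data_overread(const uint8_t *buf, size_t buf_size, size_t off, int unicode)
{
    if (!buf || off > buf_size || buf_size - off < 2) return 0;
    size_t bytes = (size_t)rd16(buf + off) * (unicode ? 2u : 1u);
    size_t avail = buf_size - off - 2;
    return bytes > avail ? bytes - avail : 0;
}

/* Terminator test for a string payload. The naive form `s[size - 1] == 0`
 * indexes one byte before the allocation when size == 0 (one way to get a read
 * "1 bytes to the left" of a region); checking size first keeps it in bounds. */
int lnk_string_is_terminated(const uint8_t *s, size_t size, int unicode)
{
    size_t w = unicode ? 2u : 1u;
    if (!s || size < w) return 0;
    return unicode ? (s[size - 2] == 0 && s[size - 1] == 0) : (s[size - 1] == 0);
}

/* ExtraData: a run of blocks, each starting with a 4-byte BlockSize that counts
 * itself and a 4-byte BlockSignature; a BlockSize below 4 is the terminal block.
 * Returns the number of complete blocks, or -1 if any BlockSize runs past buf. */
int lnk_count_extra_data_blocks(const uint8_t *buf, size_t buf_size, size_t off)
{
    if (!buf || off > buf_size) return -1;
    int n = 0;
    for (;;) {
        if (buf_size - off < 4) return -1;            /* no terminal block: truncated */
        uint32_t block_size = rd32(buf + off);
        if (block_size < 4) return n;                  /* terminal block */
        if (block_size < 8) return -1;                 /* cannot hold size + signature */
        if (block_size > buf_size - off) return -1;    /* would read past the file */
        off += block_size;
        n++;
    }
}

/* Constructed samples, not taken from the attached pocs.zip. */
static const uint8_t GOOD_STR[]  = { 0x02, 0x00, 'a', 0x00, 'b', 0x00 };        /* count 2, "ab" */
static const uint8_t TERM_STR[]  = { 0x02, 0x00, 'a', 0x00, 0x00, 0x00 };       /* count 2, "a\0" */
static const uint8_t EMPTY_STR[] = { 0x00, 0x00 };                               /* count 0 */
static const uint8_t BAD_STR[]   = { 0x10, 0x00, 'a', 0x00 };                    /* count 16, 2 bytes present */
static const uint8_t GOOD_BLOCKS[] = {
    0x0c, 0x00, 0x00, 0x00,  0x03, 0x00, 0x00, 0xa0,  0x01, 0x02, 0x03, 0x04,   /* 12-byte block */
    0x00, 0x00, 0x00, 0x00 };                                                    /* terminal block */
static const uint8_t BAD_BLOCKS[] = {
    0x40, 0x00, 0x00, 0x00,  0x03, 0x00, 0x00, 0xa0,  0x01, 0x02 };              /* claims 64, has 10 */

int main(void)
{
    printf("good string payload: %ld bytes\n", lnk_string_payload_size(GOOD_STR, sizeof GOOD_STR, 0, 1));
    printf("bad string: hardened=%ld, naive over-read=%zu bytes\n",
           lnk_string_payload_size(BAD_STR, sizeof BAD_STR, 0, 1),
           lnk_string_data_overread(BAD_STR, sizeof BAD_STR, 0, 1));
    printf("terminated: empty=%d \"a\\0\"=%d\n",
           lnk_string_is_terminated(EMPTY_STR + 2, 0, 1),
           lnk_string_is_terminated(TERM_STR + 2, 4, 1));
    printf("blocks: good=%d bad=%d\n",
           lnk_count_extra_data_blocks(GOOD_BLOCKS, sizeof GOOD_BLOCKS, 0),
           lnk_count_extra_data_blocks(BAD_BLOCKS, sizeof BAD_BLOCKS, 0));
    return 0;
}
```

The point of the two `lnk_*_overread` style checks is that the bound must be derived from what the file actually contains (`buf_size - off - header`), not from the field the attacker controls; building a liblnk fuzz target with the same AddressSanitizer configuration used above is the quickest way to confirm that a candidate fix holds on the attached PoCs.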
===============================


Webin security lab - dbapp security Ltd


Attachment: pocs.zip (application/x-zip-compressed)

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

