[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] libmobi 0.3 vulns

libmobi multiple vulnerabilities
================
Author : Webin security lab - dbapp security Ltd
===============


Introduction:
=============
C library for handling Mobipocket/Kindle (MOBI) ebook format documents.


For examples on how to use the library have a look at tools folder.


Affected version:
=====
0.3


Vulnerability Description:
==========================
1. the mobi_parse_mobiheader function in read.c in libmobi allow remote 
attackers to cause a information disclosure(heap-buffer-overflow OOB read) via 
a crafted mobi file.


./mobitool -s mobi_parse_mobiheader


==36648==ERROR: AddressSanitizer: heap-buffer-overflow on address 
0x604000000240 at pc 0x0000005723f1 bp 0x7ffdf813d5a0 sp 0x7ffdf813d598
READ of size 1 at 0x604000000240 thread T0
    #0 0x5723f0 in buffer_get32 /home/xxx/libmobi/src/buffer.c:230:22
    #1 0x5723f0 in buffer_dup32 /home/xxx/libmobi/src/buffer.c:455
    #2 0x537776 in mobi_parse_mobiheader /home/xxx/libmobi/src/read.c:318:5
    #3 0x5387e8 in mobi_parse_record0 /home/xxx/libmobi/src/read.c:463:15
    #4 0x53bffb in mobi_load_file /home/xxx/libmobi/src/read.c:857:11
    #5 0x51d649 in loadfilename /home/xxx/libmobi/tools/mobitool.c:734:16
    #6 0x51e41f in main /home/xxx/libmobi/tools/mobitool.c:955:11
    #7 0x7facdc96682f in __libc_start_main 
/build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #8 0x41ab78 in _start (/home/xxx/libmobi/tools/mobitool+0x41ab78)
>
0x604000000240 is located 0 bytes to the right of 48-byte region 
[0x604000000210,0x604000000240)
allocated by thread T0 here:
    #0 0x4deda8 in __interceptor_malloc 
(/home/xxx/libmobi/tools/mobitool+0x4deda8)
    #1 0x536832 in mobi_load_recdata /home/xxx/libmobi/src/read.c:180:17
    #2 0x536832 in mobi_load_rec /home/xxx/libmobi/src/read.c:156


Reproducer:
mobi_parse_mobiheader
CVE:
CVE-2018-11432




2.
The mobi_get_kf8boundary_seqnumber function in util.c in Libmobi 0.3 allows 
remote attackers to cause information disclosure (heap-based buffer over-read) 
via a crafted mobi file.


./mobitool -s mobi_get_kf8boundary_seqnumber


==36670==ERROR: AddressSanitizer: heap-buffer-overflow on address 
0x6020000006d1 at pc 0x0000004b579c bp 0x7ffdbb7b3780 sp 0x7ffdbb7b2f30
READ of size 8 at 0x6020000006d1 thread T0
    #0 0x4b579b in __interceptor_memcmp.part.77 
(/home/xxx/libmobi/tools/mobitool+0x4b579b)
    #1 0x54fc17 in mobi_get_kf8boundary_seqnumber 
/home/xxx/libmobi/src/util.c:2759:16
    #2 0x53c113 in mobi_load_file /home/xxx/libmobi/src/read.c:868:44
    #3 0x51d649 in loadfilename /home/xxx/libmobi/tools/mobitool.c:734:16
    #4 0x51e41f in main /home/xxx/libmobi/tools/mobitool.c:955:11
    #5 0x7ff191a5682f in __libc_start_main 
/build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #6 0x41ab78 in _start (/home/xxx/libmobi/tools/mobitool+0x41ab78)

0x6020000006d1 is located 0 bytes to the right of 1-byte region 
[0x6020000006d0,0x6020000006d1)
allocated by thread T0 here:
    #0 0x4deda8 in __interceptor_malloc 
(/home/xxx/libmobi/tools/mobitool+0x4deda8)
    #1 0x536832 in mobi_load_recdata /home/xxx/libmobi/src/read.c:180:17
    #2 0x536832 in mobi_load_rec /home/xxx/libmobi/src/read.c:156


Reproducer:
mobi_get_kf8boundary_seqnumber
CVE:
CVE-2018-11433


3. The buffer_fill64 function in compression.c in Libmobi 0.3 allows remote 
attackers to cause information disclosure (heap-based buffer over-read) via a 
crafted mobi file.


./mobitool -s buffer_fill64


==36692==ERROR: AddressSanitizer: heap-buffer-overflow on address 
0x61c000002710 at pc 0x0000005746aa bp 0x7ffcf33c4bd0 sp 0x7ffcf33c4bc8
READ of size 1 at 0x61c000002710 thread T0
    #0 0x5746a9 in buffer_fill64 /home/xxx/libmobi/src/compression.c:98:27
    #1 0x5746a9 in mobi_decompress_huffman_internal 
/home/xxx/libmobi/src/compression.c:128
    #2 0x5743fb in mobi_decompress_huffman_internal 
/home/xxx/libmobi/src/compression.c:180:19
    #3 0x573832 in mobi_decompress_huffman 
/home/xxx/libmobi/src/compression.c:213:20
    #4 0x548c2e in mobi_decompress_content /home/xxx/libmobi/src/util.c:1776:23
    #5 0x547575 in mobi_get_rawml /home/xxx/libmobi/src/util.c:1832:12
    #6 0x53495f in mobi_parse_rawml_opt 
/home/xxx/libmobi/src/parse_rawml.c:1993:11
    #7 0x51dbda in loadfilename /home/xxx/libmobi/tools/mobitool.c:788:20
    #8 0x51e41f in main /home/xxx/libmobi/tools/mobitool.c:955:11
    #9 0x7efe4e4f982f in __libc_start_main 
/build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #10 0x41ab78 in _start (/home/xxx/libmobi/tools/mobitool+0x41ab78)

0x61c000002710 is located 0 bytes to the right of 1680-byte region 
[0x61c000002080,0x61c000002710)
allocated by thread T0 here:
    #0 0x4deda8 in __interceptor_malloc 
(/home/xxx/libmobi/tools/mobitool+0x4deda8)
    #1 0x536832 in mobi_load_recdata /home/xxx/libmobi/src/read.c:180:17
    #2 0x536832 in mobi_load_rec /home/xxx/libmobi/src/read.c:156

    
Reproducer:
buffer_fill64
CVE:
CVE-2018-11434


4.The mobi_decompress_huffman_internal function in compression.c in Libmobi 0.3 
allows remote attackers to cause information disclosure (read access violation) 
via a crafted mobi file.


./mobitool -s mobi_decompress_huffman_internal


==36715==ERROR: AddressSanitizer: SEGV on unknown address 0x61b0000126d0 (pc 
0x000000574308 bp 0x7ffdaf41eb50 sp 0x7ffdaf41e9e0 T0)
==36715==The signal is caused by a READ memory access.
    #0 0x574307 in mobi_decompress_huffman_internal 
/home/xxx/libmobi/src/compression.c:163:45
    #1 0x573832 in mobi_decompress_huffman 
/home/xxx/libmobi/src/compression.c:213:20
    #2 0x548c2e in mobi_decompress_content /home/xxx/libmobi/src/util.c:1776:23
    #3 0x547575 in mobi_get_rawml /home/xxx/libmobi/src/util.c:1832:12
    #4 0x53495f in mobi_parse_rawml_opt 
/home/xxx/libmobi/src/parse_rawml.c:1993:11
    #5 0x51dbda in loadfilename /home/xxx/libmobi/tools/mobitool.c:788:20
    #6 0x51e41f in main /home/xxx/libmobi/tools/mobitool.c:955:11
    #7 0x7f15b4f3282f in __libc_start_main 
/build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #8 0x41ab78 in _start (/home/xxx/libmobi/tools/mobitool+0x41ab78)


Reproducer:
mobi_decompress_huffman_internal
CVE:
CVE-2018-11435


5.The buffer_addraw function in buffer.c in Libmobi 0.3 allows remote attackers 
to cause information disclosure (heap-based buffer over-read) via a crafted 
mobi file.


./mobitool -s buffer_addraw


==36738==ERROR: AddressSanitizer: heap-buffer-overflow on address 
0x61b0000068f6 at pc 0x0000004ddc2d bp 0x7fffb3989280 sp 0x7fffb3988a30
READ of size 1 at 0x61b0000068f6 thread T0
    #0 0x4ddc2c in __asan_memcpy (/home/xxx/libmobi/tools/mobitool+0x4ddc2c)
    #1 0x5704e6 in buffer_addraw /home/xxx/libmobi/src/buffer.c:153:5
    #2 0x57444f in mobi_decompress_huffman_internal 
/home/xxx/libmobi/src/compression.c:170:13
    #3 0x573832 in mobi_decompress_huffman 
/home/xxx/libmobi/src/compression.c:213:20
    #4 0x548c2e in mobi_decompress_content /home/xxx/libmobi/src/util.c:1776:23
    #5 0x547575 in mobi_get_rawml /home/xxx/libmobi/src/util.c:1832:12
    #6 0x53495f in mobi_parse_rawml_opt 
/home/xxx/libmobi/src/parse_rawml.c:1993:11
    #7 0x51dbda in loadfilename /home/xxx/libmobi/tools/mobitool.c:788:20
    #8 0x51e41f in main /home/xxx/libmobi/tools/mobitool.c:955:11
    #9 0x7fbece1d882f in __libc_start_main 
/build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #10 0x41ab78 in _start (/home/xxx/libmobi/tools/mobitool+0x41ab78)

0x61b0000068f6 is located 0 bytes to the right of 1654-byte region 
[0x61b000006280,0x61b0000068f6)
allocated by thread T0 here:
    #0 0x4deda8 in __interceptor_malloc 
(/home/xxx/libmobi/tools/mobitool+0x4deda8)
    #1 0x536832 in mobi_load_recdata /home/xxx/libmobi/src/read.c:180:17
    #2 0x536832 in mobi_load_rec /home/xxx/libmobi/src/read.c:156


Reproducer:
buffer_addraw
CVE:
CVE-2018-11436


6.The mobi_reconstruct_parts function in parse_rawml.c in Libmobi 0.3 allows
remote attackers to cause information disclosure (read access
violation) via a crafted mobi file.


./mobitool -s mobi_reconstruct_parts


==36806==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000202a (pc 
0x7f946a6ca529 bp 0x7ffc6c0242d0 sp 0x7ffc6c023a58 T0)
==36806==The signal is caused by a READ memory access.
    #0 0x7f946a6ca528  
/build/glibc-Cl5G7W/glibc-2.23/string/../sysdeps/x86_64/multiarch/memcpy-ssse3-back.S:130
    #1 0x4dd86a in __asan_memcpy (/home/xxx/libmobi/tools/mobitool+0x4dd86a)
    #2 0x52c0c2 in mobi_reconstruct_parts 
/home/xxx/libmobi/src/parse_rawml.c:929:13
    #3 0x5352e6 in mobi_parse_rawml_opt 
/home/xxx/libmobi/src/parse_rawml.c:2088:11
    #4 0x51dbda in loadfilename /home/xxx/libmobi/tools/mobitool.c:788:20
    #5 0x51e41f in main /home/xxx/libmobi/tools/mobitool.c:955:11
    #6 0x7f946a58c82f in __libc_start_main 
/build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #7 0x41ab78 in _start (/home/xxx/libmobi/tools/mobitool+0x41ab78)


Reproducer:
mobi_reconstruct_parts
CVE:
CVE-2018-11437


7.> The mobi_decompress_lz77 function in compression.c in Libmobi 0.3
> allows remote attackers to cause remote code
> execution (heap-based buffer overflow) via a crafted mobi file.


./mobitool -s mobi_decompress_lz77


> ==36853==ERROR: AddressSanitizer: heap-buffer-overflow on address 
> 0x621000004d00 at pc 0x0000004de2d1 bp 0x7fff80bd0440 sp 0x7fff80bcfbf0
> WRITE of size 1 at 0x621000004d00 thread T0
>     #0 0x4de2d0 in __asan_memmove (/home/xxx/libmobi/tools/mobitool+0x4de2d0)
>     #1 0x572b51 in buffer_move /home/xxx/libmobi/src/buffer.c:520:5
>     #2 0x5734ed in mobi_decompress_lz77 
> /home/xxx/libmobi/src/compression.c:59:17
>     #3 0x548bd4 in mobi_decompress_content 
> /home/xxx/libmobi/src/util.c:1768:23
>     #4 0x547575 in mobi_get_rawml /home/xxx/libmobi/src/util.c:1832:12
>     #5 0x53495f in mobi_parse_rawml_opt 
> /home/xxx/libmobi/src/parse_rawml.c:1993:11
>     #6 0x51dbda in loadfilename /home/xxx/libmobi/tools/mobitool.c:788:20
>     #7 0x51e41f in main /home/xxx/libmobi/tools/mobitool.c:955:11
>     #8 0x7f413ce4182f in __libc_start_main 
> /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
>     #9 0x41ab78 in _start (/home/xxx/libmobi/tools/mobitool+0x41ab78)
>
> 0x621000004d00 is located 0 bytes to the right of 4096-byte region 
> [0x621000003d00,0x621000004d00)
> allocated by thread T0 here:
>     #0 0x4deda8 in __interceptor_malloc 
> (/home/xxx/libmobi/tools/mobitool+0x4deda8)
>     #1 0x547e37 in mobi_decompress_content 
> /home/xxx/libmobi/src/util.c:1702:39
>     #2 0x547575 in mobi_get_rawml /home/xxx/libmobi/src/util.c:1832:12
>     #3 0x51dbda in loadfilename /home/xxx/libmobi/tools/mobitool.c:788:20


Reproducer:
mobi_decompress_lz77
CVE:
CVE-2018-11438
===============================


Webin security lab - dbapp security Ltd

Attachment: pocs.zip
Description: Zip compressed data

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/