liblnk multiple vulnerabilities
===============================

Author : Webin security lab - dbapp security Ltd

Introduction:
=============

liblnk is a library to access the Windows Shortcut File (LNK) format.

Affected version:
=================

20180419

Vulnerability Description:
==========================

1. The liblnk_data_string_get_utf8_string_size function in liblnk_data_string.c
in liblnk through 2018-04-19 allows remote attackers to cause an information
disclosure (heap-based buffer over-read) via a crafted LNK file.

./lnkinfo liblnk_data_string_get_utf8_string_size

==8006==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000006f at pc 0x00000058f617 bp 0x7fffe851ecb0 sp 0x7fffe851eca8
READ of size 1 at 0x60200000006f thread T0
    #0 0x58f616 in libuna_utf8_string_size_from_byte_stream /home/xxx/liblnk/libuna/libuna_utf8_string.c:82:6
    #1 0x606cf0 in liblnk_data_string_get_utf8_string_size /home/xxx/liblnk/liblnk/liblnk_data_string.c:434:12
    #2 0x5ea89c in liblnk_file_get_utf8_command_line_arguments_size /home/xxx/liblnk/liblnk/liblnk_file.c:5301:6
    #3 0x52cdc9 in info_handle_command_line_arguments_fprint /home/xxx/liblnk/lnktools/info_handle.c:1792:11
    #4 0x52ecf4 in info_handle_file_fprint /home/xxx/liblnk/lnktools/info_handle.c:2624:6
    #5 0x52fc63 in main /home/xxx/liblnk/lnktools/lnkinfo.c:277:6
    #6 0x7f79fb92282f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #7 0x42c678 in _start (/home/xxx/liblnk/lnktools/lnkinfo+0x42c678)

0x60200000006f is located 1 bytes to the left of 1-byte region [0x602000000070,0x602000000071)
allocated by thread T0 here:
    #0 0x4f08a8 in malloc (/home/xxx/liblnk/lnktools/lnkinfo+0x4f08a8)
    #1 0x6067fc in liblnk_data_string_read /home/xxx/liblnk/liblnk/liblnk_data_string.c:273:34
    #2 0x5df733 in liblnk_file_open_read /home/xxx/liblnk/liblnk/liblnk_file.c:1317:16
    #3 0x5de9ab in liblnk_file_open_file_io_handle /home/xxx/liblnk/liblnk/liblnk_file.c:627:6
    #4 0x7f79fb93b785 in getenv /build/glibc-Cl5G7W/glibc-2.23/stdlib/getenv.c:35

Reproducer: liblnk_data_string_get_utf8_string_size
CVE: CVE-2018-12096

2. The liblnk_location_information_read_data function in
liblnk_location_information.c in liblnk through 2018-04-19 allows remote
attackers to cause an information disclosure (heap-based buffer over-read) via
a crafted LNK file.

./lnkinfo liblnk_location_information_read_data

==8015==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b00000020a at pc 0x0000004ef72d bp 0x7ffc0f581380 sp 0x7ffc0f580b30
READ of size 2 at 0x60b00000020a thread T0
    #0 0x4ef72c in __asan_memcpy (/home/xxx/liblnk/lnktools/lnkinfo+0x4ef72c)
    #1 0x5f3910 in liblnk_location_information_read_data /home/xxx/liblnk/liblnk/liblnk_location_information.c:1661:7
    #2 0x5f4aa4 in liblnk_location_information_read /home/xxx/liblnk/liblnk/liblnk_location_information.c:1907:6
    #3 0x5df231 in liblnk_file_open_read /home/xxx/liblnk/liblnk/liblnk_file.c:1149:16
    #4 0x5de9ab in liblnk_file_open_file_io_handle /home/xxx/liblnk/liblnk/liblnk_file.c:627:6
    #5 0x5de33e in liblnk_file_open /home/xxx/liblnk/liblnk/liblnk_file.c:345:6
    #6 0x529078 in info_handle_open_input /home/xxx/liblnk/lnktools/info_handle.c:415:6
    #7 0x52fc2e in main /home/xxx/liblnk/lnktools/lnkinfo.c:265:6
    #8 0x7f0ac292082f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #9 0x42c678 in _start (/home/xxx/liblnk/lnktools/lnkinfo+0x42c678)

0x60b00000020a is located 0 bytes to the right of 106-byte region [0x60b0000001a0,0x60b00000020a)
allocated by thread T0 here:
    #0 0x4f08a8 in malloc (/home/xxx/liblnk/lnktools/lnkinfo+0x4f08a8)
    #1 0x5f4a1a in liblnk_location_information_read /home/xxx/liblnk/liblnk/liblnk_location_information.c:1876:42
    #2 0x5df231 in liblnk_file_open_read /home/xxx/liblnk/liblnk/liblnk_file.c:1149:16
    #3 0x5de9ab in liblnk_file_open_file_io_handle /home/xxx/liblnk/liblnk/liblnk_file.c:627:6

Reproducer: liblnk_location_information_read_data
CVE: CVE-2018-12097

3. The liblnk_data_block_read function in liblnk_data_block.c in liblnk through
2018-04-19 allows remote attackers to cause an information disclosure
(heap-based buffer over-read) via a crafted LNK file.

./lnkinfo liblnk_data_block_read

==8039==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000093 at pc 0x00000060537b bp 0x7ffc89001270 sp 0x7ffc89001268
READ of size 1 at 0x602000000093 thread T0
    #0 0x60537a in liblnk_data_block_read /home/xxx/liblnk/liblnk/liblnk_data_block.c:296:3
    #1 0x5dfa5a in liblnk_file_open_read /home/xxx/liblnk/liblnk/liblnk_file.c:1409:17
    #2 0x5de9ab in liblnk_file_open_file_io_handle /home/xxx/liblnk/liblnk/liblnk_file.c:627:6
    #3 0x5de33e in liblnk_file_open /home/xxx/liblnk/liblnk/liblnk_file.c:345:6
    #4 0x529078 in info_handle_open_input /home/xxx/liblnk/lnktools/info_handle.c:415:6
    #5 0x52fc2e in main /home/xxx/liblnk/lnktools/lnkinfo.c:265:6
    #6 0x7f5ad442d82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #7 0x42c678 in _start (/home/xxx/liblnk/lnktools/lnkinfo+0x42c678)

0x602000000093 is located 2 bytes to the right of 1-byte region [0x602000000090,0x602000000091)
allocated by thread T0 here:
    #0 0x4f08a8 in malloc (/home/xxx/liblnk/lnktools/lnkinfo+0x4f08a8)
    #1 0x604ff0 in liblnk_data_block_read /home/xxx/liblnk/liblnk/liblnk_data_block.c:263:34
    #2 0x5dfa5a in liblnk_file_open_read /home/xxx/liblnk/liblnk/liblnk_file.c:1409:17
    #3 0x5de9ab in liblnk_file_open_file_io_handle /home/xxx/liblnk/liblnk/liblnk_file.c:627:6
    #4 0x7f5ad4446785 in getenv /build/glibc-Cl5G7W/glibc-2.23/stdlib/getenv.c:35

Reproducer: liblnk_data_block_read
CVE: CVE-2018-12098

===============================
Webin security lab - dbapp security Ltd
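All three traces above share one shape: a heap buffer is sized from a length or offset field read out of the LNK file, and a later read (a string-size scan, a memcpy, a byte read in the data-block parser) runs past what was actually allocated. The following is an added example and is not liblnk's code or the fix for these CVEs; it shows bounds-checked readers for the three MS-SHLLINK substructures these functions handle (StringData, LinkInfo, ExtraData blocks), with each file-supplied length or offset compared against the bytes actually present before the payload is touched. Byte layouts follow the public MS-SHLLINK specification; the sample buffers are constructed here and are not taken from the attached PoC files.

```c
/*
 * Added example, not liblnk's code: bounds-checked readers for the three
 * variable-length MS-SHLLINK substructures the advisory's traces pass through
 * (StringData, LinkInfo, ExtraData). Each checks the length or offset taken
 * from the file against the bytes actually available before reading the
 * payload; layouts follow the public MS-SHLLINK specification.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* StringData: uint16 CountCharacters, then that many characters (2 bytes each
 * when the header flag HasUnicodeStrings is set). Returns bytes consumed, or
 * -1 when the declared count does not fit in `len`. A zero count is legal and
 * yields an empty string. Out-parameters may be NULL. */
long parse_string_data(const uint8_t *buf, size_t len, int is_unicode,
                       const uint8_t **str, size_t *str_bytes)
{
    if (len < 2)
        return -1;
    size_t nbytes = (size_t)rd16(buf) * (is_unicode ? 2 : 1); /* at most 131070 */
    if (nbytes > len - 2)
        return -1; /* the file claims more characters than it contains */
    if (str)
        *str = buf + 2;
    if (str_bytes)
        *str_bytes = nbytes;
    return (long)(2 + nbytes);
}

/* LinkInfo: uint32 LinkInfoSize, uint32 LinkInfoHeaderSize, uint32 flags, then
 * offsets relative to the structure start. Returns the NUL-terminated string
 * whose offset is stored at `field_off` (16 = LocalBasePathOffset,
 * 24 = CommonPathSuffixOffset), or NULL if any size or offset is inconsistent.
 * The terminator is searched only inside LinkInfoSize bytes, so an unterminated
 * string is rejected instead of being copied past the buffer. */
const char *link_info_string(const uint8_t *buf, size_t len, size_t field_off,
                             size_t *out_len)
{
    if (len < 28)
        return NULL;
    uint32_t size = rd32(buf), hdr = rd32(buf + 4);
    if (hdr < 28 || hdr > size || size > len || field_off + 4 > hdr)
        return NULL;
    uint32_t off = rd32(buf + field_off);
    if (off == 0 || off < hdr || off >= size)
        return NULL; /* absent, inside the header, or beyond the structure */
    const uint8_t *nul = memchr(buf + off, 0, size - off);
    if (!nul)
        return NULL;
    if (out_len)
        *out_len = (size_t)(nul - (buf + off));
    return (const char *)(buf + off);
}

/* ExtraData block: uint32 BlockSize (covers itself and the signature), uint32
 * BlockSignature, then BlockSize - 8 payload bytes. BlockSize < 4 is the
 * terminal block (returns 0); 4..7, or more than `len`, is malformed (-1). */
long parse_data_block(const uint8_t *buf, size_t len, uint32_t *sig,
                      const uint8_t **payload)
{
    if (len < 4)
        return -1;
    uint32_t size = rd32(buf);
    if (size < 4)
        return 0;
    if (size < 8 || size > len)
        return -1; /* smaller than its own header, or larger than the file */
    if (sig)
        *sig = rd32(buf + 4);
    if (payload)
        *payload = buf + 8;
    return (long)(size - 8);
}

/* Constructed inputs (not from the advisory's PoC files). */
const uint8_t kTruncatedString[] = { 0x05, 0x00, 'a', 0x00, 'b' }; /* claims 5 UTF-16 chars, holds 3 bytes */
const uint8_t kEmptyString[] = { 0x00, 0x00 };
const uint8_t kBadLinkInfo[] = {  /* LocalBasePathOffset 40 lies beyond LinkInfoSize 28 */
    28, 0, 0, 0, 28, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 40, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
const uint8_t kGoodLinkInfo[] = { /* LocalBasePathOffset 28 -> "C:\x", LinkInfoSize 33 */
    33, 0, 0, 0, 28, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    'C', ':', '\\', 'x', 0 };
const uint8_t kShortBlock[] = { 0x06, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0xA0 }; /* BlockSize 6 < 8 */
const uint8_t kGoodBlock[] = { 0x0C, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0xA0, 1, 2, 3, 4 };
const uint8_t kTerminalBlock[] = { 0x00, 0x00, 0x00, 0x00 };

int main(void)
{
    printf("truncated StringData: %ld\n", parse_string_data(kTruncatedString, sizeof kTruncatedString, 1, NULL, NULL));
    printf("bad LinkInfo offset:  %s\n", link_info_string(kBadLinkInfo, sizeof kBadLinkInfo, 16, NULL) ? "accepted" : "rejected");
    printf("good LinkInfo path:   %s\n", link_info_string(kGoodLinkInfo, sizeof kGoodLinkInfo, 16, NULL));
    printf("6-byte ExtraData:     %ld\n", parse_data_block(kShortBlock, sizeof kShortBlock, NULL, NULL));
    return 0;
}
```

The point of the three readers is the same invariant each time: a count, size or offset that came from the file is only used after it has been checked against the number of bytes the parser actually holds, and string scans are bounded by the enclosing structure rather than by a terminator that a crafted file can simply omit.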
Attachment:
pocs.zip
Description: Zip compressed data
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/