Full Disclosure mailing list archives

libfsntfs 20180420 vulns


From: 熊文彬 <bear.xiong () dbappsecurity com cn>
Date: Wed, 6 Jun 2018 09:52:52 +0800 (GMT+08:00)

libfsntfs multiple vulnerabilities
================
Author : Webin security lab - dbapp security Ltd
===============


Introduction:
=============
libfsntfs is a library to access the New Technology File System (NTFS).


Affected version:
=====
20180420


Vulnerability Description:
==========================


1. The libfsntfs_attribute_read_from_mft function in libfsntfs_attribute.c in libfsntfs through 2018-04-20 allows
remote attackers to cause an information disclosure (heap-based buffer over-read) via a crafted NTFS file.


fsntfsinfo libfsntfs_attribute_read_from_mft


 ==4965==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000000480 at pc 0x0000004efa6d bp 0x7ffde64b3670 sp 0x7ffde64b2e20
 READ of size 402653184 at 0x619000000480 thread T0
     #0 0x4efa6c in __asan_memcpy (/home/xxx/libfsntfs/fsntfstools/fsntfsinfo+0x4efa6c)
     #1 0x5f8dfe in libfsntfs_attribute_read_from_mft /home/xxx/libfsntfs/libfsntfs/libfsntfs_attribute.c:1325:8
     #2 0x61d812 in libfsntfs_mft_entry_read_attributes /home/xxx/libfsntfs/libfsntfs/libfsntfs_mft_entry.c:1121:16
     #3 0x61bf0a in libfsntfs_mft_entry_read /home/xxx/libfsntfs/libfsntfs/libfsntfs_mft_entry.c:487:7
     #4 0x619761 in libfsntfs_mft_read_mft_entry /home/xxx/libfsntfs/libfsntfs/libfsntfs_mft.c:506:6
     #5 0x639c41 in libfsntfs_internal_volume_open_read /home/xxx/libfsntfs/libfsntfs/libfsntfs_volume.c:961:6
     #6 0x639447 in libfsntfs_volume_open_file_io_handle /home/xxx/libfsntfs/libfsntfs/libfsntfs_volume.c:652:6
     #7 0x52bfbc in info_handle_open_input /home/xxx/libfsntfs/fsntfstools/info_handle.c:738:7
     #8 0x5293cd in main /home/xxx/libfsntfs/fsntfstools/fsntfsinfo.c:295:6
     #9 0x7ff40a01f82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
     #10 0x42c9b8 in _start (/home/xxx/libfsntfs/fsntfstools/fsntfsinfo+0x42c9b8)

 0x619000000480 is located 0 bytes to the right of 1024-byte region [0x619000000080,0x619000000480)
 allocated by thread T0 here:
     #0 0x4f0be8 in malloc (/home/xxx/libfsntfs/fsntfstools/fsntfsinfo+0x4f0be8)
     #1 0x61c094 in libfsntfs_mft_entry_read_header /home/xxx/libfsntfs/libfsntfs/libfsntfs_mft_entry.c:584:32


Reproducer:
libfsntfs_attribute_read_from_mft
CVE:
CVE-2018-11727


2. The libfsntfs_reparse_point_values_read_data function in libfsntfs_reparse_point_values.c in libfsntfs through
2018-04-20 allows remote attackers to cause an information disclosure (heap-based buffer over-read) via a crafted
NTFS file.


fsntfsinfo libfsntfs_reparse_point_values_read_data


 ==4994==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000393 at pc 0x00000062bdf6 bp 0x7ffdfd83c4c0 sp 0x7ffdfd83c4b8
 READ of size 1 at 0x602000000393 thread T0
     #0 0x62bdf5 in libfsntfs_reparse_point_values_read_data /home/xxx/libfsntfs/libfsntfs/libfsntfs_reparse_point_values.c:209:2
     #1 0x5fbca1 in libfsntfs_attribute_read_value /home/xxx/libfsntfs/libfsntfs/libfsntfs_attribute.c:2045:9
     #2 0x61eb07 in libfsntfs_mft_entry_append_attribute /home/xxx/libfsntfs/libfsntfs/libfsntfs_mft_entry.c:3011:8
     #3 0x61d9bd in libfsntfs_mft_entry_read_attributes /home/xxx/libfsntfs/libfsntfs/libfsntfs_mft_entry.c:1194:7
     #4 0x625d34 in libfsntfs_mft_entry_read /home/xxx/libfsntfs/libfsntfs/libfsntfs_mft_entry.c:487:7
     #5 0x625d34 in libfsntfs_mft_entry_read_element_data /home/xxx/libfsntfs/libfsntfs/libfsntfs_mft_entry.c:3678
     #6 0x66b4a9 in libfdata_vector_get_element_value_by_index /home/xxx/libfsntfs/libfdata/libfdata_vector.c:1613:7
     #7 0x61adac in libfsntfs_mft_get_mft_entry_by_index /home/xxx/libfsntfs/libfsntfs/libfsntfs_mft.c:959:6
     #8 0x63a54f in libfsntfs_internal_volume_read_bitmap /home/xxx/libfsntfs/libfsntfs/libfsntfs_volume.c:2644:6
     #9 0x639d61 in libfsntfs_internal_volume_open_read /home/xxx/libfsntfs/libfsntfs/libfsntfs_volume.c:1036:6
     #10 0x639447 in libfsntfs_volume_open_file_io_handle /home/xxx/libfsntfs/libfsntfs/libfsntfs_volume.c:652:6
     #11 0x52bfbc in info_handle_open_input /home/xxx/libfsntfs/fsntfstools/info_handle.c:738:7
     #12 0x5293cd in main /home/xxx/libfsntfs/fsntfstools/fsntfsinfo.c:295:6
     #13 0x7f8c0b19382f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
     #14 0x42c9b8 in _start (/home/xxx/libfsntfs/fsntfstools/fsntfsinfo+0x42c9b8)


Reproducer:
libfsntfs_reparse_point_values_read_data
CVE:
CVE-2018-11728


3. The libfsntfs_mft_entry_read_header function in libfsntfs_mft_entry.c in libfsntfs through 2018-04-20 allows remote
attackers to cause an information disclosure (heap-based buffer over-read) via a crafted NTFS file.


fsntfsinfo libfsntfs_mft_entry_read_header


 ==5284==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000115 at pc 0x00000061cfc3 bp 0x7fff101dfdb0 sp 0x7fff101dfda8
 READ of size 1 at 0x602000000115 thread T0
     #0 0x61cfc2 in libfsntfs_mft_entry_read_header /home/xxx/libfsntfs/libfsntfs/libfsntfs_mft_entry.c:637:2
     #1 0x61be4e in libfsntfs_mft_entry_read /home/xxx/libfsntfs/libfsntfs/libfsntfs_mft_entry.c:453:11
     #2 0x619761 in libfsntfs_mft_read_mft_entry /home/xxx/libfsntfs/libfsntfs/libfsntfs_mft.c:506:6
     #3 0x639c41 in libfsntfs_internal_volume_open_read /home/xxx/libfsntfs/libfsntfs/libfsntfs_volume.c:961:6
     #4 0x639447 in libfsntfs_volume_open_file_io_handle /home/xxx/libfsntfs/libfsntfs/libfsntfs_volume.c:652:6
     #5 0x52bfbc in info_handle_open_input /home/xxx/libfsntfs/fsntfstools/info_handle.c:738:7
     #6 0x5293cd in main /home/xxx/libfsntfs/fsntfstools/fsntfsinfo.c:295:6
     #7 0x7f1b4a62182f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
     #8 0x42c9b8 in _start (/home/xxx/libfsntfs/fsntfstools/fsntfsinfo+0x42c9b8)

 0x602000000115 is located 1 bytes to the right of 4-byte region [0x602000000110,0x602000000114)
 allocated by thread T0 here:
     #0 0x4f0be8 in malloc (/home/xxx/libfsntfs/fsntfstools/fsntfsinfo+0x4f0be8)
     #1 0x61c094 in libfsntfs_mft_entry_read_header /home/xxx/libfsntfs/libfsntfs/libfsntfs_mft_entry.c:584:32


Reproducer:
libfsntfs_mft_entry_read_header
CVE:
CVE-2018-11729


4. The libfsntfs_security_descriptor_values_free function in libfsntfs_security_descriptor_values.c in libfsntfs
through 2018-04-20 allows remote attackers to cause a denial of service (double-free) via a crafted NTFS file.


fsntfsinfo libfsntfs_security_descriptor_values_free


 ==5371==ERROR: AddressSanitizer: attempting double-free on 0x62b000000200 in thread T0:
     #0 0x4f0a28 in __interceptor_cfree.localalias.0 (/home/xxx/libfsntfs/fsntfstools/fsntfsinfo+0x4f0a28)
     #1 0x630108 in libfsntfs_security_descriptor_values_free /home/xxx/libfsntfs/libfsntfs/libfsntfs_security_descriptor_values.c:130:4
     #2 0x5fcca5 in libfsntfs_attribute_read_value /home/xxx/libfsntfs/libfsntfs/libfsntfs_attribute.c:2502:3
     #3 0x61eb07 in libfsntfs_mft_entry_append_attribute /home/xxx/libfsntfs/libfsntfs/libfsntfs_mft_entry.c:3011:8
     #4 0x61d9bd in libfsntfs_mft_entry_read_attributes /home/xxx/libfsntfs/libfsntfs/libfsntfs_mft_entry.c:1194:7
     #5 0x61bf0a in libfsntfs_mft_entry_read
     ...
     #12 0x42c9b8 in _start (/home/xxx/libfsntfs/fsntfstools/fsntfsinfo+0x42c9b8)

 0x62b000000200 is located 0 bytes inside of 27648-byte region [0x62b000000200,0x62b000006e00)
 freed by thread T0 here:
     #0 0x4f0a28 in __interceptor_cfree.localalias.0 (/home/xxx/libfsntfs/fsntfstools/fsntfsinfo+0x4f0a28)
     #1 0x630c9e in libfsntfs_security_descriptor_values_read_stream /home/xxx/libfsntfs/libfsntfs/libfsntfs_security_descriptor_values.c:494:3
     #2 0x5fc511 in libfsntfs_attribute_read_value /home/xxx/libfsntfs/libfsntfs/libfsntfs_attribute.c:2292:9

 previously allocated by thread T0 here:
     #0 0x4f0be8 in malloc (/home/xxx/libfsntfs/fsntfstools/fsntfsinfo+0x4f0be8)
     #1 0x630ac4 in libfsntfs_security_descriptor_values_read_stream /home/xxx/libfsntfs/libfsntfs/libfsntfs_security_descriptor_values.c:439:49
     #2 0x5fc511 in libfsntfs_attribute_read_value /home/xxx/libfsntfs/libfsntfs/libfsntfs_attribute.c:2292:9


Reproducer:
libfsntfs_security_descriptor_values_free
CVE:
CVE-2018-11730


5. The libfsntfs_mft_entry_read_attributes function in libfsntfs_mft_entry.c in libfsntfs through 2018-04-20 allows
remote attackers to cause an information disclosure (heap-based buffer over-read) via a crafted NTFS file.


fsntfsinfo libfsntfs_mft_entry_read_attributes


 ==5385==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x615000000503 at pc 0x00000061e7c9 bp 0x7ffc26e98ed0 sp 0x7ffc26e98ec8
 READ of size 1 at 0x615000000503 thread T0
     #0 0x61e7c8 in libfsntfs_mft_entry_read_attributes /home/xxx/libfsntfs/libfsntfs/libfsntfs_mft_entry.c:1216:3
     #1 0x625d34 in libfsntfs_mft_entry_read /home/xxx/libfsntfs/libfsntfs/libfsntfs_mft_entry.c:487:7
     #2 0x625d34 in libfsntfs_mft_entry_read_element_data /home/xxx/libfsntfs/libfsntfs/libfsntfs_mft_entry.c:3678
     #3 0x66b4a9 in libfdata_vector_get_element_value_by_index /home/xxx/libfsntfs/libfdata/libfdata_vector.c:1613:7
     #4 0x61adac in libfsntfs_mft_get_mft_entry_by_index /home/xxx/libfsntfs/libfsntfs/libfsntfs_mft.c:959:6
     #5 0x63a54f in libfsntfs_internal_volume_read_bitmap /home/xxx/libfsntfs/libfsntfs/libfsntfs_volume.c:2644:6
     #6 0x639d61 in libfsntfs_internal_volume_open_read /home/xxx/libfsntfs/libfsntfs/libfsntfs_volume.c:1036:6
     #7 0x639447 in libfsntfs_volume_open_file_io_handle /home/xxx/libfsntfs/libfsntfs/libfsntfs_volume.c:652:6
     #8 0x52bfbc in info_handle_open_input /home/xxx/libfsntfs/fsntfstools/info_handle.c:738:7
     #9 0x5293cd in main /home/xxx/libfsntfs/fsntfstools/fsntfsinfo.c:295:6
     #10 0x7f4c44ae582f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
     #11 0x42c9b8 in _start (/home/xxx/libfsntfs/fsntfstools/fsntfsinfo+0x42c9b8)

 0x615000000503 is located 3 bytes to the right of 512-byte region [0x615000000300,0x615000000500)
 allocated by thread T0 here:
     #0 0x4f0be8 in malloc (/home/xxx/libfsntfs/fsntfstools/fsntfsinfo+0x4f0be8)
     #1 0x61c094 in libfsntfs_mft_entry_read_header /home/xxx/libfsntfs/libfsntfs/libfsntfs_mft_entry.c:584:32


Reproducer:
libfsntfs_mft_entry_read_attributes
CVE:
CVE-2018-11731
==============================


Webin security lab - dbapp security Ltd
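
Added example, not part of the original advisory and not libfsntfs code: items 1, 2, 3 and 5 are all reads past a heap buffer while parsing on-disk fields, and the report in item 1 shows a 402653184-byte memcpy from a 1024-byte buffer allocated in libfsntfs_mft_entry_read_header. The C code below shows the bounds checks that must precede such a copy. It assumes a simplified resident-attribute header layout; attr_copy_resident, make_entry and the sample entry are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Resident NTFS attribute header field offsets (simplified; assumed for this example). */
enum { A_SIZE = 4, A_NONRES = 8, A_DATA_SIZE = 16, A_DATA_OFF = 20, A_HDR = 24 };

static uint32_t rd16(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8; }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | rd16(p + 2) << 16; }

/* Copy an attribute's resident data; returns bytes copied, or -1 if a field points outside the entry. */
long attr_copy_resident(const uint8_t *entry, size_t entry_size, size_t offset,
                        uint8_t *out, size_t out_size)
{
    if (offset > entry_size || entry_size - offset < A_HDR)
        return -1;                          /* fixed header must fit in the entry */
    const uint8_t *attr = entry + offset;
    uint32_t attr_size = rd32(attr + A_SIZE);
    if (attr_size < A_HDR || attr_size > entry_size - offset)
        return -1;                          /* attribute must end inside the entry */
    if (attr[A_NONRES] != 0)
        return -1;                          /* non-resident data is out of scope here */
    uint32_t data_size = rd32(attr + A_DATA_SIZE);
    uint32_t data_off  = rd16(attr + A_DATA_OFF);
    /* Compare by subtraction so data_off + data_size can never wrap. */
    if (data_off < A_HDR || data_off > attr_size || data_size > attr_size - data_off)
        return -1;
    if (data_size > out_size)
        return -1;
    memcpy(out, attr + data_off, data_size);
    return (long)data_size;
}

/* Constructed sample: 1024-byte entry, one attribute at offset 56 with 8 data bytes. */
void make_entry(uint8_t entry[1024], uint32_t claimed_data_size)
{
    uint8_t *a = entry + 56;
    memset(entry, 0, 1024);
    a[A_SIZE] = 32;                         /* total attribute size */
    a[A_DATA_OFF] = A_HDR;                  /* data follows the header */
    for (int i = 0; i < 4; i++)             /* little-endian data size field */
        a[A_DATA_SIZE + i] = (uint8_t)(claimed_data_size >> (8 * i));
    memcpy(a + A_HDR, "NTFSDATA", 8);
}

int main(void)
{
    uint8_t entry[1024], out[64];
    make_entry(entry, 402653184u);          /* size seen in the ASan report */
    printf("%ld\n", attr_copy_resident(entry, sizeof entry, 56, out, sizeof out));
    return 0;
}
```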

Attachment: pocs.zip
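
Added example, not part of the original advisory and not libfsntfs code: in item 4 the same buffer is freed in libfsntfs_security_descriptor_values_read_stream and again in libfsntfs_security_descriptor_values_free, reached from libfsntfs_attribute_read_value. The C code below shows the ownership pattern that makes the caller's cleanup safe after the reader has already released the buffer. The struct, the function names and the validity rule are hypothetical.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical values object that owns one heap buffer (not libfsntfs's struct). */
typedef struct { unsigned char *data; } sd_values_t;

int buffer_frees = 0;                       /* instrumentation for this example */

/* Single release point: free the buffer, then clear the owner's pointer. */
static void sd_release(sd_values_t *v)
{
    if (v->data != NULL) { free(v->data); buffer_frees++; }
    v->data = NULL;
}

/* Reader: on a parse failure it releases through sd_release(), never a bare free(). */
int sd_values_read_stream(sd_values_t *v, const unsigned char *src, size_t size)
{
    if (v == NULL || v->data != NULL || src == NULL || size == 0)
        return -1;
    if ((v->data = malloc(size)) == NULL)
        return -1;
    memcpy(v->data, src, size);
    if (v->data[0] != 1) {                  /* constructed rule: first byte must be 1 */
        sd_release(v);
        return -1;
    }
    return 1;
}

/* Destructor the caller runs during error cleanup; a cleared pointer is skipped. */
int sd_values_free(sd_values_t **v)
{
    if (v == NULL || *v == NULL)
        return 1;
    sd_release(*v);
    free(*v);
    *v = NULL;
    return 1;
}

int main(void)
{
    unsigned char bad[4] = { 9, 0, 0, 0 };  /* constructed malformed input */
    sd_values_t *v = calloc(1, sizeof *v);
    int rc = sd_values_read_stream(v, bad, sizeof bad);
    sd_values_free(&v);                     /* caller's error path */
    return (rc == -1 && buffer_frees == 1) ? 0 : 1;
}
```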


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
