Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1124
There are multiple paths in mkvparser::Block::Block(...) that result in heap buffer overflows. See attached for sample files that trigger the overflow conditions - these will not reliably crash the process, since the overflows are small and don't deterministically corrupt interesting data.
All offsets correspond to the version of the library I have, with md5sum 6708b7a76313c0a51df34c3cec5a0e0d.
Attached are crashers for the test cases; each repeatedly has the mediaserver process parse the file (via binder IPC), which eventually crashes mediaserver when the corrupted data is used.
1) (000035.mkv) Writing outside the bounds of a new[0] allocation.
In mkvparser::Block::Block, there is a call to new[] (0xfd44) with an attacker controlled count. By setting this count to 0, this will be passed by _Znaj/_Znwj as a call to malloc(1). In jemalloc, this will result in a minimum-sized allocation of 8 bytes.
The result of this new[] call is stored in the mkvparser::Block structure at offset 0x1c, and if we take the path resulting in a call to mkvparser::Block::BlockWithEbml (0xfe50), this function will write into this allocation at an offset of 8, overwriting the dword immediately following the allocation (0xfb54).
Because jemalloc places same-size allocations adjacently, this will be the first dword of another allocation of size 8.
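To make the defect class concrete, here is a constructed C++ model (added here, not libwebm's or LG's code) of the pattern described for case 1 and shared by cases 2 and 3: a frame count read from the file sizes a new[] allocation, and a later lacing step writes frame slots without re-checking that count. The Frame layout, the FrameBuffer recorder and the function names are assumptions; stores past the allocation are counted rather than performed, so nothing is actually corrupted.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Constructed model of the bug class (not libwebm's code): one Frame slot,
// 16 bytes on the 32-bit target, matching the report's new[16] for count 1.
struct Frame { int64_t pos; int64_t len; };

// Stand-in for the new Frame[count] buffer. A store outside [0, count) is
// counted instead of corrupting memory, so the overflow can be observed safely.
struct FrameBuffer {
    std::vector<Frame> slots;   // sized exactly like new Frame[count]
    size_t oob_writes = 0;      // stores that would have landed past the allocation
    explicit FrameBuffer(size_t count) : slots(count) {}
    void store(size_t i, Frame f) {
        if (i < slots.size()) slots[i] = f; else ++oob_writes;
    }
};

// Vulnerable shape: the count byte comes straight from the file, sizes the
// allocation, and the EBML-lacing step then writes frames 0 and 1 regardless.
// With count 0 or 1 this is the out-of-bounds write the report describes.
// Returns the number of out-of-bounds stores.
size_t parse_block_unchecked(uint8_t count_byte) {
    size_t frame_count = count_byte;   // attacker controlled
    FrameBuffer frames(frame_count);   // new[0] -> malloc(1) -> 8-byte jemalloc bin
    frames.store(0, Frame{0, 8});      // first frame: OOB when frame_count == 0
    frames.store(1, Frame{8, 8});      // delta-coded second frame: OOB when < 2
    return frames.oob_writes;
}

// Hardened shape: reject a count the lacing logic cannot satisfy, and derive
// every write index from the same count that sized the allocation.
// Returns -1 for a rejected block, otherwise the number of out-of-bounds stores.
int parse_block_checked(uint8_t count_byte) {
    size_t frame_count = count_byte;
    if (frame_count < 1) return -1;    // a block must carry at least one frame
    FrameBuffer frames(frame_count);
    int64_t pos = 0;
    for (size_t i = 0; i < frame_count; ++i) {   // loop bound == allocation size
        frames.store(i, Frame{pos, 8});
        pos += 8;
    }
    return static_cast<int>(frames.oob_writes);
}
```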

Build fingerprint: 'lge/p1_global_com/p1:6.0/MRA58K/1624210305d45:user/release-keys'
Revision: '11'
AM write failed: Broken pipe
ABI: 'arm'
pid: 14682, tid: 14791, name: Binder_2 >>> /system/bin/mediaserver <<<
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0xe3617e2e
r0 f153f250 r1 f003f4e8 r2 00000000 r3 e3617e22
r4 f003f500 r5 f153f250 r6 f003f4e8 r7 f1a59d58
r8 f05008f4 r9 00000000 sl 000003f5 fp f050081c
ip f6680e04 sp f05006a0 lr f667800b pc f714f742 cpsr 600f0030

backtrace:
#00 pc 0000e742 /system/lib/libutils.so (_ZNK7android7RefBase9decStrongEPKv+33)
#01 pc 00008007 /system/lib/libLGCodecParserUtils.so (_ZN7android20MediaExtractorHelperD2Ev+22)
#02 pc 0000801d /system/lib/libLGCodecParserUtils.so (_ZN7android20MediaExtractorHelperD0Ev+4)
#03 pc 0000e753 /system/lib/libutils.so (_ZNK7android7RefBase9decStrongEPKv+50)
#04 pc 000273f1 /system/lib/libLGParserOSAL.so (_ZN7android14LGMKVExtractorD1Ev+124)
#05 pc 00027425 /system/lib/libLGParserOSAL.so (_ZN7android14LGMKVExtractorD0Ev+4)
#06 pc 0000e753 /system/lib/libutils.so (_ZNK7android7RefBase9decStrongEPKv+50)
#07 pc 000d64af /system/lib/libstagefright.so (_ZN7android28StagefrightMetadataRetrieverD1Ev+118)
#08 pc 000d6515 /system/lib/libstagefright.so (_ZN7android28StagefrightMetadataRetrieverD0Ev+4)
#09 pc 0000e753 /system/lib/libutils.so (_ZNK7android7RefBase9decStrongEPKv+50)
#10 pc 00058ee5 /system/lib/libmediaplayerservice.so (_ZN7android23MetadataRetrieverClient10disconnectEv+24)
#11 pc 0008e19d /system/lib/libmedia.so (_ZN7android24BnMediaMetadataRetriever10onTransactEjRKNS_6ParcelEPS1_j+72)
#12 pc 00019931 /system/lib/libbinder.so (_ZN7android7BBinder8transactEjRKNS_6ParcelEPS1_j+60)
#13 pc 0001eccb /system/lib/libbinder.so (_ZN7android14IPCThreadState14executeCommandEi+550)
#14 pc 0001ee35 /system/lib/libbinder.so (_ZN7android14IPCThreadState20getAndExecuteCommandEv+64)
#15 pc 0001ee99 /system/lib/libbinder.so (_ZN7android14IPCThreadState14joinThreadPoolEb+48)
#16 pc 00023909 /system/lib/libbinder.so
#17 pc 000100d1 /system/lib/libutils.so (_ZN7android6Thread11_threadLoopEPv+112)
#18 pc 0003f9ab /system/lib/libc.so (_ZL15__pthread_startPv+30)
#19 pc 0001a0c5 /system/lib/libc.so (__start_thread+6)

2) (000038.mkv) Writing outside the bounds of a new[16] allocation.
Following a similar path through the code, but instead letting the count resolve to 1, we get an allocation of size 16. We will then write outside the bounds of this allocation in mkvparser::Block::BlockWithEbml at (0xfbe0).

Build fingerprint: 'lge/p1_global_com/p1:6.0/MRA58K/1624210305d45:user/release-keys'
Revision: '11'
ABI: 'arm'
pid: 16410, tid: 16516, name: Binder_2 >>> /system/bin/mediaserver <<<
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x6ec
r0 000006ec r1 f06dd3fc r2 00000002 r3 efba11c4
AM write failed: Broken pipe
r4 00000000 r5 00000800 r6 f19cf6c0 r7 00000800
r8 00000000 r9 00000812 sl efba12e0 fp 00001000
ip 00000000 sp f06dd410 lr 00000001 pc f6f31cb8 cpsr 200f0030

backtrace:
#00 pc 00093cb8 /system/lib/libstagefright.so (_ZN7android18CallbackDataSource6readAtExPvj+39)
#01 pc 00093e97 /system/lib/libstagefright.so (_ZN7android15TinyCacheSource6readAtExPvj+230)
#02 pc 000262c9 /system/lib/libLGParserOSAL.so (_ZN19LGDataSourceAdaptor4ReadEPhPm+28)
#03 pc 00014737 /system/lib/liblg_parser_mkv.so (_ZN9MkvReader4ReadExlPh+62)
#04 pc 0000e1ed /system/lib/liblg_parser_mkv.so (_ZN9mkvparser7Segment17DoLoadClusterInfoERxRlS1_S1_+212)
#05 pc 00013c71 /system/lib/liblg_parser_mkv.so (_ZN9mkvparser7Segment13DoLoadClusterERxRl+140)
#06 pc 00013e43 /system/lib/liblg_parser_mkv.so (_ZN9mkvparser7Segment11LoadClusterERxRl+14)
#07 pc 0000aa73 /system/lib/liblg_parser_mkv.so (_ZN13BlockIterator3eosEv+42)
#08 pc 0000b16f /system/lib/liblg_parser_mkv.so (_ZN13BlockIterator7advanceEv+66)
#09 pc 0000b765 /system/lib/liblg_parser_mkv.so (_ZN8MkvTrackC2EP12MkvExtractorm+164)
#10 pc 0000b7d9 /system/lib/liblg_parser_mkv.so (_ZN12MkvExtractor8addTrackEm+24)
#11 pc 00009c81 /system/lib/liblg_parser_mkv.so (_ZN9MKVParser8GetTrackEi+8)
#12 pc 00009dc1 /system/lib/liblg_parser_mkv.so (_ZN9MKVParser4OpenEP11IDataSource+248)
#13 pc 000271f9 /system/lib/libLGParserOSAL.so (_ZN7android14LGMKVExtractorC2ERKNS_2spINS_10DataSourceEEE+200)
#14 pc 00022a85 /system/lib/libLGParserOSAL.so (_ZN7android15LGExtractorOSAL17CreateLGExtractorERKNS_2spINS_10DataSourceEEEPKcRKNS1_INS_8AMessageEEE+68)
#15 pc 000c033b /system/lib/libstagefright.so (_ZN7android14MediaExtractor6CreateERKNS_2spINS_10DataSourceEEEPKc+242)
#16 pc 000d66db /system/lib/libstagefright.so (_ZN7android28StagefrightMetadataRetriever13setDataSourceERKNS_2spINS_10DataSourceEEE+34)
#17 pc 000591e3 /system/lib/libmediaplayerservice.so (_ZN7android23MetadataRetrieverClient13setDataSourceERKNS_2spINS_11IDataSourceEEE+82)
#18 pc 0008e329 /system/lib/libmedia.so (_ZN7android24BnMediaMetadataRetriever10onTransactEjRKNS_6ParcelEPS1_j+468)
#19 pc 00019931 /system/lib/libbinder.so (_ZN7android7BBinder8transactEjRKNS_6ParcelEPS1_j+60)
#20 pc 0001eccb /system/lib/libbinder.so (_ZN7android14IPCThreadState14executeCommandEi+550)
#21 pc 0001ee35 /system/lib/libbinder.so (_ZN7android14IPCThreadState20getAndExecuteCommandEv+64)
#22 pc 0001ee99 /system/lib/libbinder.so (_ZN7android14IPCThreadState14joinThreadPoolEb+48)
#23 pc 00023909 /system/lib/libbinder.so
#24 pc 000100d1 /system/lib/libutils.so (_ZN7android6Thread11_threadLoopEPv+112)
#25 pc 0003f9ab /system/lib/libc.so (_ZL15__pthread_startPv+30)
#26 pc 0001a0c5 /system/lib/libc.so (__start_thread+6)

3) (000128.mkv) Writing outside the bounds of a new[1] allocation.
Similar to 1), but the out-of-bounds write happens at (0xfdd0) without calling through to BlockWithEbml.

Build fingerprint: 'lge/p1_global_com/p1:6.0/MRA58K/1624210305d45:user/release-keys'
Revision: '11'
ABI: 'arm'
pid: 16661, tid: 18181, name: Binder_6 >>> /system/bin/mediaserver <<<
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x1ac
r0 f134e130 r1 e9a3b0d8 r2 00000000 r3 000001a0
AM write failed: Broken pipe
r4 e9a3b0f0 r5 f134e130 r6 e9a3b0d8 r7 ef8b94e8
r8 ee5bf8f4 r9 00000000 sl 000003f5 fp ee5bf81c
ip f61fae04 sp ee5bf6a0 lr f61f200b pc f6cc9742 cpsr 600f0030

backtrace:
#00 pc 0000e742 /system/lib/libutils.so (_ZNK7android7RefBase9decStrongEPKv+33)
#01 pc 00008007 /system/lib/libLGCodecParserUtils.so (_ZN7android20MediaExtractorHelperD2Ev+22)
#02 pc 0000801d /system/lib/libLGCodecParserUtils.so (_ZN7android20MediaExtractorHelperD0Ev+4)
#03 pc 0000e753 /system/lib/libutils.so (_ZNK7android7RefBase9decStrongEPKv+50)
#04 pc 000273f1 /system/lib/libLGParserOSAL.so (_ZN7android14LGMKVExtractorD1Ev+124)
#05 pc 00027425 /system/lib/libLGParserOSAL.so (_ZN7android14LGMKVExtractorD0Ev+4)
#06 pc 0000e753 /system/lib/libutils.so (_ZNK7android7RefBase9decStrongEPKv+50)
#07 pc 000d64af /system/lib/libstagefright.so (_ZN7android28StagefrightMetadataRetrieverD1Ev+118)
#08 pc 000d6515 /system/lib/libstagefright.so (_ZN7android28StagefrightMetadataRetrieverD0Ev+4)
#09 pc 0000e753 /system/lib/libutils.so (_ZNK7android7RefBase9decStrongEPKv+50)
#10 pc 00058ee5 /system/lib/libmediaplayerservice.so (_ZN7android23MetadataRetrieverClient10disconnectEv+24)
#11 pc 0008e19d /system/lib/libmedia.so (_ZN7android24BnMediaMetadataRetriever10onTransactEjRKNS_6ParcelEPS1_j+72)
#12 pc 00019931 /system/lib/libbinder.so (_ZN7android7BBinder8transactEjRKNS_6ParcelEPS1_j+60)
#13 pc 0001eccb /system/lib/libbinder.so (_ZN7android14IPCThreadState14executeCommandEi+550)
#14 pc 0001ee35 /system/lib/libbinder.so (_ZN7android14IPCThreadState20getAndExecuteCommandEv+64)
#15 pc 0001ee99 /system/lib/libbinder.so (_ZN7android14IPCThreadState14joinThreadPoolEb+48)
#16 pc 00023909 /system/lib/libbinder.so
#17 pc 000100d1 /system/lib/libutils.so (_ZN7android6Thread11_threadLoopEPv+112)
#18 pc 0003f9ab /system/lib/libc.so (_ZL15__pthread_startPv+30)
#19 pc 0001a0c5 /system/lib/libc.so (__start_thread+6)

Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/41983.zip