Monday, July 31, 2017

[FD] Links buffer over-read vulnerability

Links buffer over-read vulnerability
====================================

Author: qflb.wu

Introduction:
=============
Links is a text and graphics mode WWW browser. It includes support for rendering tables and frames, features background downloads, can display colors and has many other features.

Affected version:
=================
2.14

Vulnerability Description:
==========================
The put_chars function in html_r.c in Links 2.14 can cause a denial of service (buffer over-read) via a crafted HTML file.

./links -dump links_2.14_buffer_over_read.html
=================================================================
==10690==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000002303d00 at pc 0x667c5e bp 0x7ffca2e786f0 sp 0x7ffca2e786e8
READ of size 1 at 0x000002303d00 thread T0
    #0 0x667c5d in put_chars /home/a/Documents/links-2.14/html_r.c:662
    #1 0x635815 in put_chars_conv /home/a/Documents/links-2.14/html.c:725
    #2 0x5e92ec in put_chrs /home/a/Documents/links-2.14/html.c:764
    #3 0x5d23f0 in parse_html /home/a/Documents/links-2.14/html.c:2865
    #4 0x64814e in do_format /home/a/Documents/links-2.14/html_r.c:1015
    #5 0x64814e in format_html_part /home/a/Documents/links-2.14/html_r.c:1092
    #6 0x64c42b in really_format_html /home/a/Documents/links-2.14/html_r.c:1248
    #7 0x7e528e in format_html /home/a/Documents/links-2.14/session.c:1177
    #8 0x7e528e in cached_format_html /home/a/Documents/links-2.14/session.c:1420
    #9 0x73fe2a in end_dump /home/a/Documents/links-2.14/main.c:306
    #10 0x77a08e in object_timer /home/a/Documents/links-2.14/objreq.c:425
    #11 0x7beaf2 in check_timers /home/a/Documents/links-2.14/select.c:468
    #12 0x7bc09d in select_loop /home/a/Documents/links-2.14/select.c:890
    #13 0x73bdc9 in main /home/a/Documents/links-2.14/main.c:616
    #14 0x7f2765871ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #15 0x48619c in _start (/home/a/Documents/links-2.14/links+0x48619c)

0x000002303d00 is located 0 bytes to the right of global variable 'put_chars_conv.buffer' from 'html.c' (0x2303c00) of size 256
SUMMARY: AddressSanitizer: global-buffer-overflow /home/a/Documents/links-2.14/html_r.c:662 put_chars
==10690==ABORTING

POC:
links_2.14_buffer_over_read.html

CVE:
CVE-2017-11114
===============================
qflb.wu () dbappsecurity com cn
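The advisory does not quote the affected code, so the following C model is an added illustration (not the Links source) of the bug shape the ASan report describes: a consumer handed a completely filled 256-byte global buffer peeks one byte past its end, producing a 1-byte READ 0 bytes to the right of a size-256 global, shown beside the guarded version that keeps the look-ahead inside the length it was given. The "\r\n" folding logic, the function names and the buffer name are assumptions made for the model, not Links' actual behaviour.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model (not the Links source): a converter fills a fixed
 * 256-byte global buffer and passes it, with an explicit length, to a
 * consumer, mirroring the put_chars_conv -> put_chars split in the trace. */
#define CONV_BUF_SIZE 256
static unsigned char conv_buffer[CONV_BUF_SIZE];

/* Assumed consumer: counts characters, folding "\r\n" into one.
 * When the last byte of a full buffer is '\r', the peek at s[i + 1]
 * reads s[len], i.e. conv_buffer[256]: a 1-byte READ 0 bytes to the
 * right of a 256-byte global, the shape the advisory's report shows. */
static size_t consume_unsafe(const unsigned char *s, size_t len) {
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        if (s[i] == '\r' && s[i + 1] == '\n') /* unguarded look-ahead */
            i++;
        n++;
    }
    return n;
}

/* Hardened consumer: the look-ahead is bounded by len, so every read
 * stays inside [s, s + len). */
static size_t consume_safe(const unsigned char *s, size_t len) {
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        if (s[i] == '\r' && i + 1 < len && s[i + 1] == '\n')
            i++;
        n++;
    }
    return n;
}

/* Constructed input: fill the buffer completely with '\r' as its last
 * byte, the state in which the unsafe consumer steps past the end. */
static size_t fill_buffer_ending_in_cr(void) {
    memset(conv_buffer, 'a', CONV_BUF_SIZE);
    conv_buffer[CONV_BUF_SIZE - 1] = '\r';
    return CONV_BUF_SIZE;
}

int main(void) {
    size_t len = fill_buffer_ending_in_cr();
    /* Under -fsanitize=address the first call is reported, the second is not. */
    printf("unsafe: %zu\n", consume_unsafe(conv_buffer, len));
    printf("safe:   %zu\n", consume_safe(conv_buffer, len));
    return 0;
}
```

Build with `cc -g -fsanitize=address model.c` and run it to see an AddressSanitizer global-buffer-overflow report for the first call, with the same "READ of size 1 ... 0 bytes to the right of" wording as the advisory.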
