libcroco 安全漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1124008 漏洞类型 资源管理错误
发布时间 2017-06-09 更新时间 2019-06-19
CVE编号 CVE-2017-8871 CNNVD-ID CNNVD-201705-543
漏洞平台 Linux CVSS评分 7.1
|漏洞来源
https://www.exploit-db.com/exploits/42147
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201705-543
|漏洞详情
libcroco是一个CSS2解析库。 libcroco 0.6.12版本中的cr-parser.c文件存在资源管理错误漏洞。该漏洞源于网络系统或产品对系统资源(如内存、磁盘空间、文件等)的管理不当。
|漏洞EXP
libcroco multiple vulnerabilities
================
Author : qflb.wu
===============


Introduction:
=============
Libcroco is a standalone css2 parsing and manipulation library.
The parser provides a low level event driven SAC like api and a css object model like api.
Libcroco provides a CSS2 selection engine and an experimental xml/css rendering engine.


Affected version:
=====
0.6.12


Vulnerability Description:
==========================
1. 
the cr_tknzr_parse_comment function in cr-tknzr.c in libcroco 0.6.12 can cause a denial of service (memory allocation error) via a crafted CSS file.


./csslint-0.6 --dump-location libcroco_0_6_12_memory_allocation_error.css


==21841==ERROR: AddressSanitizer failed to allocate 0x20002000 (536879104) bytes of LargeMmapAllocator: 12
...
==21841==AddressSanitizer CHECK failed: /build/buildd/llvm-toolchain-3.4-3.4/projects/compiler-rt/lib/sanitizer_common/sanitizer_posix.cc:68 "(("unable to mmap" && 0)) != (0)" (0x0, 0x0)
    ...
    #10 0x7fd78c2fcb4d in cr_tknzr_parse_comment /home/a/Downloads/libcroco-0.6.12/src/cr-tknzr.c:462
    #11 0x7fd78c2fcb4d in cr_tknzr_get_next_token /home/a/Downloads/libcroco-0.6.12/src/cr-tknzr.c:2218
    #12 0x7fd78c356f6e in cr_parser_try_to_skip_spaces_and_comments /home/a/Downloads/libcroco-0.6.12/src/cr-parser.c:634
    #13 0x7fd78c368a43 in cr_parser_parse_stylesheet /home/a/Downloads/libcroco-0.6.12/src/cr-parser.c:2538
    #14 0x7fd78c368a43 in cr_parser_parse /home/a/Downloads/libcroco-0.6.12/src/cr-parser.c:4381
    #15 0x480a8e in sac_parse_and_display_locations /home/a/Downloads/libcroco-0.6.12/csslint/csslint.c:960
    #16 0x480a8e in main /home/a/Downloads/libcroco-0.6.12/csslint/csslint.c:1001
    #17 0x7fd78b397f44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #18 0x47c95c in _start (/home/a/Downloads/libcroco-0.6.12/csslint/.libs/lt-csslint-0.6+0x47c95c)


    Reproducer:
    libcroco_0_6_12_memory_allocation_error.css
    CVE:
    CVE-2017-8834


2.
The cr_parser_parse_selector_core function in cr-parser.c in libcroco 0.6.12 can cause a denial of service(infinite loop and CPU consumption) via a crafted CSS file.


./csslint-0.6 --dump-location libcroco_0_6_12_infinite_loop.css


Reproducer:
libcroco_0_6_12_infinite_loop.css
CVE:
CVE-2017-8871


===============================


qflb.wu () dbappsecurity com cn


Proofs of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/42147.zip
|参考资料

来源:MISC
链接:https://bugzilla.gnome.org/show_bug.cgi?id=782649
来源:EXPLOIT-DB
链接:https://www.exploit-db.com/exploits/42147/