libcroco 0.6.12 – Denial of Service

• Exploit Database
• 14 阅读

• 作者： qflb.wu
  日期： 2017-06-09
• 类别：

  • dos
  平台：

  • linux
• 来源：https://www.exploit-db.com/exploits/42147/

• libcroco multiple vulnerabilities
  ================
  Author : qflb.wu
  ===============
  
  
  Introduction:
  =============
  Libcroco is a standalone css2 parsing and manipulation library.
  The parser provides a low level event driven SAC like api and a css object model like api.
  Libcroco provides a CSS2 selection engine and an experimental xml/css rendering engine.
  
  
  Affected version:
  =====
  0.6.12
  
  
  Vulnerability Description:
  ==========================
  1. 
  the cr_tknzr_parse_comment function in cr-tknzr.c in libcroco 0.6.12 can cause a denial of service (memory allocation error) via a crafted CSS file.
  
  
  ./csslint-0.6 --dump-location libcroco_0_6_12_memory_allocation_error.css
  
  
  ==21841==ERROR: AddressSanitizer failed to allocate 0x20002000 (536879104) bytes of LargeMmapAllocator: 12
  ...
  ==21841==AddressSanitizer CHECK failed: /build/buildd/llvm-toolchain-3.4-3.4/projects/compiler-rt/lib/sanitizer_common/sanitizer_posix.cc:68 "(("unable to mmap" && 0)) != (0)" (0x0, 0x0)
  ...
  #10 0x7fd78c2fcb4d in cr_tknzr_parse_comment /home/a/Downloads/libcroco-0.6.12/src/cr-tknzr.c:462
  #11 0x7fd78c2fcb4d in cr_tknzr_get_next_token /home/a/Downloads/libcroco-0.6.12/src/cr-tknzr.c:2218
  #12 0x7fd78c356f6e in cr_parser_try_to_skip_spaces_and_comments /home/a/Downloads/libcroco-0.6.12/src/cr-parser.c:634
  #13 0x7fd78c368a43 in cr_parser_parse_stylesheet /home/a/Downloads/libcroco-0.6.12/src/cr-parser.c:2538
  #14 0x7fd78c368a43 in cr_parser_parse /home/a/Downloads/libcroco-0.6.12/src/cr-parser.c:4381
  #15 0x480a8e in sac_parse_and_display_locations /home/a/Downloads/libcroco-0.6.12/csslint/csslint.c:960
  #16 0x480a8e in main /home/a/Downloads/libcroco-0.6.12/csslint/csslint.c:1001
  #17 0x7fd78b397f44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
  #18 0x47c95c in _start (/home/a/Downloads/libcroco-0.6.12/csslint/.libs/lt-csslint-0.6+0x47c95c)
  
  
  Reproducer:
  libcroco_0_6_12_memory_allocation_error.css
  CVE:
  CVE-2017-8834
  
  
  2.
  The cr_parser_parse_selector_core function in cr-parser.c in libcroco 0.6.12 can cause a denial of service(infinite loop and CPU consumption) via a crafted CSS file.
  
  
  ./csslint-0.6 --dump-location libcroco_0_6_12_infinite_loop.css
  
  
  Reproducer:
  libcroco_0_6_12_infinite_loop.css
  CVE:
  CVE-2017-8871
  
  
  ===============================
  
  
  qflb.wu () dbappsecurity com cn
  
  
  Proofs of Concept:
  https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42147.zip