Closed leonzhao7 closed 6 years ago
Thx for the report, I'll have a look when time permits.
Another two PoCs to help fix.
so_libpff_item_descriptor.c:66_1.input.txt so_libpff_item_descriptor.c:66_2.input.txt
Latest (cloned from GitHub)
FYI git HEAD is work in progress
The issue here is that there are cyclic index nodes. Added a maximum recursion bound.
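As an added illustration (not libpff's own code) of the kind of bound described above: a recursive walk over a constructed, toy index-node layout that returns an error once the recursion depth bound is exceeded, which is what a cyclic node reference in a crafted file would trigger. The layout, function names and the bound value are assumptions made for the example.

```c
/* Toy in-memory layout of an index-node tree (constructed; not libpff's
 * real on-disk format). Each node refers to up to two child nodes by index;
 * NO_CHILD marks an empty slot. All names here are hypothetical. */
#define MAX_NODES 8
#define NO_CHILD (-1)
#define MAX_RECURSION_DEPTH 64 /* assumed bound; the value is illustrative */

typedef struct {
    int child[2];
} index_node_t;

/* Recursively counts the nodes reachable from `root`.
 * Returns -1 when a child reference is out of range or when the recursion
 * depth exceeds MAX_RECURSION_DEPTH; without that bound a cycle such as
 * 0 -> 1 -> 0 would recurse until the stack is exhausted. */
static int walk_index_nodes(const index_node_t *nodes, int node_count,
                            int root, int depth)
{
    if (root < 0 || root >= node_count)
        return -1; /* dangling reference in the input */
    if (depth > MAX_RECURSION_DEPTH)
        return -1; /* cyclic or implausibly deep tree: stop instead of hanging */

    int total = 1;
    for (int i = 0; i < 2; i++) {
        if (nodes[root].child[i] == NO_CHILD)
            continue;
        int sub = walk_index_nodes(nodes, node_count, nodes[root].child[i],
                                   depth + 1);
        if (sub < 0)
            return -1;
        total += sub;
    }
    return total;
}

/* Constructed well-formed layout: 0 -> {1, 2}, 1 -> {3}; 2 and 3 are leaves. */
int count_acyclic(void)
{
    index_node_t nodes[MAX_NODES] = {
        {{1, 2}}, {{3, NO_CHILD}}, {{NO_CHILD, NO_CHILD}}, {{NO_CHILD, NO_CHILD}},
    };
    return walk_index_nodes(nodes, 4, 0, 0); /* returns 4 */
}

/* Constructed cyclic layout: 0 -> {1}, 1 -> {0}, the crafted-file case. */
int count_cyclic(void)
{
    index_node_t nodes[MAX_NODES] = { {{1, NO_CHILD}}, {{0, NO_CHILD}} };
    return walk_index_nodes(nodes, 2, 0, 0); /* returns -1 */
}
```

A depth bound stops the hang but only after MAX_RECURSION_DEPTH levels; recording already-visited node offsets would additionally reject a cycle on the first revisit.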
@HongxuChen FYI the POC so_libpff_item_descriptor.c:66_2.input.txt is not representative for this issue. To be verbose POC so_libpff_item_descriptor.c:66_1.input.txt is representative.
From so_libpff_item_descriptor.c:66_2.input.txt
libpff_index_node_read_footer_data: unsupported index node type: 0x00.
libpff_index_node_read_data: unable to read index node footer.
libpff_index_node_read_file_io_handle: unable to read index node.
...
CVE-2018-20348 was assigned to this issue.
@abergmann
I again refer to the CWE definition of vulnerability https://cwe.mitre.org/about/faq.html#A.2 not the arbitrary definition upheld by Mitre CVE (see libyal/libevt#5 for context).
The current claims "libpff_item_tree_create_node in libpff_item_tree.c in libpff before experimental-20180714 allows attackers to cause a denial of service (infinite recursion) via a crafted file, related to libfdata_tree_get_node_value in libfdata_tree.c."
This is very hypothetical, libpff is a library that runs locally, not a network service. So this assessment is incomplete and useless as security advisory.
So these claims are dependent on many factors:
Where is the analysis of these?
And again a completely worthless assessment by NIST-NVD https://nvd.nist.gov/vuln/detail/CVE-2018-20348
CVSS v2.0 Severity and Metrics:
Base Score: 4.3 MEDIUM
Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (AU): None
Confidentiality (C): None
Integrity (I): None
Availability (A): Partial
Additional Information:
Victim must voluntarily interact with attack mechanism
Allows disruption of service
This library has no network capabilities, so this assessment is BS. Seeing that NIST NVD has been informed about the lack of network capabilities in this library before, I can only conclude that they are incapable of making accurate "vulnerability" impact assessments.
If you're here about CVE-2018-20348 please read https://github.com/libyal/libpff/issues/66.
Note that the work done by Mitre-CVE and NIST-NVD for CVE-2018-20348 to provide security advice is incomplete and useless.
Tested Version
Latest (cloned from GitHub)
Command and argument
./pffexport ${POCfile}
Crash Information
The output of pffexport with AddressSanitizer enabled; it seems the program falls into an infinite loop.
gdb and backtrace
POC file
libpff-libpff_item_tree_create_node-798.zip
CREDIT
Zhao Liang, Huawei Weiran Labs