
CVE-2022-23850: [Bug Report] stack-buffer-overflow in Function epub2txt_do_file() AT src/epub2txt.c · Issue #17 · kevinboone/epub2txt2

xhtml_translate_entity in xhtml.c in epub2txt (aka epub2txt2) through 2.02 allows a stack-based buffer overflow via a crafted EPUB document.


Description

A stack-buffer-overflow was discovered in epub2txt2.
The issue is triggered in function xhtml_translate_entity() at src/xhtml.c:576.

Version

Version 2.02 (latest)

Environment

Ubuntu 18.04, 64bit

Reproduce Command

git clone the latest version first, then:
make && make install
./epub2txt poc

POC file at the bottom of this report.

With ASAN

Note: ASAN gives a more direct verification than the plain crash.

Compile the program with AddressSanitizer using this modified Makefile (-fsanitize=address and -g are added to the compile line and -fsanitize=address to the link line; the original LDLAGS typo is corrected so the -pie flag actually reaches the linker):
VERSION := 2.02
CC      := gcc
CFLAGS  := -Wall -fPIC -fPIE
LDFLAGS := -pie
DESTDIR :=
PREFIX  := /usr
BINDIR  := /bin
MANDIR  := /share/man
APPNAME := epub2txt

TARGET  := epub2txt
# Quote the pattern so the shell does not expand *.c against the current directory.
SOURCES := $(shell find src/ -type f -name '*.c')
OBJECTS := $(patsubst src/%,build/%,$(SOURCES:.c=.o))
DEPS    := $(OBJECTS:.o=.deps)

# Link with ASAN so the runtime is pulled in and reports are symbolized.
$(TARGET): $(OBJECTS)
	$(CC) -fsanitize=address -o $(TARGET) $(LDFLAGS) $(OBJECTS)

# -g keeps file:line information for the ASAN stack trace.
build/%.o: src/%.c
	@mkdir -p build/
	$(CC) $(CFLAGS) -fsanitize=address -g -DVERSION=\"$(VERSION)\" -DAPPNAME=\"$(APPNAME)\" -MD -MF $(@:.o=.deps) -c -o $@ $<

clean:
	$(RM) -r build/ $(TARGET)

install:
	install -D -m 755 $(APPNAME) $(DESTDIR)/$(PREFIX)/$(BINDIR)/$(APPNAME)
	install -D -m 644 man1/epub2txt.1 $(DESTDIR)/$(PREFIX)/$(MANDIR)/man1/epub2txt.1

uninstall:
	rm -f $(DESTDIR)/$(PREFIX)/$(BINDIR)/$(APPNAME)
	rm -f $(DESTDIR)/$(PREFIX)/$(MANDIR)/man1/epub2txt.1

-include $(DEPS)

.PHONY: clean install uninstall

ASAN Report

warning [./input/id:000029,sig:11,src:000553,time:174169875,op:havoc,rep:4]:  3 extra bytes at beginning or within zipfile
  (attempting to process anyway)
file #1:  bad zipfile offset (local header sig):  3
  (attempting to re-compensate)
/tmp/epub2txt14993/OEBPS/cover.xml  bad CRC aa74ee30  (should be 4874d916)
  error:  invalid compressed data to inflate /tmp/epub2txt14993/OEBPS/images/GeographyofBli-cover.jpg
file #8:  bad zipfile offset (local header sig):  163411
  (attempting to re-compensate)
file #8:  bad zipfile offset (local header sig):  163411
file #9:  bad zipfile offset (local header sig):  181495
/tmp/epub2txt14993/OEBPS/GeographyofBli_toc.html  bad CRC 0938f2f2  (should be 64dedce7)
/tmp/epub2txt14993/OEBPS/GeographyofBli_copyright.html  bad CRC 5d8cbd1a  (should be 9b5bfa5d)
/tmp/epub2txt14993/OEBPS/GeographyofBli_body_split_001.html  bad CRC 1a36209f  (should be 81fec8f3)
=================================================================
==14993==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffffcb14 at pc 0x7ffff6e7e3a6 bp 0x7fffffffca60 sp 0x7fffffffc208
WRITE of size 305 at 0x7fffffffcb14 thread T0
    #0 0x7ffff6e7e3a5  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x663a5)
    #1 0x55555558000e in xhtml_translate_entity src/xhtml.c:576
    #2 0x555555580b34 in xhtml_to_stdout src/xhtml.c:789
    #3 0x555555580680 in xhtml_file_to_stdout src/xhtml.c:700
    #4 0x555555560476 in epub2txt_do_file src/epub2txt.c:494
    #5 0x55555555d3c9 in main src/main.c:187
    #6 0x7ffff6a48bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
    #7 0x55555555c219 in _start (/home/nisl1/nisl8121/Asteriska/fuzz/projects/epub2txt2-master/valid/epub2txt+0x8219)

Address 0x7fffffffcb14 is located in stack of thread T0 at offset 116 in frame
    #0 0x55555557fad4 in xhtml_translate_entity src/xhtml.c:532

  This frame has 2 object(s):
    [32, 36) 'v'
    [96, 116) 'out' <== Memory access at offset 116 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x663a5) 
Shadow bytes around the buggy address:
  0x10007fff7910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7920: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7930: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7950: 00 00 00 00 f1 f1 f1 f1 04 f2 f2 f2 f2 f2 f2 f2
=>0x10007fff7960: 00 00[04]f2 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7980: 00 00 f1 f1 f1 f1 f8 f2 f2 f2 00 00 00 00 00 00
  0x10007fff7990: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2
  0x10007fff79a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff79b0: 00 00 00 00 00 00 f1 f1 f1 f1 f8 f2 f2 f2 f2 f2
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==14993==ABORTING
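The frame information above is the useful part of the report: the function has a 20-byte stack object 'out' ([96, 116)) and receives a single 305-byte write at offset 116, i.e. an entity translation result is written into a fixed-size buffer with no bound on its length. The following is an added example, not epub2txt's xhtml.c (whose source is not on this page): a hypothetical entity translator with the same bug class, written the way the ASAN report implies (a 20-byte stack buffer filled by an unbounded sprintf of an unknown entity name), beside a bounded version and a small XHTML text walker that calls it. The entity table, function names and the "?" replacement policy are assumptions made for the example.

```c
/* Added example: entity translation into a fixed-size stack buffer
 * (the bug class in the ASAN report) beside a bounded version.
 * Hypothetical code, NOT epub2txt's xhtml.c. */
#include <stdio.h>
#include <string.h>

#define OUT_LEN 20   /* same size as the 'out' object in the ASAN frame */

/* Constructed entity table (assumption; the real table is larger). */
static const struct { const char *name; const char *utf8; } entity_table[] = {
    {"amp", "&"}, {"lt", "<"}, {"gt", ">"}, {"quot", "\""},
    {"nbsp", "\xC2\xA0"}, {"copy", "\xC2\xA9"},
};

static const char *lookup_entity(const char *name)
{
    for (size_t i = 0; i < sizeof entity_table / sizeof entity_table[0]; i++)
        if (strcmp(name, entity_table[i].name) == 0)
            return entity_table[i].utf8;
    return NULL;
}

/* VULNERABLE (hypothetical): an unknown entity is echoed back as "&name;"
 * with sprintf into a 20-byte stack buffer, so any name longer than 17
 * bytes overflows 'out', exactly the shape of the report above.
 * Only ever called with short input in this example. */
void translate_entity_unsafe(const char *name, char *dest)
{
    char out[OUT_LEN];
    const char *known = lookup_entity(name);
    if (known)
        strcpy(out, known);
    else
        sprintf(out, "&%s;", name);   /* no bound on strlen(name) */
    strcpy(dest, out);
}

/* Bytes the unsafe version would write into 'out' (including the NUL) for
 * a given entity name; lets us show the overflow without triggering it. */
size_t unsafe_bytes_written(const char *name)
{
    const char *known = lookup_entity(name);
    return known ? strlen(known) + 1 : strlen(name) + 3;
}

/* HARDENED: every write is bounded by the destination size and an
 * oversized entity is rejected instead of echoed. Returns 0 on success,
 * -1 if the translation does not fit (dest is left empty). */
int translate_entity_safe(const char *name, char *dest, size_t destlen)
{
    const char *known = lookup_entity(name);
    if (known) {
        size_t n = strlen(known) + 1;
        if (n > destlen) return -1;
        memcpy(dest, known, n);
        return 0;
    }
    int n = snprintf(dest, destlen, "&%s;", name);
    if (n < 0 || (size_t)n >= destlen) {   /* would have truncated: refuse */
        if (destlen) dest[0] = '\0';
        return -1;
    }
    return 0;
}

/* Walks XHTML text and translates "&name;" runs through the bounded
 * function. An entity that does not fit is replaced by "?"; names of 64+
 * bytes or a bare '&' are copied literally. Output is bounded by outlen.
 * Returns the output length, or -1 if out is too small. */
int xhtml_translate_text(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    const char *p = in;
    while (*p) {
        char piece[OUT_LEN];
        if (*p == '&') {
            const char *semi = strchr(p + 1, ';');
            size_t namelen = semi ? (size_t)(semi - (p + 1)) : 0;
            char name[64];
            if (semi && namelen > 0 && namelen < sizeof name) {
                memcpy(name, p + 1, namelen);
                name[namelen] = '\0';
                if (translate_entity_safe(name, piece, sizeof piece) != 0)
                    strcpy(piece, "?");   /* too long: replace, never overflow */
                p = semi + 1;
            } else {
                strcpy(piece, "&");       /* bare or malformed '&' */
                p++;
            }
        } else {
            piece[0] = *p++;
            piece[1] = '\0';
        }
        size_t piecelen = strlen(piece);
        if (o + piecelen + 1 > outlen) return -1;
        memcpy(out + o, piece, piecelen);
        o += piecelen;
    }
    out[o] = '\0';
    return (int)o;
}
```

Built with `gcc -fsanitize=address -g`, calling translate_entity_unsafe() with a 300-byte entity name produces a stack-buffer-overflow report of the same form as the one above (a WRITE of 303 bytes into the 20-byte 'out'); translate_entity_safe() returns -1 for the same input and writes nothing past the buffer. The fix that matters is the one in translate_entity_safe(): the destination length travels with the pointer and every copy is checked against it.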

POC

For any issue, please contact me:
[email protected]
or on Twitter: @Asteriska8
