Mageia Bugzilla – Attachment 10345 Details for Bug 23501
sleuthkit new security issues CVE-2017-1375[56], CVE-2017-13760, CVE-2018-1173[7-9], CVE-2018-11740
POC tests before update
sleuthkit.before (text/plain), 3.43 KB, created by Len Lawrence on 2018-09-01 11:13:33 CEST

Description: POC tests before update
Filename: sleuthkit.before
MIME Type: text/plain
Creator: Len Lawrence
Created: 2018-09-01 11:13:33 CEST
Size: 3.43 KB
Mageia 6, x86_64

Before updating sleuthkit-4.4.0-1.mga6
--------------------------------------
CVE-2017-13755
https://github.com/sleuthkit/sleuthkit/issues/913
$ unzip segfault.zip
$ fls segfault.img
Segmentation fault (core dumped)

CVE-2017-13756
https://github.com/sleuthkit/sleuthkit/issues/914
$ base64 -d > hang.zip
UEsDBBQAAAAIADVqGUtBe/v3KgAAAAAGAAAIABwA
aGFuZy5pbWdVVAkAA+aFoFnshaBZdXgLAAEEYTkC
AASIEwAAY2AYBUMRpOyvLQbRTAzNQMwIZDHiUMkK
pRuwyIWuooHTRsEoGAVDBAAAUEsBAh4DFAAAAAgA
NWoZS0F7+/cqAAAAAAYAAAgAGAAAAAAAAAAAAICB
AAAAAGhhbmcuaW1nVVQFAAPmhaBZdXgLAAEEYTkC
AASIEwAAUEsFBgAAAAABAAEATgAAAGwAAAAAAA==
<Ctrl-D>
$ unzip hang.zip
$ mmls -t dos hang.img
Hangs here - <Ctrl-C>

Note: hang.img attached.

CVE-2017-13760
https://github.com/sleuthkit/sleuthkit/issues/906
$ fls hang.img
Cannot determine file system type

This differs from the upstream result - expected hang.

CVE-2018-11737
https://github.com/sleuthkit/sleuthkit/issues/1266
Follow the POC link and unzip the file.
$ unzip ntfsdent_crashes.zip
$ fls -lrp id:000002,sig:06,src:000000,op:flip1,pos:33797
Error in metadata structure (fix_idxrec: Incorrect update sequence value in index buffer
Update Value: 0x0 Actual Value: 0x28 Replacement Value: 0x0
This is typically because of a corrupted entry)

CVE-2018-11738
https://github.com/sleuthkit/sleuthkit/issues/1265
Follow the POC link and unzip the file.
$ fls -lrp id:000001,sig:06,src:000000,op:flip1,pos:6937
Cannot determine file system type
$ fls -lrp id:000020,sig:06,src:000019,op:int32,pos:15925,val:-100663046
Cannot determine file system type

CVE-2018-11739
https://github.com/sleuthkit/sleuthkit/issues/1267
Follow the POC link and unzip the file.

$ fls -lrp id:000015,sig:06,src:000001,op:flip32,pos:1113
d/d 17: $OrphanFiles 0000-00-00 00:00:00 (UTC) 0000-00-00 00:00:00 (UTC) 0000-00-00 00:00:00 (UTC) 0000-00-00 00:00:00 (UTC) 0 00

$ fls -lrp id:000017,sig:06,src:000005,op:arith8,pos:13,val:+7
Cannot determine file system type

$ fls -lrp id:000016,sig:06,src:000001,op:havoc,rep:32
d/d 17: $OrphanFiles 0000-00-00 00:00:00 (UTC) 0000-00-00 00:00:00 (UTC) 0000-00-00 00:00:00 (UTC) 0000-00-00 00:00:00 (UTC) 0 00

$ fls -lrp id:000007,sig:06,src:000000,op:arith8,pos:64,val:-21
Cannot determine file system type

$ fls -lrp id:000014,sig:06,src:000001,op:flip8,pos:1113
d/d 17: $OrphanFiles 0000-00-00 00:00:00 (UTC) 0000-00-00 00:00:00 (UTC) 0000-00-00 00:00:00 (UTC) 0000-00-00 00:00:00 (UTC) 0 00

These results look like random access as would be expected to follow from out of bounds reads, somewhat indeterminate.

CVE-2018-11740
https://github.com/sleuthkit/sleuthkit/issues/1264
Follow the POC link and unzip the file. This contains 15 test files.

13 of these gave similar output to the following:
$ fls -lrp id:000023,sig:06,src:000055,op:flip4,pos:4732
r/r 4: $AttrDef 2031-09-23 19:49:43 (BST) 2031-09-23 19:49:43 (BST) 2031-09-23 19:49:43 (BST) 2031-09-23 19:49:43 (BST) 0 048
[...]

$ fls -lrp id:000019,sig:06,src:000011,op:havoc,rep:64
File system is corrupt (ntfs_attr_walk: Resident attribute 5-0 starting offset and length too large) ( - ntfs_dir_open_meta)

$ fls -lrp id:000003,sig:06,src:000000,op:flip4,pos:660
Cannot determine file system type

It is worth noting here that most of the upstream tests are compiled for the ASAN framework using clang.

CC=clang CXX=clang++ CFLAGS='-fsanitize=address -g -O2 -fno-omit-frame-pointer' CXXFLAGS=$CFLAGS make

This might be useful in any further experiments to incorporate ASAN in local builds.
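The attachment above checks each PoC by hand and relies on Ctrl-C for the hang case. The harness below is an added example (not part of the attachment or of The Sleuth Kit) that runs a tool such as fls or mmls on each PoC image under a time limit and prints a one-word verdict per image, so the "before update" and "after update" runs can be diffed; it assumes GNU coreutils `timeout`, and the PoC directory paths in the usage comment are illustrative.

```shell
#!/bin/sh
# Added example: classify how a Sleuth Kit tool behaves on one PoC image.
# Assumes GNU coreutils `timeout` (exit status 124 when the limit expires).

# classify_run LIMIT_SECONDS CMD [ARGS...]
# Prints: asan | clean | error | hang | crash:<signal number>
classify_run() {
    limit=$1; shift
    out=$(mktemp) || return 1
    status=0
    # -k 2: escalate to SIGKILL if the tool ignores SIGTERM after the limit.
    timeout -k 2 "$limit" "$@" >"$out" 2>&1 || status=$?
    if grep -q AddressSanitizer "$out"; then
        echo asan      # ASAN report on stderr (its exit code is 1 by default), so check the text first
    elif [ "$status" -eq 0 ]; then
        echo clean     # tool finished normally
    elif [ "$status" -eq 124 ]; then
        echo hang      # killed by timeout: the behaviour seen for mmls on hang.img above
    elif [ "$status" -gt 128 ]; then
        echo "crash:$((status - 128))"   # died from a signal; 11 = SIGSEGV, as for segfault.img above
    else
        echo error     # ordinary failure such as "Cannot determine file system type"
    fi
    rm -f "$out"
}

# run_poc_dir LIMIT_SECONDS DIR CMD [ARGS...]
# Runs "CMD ARGS... <image>" for every regular file in DIR; one "verdict<TAB>image" line each.
run_poc_dir() {
    limit=$1; dir=$2; shift 2
    for img in "$dir"/*; do
        [ -f "$img" ] || continue
        printf '%s\t%s\n' "$(classify_run "$limit" "$@" "$img")" "$img"
    done
}

# Usage against an unpacked PoC set (directory name illustrative):
#   run_poc_dir 30 ./ntfsdent_crashes fls -lrp > before.txt
#   ...update the sleuthkit package, then...
#   run_poc_dir 30 ./ntfsdent_crashes fls -lrp > after.txt
#   diff before.txt after.txt
```

With an ASAN build such as the clang command line in the attachment, the `asan` verdict separates sanitizer-detected memory errors from the plain `error` exits that the unsanitized fls reports for several of the same images.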