CVE-2016-8384 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Marklogic 8.05.5

047910
CVSS 8.8 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
low complexity
marklogic
CWE-119

Summary

An exploitable heap corruption vulnerability exists in the DHFSummary functionality of AntennaHouse DMC HTMLFilter.

Vulnerable Configurations

Part         Description   Count
Application  Marklogic     1

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Seebug

bulletinFamily: exploit
description:

### Summary

An exploitable heap corruption vulnerability exists in the DHFSummary functionality of AntennaHouse DMC HTMLFilter. A specially crafted doc file can cause a heap corruption resulting in arbitrary code execution. An attacker can provide a malicious doc file to trigger this vulnerability.

### Tested Versions

AntennaHouse DMC HTMLFilter shipped with MarkLogic 8.0-5.5

```
1415cbc784f05db0e9db424636df581a libdhf_comm.so
81db1b55e18a0cb70a78410147f50b9c libdhf_htmlif.so
fb1a22fa08c986ec3614284f4e912b0a libdhf_rdoc.so
b2622da4ce1aa7fa4aac10ee7d3407cf libdhf_rppt.so
1eabb31236c675f9856a7d001b339334 libdhf_rxls.so
d716dd77c8e9ee88df435e74fad687e6 libdhf_whtml.so
15b0acc464fba28335239f722a62037f libdmc_comm.so
4ae366fbd4540dd4c750e6679eb63dd4 libdmc_conf.so
84009641f744d88fd1737d59b7c71ab1 libdmc_dtct.so
```

### Product URLs

https://www.antennahouse.com/antenna1/

### CVSSv3 Score

8.3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

### Details

This vulnerability is present in the AntennaHouse DMC HTMLFilter, which is used, among other things, to convert doc files to (x)html form. This product is mainly used by MarkLogic for doc document conversions as part of their web based document search and rendering engine. A specially crafted DOC file can lead to heap corruption and ultimately to remote code execution. Let's investigate this vulnerability.

After executing the DOC to html converter with a malformed doc file as input, we can easily observe a couple of flaws using Valgrind:

```
icewall@ubuntu:~/bugs/cvtofc$ valgrind ./convert config_doc
==7273== Memcheck, a memory error detector
==7273== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==7273== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
==7273== Command: ./convert config_doc
==7273==
input=/home/icewall/bugs/cvtofc/config_doc/toconv.doc
output=/home/icewall/bugs/cvtofc/config_doc/conv.html
type=1
info.options='0'
Return from GetFileInfo=0
HtmlInfo.GroupName=UTF-8
HtmlInfo.DefLangName=English
HtmlInfo.bBigEndian=0
HtmlInfo.options=0
HtmlInfo.SheetId=0
HtmlInfo.SlideId=0
HtmlInfo.lpFunc=(nil)
HtmlInfo.szImageFolder=
==7273== Invalid write of size 4
==7273==    at 0x402EE82: memcpy (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==7273==    by 0x42DD3D2: DMC_2OLEreadStream (in /home/icewall/bugs/cvtofc/libdmc_comm.so)
==7273==    by 0x433B1C5: DHFSummary (in /home/icewall/bugs/cvtofc/libdhf_comm.so)
==7273==    by 0x433B5B3: DHF_SummaryInfo (in /home/icewall/bugs/cvtofc/libdhf_comm.so)
==7273==    by 0x638D736: Doc_PutSummaryInfo (in /home/icewall/bugs/cvtofc/libdhf_rdoc.so)
==7273==    by 0x635D308: SimReadText (in /home/icewall/bugs/cvtofc/libdhf_rdoc.so)
==7273==    by 0x6342C7E: DHF_ROpen (in /home/icewall/bugs/cvtofc/libdhf_rdoc.so)
==7273==    by 0x4039765: FilterToHtml (in /home/icewall/bugs/cvtofc/libdhf_htmlif.so)
==7273==    by 0x4038AFB: DHF_GetHtml_V11 (in /home/icewall/bugs/cvtofc/libdhf_htmlif.so)
==7273==    by 0x8049AF7: main (in /home/icewall/bugs/cvtofc/convert)
==7273==  Address 0x443da64 is 2 bytes after a block of size 2 alloc'd
==7273==    at 0x402A17C: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==7273==    by 0x42DACB1: DMC_malloc (in /home/icewall/bugs/cvtofc/libdmc_comm.so)
==7273==    by 0x433B19B: DHFSummary (in /home/icewall/bugs/cvtofc/libdhf_comm.so)
==7273==    by 0x433B5B3: DHF_SummaryInfo (in /home/icewall/bugs/cvtofc/libdhf_comm.so)
==7273==    by 0x638D736: Doc_PutSummaryInfo (in /home/icewall/bugs/cvtofc/libdhf_rdoc.so)
==7273==    by 0x635D308: SimReadText (in /home/icewall/bugs/cvtofc/libdhf_rdoc.so)
==7273==    by 0x6342C7E: DHF_ROpen (in /home/icewall/bugs/cvtofc/libdhf_rdoc.so)
==7273==    by 0x4039765: FilterToHtml (in /home/icewall/bugs/cvtofc/libdhf_htmlif.so)
==7273==    by 0x4038AFB: DHF_GetHtml_V11 (in /home/icewall/bugs/cvtofc/libdhf_htmlif.so)
==7273==    by 0x8049AF7: main (in /home/icewall/bugs/cvtofc/convert)
==7273==
==7273== Invalid read of size 1
==7273==    at 0x433A6C0: DHFSum_GetDWord (in /home/icewall/bugs/cvtofc/libdhf_comm.so)
==7273==    by 0x433B1D1: DHFSummary (in /home/icewall/bugs/cvtofc/libdhf_comm.so)
==7273==    by 0x433B5B3: DHF_SummaryInfo (in /home/icewall/bugs/cvtofc/libdhf_comm.so)
==7273==    by 0x638D736: Doc_PutSummaryInfo (in /home/icewall/bugs/cvtofc/libdhf_rdoc.so)
==7273==    by 0x635D308: SimReadText (in /home/icewall/bugs/cvtofc/libdhf_rdoc.so)
==7273==    by 0x6342C7E: DHF_ROpen (in /home/icewall/bugs/cvtofc/libdhf_rdoc.so)
==7273==    by 0x4039765: FilterToHtml (in /home/icewall/bugs/cvtofc/libdhf_htmlif.so)
==7273==    by 0x4038AFB: DHF_GetHtml_V11 (in /home/icewall/bugs/cvtofc/libdhf_htmlif.so)
==7273==    by 0x8049AF7: main (in /home/icewall/bugs/cvtofc/convert)
==7273==  Address 0x443da64 is 2 bytes after a block of size 2 alloc'd
==7273==    at 0x402A17C: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==7273==    by 0x42DACB1: DMC_malloc (in /home/icewall/bugs/cvtofc/libdmc_comm.so)
==7273==    by 0x433B19B: DHFSummary (in /home/icewall/bugs/cvtofc/libdhf_comm.so)
==7273==    by 0x433B5B3: DHF_SummaryInfo (in /home/icewall/bugs/cvtofc/libdhf_comm.so)
==7273==    by 0x638D736: Doc_PutSummaryInfo (in /home/icewall/bugs/cvtofc/libdhf_rdoc.so)
==7273==    by 0x635D308: SimReadText (in /home/icewall/bugs/cvtofc/libdhf_rdoc.so)
==7273==    by 0x6342C7E: DHF_ROpen (in /home/icewall/bugs/cvtofc/libdhf_rdoc.so)
==7273==    by 0x4039765: FilterToHtml (in /home/icewall/bugs/cvtofc/libdhf_htmlif.so)
==7273==    by 0x4038AFB: DHF_GetHtml_V11 (in /home/icewall/bugs/cvtofc/libdhf_htmlif.so)
==7273==    by 0x8049AF7: main (in /home/icewall/bugs/cvtofc/convert)
==7273==
==7273== Invalid read of size 1
==7273==    at 0x433A6C4: DHFSum_GetDWord (in /home/icewall/bugs/cvtofc/libdhf_comm.so)
==7273==    by 0x433B1D1: DHFSummary (in /home/icewall/bugs/cvtofc/libdhf_comm.so)
==7273==    by 0x433B5B3: DHF_SummaryInfo (in /home/icewall/bugs/cvtofc/libdhf_comm.so)
==7273==    by 0x638D736: Doc_PutSummaryInfo (in /home/icewall/bugs/cvtofc/libdhf_rdoc.so)
==7273==    by 0x635D308: SimReadText (in /home/icewall/bugs/cvtofc/libdhf_rdoc.so)
==7273==    by 0x6342C7E: DHF_ROpen (in /home/icewall/bugs/cvtofc/libdhf_rdoc.so)
==7273==    by 0x4039765: FilterToHtml (in /home/icewall/bugs/cvtofc/libdhf_htmlif.so)
==7273==    by 0x4038AFB: DHF_GetHtml_V11 (in /home/icewall/bugs/cvtofc/libdhf_htmlif.so)
==7273==    by 0x8049AF7: main (in /home/icewall/bugs/cvtofc/convert)
==7273==  Address 0x443da65 is 3 bytes after a block of size 2 alloc'd
==7273==    at 0x402A17C: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==7273==    by 0x42DACB1: DMC_malloc (in /home/icewall/bugs/cvtofc/libdmc_comm.so)
==7273==    by 0x433B19B: DHFSummary (in /home/icewall/bugs/cvtofc/libdhf_comm.so)
==7273==    by 0x433B5B3: DHF_SummaryInfo (in /home/icewall/bugs/cvtofc/libdhf_comm.so)
==7273==    by 0x638D736: Doc_PutSummaryInfo (in /home/icewall/bugs/cvtofc/libdhf_rdoc.so)
==7273==    by 0x635D308: SimReadText (in /home/icewall/bugs/cvtofc/libdhf_rdoc.so)
==7273==    by 0x6342C7E: DHF_ROpen (in /home/icewall/bugs/cvtofc/libdhf_rdoc.so)
==7273==    by 0x4039765: FilterToHtml (in /home/icewall/bugs/cvtofc/libdhf_htmlif.so)
==7273==    by 0x4038AFB: DHF_GetHtml_V11 (in /home/icewall/bugs/cvtofc/libdhf_htmlif.so)
==7273==    by 0x8049AF7: main (in /home/icewall/bugs/cvtofc/convert)
==7273==
==7273== Invalid read of size 1
==7273==    at 0x433A6CA: DHFSum_GetDWord (in /home/icewall/bugs/cvtofc/libdhf_comm.so)
==7273==    by 0x433B1D1: DHFSummary (in /home/icewall/bugs/cvtofc/libdhf_comm.so)
==7273==    by 0x433B5B3: DHF_SummaryInfo (in /home/icewall/bugs/cvtofc/libdhf_comm.so)
==7273==    by 0x638D736: Doc_PutSummaryInfo (in /home/icewall/bugs/cvtofc/libdhf_rdoc.so)
==7273==    by 0x635D308: SimReadText (in /home/icewall/bugs/cvtofc/libdhf_rdoc.so)
==7273==    by 0x6342C7E: DHF_ROpen (in /home/icewall/bugs/cvtofc/libdhf_rdoc.so)
==7273==    by 0x4039765: FilterToHtml (in /home/icewall/bugs/cvtofc/libdhf_htmlif.so)
==7273==    by 0x4038AFB: DHF_GetHtml_V11 (in /home/icewall/bugs/cvtofc/libdhf_htmlif.so)
==7273==    by 0x8049AF7: main (in /home/icewall/bugs/cvtofc/convert)
==7273==  Address 0x443da66 is 4 bytes after a block of size 2 alloc'd
==7273==    at 0x402A17C: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==7273==    by 0x42DACB1: DMC_malloc (in /home/icewall/bugs/cvtofc/libdmc_comm.so)
==7273==    by 0x433B19B: DHFSummary (in /home/icewall/bugs/cvtofc/libdhf_comm.so)
==7273==    by 0x433B5B3: DHF_SummaryInfo (in /home/icewall/bugs/cvtofc/libdhf_comm.so)
==7273==    by 0x638D736: Doc_PutSummaryInfo (in /home/icewall/bugs/cvtofc/libdhf_rdoc.so)
==7273==    by 0x635D308: SimReadText (in /home/icewall/bugs/cvtofc/libdhf_rdoc.so)
==7273==    by 0x6342C7E: DHF_ROpen (in /home/icewall/bugs/cvtofc/libdhf_rdoc.so)
==7273==    by 0x4039765: FilterToHtml (in /home/icewall/bugs/cvtofc/libdhf_htmlif.so)
==7273==    by 0x4038AFB: DHF_GetHtml_V11 (in /home/icewall/bugs/cvtofc/libdhf_htmlif.so)
==7273==    by 0x8049AF7: main (in /home/icewall/bugs/cvtofc/convert)
==7273==
==7273== Invalid read of size 1
==7273==    at 0x433A6D0: DHFSum_GetDWord (in /home/icewall/bugs/cvtofc/libdhf_comm.so)
==7273==    by 0x433B1D1: DHFSummary (in /home/icewall/bugs/cvtofc/libdhf_comm.so)
==7273==    by 0x433B5B3: DHF_SummaryInfo (in /home/icewall/bugs/cvtofc/libdhf_comm.so)
==7273==    by 0x638D736: Doc_PutSummaryInfo (in /home/icewall/bugs/cvtofc/libdhf_rdoc.so)
==7273==    by 0x635D308: SimReadText (in /home/icewall/bugs/cvtofc/libdhf_rdoc.so)
==7273==    by 0x6342C7E: DHF_ROpen (in /home/icewall/bugs/cvtofc/libdhf_rdoc.so)
==7273==    by 0x4039765: FilterToHtml (in /home/icewall/bugs/cvtofc/libdhf_htmlif.so)
==7273==    by 0x4038AFB: DHF_GetHtml_V11 (in /home/icewall/bugs/cvtofc/libdhf_htmlif.so)
==7273==    by 0x8049AF7: main (in /home/icewall/bugs/cvtofc/convert)
==7273==  Address 0x443da67 is 5 bytes after a block of size 2 alloc'd
==7273==    at 0x402A17C: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==7273==    by 0x42DACB1: DMC_malloc (in /home/icewall/bugs/cvtofc/libdmc_comm.so)
==7273==    by 0x433B19B: DHFSummary (in /home/icewall/bugs/cvtofc/libdhf_comm.so)
==7273==    by 0x433B5B3: DHF_SummaryInfo (in /home/icewall/bugs/cvtofc/libdhf_comm.so)
==7273==    by 0x638D736: Doc_PutSummaryInfo (in /home/icewall/bugs/cvtofc/libdhf_rdoc.so)
==7273==    by 0x635D308: SimReadText (in /home/icewall/bugs/cvtofc/libdhf_rdoc.so)
==7273==    by 0x6342C7E: DHF_ROpen (in /home/icewall/bugs/cvtofc/libdhf_rdoc.so)
==7273==    by 0x4039765: FilterToHtml (in /home/icewall/bugs/cvtofc/libdhf_htmlif.so)
==7273==    by 0x4038AFB: DHF_GetHtml_V11 (in /home/icewall/bugs/cvtofc/libdhf_htmlif.so)
==7273==    by 0x8049AF7: main (in /home/icewall/bugs/cvtofc/convert)
==7273==
==7273== Syscall param write(buf) points to uninitialised byte(s)
==7273==    at 0x41DD003: __write_nocancel (syscall-template.S:81)
==7273==    by 0x4170D20: _IO_file_write@@GLIBC_2.1 (fileops.c:1261)
==7273==    by 0x416FF5E: new_do_write (fileops.c:538)
==7273==    by 0x4171CCD: _IO_do_write@@GLIBC_2.1 (fileops.c:511)
==7273==    by 0x417159F: _IO_file_close_it@@GLIBC_2.1 (fileops.c:165)
==7273==    by 0x416567F: fclose@@GLIBC_2.1 (iofclose.c:59)
==7273==    by 0x42DAA49: DMC_FileClose (in /home/icewall/bugs/cvtofc/libdmc_comm.so)
==7273==    by 0x636221E: SimReadText (in /home/icewall/bugs/cvtofc/libdhf_rdoc.so)
==7273==    by 0x6342C7E: DHF_ROpen (in /home/icewall/bugs/cvtofc/libdhf_rdoc.so)
==7273==    by 0x4039765: FilterToHtml (in /home/icewall/bugs/cvtofc/libdhf_htmlif.so)
==7273==    by 0x4038AFB: DHF_GetHtml_V11 (in /home/icewall/bugs/cvtofc/libdhf_htmlif.so)
==7273==    by 0x8049AF7: main (in /home/icewall/bugs/cvtofc/convert)
==7273==  Address 0x40403fe is not stack'd, malloc'd or (recently) free'd
==7273==
==7273== Source and destination overlap in strcpy(0x43df78d, 0x43df78d)
==7273==    at 0x402D56F: strcpy (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==7273==    by 0x63B686F: DHF_WOpen (in /home/icewall/bugs/cvtofc/libdhf_whtml.so)
==7273==    by 0x4039779: FilterToHtml (in /home/icewall/bugs/cvtofc/libdhf_htmlif.so)
==7273==    by 0x4038AFB: DHF_GetHtml_V11 (in /home/icewall/bugs/cvtofc/libdhf_htmlif.so)
==7273==    by 0x8049AF7: main (in /home/icewall/bugs/cvtofc/convert)
==7273==
```

We see in the first couple of lines of the Valgrind output that in the `DHFSummary` function the argument passed to malloc is equal to 2:

```
Address 0x443da64 is 2 bytes after a block of size 2 alloc'd
```

The argument value is quite small and it can be the result of a malformed field coming directly from the document. Let's take a glance at the pseudo code of this function and investigate the origin of the malloc argument. The pseudo code looks as follows:

```
Line 1   signed int __cdecl DHFSummary(struct_a1 *a1, int a2, int a3)
Line 2   {
Line 3     (...)
Line 4     if ( (!v7 && !v8) == v7 )
Line 5     {
Line 6       DMC_2OLEreadStream(a1->streamHandle, (char *)&bufferPtr, 4u);
Line 7       offset = DHFSum_GetDWord((int)a1, (int)&bufferPtr);
Line 8       DMC_2OLEseekStream(a1->streamHandle, offset, 0);
Line 9       DMC_2OLEreadStream(a1->streamHandle, (char *)&bufferPtr, 4u);
Line 10      someSize = DHFSum_GetDWord((int)a1, (int)&bufferPtr);
Line 11      v35 = DMC_malloc(someSize + 2);
Line 12      if ( !v35 )
Line 13      {
Line 14        DMC_2OLEcloseStream(a1->streamHandle, v29, v31, 8202);
Line 15        return 12;
Line 16      }
Line 17      DMC_2OLEreadStream(a1->streamHandle, (char *)(v35 + 4), (unsigned __int16)(someSize - 4));
Line 18      (...)
```

At `line 10` the DWORD value `someSize` is read directly from the file and is later used as a malloc argument. In our case `someSize` equals 0, which corresponds to the Valgrind output (since `someSize` + 2 = 2). From which region of the file does this value come, and which structure is it related to?
The name of the function suggests that the value comes from the Document Summary Information:

```
3C00h: FE FF 00 00 03 0A 01 00 00 00 00 00 00 00 00 00  þÿ..............
3C10h: 00 00 00 00 00 00 00 00 01 00 00 00 02 D5 CD D5  .............ÕÍÕ
3C20h: 9C 2E 1B 10 93 97 08 00 2B 2C F9 AE B0 00 00 00  œ...“—..+,ù®°...
3C30h: E8 00 00 00 0C 00 00 00 01 00 00 00 68 00 00 00  è...........h...
3C40h: 0F 00 00 00 70 00 00 00 05 00 00 00 7C 00 00 00  ....p.......|...
3C50h: 06 00 00 00 84 00 DD FF 11 00 00 00 8C 00 00 00  ....„.Ýÿ....Œ...
3C60h: 17 00 00 00 94 00 00 00 0B 00 00 00 9C 00 00 00  ....”.......œ...
3C70h: 10 00 00 00 A4 00 00 00 13 00 00 00 AC 00 00 00  ....¤.......¬...
3C80h: 16 00 00 00 B4 00 00 00 0D 00 00 00 BC 00 00 00  ....´.......¼...
3C90h: 0C 00 00 00 C9 00 00 00 02 00 00 00 10 27 00 00  ....É........'..
3CA0h: 1E 00 00 00 1E 00 00 00 7A 00 00 00 03 00 00 00  ........z.......
3CB0h: 00 00 00 00 03 00 00 00 00 00 00 00 03 00 00 00  ................
3CC0h: 00 00 00 00 03 00 00 00 00 00 0E 00 0B 00 00 00  ................
3CD0h: 00 00 00 00 0B 00 00 00 00 00 00 00 0B 00 00 00  ................
3CE0h: 00 00 00 00 0B 00 00 00 00 00 00 00 1E 10 00 00  ................
3CF0h: 01 00 00 00 01 00 00 00 00 0C 10 00 00 02 00 00  ................
```

The value of `someSize` is read from offset 0x3cb0. `Line 17` is the place where the integer underflow appears and causes further issues: there, `someSize - 4` bytes are read from the file into the buffer `v35` allocated at `line 11`. Because `someSize` equals 0, the result of the subtraction is `0xfffffffc`, but since it gets cast to `unsigned __int16`, we end up with the value `0xfffc`. The size of the `v35` buffer is `2`, while in the function `DMC_2OLEreadStream` `0xfffc` bytes are read into that buffer, causing a heap-based buffer overflow resulting in heap corruption.
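The size arithmetic walked through above, as an added example in C that is not part of the advisory or of the vendor's code: it reproduces the allocation length from line 11 and the read length from line 17 of the pseudo code without performing the overflowing read, and places a checked version of the same parse beside it that rejects a `someSize` below 4 (the wrapping case) and one the 16-bit cast would truncate. The stream layout, the sample bytes and all function names are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample streams (not taken from the advisory's file): the first four
   bytes are the little-endian DWORD the parser takes as someSize. BAD_STREAM mirrors
   the zeroed DWORD the advisory shows at offset 0x3CB0 of the malformed document. */
static const uint8_t BAD_STREAM[4]   = { 0x00, 0x00, 0x00, 0x00 };
static const uint8_t GOOD_STREAM[12] = { 0x0C, 0x00, 0x00, 0x00,
                                         'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h' };
/* Little-endian DWORD read; stands in for DHFSum_GetDWord (assumed behaviour). */
static uint32_t get_dword_le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
/* Line 11 of the pseudo code: DMC_malloc(someSize + 2). */
uint32_t dhf_alloc_len(uint32_t someSize) { return someSize + 2; }

/* Line 17 of the pseudo code: (unsigned __int16)(someSize - 4). For someSize == 0
   the subtraction wraps to 0xFFFFFFFC and the cast keeps 0xFFFC. */
uint16_t dhf_read_len(uint32_t someSize) { return (uint16_t)(someSize - 4); }

/* 1 if the read at line 17 (written at offset 4 of the block) stays inside the
   block allocated at line 11, 0 if it runs past it. */
int dhf_read_fits(uint32_t someSize)
{
    uint64_t end = 4ull + dhf_read_len(someSize);
    return end <= (uint64_t)dhf_alloc_len(someSize);
}

/* Hardened version of the same parse: validate someSize before allocating and
   copying. Returns the payload length copied into a new block stored in *out,
   or -1 when the declared size is rejected. */
long parse_summary_checked(const uint8_t *stream, size_t stream_len, uint8_t **out)
{
    if (stream_len < 4) return -1;
    uint32_t someSize = get_dword_le(stream);
    if (someSize < 4) return -1;               /* would wrap at line 17 */
    if (someSize > 0xFFFF) return -1;          /* the 16-bit cast would truncate */
    size_t payload = someSize - 4;
    if (payload > stream_len - 4) return -1;   /* declares more than is present */
    uint8_t *buf = calloc(someSize + 2, 1);    /* same block size as line 11 */
    if (!buf) return -1;
    memcpy(buf + 4, stream + 4, payload);      /* now provably in bounds */
    *out = buf;
    return (long)payload;
}

/* Parse a sample stream, verify the copied payload, free it; -1 means rejected. */
long parse_sample(const uint8_t *stream, size_t stream_len)
{
    uint8_t *out = NULL;
    long n = parse_summary_checked(stream, stream_len, &out);
    if (n >= 0 && memcmp(out + 4, stream + 4, (size_t)n) != 0) n = -2;
    free(out);
    return n;
}

int main(void)
{
    printf("someSize=0 -> malloc(%u), read of %u bytes, fits=%d\n",
           dhf_alloc_len(0), (unsigned)dhf_read_len(0), dhf_read_fits(0));
    printf("BAD_STREAM -> %ld, GOOD_STREAM -> %ld\n",
           parse_sample(BAD_STREAM, sizeof BAD_STREAM),
           parse_sample(GOOD_STREAM, sizeof GOOD_STREAM));
    return 0;
}
```

`dhf_read_fits` also covers the other wrapping edge, where `someSize + 2` itself overflows to a tiny allocation.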
### Crash Information

```
Starting program: /home/icewall/bugs/cvtofc/convert config_doc/
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
input=/home/icewall/bugs/cvtofc/config_doc/toconv.doc
output=/home/icewall/bugs/cvtofc/config_doc/conv.html
type=1
info.options='0'
Return from GetFileInfo=0
HtmlInfo.GroupName=UTF-8
HtmlInfo.DefLangName=English
HtmlInfo.bBigEndian=0
HtmlInfo.options=0
HtmlInfo.SheetId=0
HtmlInfo.SlideId=0
HtmlInfo.lpFunc=(nil)
HtmlInfo.szImageFolder=
*** Error in `/home/icewall/bugs/cvtofc/convert': free(): corrupted unsorted chunks: 0x080a4ec8 ***

Program received signal SIGABRT, Aborted.
[----------------------------------registers-----------------------------------]
EAX: 0x0
EBX: 0x8d65
ECX: 0x8d65
EDX: 0x6
ESI: 0x64 ('d')
EDI: 0xf7f08000 --> 0x1aada8
EBP: 0xfffe85f8 --> 0x80a52f0 --> 0x410
ESP: 0xfffe8334 --> 0xfffe85f8 --> 0x80a52f0 --> 0x410
EIP: 0xf7fdace0 (pop    ebp)
EFLAGS: 0x296 (carry PARITY ADJUST zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0xf7fdacdc:  nop
   0xf7fdacdd:  nop
   0xf7fdacde:  int    0x80
=> 0xf7fdace0:  pop    ebp
   0xf7fdace1:  pop    edx
   0xf7fdace2:  pop    ecx
   0xf7fdace3:  ret
   0xf7fdace4:  int3
[------------------------------------stack-------------------------------------]
0000| 0xfffe8334 --> 0xfffe85f8 --> 0x80a52f0 --> 0x410
0004| 0xfffe8338 --> 0x6
0008| 0xfffe833c --> 0x8d65
0012| 0xfffe8340 --> 0xf7d8b687 (xchg   ebx,edi)
0016| 0xfffe8344 --> 0xf7f08000 --> 0x1aada8
0020| 0xfffe8348 --> 0xfffe83e4 --> 0x0
0024| 0xfffe834c --> 0xf7d8eab3 (mov    edx,DWORD PTR gs:0x8)
0028| 0xfffe8350 --> 0x6
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGABRT
0xf7fdace0 in ?? ()
gdb-peda$ bt
#0  0xf7fdace0 in ?? ()
#1  0xf7dd04ba in malloc_printerr (action=<optimized out>, str=0xf7ec2e14 "free(): corrupted unsorted chunks", ptr=0x80a4ec8) at malloc.c:4996
#2  0xf7dd112d in _int_free (av=0xf7f08420 <main_arena>, p=<optimized out>, have_lock=0x0) at malloc.c:3840
#3  0xf7cdbcd6 in DMC_free () from ./libdmc_comm.so
#4  0xf7cde285 in DMC_2OLEcloseStream () from ./libdmc_comm.so
#5  0xf7cd3092 in DHFSummary () from ./libdhf_comm.so
#6  0xf7cd35b4 in DHF_SummaryInfo () from ./libdhf_comm.so
#7  0xf7cb7737 in Doc_PutSummaryInfo () from ./libdhf_rdoc.so
#8  0xf7c87309 in SimReadText () from ./libdhf_rdoc.so
#9  0xf7c6cc7f in DHF_ROpen () from ./libdhf_rdoc.so
#10 0xf7fd4766 in FilterToHtml () from ./libdhf_htmlif.so
#11 0xf7fd3afc in DHF_GetHtml_V11 () from ./libdhf_htmlif.so
#12 0x08049af8 in main ()
#13 0xf7d76af3 in __libc_start_main (main=0x8049730 <main>, argc=0x2, argv=0xffffd124, init=0x8049f70 <__libc_csu_init>, fini=0x8049f60 <__libc_csu_fini>, rtld_fini=0xf7feb160 <_dl_fini>, stack_end=0xffffd11c) at libc-start.c:287
#14 0x08048ad1 in _start ()
gdb-peda$ exploitable -m
Warning: machine string printing is deprecated and may be removed in a future release.
EXCEPTION_FAULTING_ADDRESS:0x00000000008d65
EXCEPTION_CODE:0x6
FAULTING_INSTRUCTION:pop ebp
MAJOR_HASH:66b5fa9a480d4fac19e9e6f0d702e905
MINOR_HASH:9ba04a1737476eab9f719eecd62f92b1
STACK_DEPTH:13
STACK_FRAME:[vdso]+0x0
STACK_FRAME:/lib/i386-linux-gnu/libc-2.19.so!malloc_printerr+0x0
STACK_FRAME:/lib/i386-linux-gnu/libc-2.19.so!_int_free+0x0
STACK_FRAME:/home/icewall/bugs/cvtofc/libdmc_comm.so!DMC_free+0x0
STACK_FRAME:/home/icewall/bugs/cvtofc/libdmc_comm.so!DMC_2OLEcloseStream+0x0
STACK_FRAME:/home/icewall/bugs/cvtofc/libdhf_comm.so!DHFSummary+0x0
STACK_FRAME:/home/icewall/bugs/cvtofc/libdhf_comm.so!DHF_SummaryInfo+0x0
STACK_FRAME:/home/icewall/bugs/cvtofc/libdhf_rdoc.so!Doc_PutSummaryInfo+0x0
STACK_FRAME:/home/icewall/bugs/cvtofc/libdhf_rdoc.so!SimReadText+0x0
STACK_FRAME:/home/icewall/bugs/cvtofc/libdhf_rdoc.so!DHF_ROpen+0x0
STACK_FRAME:/home/icewall/bugs/cvtofc/libdhf_htmlif.so!FilterToHtml+0x0
STACK_FRAME:/home/icewall/bugs/cvtofc/libdhf_htmlif.so!DHF_GetHtml_V11+0x0
STACK_FRAME:/home/icewall/bugs/cvtofc/convert!main+0x0
INSTRUCTION_ADDRESS:0x000000f7fdace0
INVOKING_STACK_FRAME:0
DESCRIPTION:Heap error
SHORT_DESCRIPTION:HeapError (15/29)
OTHER_RULES:AbortSignal (27/29)
CLASSIFICATION:EXPLOITABLE
```

### Timeline

* 2016-10-10 - Vendor Disclosure
* 2017-05-04 - Public Release

### CREDIT

* Discovered by Marcin 'Icewall' Noga of Cisco Talos.
id: SSV:96524
last seen: 2017-11-19
modified: 2017-09-19
published: 2017-09-19
reporter: Root
title: AntennaHouse DMC HTMLFilter DHFSummary Code Execution Vulnerability (CVE-2016-8384)

Talos

id: TALOS-2016-0209
last seen: 2019-05-29
published: 2017-05-04
reporter: Talos Intelligence
source: http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0209
title: AntennaHouse DMC HTMLFilter DHFSummary Code Execution Vulnerability