Vulnerabilities > CVE-2017-16883 - NULL Pointer Dereference vulnerability in Libming

047910
CVSS 6.5 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
HIGH
network
low complexity
libming
CWE-476
nessus
NVD
Published: 2017-11-18
Updated: 2018-02-04

Summary

The outputSWF_TEXT_RECORD function in util/outputscript.c in libming <= 0.4.8 is vulnerable to a NULL pointer dereference, which may allow attackers to cause a denial of service via a crafted swf file.

Vulnerable Configurations

Part Description Count
Application
Libming
13

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-1240.NASL
    descriptionMultiple vulnerabilities have been discovered in Ming : CVE-2017-11732 heap-based buffer overflow vulnerability in the function dcputs (util/decompile.c) in Ming <= 0.4.8, which allows attackers to cause a denial of service via a crafted SWF file. CVE-2017-16883 NULL pointer dereference vulnerability in the function outputSWF_TEXT_RECORD (util/outputscript.c) in Ming <= 0.4.8, which allows attackers to cause a denial of service via a crafted SWF file. CVE-2017-16898 global buffer overflow vulnerability in the function printMP3Headers (util/listmp3.c) in Ming <= 0.4.8, which allows attackers to cause a denial of service via a crafted SWF file. For Debian 7
    last seen2020-03-17
    modified2018-01-12
    plugin id105753
    published2018-01-12
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/105753
    titleDebian DLA-1240-1 : ming security update
    code
    #%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DLA-1240-1. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(105753);
  script_version("3.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");

  script_cve_id("CVE-2017-11732", "CVE-2017-16883", "CVE-2017-16898");

  script_name(english:"Debian DLA-1240-1 : ming security update");
  script_summary(english:"Checks dpkg output for the updated packages.");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Debian host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Multiple vulnerabilities have been discovered in Ming :

CVE-2017-11732

heap-based buffer overflow vulnerability in the function dcputs
(util/decompile.c) in Ming <= 0.4.8, which allows attackers to cause a
denial of service via a crafted SWF file.

CVE-2017-16883

NULL pointer dereference vulnerability in the function
outputSWF_TEXT_RECORD (util/outputscript.c) in Ming <= 0.4.8, which
allows attackers to cause a denial of service via a crafted SWF file.

CVE-2017-16898

global buffer overflow vulnerability in the function printMP3Headers
(util/listmp3.c) in Ming <= 0.4.8, which allows attackers to cause a
denial of service via a crafted SWF file.

For Debian 7 'Wheezy', these problems have been fixed in version
1:0.4.4-1.1+deb7u6.

We recommend that you upgrade your ming packages.

NOTE: Tenable Network Security has extracted the preceding description
block directly from the DLA security advisory. Tenable has attempted
to automatically clean and format it as much as possible without
introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://lists.debian.org/debian-lts-announce/2018/01/msg00014.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://packages.debian.org/source/wheezy/ming"
  );
  script_set_attribute(attribute:"solution", value:"Upgrade the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libming-dev");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libming-util");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libming1");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libswf-perl");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:ming-fonts-dejavu");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:ming-fonts-opensymbol");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php5-ming");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:python-ming");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2018/01/11");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/01/12");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("debian_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;
if (deb_check(release:"7.0", prefix:"libming-dev", reference:"1:0.4.4-1.1+deb7u6")) flag++;
if (deb_check(release:"7.0", prefix:"libming-util", reference:"1:0.4.4-1.1+deb7u6")) flag++;
if (deb_check(release:"7.0", prefix:"libming1", reference:"1:0.4.4-1.1+deb7u6")) flag++;
if (deb_check(release:"7.0", prefix:"libswf-perl", reference:"1:0.4.4-1.1+deb7u6")) flag++;
if (deb_check(release:"7.0", prefix:"ming-fonts-dejavu", reference:"1:0.4.4-1.1+deb7u6")) flag++;
if (deb_check(release:"7.0", prefix:"ming-fonts-opensymbol", reference:"1:0.4.4-1.1+deb7u6")) flag++;
if (deb_check(release:"7.0", prefix:"php5-ming", reference:"1:0.4.4-1.1+deb7u6")) flag++;
if (deb_check(release:"7.0", prefix:"python-ming", reference:"1:0.4.4-1.1+deb7u6")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2018-38A0E1E6F5.NASL
    descriptionSecurity fixes for: CVE-2017-8782, CVE-2017-9988, CVE-2017-9989, CVE-2017-11704, CVE-2017-11728, CVE-2017-11729, CVE-2017-11730, CVE-2017-11731, CVE-2017-11732, CVE-2017-11733, CVE-2017-11734, CVE-2017-16883, CVE-2017-16898, CVE-2018-5251, CVE-2018-5294, CVE-2018-6315, CVE-2018-6359 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2018-03-21
    plugin id108496
    published2018-03-21
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/108496
    titleFedora 27 : ming (2018-38a0e1e6f5)
    code
    #%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Fedora Security Advisory FEDORA-2018-38a0e1e6f5.
#

include("compat.inc");

if (description)
{
  script_id(108496);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");

  script_cve_id("CVE-2017-11704", "CVE-2017-11728", "CVE-2017-11729", "CVE-2017-11730", "CVE-2017-11731", "CVE-2017-11732", "CVE-2017-11733", "CVE-2017-11734", "CVE-2017-16883", "CVE-2017-16898", "CVE-2017-8782", "CVE-2017-9988", "CVE-2017-9989", "CVE-2018-5251", "CVE-2018-5294", "CVE-2018-6315", "CVE-2018-6359");
  script_xref(name:"FEDORA", value:"2018-38a0e1e6f5");

  script_name(english:"Fedora 27 : ming (2018-38a0e1e6f5)");
  script_summary(english:"Checks rpm output for the updated package.");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Fedora host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Security fixes for: CVE-2017-8782, CVE-2017-9988, CVE-2017-9989,
CVE-2017-11704, CVE-2017-11728, CVE-2017-11729, CVE-2017-11730,
CVE-2017-11731, CVE-2017-11732, CVE-2017-11733, CVE-2017-11734,
CVE-2017-16883, CVE-2017-16898, CVE-2018-5251, CVE-2018-5294,
CVE-2018-6315, CVE-2018-6359

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as
possible without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bodhi.fedoraproject.org/updates/FEDORA-2018-38a0e1e6f5"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected ming package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:ming");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:27");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/05/31");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/03/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/03/21");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Fedora Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! preg(pattern:"^27([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 27", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);


cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);


flag = 0;
if (rpm_check(release:"FC27", reference:"ming-0.4.8-5.fc27")) flag++;


if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ming");
}
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2018-8BE89D9AD6.NASL
    descriptionSecurity fixes for: CVE-2017-8782, CVE-2017-9988, CVE-2017-9989, CVE-2017-11704, CVE-2017-11728, CVE-2017-11729, CVE-2017-11730, CVE-2017-11731, CVE-2017-11732, CVE-2017-11733, CVE-2017-11734, CVE-2017-16883, CVE-2017-16898, CVE-2018-5251, CVE-2018-5294, CVE-2018-6315, CVE-2018-6359 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2018-03-21
    plugin id108503
    published2018-03-21
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/108503
    titleFedora 26 : ming (2018-8be89d9ad6)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2018-5F31E1002A.NASL
    descriptionSecurity fixes for: CVE-2017-8782, CVE-2017-9988, CVE-2017-9989, CVE-2017-11704, CVE-2017-11728, CVE-2017-11729, CVE-2017-11730, CVE-2017-11731, CVE-2017-11732, CVE-2017-11733, CVE-2017-11734, CVE-2017-16883, CVE-2017-16898, CVE-2018-5251, CVE-2018-5294, CVE-2018-6315, CVE-2018-6359 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2019-01-03
    plugin id120460
    published2019-01-03
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/120460
    titleFedora 28 : ming (2018-5f31e1002a)

References