libcroco 0.6.12 - Denial of Service

EDB-ID:

42147


Author:

qflb.wu

Type:

dos


Platform:

Linux

Date:

2017-06-09


Become a Certified Penetration Tester

Enroll in Penetration Testing with Kali Linux and pass the exam to become an Offensive Security Certified Professional (OSCP). All new content for 2020.

GET CERTIFIED

libcroco multiple vulnerabilities
================
Author : qflb.wu
===============


Introduction:
=============
Libcroco is a standalone css2 parsing and manipulation library.
The parser provides a low level event driven SAC like api and a css object model like api.
Libcroco provides a CSS2 selection engine and an experimental xml/css rendering engine.


Affected version:
=====
0.6.12


Vulnerability Description:
==========================
1. 
the cr_tknzr_parse_comment function in cr-tknzr.c in libcroco 0.6.12 can cause a denial of service (memory allocation error) via a crafted CSS file.


./csslint-0.6 --dump-location libcroco_0_6_12_memory_allocation_error.css


==21841==ERROR: AddressSanitizer failed to allocate 0x20002000 (536879104) bytes of LargeMmapAllocator: 12
...
==21841==AddressSanitizer CHECK failed: /build/buildd/llvm-toolchain-3.4-3.4/projects/compiler-rt/lib/sanitizer_common/sanitizer_posix.cc:68 "(("unable to mmap" && 0)) != (0)" (0x0, 0x0)
    ...
    #10 0x7fd78c2fcb4d in cr_tknzr_parse_comment /home/a/Downloads/libcroco-0.6.12/src/cr-tknzr.c:462
    #11 0x7fd78c2fcb4d in cr_tknzr_get_next_token /home/a/Downloads/libcroco-0.6.12/src/cr-tknzr.c:2218
    #12 0x7fd78c356f6e in cr_parser_try_to_skip_spaces_and_comments /home/a/Downloads/libcroco-0.6.12/src/cr-parser.c:634
    #13 0x7fd78c368a43 in cr_parser_parse_stylesheet /home/a/Downloads/libcroco-0.6.12/src/cr-parser.c:2538
    #14 0x7fd78c368a43 in cr_parser_parse /home/a/Downloads/libcroco-0.6.12/src/cr-parser.c:4381
    #15 0x480a8e in sac_parse_and_display_locations /home/a/Downloads/libcroco-0.6.12/csslint/csslint.c:960
    #16 0x480a8e in main /home/a/Downloads/libcroco-0.6.12/csslint/csslint.c:1001
    #17 0x7fd78b397f44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #18 0x47c95c in _start (/home/a/Downloads/libcroco-0.6.12/csslint/.libs/lt-csslint-0.6+0x47c95c)


    Reproducer:
    libcroco_0_6_12_memory_allocation_error.css
    CVE:
    CVE-2017-8834


2.
The cr_parser_parse_selector_core function in cr-parser.c in libcroco 0.6.12 can cause a denial of service(infinite loop and CPU consumption) via a crafted CSS file.


./csslint-0.6 --dump-location libcroco_0_6_12_infinite_loop.css


Reproducer:
libcroco_0_6_12_infinite_loop.css
CVE:
CVE-2017-8871


===============================


qflb.wu () dbappsecurity com cn


Proofs of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/42147.zip