Description: Xfce Thunar 1.6.15, when Xfce 4.12 is used, mishandles the IBus-Unikey input method for file searches within File Manager, leading to an out-of-bounds read and SEGV. This could potentially be exploited by an arbitrary local user who creates files in /tmp before the victim uses this input method.
Additional Information:
VirtualBox POC: https://drive.google.com/open?id=1MMjgybKioy2evO8ywzderTT60MwjA11Z
Core Dump: https://drive.google.com/open?id=1Vz3rezkQiOf_b-q6x3RZ7C4nSkje9GhU
Stack trace:
gdb-peda$ run
Starting program: /tmp/thunar
Thread debugging using libthread_db enabled
Using host libthread_db library "/usr/lib/libthread_db.so.1".
[New Thread 0x7fffed6c9700 (LWP 3439)]
[New Thread 0x7fffecec8700 (LWP 3440)]
[New Thread 0x7fffe7b8f700 (LWP 3441)]
[New Thread 0x7fffe738e700 (LWP 3442)]

(thunar:3438): Gdk-WARNING **: gdk_window_set_icon_list: icons too large

Thread 0x7fffe738e700 (LWP 3442) exited

Thread 1 "thunar" received signal SIGSEGV, Segmentation fault.

RAX: 0x7400000061 ('a')
RBX: 0x0
RCX: 0x7fffffffce90 --> 0x5555558a41e0 --> 0x4
RDX: 0x555555892490 --> 0x55555589b9a0 --> 0x55555589b800 --> 0x2
RSI: 0x555555aebbf0 --> 0x555555aa0061 --> 0x0
RDI: 0x5555559d13f0 --> 0x5555558a2740 --> 0x5555558a41e0 --> 0x4
RBP: 0x555555aa19f0 --> 0x40000002
RSP: 0x7fffffffccc8 --> 0x7ffff4e06c5d (<g_closure_invoke+413>: mov rax,QWORD PTR [rbp+0x0])
RIP: 0x7ffff79a1fb4 (mov edi,DWORD PTR [rax+0x154])
R8 : 0x7fffffffce10 --> 0x135
R9 : 0x0
R10: 0x555555804758 --> 0x700070 ('p')
R11: 0x7fffffffd060 --> 0x3000000020 (' ')
R12: 0x2
R13: 0x7fffffffce90 --> 0x5555558a41e0 --> 0x4
R14: 0x7fffffffce10 --> 0x135
R15: 0x7ffff6a32770 (<g_cclosure_marshal_VOID__STRING>: cmp edx,0x2)
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)

   0x7ffff79a1fa1: call QWORD PTR [rip+0x229919] # 0x7ffff7bcb8c0
   0x7ffff79a1fa7: nop WORD PTR [rax+rax*1+0x0]
   0x7ffff79a1fb0: mov rax,QWORD PTR [rsi+0x70]
=> 0x7ffff79a1fb4: mov edi,DWORD PTR [rax+0x154]
   0x7ffff79a1fba: or BYTE PTR [rax+0x148],0x2
   0x7ffff79a1fc
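A triage check for the register dump above, added here as an example and not part of the original report or of Thunar. The faulting instruction dereferences RAX+0x154, and RAX (0x7400000061) is not a heap or library address but two ASCII bytes ('a' at byte 0, 't' at byte 4) with zero padding, loaded from [rsi+0x70]. The script below parses a gdb-peda register dump (the sample is a constructed excerpt of the trace above), recovers the faulting address from the disassembled RIP instruction, and flags registers whose non-zero bytes are all printable ASCII, the usual sign that string data was read where a pointer was expected. The regular expressions and the "looks like text" heuristic are this example's own assumptions, not anything gdb or peda provides.

```python
import re

# Constructed excerpt of the gdb-peda register dump from the trace above.
PEDA_DUMP = """\
RAX: 0x7400000061 ('a')
RBX: 0x0
RSI: 0x555555aebbf0 --> 0x555555aa0061 --> 0x0
RDI: 0x5555559d13f0 --> 0x5555558a2740 --> 0x5555558a41e0 --> 0x4
RIP: 0x7ffff79a1fb4 (mov edi,DWORD PTR [rax+0x154])
"""

# Assumed peda layout: "<REG>: 0x<hex> ..." per line, RIP carrying the
# disassembled instruction in parentheses.
REG_RE = re.compile(r'^(R[A-Z0-9]+)\s*:\s*(0x[0-9a-fA-F]+)', re.M)
RIP_INSN_RE = re.compile(r'^RIP:.*\((.*)\)', re.M)
MEM_OPERAND_RE = re.compile(r'\[(r[a-z0-9]+)(?:\+(0x[0-9a-fA-F]+))?\]')


def parse_registers(dump):
    """Map register name -> integer value for every register line."""
    return {m.group(1): int(m.group(2), 16) for m in REG_RE.finditer(dump)}


def faulting_address(dump):
    """Effective address of the [base+disp] operand in the RIP instruction."""
    regs = parse_registers(dump)
    insn = RIP_INSN_RE.search(dump).group(1)
    mem = MEM_OPERAND_RE.search(insn)
    base = regs[mem.group(1).upper()]
    disp = int(mem.group(2), 16) if mem.group(2) else 0
    return base + disp


def ascii_bytes(value):
    """Render the 8 little-endian bytes of a register, '.' for non-printable."""
    raw = value.to_bytes(8, 'little')
    return ''.join(chr(b) if 0x20 <= b < 0x7f else '.' for b in raw)


def looks_like_text(value):
    """Heuristic: every non-zero byte is printable ASCII, so the register most
    likely holds character data that was loaded as if it were a pointer."""
    nonzero = [b for b in value.to_bytes(8, 'little') if b]
    return bool(nonzero) and all(0x20 <= b < 0x7f for b in nonzero)


def suspicious_registers(dump):
    """Registers whose value decodes as text, with their byte rendering."""
    return {name: ascii_bytes(v)
            for name, v in parse_registers(dump).items() if looks_like_text(v)}


if __name__ == '__main__':
    print('faulting address: %#x' % faulting_address(PEDA_DUMP))
    for name, text in suspicious_registers(PEDA_DUMP).items():
        print('%s looks like text: %r' % (name, text))
```

On the dump above this reports the faulting read at 0x74000001b5 and flags only RAX ('a...t...'); RSI and RDI stay unflagged because they contain bytes such as 0xf0 that no string would hold. Note that the instruction right after the faulting one in the trace, `or BYTE PTR [rax+0x148],0x2`, writes through the same bad base, so if that base ever landed on a mapped page the bug would not stop at an out-of-bounds read.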
VulnerabilityType
Out-of-bounds read
Vendor of Product
XFCE
Affected Product Code Base
Thunar 1.6.15 with Xfce 4.12 (the configuration in which the crash was reproduced)
Reference
Exploit:
Discoverer
0xd0ff9