Menu

Search for hundreds of thousands of exploits

"ICU library 52 < 54 - Multiple Vulnerabilities"

Author

Exploit author

"Pedro Ribeiro"

Platform

Exploit platform

multiple

Release date

Exploit published date

2015-06-10

Download file

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
>> Heap overflow and integer overflow in ICU library (v52 to v54)
>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security
=================================================================================
Disclosure: 04/05/2015 / Last updated: 07/05/2015

>> Background on the affected products:
ICU is a mature, widely used set of C/C++ and Java libraries providing Unicode and Globalization support for software applications. ICU is widely portable and gives applications the same results on all platforms and between C/C++ and Java software.


>> Summary:
While fuzzing LibreOffice an integer overflow and a heap overflow were found in the ICU library. This library is used by LibreOffice and hundreds of other software packages.
Proof of concept files can be downloaded from [1]. These files have been tested with LibreOffice 4.3.3.2 and LibreOffice 4.4.0-beta2 and ICU 52.
Note that at this point in time it is unknown whether these vulnerabilities are exploitable.
Thanks to CERT [2] for helping disclose these vulnerabilities.


>> Technical details:
#1
Vulnerability: Heap overflow
CVE-2014-8146

The code to blame is the following (from ubidi.c:2148 in ICU 52):
    dirProp=dirProps[limit-1];
    if((dirProp==LRI || dirProp==RLI) && limit<pBiDi->length) {
        pBiDi->isolateCount++;
        pBiDi->isolates[pBiDi->isolateCount].stateImp=stateImp;
        pBiDi->isolates[pBiDi->isolateCount].state=levState.state;
        pBiDi->isolates[pBiDi->isolateCount].start1=start1;
    }
    else
        processPropertySeq(pBiDi, &levState, eor, limit, limit);

Under certain conditions isolateCount is incremented too many times, which results in several out of bounds writes. See [1] for a more detailed analysis.


#2
Vulnerability: Integer overflow
CVE-2014-8147

The overflow is on the resolveImplicitLevels function (ubidi.c:2248):
        pBiDi->isolates[pBiDi->isolateCount].state=levState.state;

pBiDi->isolates[].state is a int16, while levState.state is a int32.
The overflow causes an error when performing a malloc on pBiDi->insertPoints->points because insertPoints is adjacent in memory to isolates[].

The Isolate struct is defined in ubidiimp.h:184
typedef struct Isolate {
    int32_t startON;
    int32_t start1;
    int16_t stateImp;
    int16_t state;
} Isolate;

LevState is defined in ubidi.c:1748
typedef struct {
    const ImpTab * pImpTab;             /* level table pointer          */
    const ImpAct * pImpAct;             /* action map array             */
    int32_t startON;                    /* start of ON sequence         */
    int32_t startL2EN;                  /* start of level 2 sequence    */
    int32_t lastStrongRTL;              /* index of last found R or AL  */
    int32_t state;                      /* current state                */
    int32_t runStart;                   /* start position of the run    */
    UBiDiLevel runLevel;                /* run level before implicit solving */
} LevState;


>> Fix: 
All ICU releases between 52 and 54 are affected. Upgrade to ICU 55.1 to fix these vulnerabilities.
There are many other software packages which embed the ICU code and will need to be updated.
Patches that fix these vulnerabilities can be obtained from the ICU project in [3] and [4].


>> References:
[1] https://github.com/pedrib/PoC/raw/master/generic/i-c-u-fail.7z (EDB Mirror: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/43887.zip)
[2] https://www.kb.cert.org/vuls/id/602540
[3] http://bugs.icu-project.org/trac/changeset/37080
[4] http://bugs.icu-project.org/trac/changeset/37162


================
Agile Information Security Limited
http://www.agileinfosec.co.uk/
>> Enabling secure digital business >>
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "Expense Management System - 'description' Stored Cross Site Scripting" webapps multiple "Nikhil Kumar"
2020-12-02 "Bakeshop Online Ordering System 1.0 - 'Owner' Persistent Cross-site scripting" webapps multiple "Parshwa Bhavsar"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "ILIAS Learning Management System 4.3 - SSRF" webapps multiple Dot
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "Under Construction Page with CPanel 1.0 - SQL injection" webapps multiple "Mayur Parmar"
Release Date Title Type Platform Author
2019-08-21 "Cisco UCS Director_ Cisco Integrated Management Controller Supervisor and Cisco UCS Director Express for Big Data - Multiple Vulnerabilities" remote multiple "Pedro Ribeiro"
2018-01-22 "AsusWRT Router < 3.0.0.4.380.7743 - LAN Remote Code Execution" remote hardware "Pedro Ribeiro"
2017-03-24 "NETGEAR WNR2000v5 - 'hidden_lang_avi' Remote Stack Overflow (Metasploit)" remote hardware "Pedro Ribeiro"
2017-01-31 "Billion / TrueOnline / ZyXEL Routers - Multiple Vulnerabilities" webapps hardware "Pedro Ribeiro"
2016-12-21 "NETGEAR WNR2000v5 - Remote Code Execution" remote cgi "Pedro Ribeiro"
2016-08-10 "WebNMS Framework Server 5.2/5.2 SP1 - Multiple Vulnerabilities" webapps jsp "Pedro Ribeiro"
2016-08-05 "NUUO NVRmini2 / NVRsolo / Crystal Devices / NETGEAR ReadyNAS Surveillance Application - Multiple Vulnerabilities" remote hardware "Pedro Ribeiro"
2016-04-11 "Novell ServiceDesk 6.5/7.0.3/7.1.0 - Multiple Vulnerabilities" webapps jsp "Pedro Ribeiro"
2016-02-04 "NETGEAR NMS300 ProSafe Network Management System - Multiple Vulnerabilities" webapps hardware "Pedro Ribeiro"
2015-09-29 "Kaseya Virtual System Administrator (VSA) - Multiple Vulnerabilities (2)" webapps asp "Pedro Ribeiro"
2015-09-28 "Kaseya Virtual System Administrator (VSA) 7.0 < 9.1 - (Authenticated) Arbitrary File Upload" webapps asp "Pedro Ribeiro"
2015-09-28 "BMC Track-It! 11.4 - Multiple Vulnerabilities" webapps windows "Pedro Ribeiro"
2015-07-15 "Kaseya Virtual System Administrator (VSA) - Multiple Vulnerabilities (1)" webapps windows "Pedro Ribeiro"
2015-06-10 "SysAid Help Desk 14.4 - Multiple Vulnerabilities" webapps hardware "Pedro Ribeiro"
2015-06-10 "ICU library 52 < 54 - Multiple Vulnerabilities" local multiple "Pedro Ribeiro"
2015-04-08 "Novell ZENworks Configuration Management 11.3.1 - Remote Code Execution" webapps jsp "Pedro Ribeiro"
2015-02-09 "ManageEngine OpManager / Applications Manager / IT360 - 'FailOverServlet' Multiple Vulnerabilities" webapps multiple "Pedro Ribeiro"
2015-01-18 "Lorex LH300 Series - ActiveX Buffer Overflow (PoC)" dos hardware "Pedro Ribeiro"
2015-01-15 "ManageEngine Desktop Central - Create Administrator" webapps multiple "Pedro Ribeiro"
2014-12-03 "ManageEngine Netflow Analyzer / IT360 - Arbitrary File Download" webapps multiple "Pedro Ribeiro"
2014-11-10 "ManageEngine OpManager / Social IT Plus / IT360 - Multiple Vulnerabilities" webapps jsp "Pedro Ribeiro"
2014-11-10 "Password Manager Pro / Pro MSP - Blind SQL Injection" webapps multiple "Pedro Ribeiro"
2014-11-09 "ManageEngine OpManager / Social IT Plus / IT360 - Multiple Vulnerabilities" webapps multiple "Pedro Ribeiro"
2014-11-05 "ManageEngine EventLog Analyzer - Multiple Vulnerabilities (2)" webapps multiple "Pedro Ribeiro"
2014-10-12 "CMS Made Simple 1.11.9 - Multiple Vulnerabilities" webapps php "Pedro Ribeiro"
2014-10-12 "Pimcore CMS 1.4.9 <2.1.0 - Multiple Vulnerabilities" webapps hardware "Pedro Ribeiro"
2014-10-12 "GetSimple CMS 3.3.1 - Cross-Site Scripting" webapps php "Pedro Ribeiro"
2014-10-09 "BMC Track-It! - Multiple Vulnerabilities" webapps windows "Pedro Ribeiro"
2014-10-02 "ManageEngine OpManager / Social IT - Arbitrary File Upload (Metasploit)" remote java "Pedro Ribeiro"
2014-09-01 "ManageEngine Desktop Central - Arbitrary File Upload / Remote Code Execution" webapps jsp "Pedro Ribeiro" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected