CVE-2015-3205
Published 2015-06-16
Priority: P354 · Severity: High · CVSS 2.0 base score: 7.5
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit: public PoC available
EPSS: 10.67% (95.2nd percentile)
libmimedir allows remote attackers to execute arbitrary code via a VCF file with two NULL bytes at the end of the file, related to "free" function calls in the "lexer's memory clean-up procedure."
Bugzilla · 2015-06-23 · CVSS 7.5 · [HIGH]
CVE-2015-3205 libmimedir: stack buffer overflow in _mdir_mem_forget() [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions
Bugzilla · 2015-05-20 · CVSS 7.5 · [HIGH]
CVE-2015-3205 libmimedir: stack buffer overflow in _mdir_mem_forget()
It was reported that an application using libmimedir will crash while processing a crafted VCF file.
Steps to reproduce are available at https://bugzilla.redhat.com/show_bug.cgi?id=1222251
No patch available at the time of writing.
Discussion:
This affects Fedora only and has a tracker and someone working on it, so nothing for us to do here other than make this public at some point.
---
Public via:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=789197
---
Created libmimedir tracking bugs for this issue:
Affects: fedora-all [bug 1234689]
---
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the de
Bugzilla · 2015-05-16 · CVSS 7.5 · [HIGH]
Libmimedir VCF Parsing Memory Corruption
Created attachment 1026348
PoC to create the malformed VCF
Description of problem:
Adding a NULL short to the end of a VCF file allows a user to manipulate free() calls which occur during its lexer's memory clean-up procedure.
Version-Release number of selected component (if applicable):
libmimedir-static 0.4-13.fc21
How reproducible: crashes every time with PoC
Steps to Reproduce:
1. Run the attached script which produces a malformed VCF file
2. Open the created VCF file with a libmimedir consumer, or a pseudo-consumer:

```c
#include <libmimedir.h>   /* libmimedir's public header (name assumed; the include line on the page lost its filename) */

int main(void)
{
    /* Parse the crafted file; the crash occurs in free() during the lexer's clean-up. */
    mdir_parse_file("free.vcf");
    return 0;
}
```
3. Observe crash
Actual results:
```
Program received signal SIGSEGV, Segmentation fault.
__GI___libc_free (mem=0x4141414141414141) at malloc.c:2934
293
```
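The input shape the report describes (a well-formed vCard followed by a trailing NULL short) and a pre-parse gate a libmimedir consumer can run before handing bytes to mdir_parse_file(). This is an added example, not the reporter's attached script and not libmimedir code; the minimal vCard body is constructed here, and the check rests on the assumption that vCard (RFC 6350) is a text format, so a file containing any NUL byte, and in particular the two trailing NUL bytes from the report, should be refused rather than passed to the C parser.

```python
"""Build the crafted VCF the report describes and gate files before parsing.

Added example; not the reporter's PoC script and not libmimedir code.
Assumption: vCard is a text format, so any NUL byte (and in particular the
trailing "NULL short" from the report) is grounds to refuse the file.
"""
from typing import List

# Constructed sample: a minimal, well-formed vCard (not taken from the page).
BENIGN_VCF = (
    b"BEGIN:VCARD\r\n"
    b"VERSION:3.0\r\n"
    b"FN:Example Person\r\n"
    b"END:VCARD\r\n"
)


def build_crafted_vcf(base: bytes = BENIGN_VCF) -> bytes:
    """Append the two trailing NUL bytes ("NULL short") the report describes."""
    return base + b"\x00\x00"


def check_vcf_bytes(data: bytes) -> List[str]:
    """Return findings for a candidate VCF; an empty list means it looks like plain-text vCard.

    The first finding is the exact trigger shape from the report; the NUL scan
    catches the more general case of binary garbage inside a text format.
    """
    findings: List[str] = []
    if data.endswith(b"\x00\x00"):
        findings.append("trailing NULL short (CVE-2015-3205 trigger shape)")
    nul_at = data.find(b"\x00")
    if nul_at != -1:
        findings.append(f"NUL byte at offset {nul_at}")
    # Cheap structural sanity: a vCard is delimited by BEGIN:VCARD / END:VCARD.
    if not data.lstrip().upper().startswith(b"BEGIN:VCARD"):
        findings.append("missing BEGIN:VCARD")
    if b"END:VCARD" not in data.upper():
        findings.append("missing END:VCARD")
    return findings


def safe_to_parse(data: bytes) -> bool:
    """True only when no finding was raised; the caller may then invoke the C parser."""
    return not check_vcf_bytes(data)


def gate_file(path: str) -> bool:
    """Read a file from disk and decide whether it may be passed to mdir_parse_file()."""
    with open(path, "rb") as fh:
        return safe_to_parse(fh.read())


if __name__ == "__main__":
    crafted = build_crafted_vcf()
    print("benign :", check_vcf_bytes(BENIGN_VCF))
    print("crafted:", check_vcf_bytes(crafted))
```

Run the gate in the process that receives the file (mail gateway, sync daemon) and only call into libmimedir when safe_to_parse() returns True; the NUL scan is deliberately stricter than the single trigger shape so that variants of the crafted file are rejected too.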
References:
- http://packetstormsecurity.com/files/132257/Libmimedir-VCF-Memory-Corruption-Proof-Of-Concept.html
- http://www.securityfocus.com/bid/75147
- https://www.exploit-db.com/exploits/37249/