EulerOS Virtualization 3.0.1.0 : libpng (EulerOS-SA-2019-1421) - Nessus

High   Plugin ID: 124924

This page contains detailed information about the EulerOS Virtualization 3.0.1.0 : libpng (EulerOS-SA-2019-1421) Nessus plugin including available exploits and PoCs found on GitHub, in Metasploit or Exploit-DB for verifying of this vulnerability.

Table Of Contents
hide

Plugin Overview

ID: 124924
Name: EulerOS Virtualization 3.0.1.0 : libpng (EulerOS-SA-2019-1421)
Filename: EulerOS_SA-2019-1421.nasl
Vulnerability Published: N/A
This Plugin Published: 2019-05-14
Last Modification Time: 2021-01-06
Plugin Version: 1.6
Plugin Type: local
Plugin Family: Huawei Local Security Checks
Dependencies: ssh_get_info.nasl
Required KB Items [?]: Host/cpu, Host/EulerOS/release, Host/EulerOS/rpm-list, Host/EulerOS/uvp_version, Host/local_checks_enabled

Vulnerability Information

Severity: High
Vulnerability Published: N/A
Patch Published: 2019-05-07
CVE [?]: CVE-2011-2501, CVE-2011-2690, CVE-2011-2691, CVE-2011-2692, CVE-2011-3026, CVE-2011-3048, CVE-2015-7981, CVE-2015-8472, CVE-2015-8540
CPE [?]: cpe:/o:huawei:euleros:uvp:3.0.1.0, p-cpe:/a:huawei:euleros:libpng

Synopsis

The remote EulerOS Virtualization host is missing multiple security updates.

Description

According to the versions of the libpng package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

- The png_set_text_2 function in pngset.c in libpng 1.0.x before 1.0.59, 1.2.x before 1.2.49, 1.4.x before 1.4.11, and 1.5.x before 1.5.10 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted text chunk in a PNG image file, which triggers a memory allocation failure that is not properly handled, leading to a heap-based buffer overflow.(CVE-2011-3048)

- The png_handle_sCAL function in pngrutil.c in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before 1.5.4 does not properly handle invalid sCAL chunks, which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a crafted PNG image that triggers the reading of uninitialized memory.(CVE-2011-2692)

- It was discovered that the png_get_PLTE() and png_set_PLTE() functions of libpng did not correctly calculate the maximum palette sizes for bit depths of less than 8. In case an application tried to use these functions in combination with properly calculated palette sizes, this could lead to a buffer overflow or out-of-bounds reads. An attacker could exploit this to cause a crash or potentially execute arbitrary code by tricking an unsuspecting user into processing a specially crafted PNG image. However, the exact impact is dependent on the application using the library.(CVE-2015-8472)

- The png_err function in pngerror.c in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before 1.5.4 makes a function call using a NULL pointer argument instead of an empty-string argument, which allows remote attackers to cause a denial of service (application crash) via a crafted PNG image.(CVE-2011-2691)

- Integer underflow in the png_check_keyword function in pngwutil.c in libpng 0.90 through 0.99, 1.0.x before 1.0.66, 1.1.x and 1.2.x before 1.2.56, 1.3.x and 1.4.x before 1.4.19, and 1.5.x before 1.5.26 allows remote attackers to have unspecified impact via a space character as a keyword in a PNG image, which triggers an out-of-bounds read.(CVE-2015-8540)

- Integer overflow in libpng, as used in Google Chrome before 17.0.963.56, allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors that trigger an integer truncation.(CVE-2011-3026)

- An array-indexing error was discovered in the png_convert_to_rfc1123() function of libpng. An attacker could possibly use this flaw to cause an out-of-bounds read by tricking an unsuspecting user into processing a specially crafted PNG image.(CVE-2015-7981)

- Buffer overflow in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before 1.5.4, when used by an application that calls the png_rgb_to_gray function but not the png_set_expand function, allows remote attackers to overwrite memory with an arbitrary amount of data, and possibly have unspecified other impact, via a crafted PNG image.(CVE-2011-2690)

- The png_format_buffer function in pngerror.c in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before 1.5.4 allows remote attackers to cause a denial of service (application crash) via a crafted PNG image that triggers an out-of-bounds read during the copying of error-message data. NOTE: this vulnerability exists because of a CVE-2004-0421 regression. NOTE: this is called an off-by-one error by some sources.(CVE-2011-2501)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Update the affected libpng packages.

Public Exploits

Target Network Port(s): N/A
Target Asset(s): N/A
Exploit Available: True (GitHub)
Exploit Ease: Exploits (PoCs) are available

Here's the list of publicly known exploits and PoCs for verifying the EulerOS Virtualization 3.0.1.0 : libpng (EulerOS-SA-2019-1421) vulnerability:

  1. GitHub: https://github.com/jan0/isslfix
    [CVE-2011-3026]
  2. GitHub: https://github.com/project-zot/zot
    [CVE-2015-8540]
  3. GitHub: https://github.com/argp/cve-2011-3026-firefox
    [CVE-2011-3026: Example of exploiting CVE-2011-3026 on Firefox (Linux/x86)]

Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered as an illegal activity.

WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.

Risk Information

CVSS V2 Vector [?]: AV:N/AC:M/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C
CVSS Base Score:9.3 (High)
Impact Subscore:10.0
Exploitability Subscore:8.6
CVSS Temporal Score:6.9 (Medium)
CVSS Environmental Score:NA (None)
Modified Impact Subscore:NA
Overall CVSS Score:6.9 (Medium)
CVSS V3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
CVSS Base Score:8.8 (High)
Impact Subscore:5.9
Exploitability Subscore:2.8
CVSS Temporal Score:7.7 (High)
CVSS Environmental Score:NA (None)
Modified Impact Subscore:NA
Overall CVSS Score:7.7 (High)

Go back to menu.

Plugin Source

This is the EulerOS_SA-2019-1421.nasl nessus plugin source code. This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof. 

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(124924);
  script_version("1.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/06");

  script_cve_id(
    "CVE-2011-2501",
    "CVE-2011-2690",
    "CVE-2011-2691",
    "CVE-2011-2692",
    "CVE-2011-3026",
    "CVE-2011-3048",
    "CVE-2015-7981",
    "CVE-2015-8472",
    "CVE-2015-8540"
  );
  script_bugtraq_id(
    48474,
    48618,
    48660,
    52031,
    52049,
    52830
  );

  script_name(english:"EulerOS Virtualization 3.0.1.0 : libpng (EulerOS-SA-2019-1421)");
  script_summary(english:"Checks the rpm output for the updated packages.");

  script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS Virtualization host is missing multiple security
updates.");
  script_set_attribute(attribute:"description", value:
"According to the versions of the libpng package installed, the
EulerOS Virtualization installation on the remote host is affected by
the following vulnerabilities :

  - The png_set_text_2 function in pngset.c in libpng 1.0.x
    before 1.0.59, 1.2.x before 1.2.49, 1.4.x before
    1.4.11, and 1.5.x before 1.5.10 allows remote attackers
    to cause a denial of service (crash) or execute
    arbitrary code via a crafted text chunk in a PNG image
    file, which triggers a memory allocation failure that
    is not properly handled, leading to a heap-based buffer
    overflow.(CVE-2011-3048)

  - The png_handle_sCAL function in pngrutil.c in libpng
    1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before
    1.4.8, and 1.5.x before 1.5.4 does not properly handle
    invalid sCAL chunks, which allows remote attackers to
    cause a denial of service (memory corruption and
    application crash) or possibly have unspecified other
    impact via a crafted PNG image that triggers the
    reading of uninitialized memory.(CVE-2011-2692)

  - It was discovered that the png_get_PLTE() and
    png_set_PLTE() functions of libpng did not correctly
    calculate the maximum palette sizes for bit depths of
    less than 8. In case an application tried to use these
    functions in combination with properly calculated
    palette sizes, this could lead to a buffer overflow or
    out-of-bounds reads. An attacker could exploit this to
    cause a crash or potentially execute arbitrary code by
    tricking an unsuspecting user into processing a
    specially crafted PNG image. However, the exact impact
    is dependent on the application using the
    library.(CVE-2015-8472)

  - The png_err function in pngerror.c in libpng 1.0.x
    before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8,
    and 1.5.x before 1.5.4 makes a function call using a
    NULL pointer argument instead of an empty-string
    argument, which allows remote attackers to cause a
    denial of service (application crash) via a crafted PNG
    image.(CVE-2011-2691)

  - Integer underflow in the png_check_keyword function in
    pngwutil.c in libpng 0.90 through 0.99, 1.0.x before
    1.0.66, 1.1.x and 1.2.x before 1.2.56, 1.3.x and 1.4.x
    before 1.4.19, and 1.5.x before 1.5.26 allows remote
    attackers to have unspecified impact via a space
    character as a keyword in a PNG image, which triggers
    an out-of-bounds read.(CVE-2015-8540)

  - Integer overflow in libpng, as used in Google Chrome
    before 17.0.963.56, allows remote attackers to cause a
    denial of service or possibly have unspecified other
    impact via unknown vectors that trigger an integer
    truncation.(CVE-2011-3026)

  - An array-indexing error was discovered in the
    png_convert_to_rfc1123() function of libpng. An
    attacker could possibly use this flaw to cause an
    out-of-bounds read by tricking an unsuspecting user
    into processing a specially crafted PNG
    image.(CVE-2015-7981)

  - Buffer overflow in libpng 1.0.x before 1.0.55, 1.2.x
    before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before
    1.5.4, when used by an application that calls the
    png_rgb_to_gray function but not the png_set_expand
    function, allows remote attackers to overwrite memory
    with an arbitrary amount of data, and possibly have
    unspecified other impact, via a crafted PNG
    image.(CVE-2011-2690)

  - The png_format_buffer function in pngerror.c in libpng
    1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before
    1.4.8, and 1.5.x before 1.5.4 allows remote attackers
    to cause a denial of service (application crash) via a
    crafted PNG image that triggers an out-of-bounds read
    during the copying of error-message data. NOTE: this
    vulnerability exists because of a CVE-2004-0421
    regression. NOTE: this is called an off-by-one error by
    some sources.(CVE-2011-2501)

Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");
  # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1421
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?d1d8567b");
  script_set_attribute(attribute:"solution", value:
"Update the affected libpng packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"patch_publication_date", value:"2019/05/07");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/14");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:libpng");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.1.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Huawei Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
uvp = get_kb_item("Host/EulerOS/uvp_version");
if (uvp != "3.0.1.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.1.0");
if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);

flag = 0;

pkgs = ["libpng-1.5.13-7.1.h2.eulerosv2r7"];

foreach (pkg in pkgs)
  if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libpng");
}

The latest version of this script can be found in these locations depending on your platform:

  • Linux / Unix:
    /opt/nessus/lib/nessus/plugins/EulerOS_SA-2019-1421.nasl
  • Windows:
    C:\ProgramData\Tenable\Nessus\nessus\plugins\EulerOS_SA-2019-1421.nasl
  • Mac OS X:
    /Library/Nessus/run/lib/nessus/plugins/EulerOS_SA-2019-1421.nasl

Go back to menu.

How to Run

Here is how to run the EulerOS Virtualization 3.0.1.0 : libpng (EulerOS-SA-2019-1421) as a standalone plugin via the Nessus web user interface (https://localhost:8834/):

  1. Click to start a New Scan.
  2. Select Advanced Scan.
  3. Navigate to the Plugins tab.
  4. On the top right corner click to Disable All plugins.
  5. On the left side table select Huawei Local Security Checks plugin family.
  6. On the right side table select EulerOS Virtualization 3.0.1.0 : libpng (EulerOS-SA-2019-1421) plugin ID 124924.
  7. Specify the target on the Settings tab and click to Save the scan.
  8. Run the scan.

Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.

Basic usage:

/opt/nessus/bin/nasl EulerOS_SA-2019-1421.nasl -t <IP/HOST>

Run the plugin with audit trail message on the console:

/opt/nessus/bin/nasl -a EulerOS_SA-2019-1421.nasl -t <IP/HOST>

Run the plugin with trace script execution written to the console (useful for debugging):

/opt/nessus/bin/nasl -T - EulerOS_SA-2019-1421.nasl -t <IP/HOST>

Run the plugin with using a state file for the target and updating it (useful for running multiple plugins on the target):

/opt/nessus/bin/nasl -K /tmp/state EulerOS_SA-2019-1421.nasl -t <IP/HOST>

Go back to menu.

References

BID | SecurityFocus Bugtraq ID: See also: Similar and related Nessus plugins:
  • 62242 - Apple iOS < 6.0 Multiple Vulnerabilities
  • 62357 - Apple TV < 5.1 Multiple Vulnerabilities
  • 58189 - Fedora 17 : xulrunner-10.0.1-3.fc17 (2012-1800)
  • 58253 - Fedora 15 : xulrunner-10.0.1-3.fc15 (2012-1845)
  • 58706 - Fedora 17 : thunderbird-11.0.1-1.fc17 (2012-4910)
  • 58555 - Fedora 16 : thunderbird-11.0.1-1.fc16 (2012-5028)
  • 58634 - Fedora 15 : thunderbird-11.0.1-1.fc15 (2012-5068)
  • 59668 - GLSA-201206-15 : libpng: Multiple vulnerabilities
  • 57974 - Google Chrome < 17.0.963.56 Multiple Vulnerabilities
  • 64379 - IBM Informix Genero < 2.41 png_decompress_chunk Integer Overflow
  • 56480 - Mac OS X 10.7.x < 10.7.2 Multiple Vulnerabilities
  • 62214 - Mac OS X 10.7.x < 10.7.5 Multiple Vulnerabilities (BEAST)
  • 58074 - Firefox < 10.0.2 png_decompress_chunk Integer Overflow (Mac OS X)
  • 58072 - Firefox 3.6.x < 3.6.27 png_decompress_chunk Integer Overflow (Mac OS X)
  • 56481 - Mac OS X Multiple Vulnerabilities (Security Update 2011-006)
  • 59067 - Mac OS X Multiple Vulnerabilities (Security Update 2012-002) (BEAST)
  • 62213 - Mac OS X Multiple Vulnerabilities (Security Update 2012-004) (BEAST)
  • 58075 - Thunderbird 10.x < 10.0.2 png_decompress_chunk Integer Overflow (Mac OS X)
  • 58073 - Thunderbird 3.1.x < 3.1.19 png_decompress_chunk Integer Overflow (Mac OS X)
  • 58082 - Mandriva Linux Security Advisory : mozilla (MDVSA-2012:022-1)
  • 58005 - Firefox 10.x < 10.0.2 'png_decompress_chunk' Integer Overflow
  • 58006 - Firefox 3.6.x < 3.6.27 'png_decompress_chunk' Integer Overflow
  • 58007 - Mozilla Thunderbird 10.x < 10.0.2 'png_decompress_chunk' Integer Overflow
  • 58008 - Mozilla Thunderbird 3.1.x < 3.1.19 'png_decompress_chunk' Integer Overflow
  • 68485 - Oracle Linux 4 / 5 / 6 : libpng (ELSA-2012-0317)
  • 58009 - SeaMonkey < 2.7.2 'png_decompress_chunk' Integer Overflow
  • 55735 - Slackware 10.0 / 10.1 / 10.2 / 11.0 / 12.0 / 12.1 / 12.2 / 13.0 / 13.1 / 13.37 / 8.1 / 9.0 / 9.1 / current : libpng (SSA:2011-210-01)
  • 57998 - Ubuntu 8.04 LTS / 10.04 LTS / 10.10 / 11.04 / 11.10 : libpng vulnerabilities (USN-1367-1)
  • 58034 - Ubuntu 10.04 LTS / 10.10 / 11.04 / 11.10 : firefox vulnerability (USN-1367-2)
  • 58035 - Ubuntu 10.04 LTS / 10.10 / 11.04 : thunderbird vulnerability (USN-1367-3)
  • 70885 - ESXi 5.0 < Build 912577 Multiple Vulnerabilities (remote check)
  • 70888 - ESXi 5.1 < Build 911593 Multiple Vulnerabilities (remote check)

Version

This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file EulerOS_SA-2019-1421.nasl version 1.6. For more plugins, visit the Nessus Plugin Library.

Go back to menu.