libtiff bmp file Heap Overflow

2015.12.29
Credit: riusksk
Risk: High
Local: Yes
Remote: No
CWE: CWE-119


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Details ======= Product: libtiff Affected Versions: <= 4.0.6 Vulnerability Type: Heap Overflow Security Risk: High Vendor URL: http://www.libtiff.org/ CVE ID: CVE-2015-8668 Credit: riusksk of Tencent Security Platform Department Introduction ============ libtiff v4.0.6 bmp2tiff function PackBitsPreEncode() (./libtiff/tif_packbits.c ) handle malicious bmp file (Width = 65663) to cause memory corruption. An attacker could exploit this issue to execute arbitrary code in the context of the application using the library. Failed exploit attempts may result in denial-of-service conditions. ╭─riusksk@MacBook ~/Downloads ?? ╰─➤$ ./tiff-4.0.6/tools/bmp2tiff ./libtiff-poc.bmp out.tif 255 ↵ ================================================================= ==54340==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x63100001087f at pc 0x00010cdc0532 bp 0x7fff52f459b0 sp 0x7fff52f459a8 READ of size 1 at 0x63100001087f thread T0 #0 0x10cdc0531 in PackBitsEncode (/Users/riusksk/Downloads/./tiff-4.0.6/tools/bmp2tiff+0x100108531) #1 0x10cdfaa18 in TIFFWriteScanline (/Users/riusksk/Downloads/./tiff-4.0.6/tools/bmp2tiff+0x100142a18) #2 0x10ccbde7b in main (/Users/riusksk/Downloads/./tiff-4.0.6/tools/bmp2tiff+0x100005e7b) #3 0x7fff8dcbc5ac in start (/usr/lib/system/libdyld.dylib+0x35ac) #4 0x2 (<unknown module>) 0x63100001087f is located 0 bytes to the right of 65663-byte region [0x631000000800,0x63100001087f) allocated by thread T0 here: #0 0x10cefdf60 in wrap_malloc (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xcto olchain/usr/lib/clang/7.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dyli b+0x42f60) #1 0x10ce073bf in _TIFFmalloc (/Users/riusksk/Downloads/./tiff-4.0.6/tools/bmp2tiff+0x10014f3bf) #2 0x10ccbc9d5 in main (/Users/riusksk/Downloads/./tiff-4.0.6/tools/bmp2tiff+0x1000049d5) #3 0x7fff8dcbc5ac in start (/usr/lib/system/libdyld.dylib+0x35ac) #4 0x2 (<unknown module>) SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 PackBitsEncode Shadow bytes around the buggy address: 0x1c62000020b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x1c62000020c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x1c62000020d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x1c62000020e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x1c62000020f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x1c6200002100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[07] 0x1c6200002110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x1c6200002120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x1c6200002130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x1c6200002140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x1c6200002150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==54340==ABORTING [1] 54340 abort ./tiff-4.0.6/tools/bmp2tiff ./libtiff-poc.bmp out.tif


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top