libjpeg-turbo 1.5.1 - Denial of Service

2017.07.29
Credit: qflb.wu
Risk: Medium
Local: Yes
Remote: Yes
CWE: N/A


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

libjpeg-turbo denial of service vulnerability ====================== Author : qflb.wu CVE : CVE-2017-9614 ====================== Introduction: ============= libjpeg-turbo is a JPEG image codec that uses SIMD instructions (MMX, SSE2, AVX2, NEON, AltiVec) to accelerate baseline JPEG compression and decompression on x86, x86-64, ARM, and PowerPC systems. Affected version: ===== 1.5.1 Vulnerability Description: ========================== the fill_input_buffer function in jdatasrc.c in libjpeg-turbo 1.5.1 can cause a denial of service(invalid address and application crash) via a crafted jpg file. I found this bug when I test stills2dv-alpha-0.601 which used the libjpeg-turbo. ./stills2dv exampleworkfile.s2d (the exampleworkfile.s2d contains the path of the poc jpg file) ----debug info:---- gdb-peda$ bt #0 __memcpy_sse2 () at ../sysdeps/x86_64/multiarch/../memcpy.S:166 #1 0x00007ffff6d82323 in __GI__IO_file_xsgetn (fp=0x61c370, data=<optimized out>, n=0x1000) at fileops.c:1387 #2 0x00007ffff6d7786f in __GI__IO_fread (buf=<optimized out>, size=0x1, count=0x1000, fp=0x61c370) at iofread.c:42 #3 0x00007ffff7b6e23b in fill_input_buffer (cinfo=0x7fffffffe190) at jdatasrc.c:107 #4 0x00007ffff7b7beef in get_dqt (cinfo=0x7fffffffe190) at jdmarker.c:516 #5 0x00007ffff7b7dba3 in read_markers (cinfo=0x7fffffffe190) at jdmarker.c:1050 #6 0x00007ffff7b795fd in consume_markers (cinfo=0x7fffffffe190) at jdinput.c:320 #7 0x00007ffff7b6c853 in jpeg_finish_decompress (cinfo=0x7fffffffe190) at jdapimin.c:399 #8 0x0000000000402da0 in readjpg ( fn=fn@entry=0x61c2f4 "example_data_files/test.jpg") at s2d_jpg.c:148 #9 0x0000000000403c5b in openImage ( fn=0x61c2f4 "example_data_files/test.jpg", cache=0xffffffff) at s2d_main.c:202 #10 0x00000000004063a5 in splitted2struct (p=p@entry=0x60acc0 <ms>, strs=strs@entry=0x61c2a0) at s2d_main.c:1139 #11 0x000000000040240b in main (argc=argc@entry=0x2, argv=argv@entry=0x7fffffffe5f8) at s2d_main.c:1404 #12 0x00007ffff6d2af45 in __libc_start_main (main=0x402040 <main>, argc=0x2, argv=0x7fffffffe5f8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe5e8) at libc-start.c:287 #13 0x0000000000402500 in _start () ================================================================================= [------------------------------------------------------------------------------] Legend: code, data, rodata, value 0x00007ffff7b6e233107 nbytes = JFREAD(src->infile, src->buffer, INPUT_BUF_SIZE); gdb-peda$ [----------------------------------registers-----------------------------------] RAX: 0x61ce30 --> 0x464a1000e0ffd8ff RBX: 0x7fffffffe190 --> 0x7fffffffe0e0 --> 0x7ffff7b89ce0 (<error_exit>:push rbp) RCX: 0x61c370 ("example_data_files/test.jpg") RDX: 0x1000 RSI: 0x1 RDI: 0x61ce30 --> 0x464a1000e0ffd8ff RBP: 0x7fffffffdff0 --> 0x7fffffffe050 --> 0x7fffffffe070 --> 0x7fffffffe0a0 --> 0x7fffffffe0c0 --> 0x61c370 ("example_data_files/test.jpg") RSP: 0x7fffffffdfd0 --> 0x7fffffffe030 --> 0x0 RIP: 0x7ffff7b6e236 (<fill_input_buffer+56> R8 : 0x67706a2e747365 ('est.jpg') R9 : 0x7ffff70ca7b8 --> 0x623770 --> 0x0 R10: 0x7fffffffde90 --> 0x0 R11: 0x7ffff7b6c74c (<jpeg_finish_decompress>:push rbp) R12: 0x61c2f4 ("example_data_files/test.jpg") R13: 0x61c5b0 --> 0x61c370 ("example_data_files/test.jpg") R14: 0xc00 ('') R15: 0x3 EFLAGS: 0x202 (carry parity adjust zero sign trap INTERRUPT direction overflow) [-------------------------------------code-------------------------------------] 0x7ffff7b6e229 <fill_input_buffer+43>:mov edx,0x1000 0x7ffff7b6e22e <fill_input_buffer+48>:mov esi,0x1 0x7ffff7b6e233 <fill_input_buffer+53>:mov rdi,rax => 0x7ffff7b6e236 <fill_input_buffer+56>: call 0x7ffff7b477f0 <fread@plt> 0x7ffff7b6e23b <fill_input_buffer+61>:mov QWORD PTR [rbp-0x10],rax 0x7ffff7b6e23f <fill_input_buffer+65>:cmp QWORD PTR [rbp-0x10],0x0 0x7ffff7b6e244 <fill_input_buffer+70>: jne 0x7ffff7b6e2bb <fill_input_buffer+189> 0x7ffff7b6e246 <fill_input_buffer+72>:mov rax,QWORD PTR [rbp-0x8] Guessed arguments: arg[0]: 0x61ce30 --> 0x464a1000e0ffd8ff arg[1]: 0x1 arg[2]: 0x1000 arg[3]: 0x61c370 ("example_data_files/test.jpg") [------------------------------------stack-------------------------------------] 0000| 0x7fffffffdfd0 --> 0x7fffffffe030 --> 0x0 0008| 0x7fffffffdfd8 --> 0x7fffffffe190 --> 0x7fffffffe0e0 --> 0x7ffff7b89ce0 (<error_exit>:push rbp) 0016| 0x7fffffffdfe0 --> 0x5bffffe0bc 0024| 0x7fffffffdfe8 --> 0x61c880 --> 0x61d028 --> 0x0 0032| 0x7fffffffdff0 --> 0x7fffffffe050 --> 0x7fffffffe070 --> 0x7fffffffe0a0 --> 0x7fffffffe0c0 --> 0x61c370 ("example_data_files/test.jpg") 0040| 0x7fffffffdff8 --> 0x7ffff7b7beef (<get_dqt+71>:test eax,eax) 0048| 0x7fffffffe000 --> 0x0 0056| 0x7fffffffe008 --> 0x7fffffffe190 --> 0x7fffffffe0e0 --> 0x7ffff7b89ce0 (<error_exit>:push rbp) [------------------------------------------------------------------------------] Legend: code, data, rodata, value 0x00007ffff7b6e236107 nbytes = JFREAD(src->infile, src->buffer, INPUT_BUF_SIZE); gdb-peda$ x/20x $rdi 0x61ce30:0x464a1000e0ffd8ff0x1c00020101004649 0x61ce40:0x4300dbff00001c000x28191e231e1c2800 0x61ce50:0x3c30282b2d2321230x587b3c37373c4164 0x61ce60:0x8f9699809164495d0xa0c3e6b4a08a8c80 0x61ce70:0xcbffc88c8aaddaaa0xc19bfffffff5eeda 0x61ce80:0xfffde6fffaffffff0x2d2b014300dbfff8 0x61ce90:0x764141763c353c2d0xf8f8f8f8a58ca5f8 0x61cea0:0xf8f8f8f8f8f8f8f80xf8f8f8f8f8f8f8f8 0x61ceb0:0xf8f8f8f8f8f8f8f80xf8f8f8f8f8f8f8f8 0x61cec0:0xf8f8f8f8f8f8f8f80xc0fff8f8f8f8f8f8 gdb-peda$ ni Program received signal SIGSEGV, Segmentation fault. POC: test.jpg;exampleworkfile.s2d CVE: CVE-2017-9614 Proof of Concept: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42391.zip


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top