gif2apng 1.9 .gif Stack Buffer Overflow

2018.04.28
Credit: Hamm3r.py
Risk: High
Local: Yes
Remote: No
CVE: N/A
CWE: CWE-119

# Exploit Title: gif2apng 1.9 '.gif' Stack-Buffer Overflow # Date: 20 April 2018 # Exploit Author: Hamm3r.py # Vendor Homepage: http://gif2apng.sourceforge.net/ # Version: 1.9 # Tested on: Ubuntu 16.04 # CVE : gif2apng is vulnerable to a stack based buffer overflow when a malformed gif is supplied. Following is the stack trace: $ ./gif2apng fuzz.gif gif2apng 1.9 using 7ZIP with 15 iterations Reading 'fuzz.gif'... ================================================================= ==3674==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffb183bcf1 at pc 0x0000004ebdce bp 0x7fffb1837a90 sp 0x7fffb1837a88 WRITE of size 1 at 0x7fffb183bcf1 thread T0 #0 0x4ebdcd (/home/shyam/FUZZ/gif2apng+0x4ebdcd) #1 0x4ee926 (/home/shyam/FUZZ/gif2apng+0x4ee926) #2 0x7f4e5642282f (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) #3 0x4199a8 (/home/shyam/FUZZ/gif2apng+0x4199a8) Address 0x7fffb183bcf1 is located in stack of thread T0 at offset 16977 in frame #0 0x4eb23f (/home/shyam/FUZZ/gif2apng+0x4eb23f) This frame has 6 object(s): [32, 36) 'size' [48, 8242) 'prefix' [8512, 12609) 'suffix' [12880, 16977) 'str' <== Memory access at offset 16977 overflows this variable [17248, 18272) 'data' [18400, 18401) 'mincodesize' HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext (longjmp and C++ exceptions *are* supported) SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/shyam/FUZZ/gif2apng+0x4ebdcd) Shadow bytes around the buggy address: 0x1000762ff740: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x1000762ff750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x1000762ff760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x1000762ff770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x1000762ff780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x1000762ff790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[01]f2 0x1000762ff7a0: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 0x1000762ff7b0: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 0x1000762ff7c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x1000762ff7d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x1000762ff7e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==3674==ABORTING Version of software in use: ./gif2apng gif2apng 1.9 #This issue is identified by Hamm3r.py, a general purpose fuzzer! https://github.com/0xshyam/hamm3r.py Proof of Concept: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44519.zip


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top