DB: 2017-07-07

3 new exploits

LibTIFF - 'tif_dirwrite.c' Denial of Service
LibTIFF - 'tif_jbig.c' Denial of Service
LibTIFF - '_TIFFVGetField (tiffsplit)' Out-of-Bounds Read

files.csv

@@ -5605,6 +5605,9 @@ id,file,description,date,author,platform,type,port
 42279,platforms/freebsd_x86/dos/42279.c,"FreeBSD - 'setrlimit' Stack Clash (PoC)",2017-06-28,"Qualys Corporation",freebsd_x86,dos,0
 42285,platforms/android/dos/42285.txt,"LG MRA58K - 'ASFParser::SetMetaData' Stack Overflow",2017-06-30,"Google Security Research",android,dos,0
 42286,platforms/multiple/dos/42286.txt,"Google Chrome - Out-of-Bounds Access in RegExp Stubs",2017-06-30,"Google Security Research",multiple,dos,0
+42299,platforms/linux/dos/42299.txt,"LibTIFF - 'tif_dirwrite.c' Denial of Service",2017-07-06,"team OWL337",linux,dos,0
+42300,platforms/linux/dos/42300.txt,"LibTIFF - 'tif_jbig.c' Denial of Service",2017-07-06,"team OWL337",linux,dos,0
+42301,platforms/linux/dos/42301.txt,"LibTIFF - '_TIFFVGetField (tiffsplit)' Out-of-Bounds Read",2017-07-06,zhangtan,linux,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0

platforms/linux/dos/42299.txt

@@ -0,0 +1,87 @@
+Source: http://bugzilla.maptools.org/show_bug.cgi?id=2712
+
+Triggered by  "./tiffset POC1"
+
+$ ./tiffset POC1
+TIFFReadDirectory: Warning, Unknown field with tag 302 (0x12e) encountered.
+TIFFReadDirectory: Warning, Unknown field with tag 61961 (0xf209) encountered.
+poc3: AdobeDeflate compression support is not configured.
+tiffset: tif_dirwrite.c:2127: int TIFFWriteDirectoryTagCheckedLong8Array(TIFF
+*, uint32 *, TIFFDirEntry *, uint16, uint32, uint64 *): Assertion
+`tif->tif_flags&TIFF_BIGTIFF' failed.
+Aborted
+
+The gdb debugging information is listed below:
+(gdb) set args POC1
+(gdb) r
+...
+(gdb) c
+Continuing.
+TIFFReadDirectory: Warning, Unknown field with tag 302 (0x12e) encountered.
+TIFFReadDirectory: Warning, Unknown field with tag 61961 (0xf209) encountered.
+poc2: AdobeDeflate compression support is not configured.
+
+Breakpoint 2, TIFFWriteDirectoryTagCheckedLong8Array (tif=<optimized out>,
+ndir=<optimized out>, count=1, 
+    value=0x615c20, dir=<optimized out>, tag=<optimized out>) at
+tif_dirwrite.c:2127
+2127        assert(tif->tif_flags&TIFF_BIGTIFF);
+(gdb) bt
+#0  0x00007ffff746a428 in __GI_raise (sig=sig@entry=6) at
+../sysdeps/unix/sysv/linux/raise.c:54
+#1  0x00007ffff746c02a in __GI_abort () at abort.c:89
+#2  0x00007ffff7462bd7 in __assert_fail_base (fmt=<optimized out>, 
+    assertion=assertion@entry=0x7ffff7baf949 "tif->tif_flags&TIFF_BIGTIFF", 
+    file=file@entry=0x7ffff7baf5c0 "tif_dirwrite.c", line=line@entry=2127, 
+    function=function@entry=0x7ffff7baf8e2 "int
+TIFFWriteDirectoryTagCheckedLong8Array(TIFF *, uint32 *, TIFFDirEntry *,
+uint16, uint32, uint64 *)") at assert.c:92
+#3  0x00007ffff7462c82 in __GI___assert_fail (assertion=0x7ffff7baf949
+"tif->tif_flags&TIFF_BIGTIFF", 
+    file=0x7ffff7baf5c0 "tif_dirwrite.c", line=2127, 
+    function=0x7ffff7baf8e2 "int TIFFWriteDirectoryTagCheckedLong8Array(TIFF *,
+uint32 *, TIFFDirEntry *, uint16, uint32, uint64 *)") at assert.c:101
+#4  0x00007ffff7b4e9cb in TIFFWriteDirectoryTagCheckedLong8Array (tif=0x615010,
+ndir=<optimized out>, count=1, 
+    value=0x615c20, dir=<optimized out>, tag=<optimized out>) at
+tif_dirwrite.c:2127
+#5  TIFFWriteDirectoryTagLong8Array (count=1, value=0x615c20, tif=<optimized
+out>, ndir=<optimized out>, 
+    dir=<optimized out>, tag=<optimized out>) at tif_dirwrite.c:1462
+#6  TIFFWriteDirectorySec (tif=<optimized out>, isimage=<optimized out>,
+imagedone=<optimized out>, 
+    pdiroff=<optimized out>) at tif_dirwrite.c:746
+#7  0x00007ffff7b4f6b5 in TIFFWriteDirectory (tif=0x615010) at
+tif_dirwrite.c:184
+#8  TIFFRewriteDirectory (tif=<optimized out>) at tif_dirwrite.c:360
+#9  0x0000000000402bc7 in main (argc=<optimized out>, argv=<optimized out>) at
+tiffset.c:344
+
+Trigged in line tif_dirwrite.c:2127 at function
+TIFFWriteDirectoryTagCheckedLong8Array()
+2122 static int
+2123 TIFFWriteDirectoryTagCheckedLong8Array(TIFF* tif, uint32* ndir,
+TIFFDirEntry* dir, uint16 tag, uint32 count, uint64*      value)
+2124 {       
+2125         assert(count<0x20000000);
+2126         assert(sizeof(uint64)==8);
+2127         assert(tif->tif_flags&TIFF_BIGTIFF);
+2128         if (tif->tif_flags&TIFF_SWAB)
+2129                 TIFFSwabArrayOfLong8(value,count);
+2130        
+return(TIFFWriteDirectoryTagData(tif,ndir,dir,tag,TIFF_LONG8,count,count*8,value));
+2131 }
+
+[note]: Tiffset sets the value of a TIFF header to a specified value.It will
+modify the raw POC file,so you'd better make a backup file every time you are
+going to run.
+
+Credits:
+
+This vulnerability is detected by team OWL337, with our custom fuzzer collAFL.
+Please contact ganshuitao@gmail.com   and chaoz@tsinghua.edu.cn if you need
+more info about the team, the tool or the vulnerability.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42299.zip

platforms/linux/dos/42300.txt

@@ -0,0 +1,42 @@
+Source: http://bugzilla.maptools.org/show_bug.cgi?id=2706
+
+Triggered by “./tiff2ps $POC” or “./tiff2pdf $POC”
+
+Triggered by “./tiff2ps $POC” or “./tiff2pdf $POC”
+
+The asan debug information is below:
+
+$./tiff2ps $POC  
+
+
+=================================================================
+==26627==ERROR: LeakSanitizer: detected memory leaks
+
+Direct leak of 1792 byte(s) in 7 object(s) allocated from:
+    #0 0x7f7c4f1a19aa in malloc
+(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x989aa)
+    #1 0x7f7c4dca72fd  (/usr/lib/x86_64-linux-gnu/libjbig.so.0+0x12fd)
+    #2 0x3ea  (<unknown module>)
+
+Indirect leak of 170491316224 byte(s) in 223 object(s) allocated from:
+    #0 0x7f7c4f1a19aa in malloc
+(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x989aa)
+    #1 0x7f7c4dca72fd  (/usr/lib/x86_64-linux-gnu/libjbig.so.0+0x12fd)
+    #2 0x3ea  (<unknown module>)
+
+SUMMARY: AddressSanitizer: 170491318016 byte(s) leaked in 230 allocation(s).
+
+
+Affected version:
+<=the Latest version (4.0.8)
+
+
+Credits:
+
+This vulnerability is detected by team OWL337, with our custom fuzzer coll AFL.
+Please contact ganshuitao@gmail.com  and chaoz@tsinghua.edu.cn if you need more
+info about the team, the tool or the vulnerability.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42300.zip

platforms/linux/dos/42301.txt

@@ -0,0 +1,91 @@
+Source: http://bugzilla.maptools.org/show_bug.cgi?id=2693
+
+On 4.0.7:
+
+# tiffsplit $FILE
+
+==2007== Invalid read of size 4
+==2007==    at 0x40CD1A: _TIFFVGetField (tif_dir.c:1072)
+==2007==    by 0x41B2C5: TIFFVGetField (tif_dir.c:1198)
+==2007==    by 0x41B2C5: TIFFGetField (tif_dir.c:1182)
+==2007==    by 0x404CCF: tiffcp (tiffsplit.c:220)
+==2007==    by 0x404CCF: main (tiffsplit.c:89)
+==2007==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
+
+------- Comment #1 From zhangtan 2017-05-15 01:20:26 -------
+
+The place of Out of bound read:
+
+ret_val = 0;
+for (i = 0; i < td->td_customValueCount; i++) {
+    TIFFTagValue *tv = td->td_customValues + i;
+
+if (tv->info->field_tag != tag)
+                        continue;
+
+------- Comment #2 From zhangtan 2017-05-15 01:29:10 -------
+
+The place of Out of bound read:
+
+The 1072 line of tif_dir.c
+
+1068     ret_val = 0;
+1069     for (i = 0; i < td->td_customValueCount; i++) {
+1070             TIFFTagValue *tv = td->td_customValues + i;
+1071                    
+1072             if (tv->info->field_tag != tag)
+1073                     continue;
+
+As tv increased in 1070, Out of bound read happened in 1072 when the pointer tv
+was referenced.
+
+------- Comment #3 From zhangtan 2017-05-15 01:46:33 -------
+
+PoC:
+
+Detailed information of the bug can be reproduced using the valgrind tool:
+
+# valgrind tiffsplit $File(the testcase in the attachment)
+
+Error Message:
+==23520== Invalid read of size 4
+==23520==    at 0x40CD1A: _TIFFVGetField (tif_dir.c:1072)
+==23520==    by 0x41B2C5: TIFFVGetField (tif_dir.c:1198)
+==23520==    by 0x41B2C5: TIFFGetField (tif_dir.c:1182)
+==23520==    by 0x404CCF: tiffcp (tiffsplit.c:220)
+==23520==    by 0x404CCF: main (tiffsplit.c:89)
+==23520==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
+==23520== 
+==23520== 
+==23520== Process terminating with default action of signal 11 (SIGSEGV)
+==23520==  Access not within mapped region at address 0x0
+==23520==    at 0x40CD1A: _TIFFVGetField (tif_dir.c:1072)
+==23520==    by 0x41B2C5: TIFFVGetField (tif_dir.c:1198)
+==23520==    by 0x41B2C5: TIFFGetField (tif_dir.c:1182)
+==23520==    by 0x404CCF: tiffcp (tiffsplit.c:220)
+==23520==    by 0x404CCF: main (tiffsplit.c:89)
+==23520==  If you believe this happened as a result of a stack
+==23520==  overflow in your program's main thread (unlikely but
+==23520==  possible), you can try to increase the size of the
+==23520==  main thread stack using the --main-stacksize= flag.
+==23520==  The main thread stack size used in this run was 8388608.
+==23520== 
+==23520== HEAP SUMMARY:
+==23520==     in use at exit: 17,821 bytes in 42 blocks
+==23520==   total heap usage: 96 allocs, 54 frees, 59,223 bytes allocated
+==23520== 
+==23520== LEAK SUMMARY:
+==23520==    definitely lost: 0 bytes in 0 blocks
+==23520==    indirectly lost: 0 bytes in 0 blocks
+==23520==      possibly lost: 0 bytes in 0 blocks
+==23520==    still reachable: 17,821 bytes in 42 blocks
+==23520==         suppressed: 0 bytes in 0 blocks
+==23520== Rerun with --leak-check=full to see details of leaked memory
+==23520== 
+==23520== For counts of detected and suppressed errors, rerun with: -v
+==23520== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
+Segmentation fault
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42301.zip