DB: 2017-07-07
3 new exploits LibTIFF - 'tif_dirwrite.c' Denial of Service LibTIFF - 'tif_jbig.c' Denial of Service LibTIFF - '_TIFFVGetField (tiffsplit)' Out-of-Bounds Read
This commit is contained in:
parent
9a0992d704
commit
d3536f6bef
4 changed files with 223 additions and 0 deletions
@ -5605,6 +5605,9 @@ id,file,description,date,author,platform,type,port
42279,platforms/freebsd_x86/dos/42279.c,"FreeBSD - 'setrlimit' Stack Clash (PoC)",2017-06-28,"Qualys Corporation",freebsd_x86,dos,0
42285,platforms/android/dos/42285.txt,"LG MRA58K - 'ASFParser::SetMetaData' Stack Overflow",2017-06-30,"Google Security Research",android,dos,0
42286,platforms/multiple/dos/42286.txt,"Google Chrome - Out-of-Bounds Access in RegExp Stubs",2017-06-30,"Google Security Research",multiple,dos,0
42299,platforms/linux/dos/42299.txt,"LibTIFF - 'tif_dirwrite.c' Denial of Service",2017-07-06,"team OWL337",linux,dos,0
42300,platforms/linux/dos/42300.txt,"LibTIFF - 'tif_jbig.c' Denial of Service",2017-07-06,"team OWL337",linux,dos,0
42301,platforms/linux/dos/42301.txt,"LibTIFF - '_TIFFVGetField (tiffsplit)' Out-of-Bounds Read",2017-07-06,zhangtan,linux,dos,0
3,platforms/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
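Review bot: The new `42300` row is typed `dos` with the title `'tif_jbig.c' Denial of Service`, but the advisory this commit adds for it (platforms/linux/dos/42300.txt) contains only a LeakSanitizer report attributed to libjbig.so, with an indirect-leak total of 170491316224 bytes, and no crash, hang or exhaustion message, so whether this is a denial of service or a leak of oversized allocations is not shown by the evidence on this page. The `42301` row is titled `Out-of-Bounds Read`, while its valgrind output reports an invalid read at address 0x0 through `tv->info` in `_TIFFVGetField`, which reads as a NULL-pointer dereference rather than an out-of-bounds read; the bugzilla comments quoted in the file describe it as "Out of bound read", so the title presumably follows them, but the index entry would be more accurate as `"LibTIFF - '_TIFFVGetField (tiffsplit)' NULL Pointer Dereference"`. The `42299` row depends on a failing `assert()` in tif_dirwrite.c, which presumably does not fire in builds compiled with NDEBUG, so the platform/type entry should say that the abort is assertion-dependent. The CSV hunk is partial ("Can't render this file"), so the surrounding rows are not visible here.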
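--- a/platforms/linux/dos/42299.txt
+++ b/platforms/linux/dos/42299.txt
@@ -0,0 +1,87 @@
+Source: http://bugzilla.maptools.org/show_bug.cgi?id=2712
+
+Triggered by "./tiffset POC1"
+
+$ ./tiffset POC1
+TIFFReadDirectory: Warning, Unknown field with tag 302 (0x12e) encountered.
+TIFFReadDirectory: Warning, Unknown field with tag 61961 (0xf209) encountered.
+poc3: AdobeDeflate compression support is not configured.
+tiffset: tif_dirwrite.c:2127: int TIFFWriteDirectoryTagCheckedLong8Array(TIFF
+*, uint32 *, TIFFDirEntry *, uint16, uint32, uint64 *): Assertion
+`tif->tif_flags&TIFF_BIGTIFF' failed.
+Aborted
+
+The gdb debugging information is listed below:
+(gdb) set args POC1
+(gdb) r
+...
+(gdb) c
+Continuing.
+TIFFReadDirectory: Warning, Unknown field with tag 302 (0x12e) encountered.
+TIFFReadDirectory: Warning, Unknown field with tag 61961 (0xf209) encountered.
+poc2: AdobeDeflate compression support is not configured.
+
+Breakpoint 2, TIFFWriteDirectoryTagCheckedLong8Array (tif=<optimized out>,
+ndir=<optimized out>, count=1,
+value=0x615c20, dir=<optimized out>, tag=<optimized out>) at
+tif_dirwrite.c:2127
+2127 assert(tif->tif_flags&TIFF_BIGTIFF);
+(gdb) bt
+#0 0x00007ffff746a428 in __GI_raise (sig=sig@entry=6) at
+../sysdeps/unix/sysv/linux/raise.c:54
+#1 0x00007ffff746c02a in __GI_abort () at abort.c:89
+#2 0x00007ffff7462bd7 in __assert_fail_base (fmt=<optimized out>,
+assertion=assertion@entry=0x7ffff7baf949 "tif->tif_flags&TIFF_BIGTIFF",
+file=file@entry=0x7ffff7baf5c0 "tif_dirwrite.c", line=line@entry=2127,
+function=function@entry=0x7ffff7baf8e2 "int
+TIFFWriteDirectoryTagCheckedLong8Array(TIFF *, uint32 *, TIFFDirEntry *,
+uint16, uint32, uint64 *)") at assert.c:92
+#3 0x00007ffff7462c82 in __GI___assert_fail (assertion=0x7ffff7baf949
+"tif->tif_flags&TIFF_BIGTIFF",
+file=0x7ffff7baf5c0 "tif_dirwrite.c", line=2127,
+function=0x7ffff7baf8e2 "int TIFFWriteDirectoryTagCheckedLong8Array(TIFF *,
+uint32 *, TIFFDirEntry *, uint16, uint32, uint64 *)") at assert.c:101
+#4 0x00007ffff7b4e9cb in TIFFWriteDirectoryTagCheckedLong8Array (tif=0x615010,
+ndir=<optimized out>, count=1,
+value=0x615c20, dir=<optimized out>, tag=<optimized out>) at
+tif_dirwrite.c:2127
+#5 TIFFWriteDirectoryTagLong8Array (count=1, value=0x615c20, tif=<optimized
+out>, ndir=<optimized out>,
+dir=<optimized out>, tag=<optimized out>) at tif_dirwrite.c:1462
+#6 TIFFWriteDirectorySec (tif=<optimized out>, isimage=<optimized out>,
+imagedone=<optimized out>,
+pdiroff=<optimized out>) at tif_dirwrite.c:746
+#7 0x00007ffff7b4f6b5 in TIFFWriteDirectory (tif=0x615010) at
+tif_dirwrite.c:184
+#8 TIFFRewriteDirectory (tif=<optimized out>) at tif_dirwrite.c:360
+#9 0x0000000000402bc7 in main (argc=<optimized out>, argv=<optimized out>) at
+tiffset.c:344
+
+Trigged in line tif_dirwrite.c:2127 at function
+TIFFWriteDirectoryTagCheckedLong8Array()
+2122 static int
+2123 TIFFWriteDirectoryTagCheckedLong8Array(TIFF* tif, uint32* ndir,
+TIFFDirEntry* dir, uint16 tag, uint32 count, uint64* value)
+2124 {
+2125 assert(count<0x20000000);
+2126 assert(sizeof(uint64)==8);
+2127 assert(tif->tif_flags&TIFF_BIGTIFF);
+2128 if (tif->tif_flags&TIFF_SWAB)
+2129 TIFFSwabArrayOfLong8(value,count);
+2130
+return(TIFFWriteDirectoryTagData(tif,ndir,dir,tag,TIFF_LONG8,count,count*8,value));
+2131 }
+
+[note]: Tiffset sets the value of a TIFF header to a specified value.It will
+modify the raw POC file,so you'd better make a backup file every time you are
+going to run.
+
+Credits:
+
+This vulnerability is detected by team OWL337, with our custom fuzzer collAFL.
+Please contact ganshuitao@gmail.com and chaoz@tsinghua.edu.cn if you need
+more info about the team, the tool or the vulnerability.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42299.zip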
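--- a/platforms/linux/dos/42300.txt
+++ b/platforms/linux/dos/42300.txt
@@ -0,0 +1,42 @@
+Source: http://bugzilla.maptools.org/show_bug.cgi?id=2706
+
+Triggered by “./tiff2ps $POC” or “./tiff2pdf $POC”
+
+Triggered by “./tiff2ps $POC” or “./tiff2pdf $POC”
+
+The asan debug information is below:
+
+$./tiff2ps $POC
+
+
+=================================================================
+==26627==ERROR: LeakSanitizer: detected memory leaks
+
+Direct leak of 1792 byte(s) in 7 object(s) allocated from:
+#0 0x7f7c4f1a19aa in malloc
+(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x989aa)
+#1 0x7f7c4dca72fd (/usr/lib/x86_64-linux-gnu/libjbig.so.0+0x12fd)
+#2 0x3ea (<unknown module>)
+
+Indirect leak of 170491316224 byte(s) in 223 object(s) allocated from:
+#0 0x7f7c4f1a19aa in malloc
+(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x989aa)
+#1 0x7f7c4dca72fd (/usr/lib/x86_64-linux-gnu/libjbig.so.0+0x12fd)
+#2 0x3ea (<unknown module>)
+
+SUMMARY: AddressSanitizer: 170491318016 byte(s) leaked in 230 allocation(s).
+
+
+Affected version:
+<=the Latest version (4.0.8)
+
+
+Credits:
+
+This vulnerability is detected by team OWL337, with our custom fuzzer coll AFL.
+Please contact ganshuitao@gmail.com and chaoz@tsinghua.edu.cn if you need more
+info about the team, the tool or the vulnerability.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42300.zip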
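--- a/platforms/linux/dos/42301.txt
+++ b/platforms/linux/dos/42301.txt
@@ -0,0 +1,91 @@
+Source: http://bugzilla.maptools.org/show_bug.cgi?id=2693
+
+On 4.0.7:
+
+# tiffsplit $FILE
+
+==2007== Invalid read of size 4
+==2007== at 0x40CD1A: _TIFFVGetField (tif_dir.c:1072)
+==2007== by 0x41B2C5: TIFFVGetField (tif_dir.c:1198)
+==2007== by 0x41B2C5: TIFFGetField (tif_dir.c:1182)
+==2007== by 0x404CCF: tiffcp (tiffsplit.c:220)
+==2007== by 0x404CCF: main (tiffsplit.c:89)
+==2007== Address 0x0 is not stack'd, malloc'd or (recently) free'd
+
+------- Comment #1 From zhangtan 2017-05-15 01:20:26 -------
+
+The place of Out of bound read:
+
+ret_val = 0;
+for (i = 0; i < td->td_customValueCount; i++) {
+TIFFTagValue *tv = td->td_customValues + i;
+
+if (tv->info->field_tag != tag)
+continue;
+
+------- Comment #2 From zhangtan 2017-05-15 01:29:10 -------
+
+The place of Out of bound read:
+
+The 1072 line of tif_dir.c
+
+1068 ret_val = 0;
+1069 for (i = 0; i < td->td_customValueCount; i++) {
+1070 TIFFTagValue *tv = td->td_customValues + i;
+1071
+1072 if (tv->info->field_tag != tag)
+1073 continue;
+
+As tv increased in 1070, Out of bound read happened in 1072 when the pointer tv
+was referenced.
+
+------- Comment #3 From zhangtan 2017-05-15 01:46:33 -------
+
+PoC:
+
+Detailed information of the bug can be reproduced using the valgrind tool:
+
+# valgrind tiffsplit $File(the testcase in the attachment)
+
+Error Message:
+==23520== Invalid read of size 4
+==23520== at 0x40CD1A: _TIFFVGetField (tif_dir.c:1072)
+==23520== by 0x41B2C5: TIFFVGetField (tif_dir.c:1198)
+==23520== by 0x41B2C5: TIFFGetField (tif_dir.c:1182)
+==23520== by 0x404CCF: tiffcp (tiffsplit.c:220)
+==23520== by 0x404CCF: main (tiffsplit.c:89)
+==23520== Address 0x0 is not stack'd, malloc'd or (recently) free'd
+==23520==
+==23520==
+==23520== Process terminating with default action of signal 11 (SIGSEGV)
+==23520== Access not within mapped region at address 0x0
+==23520== at 0x40CD1A: _TIFFVGetField (tif_dir.c:1072)
+==23520== by 0x41B2C5: TIFFVGetField (tif_dir.c:1198)
+==23520== by 0x41B2C5: TIFFGetField (tif_dir.c:1182)
+==23520== by 0x404CCF: tiffcp (tiffsplit.c:220)
+==23520== by 0x404CCF: main (tiffsplit.c:89)
+==23520== If you believe this happened as a result of a stack
+==23520== overflow in your program's main thread (unlikely but
+==23520== possible), you can try to increase the size of the
+==23520== main thread stack using the --main-stacksize= flag.
+==23520== The main thread stack size used in this run was 8388608.
+==23520==
+==23520== HEAP SUMMARY:
+==23520== in use at exit: 17,821 bytes in 42 blocks
+==23520== total heap usage: 96 allocs, 54 frees, 59,223 bytes allocated
+==23520==
+==23520== LEAK SUMMARY:
+==23520== definitely lost: 0 bytes in 0 blocks
+==23520== indirectly lost: 0 bytes in 0 blocks
+==23520== possibly lost: 0 bytes in 0 blocks
+==23520== still reachable: 17,821 bytes in 42 blocks
+==23520== suppressed: 0 bytes in 0 blocks
+==23520== Rerun with --leak-check=full to see details of leaked memory
+==23520==
+==23520== For counts of detected and suppressed errors, rerun with: -v
+==23520== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
+Segmentation fault
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42301.zip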