
1979 changes to exploits/shellcodes Couchdb 1.5.0 - 'uuids' Denial of Service Apache CouchDB 1.5.0 - 'uuids' Denial of Service Beyond Remote 2.2.5.3 - Denial of Service (PoC) udisks2 2.8.0 - Denial of Service (PoC) Termite 3.4 - Denial of Service (PoC) SoftX FTP Client 3.3 - Denial of Service (PoC) Silverstripe 2.3.5 - Cross-Site Request Forgery / Open redirection SilverStripe CMS 2.3.5 - Cross-Site Request Forgery / Open Redirection Silverstripe CMS 3.0.2 - Multiple Vulnerabilities SilverStripe CMS 3.0.2 - Multiple Vulnerabilities Silverstripe CMS 2.4 - File Renaming Security Bypass SilverStripe CMS 2.4 - File Renaming Security Bypass Silverstripe CMS 2.4.5 - Multiple Cross-Site Scripting Vulnerabilities SilverStripe CMS 2.4.5 - Multiple Cross-Site Scripting Vulnerabilities Silverstripe CMS 2.4.7 - 'install.php' PHP Code Injection SilverStripe CMS 2.4.7 - 'install.php' PHP Code Injection Silverstripe Pixlr Image Editor - 'upload.php' Arbitrary File Upload SilverStripe CMS Pixlr Image Editor - 'upload.php' Arbitrary File Upload Silverstripe CMS 2.4.x - 'BackURL' Open Redirection SilverStripe CMS 2.4.x - 'BackURL' Open Redirection Silverstripe CMS - 'MemberLoginForm.php' Information Disclosure SilverStripe CMS - 'MemberLoginForm.php' Information Disclosure Silverstripe CMS - Multiple HTML Injection Vulnerabilities SilverStripe CMS - Multiple HTML Injection Vulnerabilities Apache CouchDB 1.7.0 and 2.x before 2.1.1 - Remote Privilege Escalation Apache CouchDB 1.7.0 / 2.x < 2.1.1 - Remote Privilege Escalation Monstra CMS before 3.0.4 - Cross-Site Scripting Monstra CMS < 3.0.4 - Cross-Site Scripting (2) Monstra CMS < 3.0.4 - Cross-Site Scripting Monstra CMS < 3.0.4 - Cross-Site Scripting (1) Navigate CMS 2.8 - Cross-Site Scripting Collectric CMU 1.0 - 'lang' SQL injection Joomla! Component CW Article Attachments 1.0.6 - 'id' SQL Injection LG SuperSign EZ CMS 2.5 - Remote Code Execution MyBB Visual Editor 1.8.18 - Cross-Site Scripting Joomla! Component AMGallery 1.2.3 - 'filter_category_id' SQL Injection Joomla! Component Micro Deal Factory 2.4.0 - 'id' SQL Injection RICOH Aficio MP 301 Printer - Cross-Site Scripting Joomla! Component Auction Factory 4.5.5 - 'filter_order' SQL Injection RICOH MP C6003 Printer - Cross-Site Scripting Linux/ARM - Egghunter (PWN!) + execve(_/bin/sh__ NULL_ NULL) Shellcode (28 Bytes) Linux/ARM - sigaction() Based Egghunter (PWN!) + execve(_/bin/sh__ NULL_ NULL) Shellcode (52 Bytes)
126 lines
No EOL
4.2 KiB
Text
126 lines
No EOL
4.2 KiB
Text
Summary
|
|
=======
|
|
|
|
There is a file handling DoS in GIMP (the GNU Image Manipulation Program) for
|
|
the 'fit' file format affecting all versions (Windows and Linux) up to and
|
|
including 2.8.0. A file in the fit format with a malformed 'XTENSION' header
|
|
will cause a crash in the GIMP program.
|
|
|
|
CVE number: CVE-2012-3236
|
|
Vendor Homepage: http://www.gimp.org/
|
|
Date reported to vendor: 25/05/2012
|
|
Found by Joseph Sheridan:
|
|
href="http://www.reactionpenetrationtesting.co.uk/joseph-sheridan.html
|
|
|
|
This advisory is posted at:
|
|
http://www.reactionpenetrationtesting.co.uk/FIT-file-handling-DoS.html
|
|
|
|
PoC file is available here:
|
|
http://www.reactionpenetrationtesting.co.uk/vuln.fit
|
|
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/19482.fit
|
|
|
|
|
|
Affected Products
|
|
=================
|
|
|
|
Vulnerable Products
|
|
+------------------
|
|
|
|
The following products are known to be affected by this vulnerability:
|
|
|
|
* GIMP <= 2.8.0 (Windows or Linux builds)
|
|
|
|
Products Not Vulnerable
|
|
+--------------------------------
|
|
* GIMP 2.8.1
|
|
|
|
Details
|
|
=======
|
|
|
|
There is a file handling DoS in GIMP (the GNU Image Manipulation Program) for
|
|
the 'fit' file format affecting all versions (Windows and Linux) up to 2.8.0.
|
|
A file in the fit format with a malformed 'XTENSION' header will cause a crash
|
|
in the GIMP program. The flaw is triggered by opening a crafted 'fit' file or
|
|
allowing the file explorer dialog to preview the file.
|
|
|
|
A file in the fit format starting as follows will trigger the crash:
|
|
XTENSIONaaaaaaaaaaaaaaaaaaaaaa...aaaaaaaaaaaaaaaaaaaaaaaaHEADER2...
|
|
|
|
The vulnerable code is in the fits-io.c lines where the program attempts to
|
|
copy from a null pointer:
|
|
|
|
{
|
|
fdat = fits_decode_card (fits_search_card (hdr, "XTENSION"), typ_fstring);
|
|
strcpy (hdulist->xtension, fdat->fstring);
|
|
}
|
|
|
|
This code can be patched by changing it to the following (as GIMP 2.8.1):
|
|
|
|
fdat = fits_decode_card (fits_search_card (hdr, "XTENSION"), typ_fstring);
|
|
if(fdat != NULL) {
|
|
strcpy (hdulist->xtension, fdat->fstring);
|
|
} else {
|
|
strcpy (errmsg, "No valid XTENSION header found.");
|
|
goto err_return;
|
|
}
|
|
|
|
Impact
|
|
======
|
|
|
|
Successful exploitation of the vulnerability may result in an application
|
|
crash and denial of service.
|
|
|
|
Solution
|
|
===========
|
|
The GIMP team have provided an update for this issue (release 2.8.1).
|
|
|
|
Workarounds
|
|
===========
|
|
|
|
The fits-io.c file can be patched as above.
|
|
|
|
Distribution
|
|
============
|
|
|
|
In addition to posting on the website, a text version of this notice
|
|
is posted to the following e-mail and Usenet news recipients.
|
|
|
|
* bugtraq () securityfocus com
|
|
* full-disclosure () lists grok org uk
|
|
* oss [dash] security [dash] subscribe [at] lists [dot] openwall [dot] com
|
|
|
|
Future updates of this advisory, if any, will be placed on the ReactionIS
|
|
corporate website, but may or may not be actively announced on
|
|
mailing lists or newsgroups. Users concerned about this problem are
|
|
encouraged to check the URL below for any updates:
|
|
|
|
http://www.reactionpenetrationtesting.co.uk/FIT-file-handling-DoS.html
|
|
|
|
========================================================================
|
|
====
|
|
|
|
Reaction Information Security
|
|
Lombard House Business Centre,
|
|
Suite 117,
|
|
12-17 Upper Bridge Street,
|
|
Canterbury, Kent, CT1 2NF
|
|
|
|
Phone: +44 (0)1227 785050
|
|
Email: research () reactionis {dot} co {dot} uk
|
|
Web: http://www.reactionpenetrationtesting.co.uk
|
|
|
|
Joseph Sheridan
|
|
Technical Director
|
|
Principal Consultant
|
|
CHECK Team Leader, CREST Infrastructure, CREST Application, CISSP
|
|
Tel: 07812052515
|
|
Web: www.reactionis.com
|
|
Email: joe (at) reactionis.co (dot) uk [email concealed]
|
|
|
|
Reaction Information Security Limited.
|
|
Registered in England No: 6929383
|
|
Registered Office: 1, The Mews, 69 New Dover Road, Canterbury, CT1 3DZ
|
|
|
|
This email and any files transmitted with it are confidential and are intended solely for the use of the individual to whom they are addressed. If you are not the intended recipient please notify the sender. Any unauthorised dissemination or copying of this email or its attachments and any use or disclosure of any information contained in them, is strictly prohibited.
|
|
|
|
ï Please consider the environment before printing this email |