lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Wed, 22 Dec 2004 14:45:45 +0300
From: "Dmitry V. Levin" <ldv@...linux.org>
To: customer service mailbox <customerservice@...fense.com>
Cc: bugtraq@...urityfocus.com, vulnwatch@...nwatch.org
Subject: Re: iDEFENSE Security Advisory 12.21.04: libtiff STRIPOFFSETS Integer Overflow Vulnerability

Hi,

On Tue, Dec 21, 2004 at 05:09:30PM -0500, customer service mailbox wrote:
> libtiff STRIPOFFSETS Integer Overflow Vulnerability
> 
> iDEFENSE Security Advisory 12.21.04
> www.idefense.com/application/poi/display?id=173&type=vulnerabilities
> December 21, 2004
> 
> I. BACKGROUND
> 
> libtiff provides support for the Tag Image File Format (TIFF), a widely 
> used format for storing image data.
> 
> More information is available at the following site: 
> http://www.remotesensing.org/libtiff/
> 
> II. DESCRIPTION
> 
> Remote exploitation of an integer overflow in libtiff may allow for the 
> execution of arbitrary code.
> 
> The overflow occurs in the parsing of TIFF files set with the 
> STRIPOFFSETS flag in libtiff/tif_dirread.c. In the TIFFFetchStripThing()
> 
> function, the number of strips (nstrips) is used directly in a 
> CheckMalloc() routine without sanity checking. The call ultimately boils
> 
> down to:
> 
> malloc(user_supplied_int*size(int32));
> 
> When supplied 0x40000000 as the user supplied integer, malloc is called 
> with a length argument of 0. This has the effect of returning the 
> smallest possible malloc chunk. A user controlled buffer is subsequently
> 
> copied to that small heap buffer, causing a heap overflow.
> 
> When exploited, it is possible to overwrite heap structures and seize 
> control of execution.
> 
> III. ANALYSIS
> 
> An attacker can exploit the above-described vulnerability to execute 
> arbitrary code under the permissions of the target user. Successful 
> exploitation requires that the attacker convince the end user to open 
> the malicious TIFF file using an application linked with a vulnerable 
> version of libtiff. Exploitation of this vulnerability against a remote 
> target is difficult because of the precision required in the attack.
> 
> IV. DETECTION
> 
> iDEFENSE has confirmed this vulnerability in libtiff 3.6.1. Changes were
> 
> introduced in libtiff 3.7.0 that had the effect of fixing this 
> vulnerability.
> 
> The following vendors provide susceptible libtiff packages within their 
> respective operating system distributions: 
> 	
> 	- Gentoo Linux 
> 	- Fedora Linux 
> 	- RedHat Linux 
> 	- SuSE Linux 
> 	- Debian Linux 
> 
> V. WORKAROUND
> 
> Only open TIFF files from trusted users.
> 
> VI. VENDOR RESPONSE
> 
> This issue is addressed in libtiff 3.7.0 and 3.7.1.
> 
> VII. CVE INFORMATION
> 
> A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
> been assigned yet.

I believe this issue is subset of CAN-2004-0886 which was fixed in the
middle of October.


-- 
ldv

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ