lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-Id: <201103210711.p2L7BHdK015282@www3.securityfocus.com>
Date: Mon, 21 Mar 2011 01:11:17 -0600
From: zgmzgm@...l.ustc.edu.cn
To: bugtraq@...urityfocus.com
Subject: Buffer overflow in libtiff in Imagemagick

--Credits:
zgmzgm[at]mail.ustc.edu.cn

-- Disclosure Timeline:
3-17-2011

-- Affected Vendor:
Imagemagick 6.6.8-5
Libtiff 6.9.4

-- Problem Description:
A buffer overflow is triggered by displaying a malformed tiff image by the Imagemagick.The error information is followed:

display: malformed.tif: Wrong "StripByteCounts" field, ignoring and calculating from imagelength. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/706.
display: malformed.tif: Read error on strip 0; got 46128 bytes, expected 80624532. `TIFFFillStrip' @ error/tiff.c/TIFFErrors/496.
Segmentation fault

We use flayer to trace the malformed tiff image and the flayer gives the following suggestions:

==1812== Warning: client syscall shmdt tried to modify addresses 0xFFFFFFFF-0xFFFFFFFF
==1812== Warning: set address range perms: large range 325120064 (defined)
==1812== Stack overflow in thread 1: can't grow stack to 0xBE394FAC
==1812== 
==1812== Process terminating with default action of signal 11 (SIGSEGV)
==1812==  Access not within mapped region at address 0xBE394FAC
==1812==    at 0x484D407: (within /usr/lib/libX11.so.6.3.0)
==1812== Stack overflow in thread 1: can't grow stack to 0xBE394FA8
==1812== 
==1812== Process terminating with default action of signal 11 (SIGSEGV)
==1812==  Access not within mapped region at address 0xBE394FA8
==1812==    at 0x401F2C1: _vgnU_freeres (vg_preloaded.c:56)

The flayer suggest that a stack overflow occurred in thread 1.This may allow remote attackers to execute arbitrary code.

You can download the malformed tiff image which lead to the application collapse: 
http://home.ustc.edu.cn/~zgmzgm/malformed.tif

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ