lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <18a74f57.c65.15d7d70da5f.Coremail.qflb.wu@dbappsecurity.com.cn>
Date: Wed, 26 Jul 2017 13:48:54 +0800 (GMT+08:00)
From: "qflb.wu" <qflb.wu@...ppsecurity.com.cn>
To: fulldisclosure@...lists.org
Subject: [FD] libjpeg-turbo denial of service vulnerability

libjpeg-turbo denial of service vulnerability
======================
Author : qflb.wu
CVE    : CVE-2017-9614
======================


Introduction:
=============
libjpeg-turbo is a JPEG image codec that uses SIMD instructions (MMX, SSE2, AVX2, NEON, AltiVec) to accelerate baseline JPEG compression and decompression on x86, x86-64, ARM, and PowerPC systems.


Affected version:
=====
1.5.1


Vulnerability Description:
==========================
the fill_input_buffer function in jdatasrc.c in libjpeg-turbo 1.5.1 can cause a denial of service(invalid address and application crash) via a crafted jpg file.


I found this bug when I test stills2dv-alpha-0.601 which used the libjpeg-turbo.


./stills2dv exampleworkfile.s2d


(the exampleworkfile.s2d contains the path of the poc jpg file)


----debug info:----
gdb-peda$ bt
#0  __memcpy_sse2 () at ../sysdeps/x86_64/multiarch/../memcpy.S:166
#1  0x00007ffff6d82323 in __GI__IO_file_xsgetn (fp=0x61c370, 
    data=<optimized out>, n=0x1000) at fileops.c:1387
#2  0x00007ffff6d7786f in __GI__IO_fread (buf=<optimized out>, size=0x1, 
    count=0x1000, fp=0x61c370) at iofread.c:42
#3  0x00007ffff7b6e23b in fill_input_buffer (cinfo=0x7fffffffe190)
    at jdatasrc.c:107
#4  0x00007ffff7b7beef in get_dqt (cinfo=0x7fffffffe190) at jdmarker.c:516
#5  0x00007ffff7b7dba3 in read_markers (cinfo=0x7fffffffe190)
    at jdmarker.c:1050
#6  0x00007ffff7b795fd in consume_markers (cinfo=0x7fffffffe190)
    at jdinput.c:320
#7  0x00007ffff7b6c853 in jpeg_finish_decompress (cinfo=0x7fffffffe190)
    at jdapimin.c:399
#8  0x0000000000402da0 in readjpg (
    fn=fn@...ry=0x61c2f4 "example_data_files/test.jpg") at s2d_jpg.c:148
#9  0x0000000000403c5b in openImage (
    fn=0x61c2f4 "example_data_files/test.jpg", cache=0xffffffff)
    at s2d_main.c:202
#10 0x00000000004063a5 in splitted2struct (p=p@...ry=0x60acc0 <ms>, 
    strs=strs@...ry=0x61c2a0) at s2d_main.c:1139
#11 0x000000000040240b in main (argc=argc@...ry=0x2, 
    argv=argv@...ry=0x7fffffffe5f8) at s2d_main.c:1404
#12 0x00007ffff6d2af45 in __libc_start_main (main=0x402040 <main>, argc=0x2, 
    argv=0x7fffffffe5f8, init=<optimized out>, fini=<optimized out>, 
    rtld_fini=<optimized out>, stack_end=0x7fffffffe5e8) at libc-start.c:287
#13 0x0000000000402500 in _start ()




=================================================================================
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
0x00007ffff7b6e233107  nbytes = JFREAD(src->infile, src->buffer, INPUT_BUF_SIZE);
gdb-peda$ 
[----------------------------------registers-----------------------------------]
RAX: 0x61ce30 --> 0x464a1000e0ffd8ff 
RBX: 0x7fffffffe190 --> 0x7fffffffe0e0 --> 0x7ffff7b89ce0 (<error_exit>:push   rbp)
RCX: 0x61c370 ("example_data_files/test.jpg")
RDX: 0x1000 
RSI: 0x1 
RDI: 0x61ce30 --> 0x464a1000e0ffd8ff 
RBP: 0x7fffffffdff0 --> 0x7fffffffe050 --> 0x7fffffffe070 --> 0x7fffffffe0a0 --> 0x7fffffffe0c0 --> 0x61c370 ("example_data_files/test.jpg")
RSP: 0x7fffffffdfd0 --> 0x7fffffffe030 --> 0x0 
RIP: 0x7ffff7b6e236 (<fill_input_buffer+56>:)
R8 : 0x67706a2e747365 ('est.jpg')
R9 : 0x7ffff70ca7b8 --> 0x623770 --> 0x0 
R10: 0x7fffffffde90 --> 0x0 
R11: 0x7ffff7b6c74c (<jpeg_finish_decompress>:push   rbp)
R12: 0x61c2f4 ("example_data_files/test.jpg")
R13: 0x61c5b0 --> 0x61c370 ("example_data_files/test.jpg")
R14: 0xc00 ('')
R15: 0x3
EFLAGS: 0x202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff7b6e229 <fill_input_buffer+43>:mov    edx,0x1000
   0x7ffff7b6e22e <fill_input_buffer+48>:mov    esi,0x1
   0x7ffff7b6e233 <fill_input_buffer+53>:mov    rdi,rax
=> 0x7ffff7b6e236 <fill_input_buffer+56>:
    call   0x7ffff7b477f0 <fread@plt>
   0x7ffff7b6e23b <fill_input_buffer+61>:mov    QWORD PTR [rbp-0x10],rax
   0x7ffff7b6e23f <fill_input_buffer+65>:cmp    QWORD PTR [rbp-0x10],0x0
   0x7ffff7b6e244 <fill_input_buffer+70>:
    jne    0x7ffff7b6e2bb <fill_input_buffer+189>
   0x7ffff7b6e246 <fill_input_buffer+72>:mov    rax,QWORD PTR [rbp-0x8]
Guessed arguments:
arg[0]: 0x61ce30 --> 0x464a1000e0ffd8ff 
arg[1]: 0x1 
arg[2]: 0x1000 
arg[3]: 0x61c370 ("example_data_files/test.jpg")
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffdfd0 --> 0x7fffffffe030 --> 0x0 
0008| 0x7fffffffdfd8 --> 0x7fffffffe190 --> 0x7fffffffe0e0 --> 0x7ffff7b89ce0 (<error_exit>:push   rbp)
0016| 0x7fffffffdfe0 --> 0x5bffffe0bc 
0024| 0x7fffffffdfe8 --> 0x61c880 --> 0x61d028 --> 0x0 
0032| 0x7fffffffdff0 --> 0x7fffffffe050 --> 0x7fffffffe070 --> 0x7fffffffe0a0 --> 0x7fffffffe0c0 --> 0x61c370 ("example_data_files/test.jpg")
0040| 0x7fffffffdff8 --> 0x7ffff7b7beef (<get_dqt+71>:test   eax,eax)
0048| 0x7fffffffe000 --> 0x0 
0056| 0x7fffffffe008 --> 0x7fffffffe190 --> 0x7fffffffe0e0 --> 0x7ffff7b89ce0 (<error_exit>:push   rbp)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
0x00007ffff7b6e236107  nbytes = JFREAD(src->infile, src->buffer, INPUT_BUF_SIZE);
gdb-peda$ x/20x $rdi
0x61ce30:0x464a1000e0ffd8ff0x1c00020101004649
0x61ce40:0x4300dbff00001c000x28191e231e1c2800
0x61ce50:0x3c30282b2d2321230x587b3c37373c4164
0x61ce60:0x8f9699809164495d0xa0c3e6b4a08a8c80
0x61ce70:0xcbffc88c8aaddaaa0xc19bfffffff5eeda
0x61ce80:0xfffde6fffaffffff0x2d2b014300dbfff8
0x61ce90:0x764141763c353c2d0xf8f8f8f8a58ca5f8
0x61cea0:0xf8f8f8f8f8f8f8f80xf8f8f8f8f8f8f8f8
0x61ceb0:0xf8f8f8f8f8f8f8f80xf8f8f8f8f8f8f8f8
0x61cec0:0xf8f8f8f8f8f8f8f80xc0fff8f8f8f8f8f8


gdb-peda$ ni
Program received signal SIGSEGV, Segmentation fault.


POC:
test.jpg;exampleworkfile.s2d
CVE:
CVE-2017-9614




===============================




qflb.wu () dbappsecurity com cn






Download attachment "poc.zip" of type "application/x-zip-compressed" (3425875 bytes)


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ