Date: Sun, 30 Jul 2017 15:29:03 +0800 (GMT+08:00)
From: "qflb.wu" <qflb.wu@...ppsecurity.com.cn>
To: fulldisclosure@...lists.org
Subject: [FD] OpenExif multiple vulnerabilities

OpenExif multiple vulnerabilities
=================================
Author: qflb.wu
===============


Introduction:
=============
OpenExif is an object-oriented library for accessing Exif-formatted JPEG image files. The toolkit allows creating, reading, and modifying the metadata in an Exif file, and also provides a means of getting and setting the main image and the thumbnail image.


Affected version:
=================
2.1.4


Vulnerability Description:
==========================
1.
The ExifJpegHUFFTable::deriveTable function in src/ExifHuffmanTable.cpp in OpenExif 2.1.4 allows a denial of service (heap-buffer-overflow and application crash) via a crafted JPEG file. The AddressSanitizer report below shows a 4-byte write landing 0 bytes past the end of a 1668-byte heap region that ExifImageFile::readDHT allocated at src/ExifImageFileRead.cpp:388. Because this is a write past the buffer rather than a read, the impact is not necessarily limited to the crash the advisory claims.


./ExifTagDump openexif_2.1.4_heap_buffer_overflow_1.jpg


=================================================================
==90864==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61c00000ef04 at pc 0x7ff53957264d bp 0x7ffec44c8d40 sp 0x7ffec44c8d38
WRITE of size 4 at 0x61c00000ef04 thread T0
    #0 0x7ff53957264c in ExifJpegHUFFTable::deriveTable() /home/a/Downloads/openexif-2_1_4-src/src/ExifHuffmanTable.cpp:121
    #1 0x7ff53966c80f in ExifImageFile::readDHT(int) /home/a/Downloads/openexif-2_1_4-src/src/ExifImageFileRead.cpp:409
    #2 0x7ff539668bdf in ExifImageFile::readImage() /home/a/Downloads/openexif-2_1_4-src/src/ExifImageFileRead.cpp:100
    #3 0x7ff53964da19 in ExifImageFile::initAfterOpen(char const*) /home/a/Downloads/openexif-2_1_4-src/src/ExifImageFile.cpp:435
    #4 0x7ff539697451 in ExifOpenFile::open(char const*, char const*) /home/a/Downloads/openexif-2_1_4-src/src/ExifOpenFile.cpp:78
    #5 0x47c675 in main /home/a/Downloads/openexif-2_1_4-src/examples/ExifTagDump/ExifTagDump.cpp:64
    #6 0x7ff53834bec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #7 0x47c34c in _start (/home/a/Downloads/openexif-2_1_4-src/examples/ExifTagDump/.libs/ExifTagDump+0x47c34c)


0x61c00000ef04 is located 0 bytes to the right of 1668-byte region [0x61c00000e880,0x61c00000ef04)
allocated by thread T0 here:
    #0 0x4668e9 in operator new(unsigned long) (/home/a/Downloads/openexif-2_1_4-src/examples/ExifTagDump/.libs/ExifTagDump+0x4668e9)
    #1 0x7ff53966b5dd in ExifImageFile::readDHT(int) /home/a/Downloads/openexif-2_1_4-src/src/ExifImageFileRead.cpp:388
    #2 0x7ff539668bdf in ExifImageFile::readImage() /home/a/Downloads/openexif-2_1_4-src/src/ExifImageFileRead.cpp:100
    #3 0x7ff53964da19 in ExifImageFile::initAfterOpen(char const*) /home/a/Downloads/openexif-2_1_4-src/src/ExifImageFile.cpp:435
    #4 0x7ff539697451 in ExifOpenFile::open(char const*, char const*) /home/a/Downloads/openexif-2_1_4-src/src/ExifOpenFile.cpp:78
    #5 0x47c675 in main /home/a/Downloads/openexif-2_1_4-src/examples/ExifTagDump/ExifTagDump.cpp:64
    #6 0x7ff53834bec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)


SUMMARY: AddressSanitizer: heap-buffer-overflow /home/a/Downloads/openexif-2_1_4-src/src/ExifHuffmanTable.cpp:121 ExifJpegHUFFTable::deriveTable()
Shadow bytes around the buggy address:
  0x0c387fff9d90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c387fff9da0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c387fff9db0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c387fff9dc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c387fff9dd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c387fff9de0:[04]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c387fff9df0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c387fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c387fff9e10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c387fff9e20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c387fff9e30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==90864==ABORTING


POC:
openexif_2.1.4_heap_buffer_overflow_1.jpg
CVE:
CVE-2017-11115


2.
The ExifImageFile::readDQT function in src/ExifImageFileRead.cpp in OpenExif 2.1.4 allows a denial of service (heap-buffer-overflow and application crash) via a crafted JPEG file. The report below shows an 8-byte read at src/ExifImageFileRead.cpp:262 from an address AddressSanitizer cannot tie to any allocation it knows of ("wild memory access suspected"), so the read is not merely one element past the end of a buffer.


./ExifTagDump openexif_2.1.4_heap_buffer_overflow_2.jpg


=================================================================
==90866==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60800000c018 at pc 0x7f3a3e6fa084 bp 0x7ffd0a69fb30 sp 0x7ffd0a69fb28
READ of size 8 at 0x60800000c018 thread T0
    #0 0x7f3a3e6fa083 in ExifImageFile::readDQT(int) /home/a/Downloads/openexif-2_1_4-src/src/ExifImageFileRead.cpp:262
    #1 0x7f3a3e6f4d51 in ExifImageFile::readImage() /home/a/Downloads/openexif-2_1_4-src/src/ExifImageFileRead.cpp:125
    #2 0x7f3a3e6d9a19 in ExifImageFile::initAfterOpen(char const*) /home/a/Downloads/openexif-2_1_4-src/src/ExifImageFile.cpp:435
    #3 0x7f3a3e723451 in ExifOpenFile::open(char const*, char const*) /home/a/Downloads/openexif-2_1_4-src/src/ExifOpenFile.cpp:78
    #4 0x47c675 in main /home/a/Downloads/openexif-2_1_4-src/examples/ExifTagDump/ExifTagDump.cpp:64
    #5 0x7f3a3d3d7ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #6 0x47c34c in _start (/home/a/Downloads/openexif-2_1_4-src/examples/ExifTagDump/.libs/ExifTagDump+0x47c34c)


AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/a/Downloads/openexif-2_1_4-src/src/ExifImageFileRead.cpp:262 ExifImageFile::readDQT(int)
Shadow bytes around the buggy address:
  0x0c107fff97b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff97c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff97d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff97e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff97f0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c107fff9800: fa fa fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff9810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff9820: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff9830: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff9840: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff9850: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==90866==ABORTING


POC:
openexif_2.1.4_heap_buffer_overflow_2.jpg
CVE:
CVE-2017-11116


3.
The ExifImageFile::readDHT function in src/ExifImageFileRead.cpp in OpenExif 2.1.4 allows a denial of service (heap-buffer-overflow and application crash) via a crafted JPEG file. As in item 1 the path runs through ExifImageFile::readImage at line 100, but here the out-of-bounds access is an 8-byte read in readDHT itself at line 381, which precedes both the allocation at line 388 and the deriveTable call at line 409 in that function; again AddressSanitizer cannot attribute the address to any allocation ("wild memory access suspected").


./ExifTagDump openexif_2.1.4_heap_buffer_overflow_3.jpg


=================================================================
==90869==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60800000c0e8 at pc 0x7f9afe8cbb74 bp 0x7ffcc8d30870 sp 0x7ffcc8d30868
READ of size 8 at 0x60800000c0e8 thread T0
    #0 0x7f9afe8cbb73 in ExifImageFile::readDHT(int) /home/a/Downloads/openexif-2_1_4-src/src/ExifImageFileRead.cpp:381
    #1 0x7f9afe8c7bdf in ExifImageFile::readImage() /home/a/Downloads/openexif-2_1_4-src/src/ExifImageFileRead.cpp:100
    #2 0x7f9afe8aca19 in ExifImageFile::initAfterOpen(char const*) /home/a/Downloads/openexif-2_1_4-src/src/ExifImageFile.cpp:435
    #3 0x7f9afe8f6451 in ExifOpenFile::open(char const*, char const*) /home/a/Downloads/openexif-2_1_4-src/src/ExifOpenFile.cpp:78
    #4 0x47c675 in main /home/a/Downloads/openexif-2_1_4-src/examples/ExifTagDump/ExifTagDump.cpp:64
    #5 0x7f9afd5aaec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #6 0x47c34c in _start (/home/a/Downloads/openexif-2_1_4-src/examples/ExifTagDump/.libs/ExifTagDump+0x47c34c)


AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/a/Downloads/openexif-2_1_4-src/src/ExifImageFileRead.cpp:381 ExifImageFile::readDHT(int)
Shadow bytes around the buggy address:
  0x0c107fff97c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff97d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff97e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff97f0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff9800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c107fff9810: fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa
  0x0c107fff9820: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff9830: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff9840: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff9850: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff9860: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==90869==ABORTING


POC:
openexif_2.1.4_heap_buffer_overflow_3.jpg
CVE:
CVE-2017-11117


4.
The ExifImageFile::readImage function in src/ExifImageFileRead.cpp in OpenExif 2.1.4 allows a denial of service (infinite loop and CPU consumption) via a crafted JPEG file. There is no sanitizer report for this one; ExifTagDump does not return when given the file.


./ExifTagDump openexif_2.1.4_infinite_loop.jpg


POC:
openexif_2.1.4_infinite_loop.jpg
CVE:
CVE-2017-11118
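The four reports above share a pattern: DHT and DQT segment contents that are trusted as read from the file (items 1 to 3), and a marker loop that a crafted file can keep from terminating (item 4). The page carries only the sanitizer output, not the faulting OpenExif source, so the walker below is an added example and not the library's code, and the checks it applies are the ones whose absence typically produces these symptoms, not a statement of OpenExif's actual root cause. It relies only on the JPEG marker format (ITU T.81): a DHT table is a class/id byte, 16 count bytes and at most 256 symbols; a DQT table is a precision/id byte followed by 64 entries of 8 or 16 bits; every variable-length segment carries a 2-byte length that includes itself. The names jpeg_walk, check_dht, check_dqt and make_sample are the example's own, and the buffers make_sample builds are constructed here, not the files in the attached poc.zip.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Added example, not OpenExif code: a bounds-checked walk over the JPEG marker
 * segments named in the advisory, DHT (FFC4) and DQT (FFDB), with a loop that
 * always makes progress. Outcomes: TRUNCATED = segment runs past the data;
 * BAD_LENGTH = length field < 2, so a naive loop would never advance;
 * DHT/DQT = table contents fail validation. */
enum jpeg_status { JPEG_OK = 0, JPEG_ERR_SOI, JPEG_ERR_TRUNCATED, JPEG_ERR_BAD_LENGTH,
                   JPEG_ERR_DHT, JPEG_ERR_DQT };
struct jpeg_tables { int dht_count, dqt_count; };   /* tables accepted so far */
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* DHT payload (after the length field): one or more tables, each a Tc/Th byte,
 * 16 count bytes, then sum(counts) symbols; the sum may not exceed 256 entries. */
static enum jpeg_status check_dht(const uint8_t *p, size_t n, struct jpeg_tables *t)
{
    while (n > 0) {
        if (n < 17) return JPEG_ERR_DHT;
        if ((p[0] >> 4) > 1 || (p[0] & 0x0F) > 3) return JPEG_ERR_DHT; /* class, id */
        size_t total = 0;
        for (int i = 1; i <= 16; i++) total += p[i];
        if (total > 256 || n - 17 < total) return JPEG_ERR_DHT;
        p += 17 + total; n -= 17 + total;
        t->dht_count++;
    }
    return JPEG_OK;
}

/* DQT payload: one or more tables, each a Pq/Tq byte then 64 entries of 8 bits
 * (Pq = 0) or 16 bits (Pq = 1). */
static enum jpeg_status check_dqt(const uint8_t *p, size_t n, struct jpeg_tables *t)
{
    while (n > 0) {
        uint8_t pq = p[0] >> 4;
        if (pq > 1 || (p[0] & 0x0F) > 3) return JPEG_ERR_DQT;
        size_t need = 1 + 64 * (pq ? 2u : 1u);
        if (n < need) return JPEG_ERR_DQT;
        p += need; n -= need;
        t->dqt_count++;
    }
    return JPEG_OK;
}

/* Walk from SOI to SOS or EOI. Every iteration either returns or moves pos
 * strictly forward, so no crafted length field can make the loop spin. */
enum jpeg_status jpeg_walk(const uint8_t *buf, size_t len, struct jpeg_tables *t)
{
    memset(t, 0, sizeof *t);
    if (len < 2 || buf[0] != 0xFF || buf[1] != 0xD8) return JPEG_ERR_SOI;
    for (size_t pos = 2; pos + 2 <= len; ) {
        if (buf[pos] != 0xFF) return JPEG_ERR_TRUNCATED;           /* lost marker sync */
        uint8_t m = buf[pos + 1];
        if (m == 0xFF) { pos++; continue; }                         /* fill byte */
        if (m == 0xD9 || m == 0xDA) return JPEG_OK;                 /* EOI, or SOS */
        if (m == 0x01 || (m >= 0xD0 && m <= 0xD8)) { pos += 2; continue; } /* no payload */
        if (pos + 4 > len) return JPEG_ERR_TRUNCATED;
        size_t seglen = be16(buf + pos + 2);                        /* counts itself */
        if (seglen < 2) return JPEG_ERR_BAD_LENGTH;
        if (pos + 2 + seglen > len) return JPEG_ERR_TRUNCATED;
        enum jpeg_status st = JPEG_OK;
        if (m == 0xC4) st = check_dht(buf + pos + 4, seglen - 2, t);
        else if (m == 0xDB) st = check_dqt(buf + pos + 4, seglen - 2, t);
        if (st != JPEG_OK) return st;
        pos += 2 + seglen;                                          /* >= 4 forward */
    }
    return JPEG_ERR_TRUNCATED;                                      /* ran off the end */
}

/* Constructed input (not the advisory's poc.zip): SOI, one DQT, one DHT, EOI;
 * variant 1..3 corrupts one field. Returns the number of bytes written. */
size_t make_sample(uint8_t out[128], int variant)
{
    size_t n = 0;
    out[n++] = 0xFF; out[n++] = 0xD8;                                 /* SOI */
    out[n++] = 0xFF; out[n++] = 0xDB;                                 /* DQT */
    out[n++] = 0x00; out[n++] = (variant == 2) ? 0x20 : 0x43;         /* 2: says 32, holds 67 */
    out[n++] = 0x00; memset(out + n, 1, 64); n += 64;                 /* Pq=0 Tq=0, 64 entries */
    out[n++] = 0xFF; out[n++] = 0xC4;                                 /* DHT */
    out[n++] = 0x00; out[n++] = (variant == 3) ? 0x00 : 0x14;         /* 3: length 0 */
    out[n++] = 0x00;                                                  /* Tc=0 Th=0 */
    uint8_t counts[16] = {1};                                         /* one 1-bit code */
    if (variant == 1) { counts[14] = 2; counts[15] = 255; }           /* sum 258 > 256 */
    memcpy(out + n, counts, 16); n += 16;
    out[n++] = 0x00;                                                  /* its symbol */
    out[n++] = 0xFF; out[n++] = 0xD9;                                 /* EOI */
    return n;
}

int main(void)
{
    for (int v = 0; v < 4; v++) {
        uint8_t buf[128]; struct jpeg_tables t;
        size_t n = make_sample(buf, v);
        enum jpeg_status st = jpeg_walk(buf, n, &t);
        printf("variant %d -> status %d, dht=%d dqt=%d\n", v, (int)st, t.dht_count, t.dqt_count);
    }
    return 0;
}
```

jpeg_walk stops at SOS because entropy-coded data needs a different scanner; the property that matters for item 4 is that every path through the loop either returns or moves pos forward by at least one byte, and a length field of 0 or 1 is rejected outright instead of being added to the cursor. Variant 1 is the DHT case (counts summing past the 256-entry table), variant 2 the DQT case (declared length shorter than the 64 entries it must hold), and passing a shortened length to jpeg_walk exercises the truncation check that a readDHT-style loop also needs.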

===============================

qflb.wu () dbappsecurity com cn




Download attachment "poc.zip" of type "application/x-zip-compressed" (4241 bytes)


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/