Message-ID: <455bcb6d.4e0c.15e83962b25.Coremail.luanjunchao@163.com>
Date: Fri, 15 Sep 2017 11:30:10 +0800 (CST)
From: luanjunchao <luanjunchao@....com>
To: fulldisclosure@...lists.org
Subject: [FD] stack buffer overflow in openexif 2.1.4
I found a vulnerability in openexif when running ExifTagDump with a specific JPG file.
The gdb output is as follows:
# gdb /work/openexif-2_1_4-src/examples/ExifTagDump/ExifTagDump
(gdb) run ../out/crashes/id:000007,sig:11,src:000000,op:havoc,rep:64
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /work/openexif-2_1_4-src/examples/ExifTagDump/ExifTagDump ../out/crashes/id:000007,sig:11,src:000000,op:havoc,rep:64
Program received signal SIGSEGV, Segmentation fault.
0x000000000041d735 in ExifImageFile::readDQT (this=<optimized out>, length=<optimized out>) at ExifImageFileRead.cpp:286
286 mJpegTables->Q[tableNum]->quantizer[openexif_jpeg_natural_order[i]] = qt[i];
(gdb) bt
#0 0x000000000041d735 in ExifImageFile::readDQT (this=<optimized out>, length=<optimized out>) at ExifImageFileRead.cpp:286
#1 0x000000000041b4e2 in ExifImageFile::readImage (this=0x7fffffffe378) at ExifImageFileRead.cpp:125
#2 0x0000000000410190 in ExifImageFile::initAfterOpen (this=0x7fffffffe378, cmode=0x4eff4c "r") at ExifImageFile.cpp:435
#3 0x0000000000429cd7 in ExifOpenFile::open (this=0x7fffffffe378, filename=0x7fffffffe8ab "../out/crashes/id:000007,sig:11,src:000000,op:havoc,rep:64", cmode=0x4eff4c "r") at ExifOpenFile.cpp:78
#4 0x0000000000402514 in main (argc=<optimized out>, argv=<optimized out>) at ExifTagDump.cpp:64
The result of running the program directly:
/work/openexif-asan/examples/ExifTagDump/ExifTagDump id:000007,sig:11,src:000000,op:havoc,rep:64
==52414==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd09fbca04 at pc 0x000000545852 bp 0x7ffd09fbc9d0 sp 0x7ffd09fbc9c8
READ of size 1 at 0x7ffd09fbca04 thread T0
#0 0x545851 (/work/openexif-asan/examples/ExifTagDump/ExifTagDump+0x545851)
#1 0x526014 (/work/openexif-asan/examples/ExifTagDump/ExifTagDump+0x526014)
#2 0x567caa (/work/openexif-asan/examples/ExifTagDump/ExifTagDump+0x567caa)
#3 0x511369 (/work/openexif-asan/examples/ExifTagDump/ExifTagDump+0x511369)
#4 0x7f44ec56a82f (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#5 0x41b158 (/work/openexif-asan/examples/ExifTagDump/ExifTagDump+0x41b158)
Address 0x7ffd09fbca04 is located in stack of thread T0 at offset 36 in frame
#0 0x54415f (/work/openexif-asan/examples/ExifTagDump/ExifTagDump+0x54415f)
This frame has 1 object(s):
[32, 36) 'input' <== Memory access at offset 36 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/work/openexif-asan/examples/ExifTagDump/ExifTagDump+0x545851)
Shadow bytes around the buggy address:
0x1000213ef8f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000213ef900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000213ef910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000213ef920: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000213ef930: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
=>0x1000213ef940:[04]f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
0x1000213ef950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000213ef960: f1 f1 f1 f1 04 f2 00 00 04 f3 f3 f3 f3 f3 f3 f3
0x1000213ef970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000213ef980: 00 00 00 00 f1 f1 f1 f1 04 f3 f3 f3 00 00 00 00
0x1000213ef990: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Finally, the PoC file is attached.
Download attachment "crash.jpg" of type "image/jpeg" (271 bytes)
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
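
The report above does not state a root cause. As an added example (not OpenExif code and not from the original post), this is a DQT segment reader that validates the table index, precision and remaining length before a store like the one shown at ExifImageFileRead.cpp:286. The names parseDqt, QuantTables and kNaturalOrder are hypothetical; the segment layout is the standard JPEG one.

```cpp
// Added example, not OpenExif code: bounds-checked JPEG DQT segment reader.
#include <array>
#include <cstddef>
#include <cstdint>
#include <vector>

constexpr std::size_t kMaxTables = 4;  // JPEG allows table ids 0..3 only
constexpr std::size_t kCoeffs = 64;    // one 8x8 block
using QuantTable = std::array<std::uint16_t, kCoeffs>;
struct QuantTables {
    std::array<QuantTable, kMaxTables> q{};
    std::array<bool, kMaxTables> present{};
};
// Zigzag position -> natural (row-major) position, per the JPEG spec.
constexpr std::array<std::uint8_t, kCoeffs> kNaturalOrder = {{
     0,  1,  8, 16,  9,  2,  3, 10, 17, 24, 32, 25, 18, 11,  4,  5,
    12, 19, 26, 33, 40, 48, 41, 34, 27, 20, 13,  6,  7, 14, 21, 28,
    35, 42, 49, 56, 57, 50, 43, 36, 29, 22, 15, 23, 30, 37, 44, 51,
    58, 59, 52, 45, 38, 31, 39, 46, 53, 60, 61, 54, 47, 55, 62, 63}};

// payload = DQT segment bytes after the 2-byte length field.
// Returns false on malformed input and leaves `out` untouched in that case.
bool parseDqt(const std::vector<std::uint8_t>& payload, QuantTables& out) {
    if (payload.empty()) return false;
    QuantTables staged = out;  // commit only if the whole segment is valid
    std::size_t pos = 0;
    while (pos < payload.size()) {
        const std::uint8_t pqTq = payload[pos++];
        const unsigned precision = pqTq >> 4;   // 0 = 8-bit, 1 = 16-bit
        const unsigned tableNum = pqTq & 0x0F;  // file-controlled, may be 0..15
        if (precision > 1 || tableNum >= kMaxTables) return false;
        const std::size_t need = kCoeffs * (precision + 1);
        if (payload.size() - pos < need) return false;  // truncated table
        QuantTable& t = staged.q[tableNum];
        for (std::size_t i = 0; i < kCoeffs; ++i) {
            std::uint16_t v = payload[pos++];
            if (precision) v = static_cast<std::uint16_t>((v << 8) | payload[pos++]);
            t[kNaturalOrder[i]] = v;  // index is always < 64 here
        }
        staged.present[tableNum] = true;
    }
    out = staged;
    return true;
}

int main() {  // constructed input: table id 15 is out of range and is rejected
    QuantTables t;
    return parseDqt({0x0F}, t) ? 1 : 0;
}
```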