lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <tencent_2C180C58B13903A77C45EFFA319863C70209@qq.com>
Date: Thu, 20 Dec 2018 09:03:08 +0800
From: "zzt0907" <16362505@...com>
To: "fulldisclosure" <fulldisclosure@...lists.org>
Subject: [FD] LibTIFF 4.0.8 has multiple memory leak vulnerabilities
	(CVE-2017-16232)

#CVE-2017-16232
# LibTIFF 4.0.8 has multiple memory leak vulnerabilities (CVE-2017-16232)
## Product Download: http://www.libtiff.org/ http://download.osgeo.org/libtiff/
## Vulnerability Type:memory leak
## Attack Type : local
## Vulnerability Description
LibTIFF 4.0.8 has multiple memory leak vulnerabilities, which allow
attackers to cause a denial of service (memory consumption), as demonstrated
by tif_open.c, tif_lzw.c, and tif_aux.c
## POC
https://github.com/followboy1999/poc/tree/master/CVE-2017-16232

./tiff2bw libtiff_poc.tif 222.tif
 LZWDecode: Not enough data at scanline 0 (short 6442443006 bytes).
> /usr/local/bin/llvm-symbolizer: /lib/x86_64-linux-gnu/libtinfo.so.5: no version information available (required by /usr/local/bin/llvm-symbolizer)
> 
> =================================================================
> ==25328==ERROR: LeakSanitizer: detected memory leaks
> 
> Direct leak of 6442451106 byte(s) in 1 object(s) allocated from:
>     #0 0x4bbfd3 in __interceptor_malloc /home/brian/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:67:3
>     #1 0x4e88be in main /home/zzt/Fuzzing/Victims/ASAN/tiff-4.0.8/tools/tiff2bw.c:258:28
>     #2 0x7f293f0fdabf in __libc_start_main /build/glibc-qbmteM/glibc-2.21/csu/libc-start.c:289
> 
> Direct leak of 1137 byte(s) in 1 object(s) allocated from:
>     #0 0x4bbfd3 in __interceptor_malloc /home/brian/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:67:3
>     #1 0x54d6b6 in TIFFClientOpen /home/zzt/Fuzzing/Victims/tiff-4.0.8/libtiff/tif_open.c:119
> 
> Indirect leak of 81904 byte(s) in 1 object(s) allocated from:
>     #0 0x4bbfd3 in __interceptor_malloc /home/brian/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:67:3
>     #1 0x5ea2e9 in LZWSetupDecode /home/zzt/Fuzzing/Victims/tiff-4.0.8/libtiff/tif_lzw.c:232
> 
> Indirect leak of 2273 byte(s) in 5 object(s) allocated from:
>     #0 0x4bc3d7 in realloc /home/brian/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:98:3
>     #1 0x56f5db in _TIFFCheckRealloc /home/zzt/Fuzzing/Victims/tiff-4.0.8/libtiff/tif_aux.c:73
>     #2 0x56f5db in _TIFFCheckMalloc /home/zzt/Fuzzing/Victims/tiff-4.0.8/libtiff/tif_aux.c:88
> 
> Indirect leak of 1240 byte(s) in 2 object(s) allocated from:
>     #0 0x4bc3d7 in realloc /home/brian/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:98:3
>     #1 0x56f430 in _TIFFCheckRealloc /home/zzt/Fuzzing/Victims/tiff-4.0.8/libtiff/tif_aux.c:73

## Versions:LibTIFF 4.0.8
## Impact:Denial of Service
## Credit
This vulnerability was discovered by Jiawang Zhang Coordination Center of China (CNCERT/CC)
## References
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16232
https://github.com/shelltdf/libtiff/commit/25f9ffa56548c1846c4a1f19308b7f561f7b1ab0

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ