Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 8 Apr 2016 07:10:54 +0000
From: 张开翔 <zhangkaixiang@....cn>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: CVE-2016-3632 - libtiff 4.0.6 illegel write

Details

=======



Product: libtiff

Affected Versions: <= 4.0.6

Vulnerability Type: Illegel write

Vendor URL:  http://www.remotesensing.org/libtiff/

CVE ID: CVE-2016-3632

Credit: Kaixiang Zhang of the Cloud Security Team, Qihoo 360



Introduction

Illegal write occurs in the _TIFFVGetField function in tif_dirinfo.c when using thumbnail command, which allows attackers to exploit this issue to cause denial-of-service or may command excution.



libtiff/tif_dir.c:1073
1068                                          if (fip->field_type == TIFF_ASCII
1069                                              || fip->field_readcount == TIFF_VARIABLE
1070                                              || fip->field_readcount == TIFF_VARIABLE2
1071                                              || fip->field_readcount == TIFF_SPP
1072                                              || tv->count > 1) {
1073                                                 *va_arg(ap, void **) = tv->value;
1074                                                 ret_val = 1;

gdb  --args  thumbnail  _ TIFFVGetField.tif  tmpout.tif
……
Program received signal SIGSEGV, Segmentation fault.
_TIFFVGetField (tif=<optimized out>, tag=<optimized out>, ap=<optimized out>) at tif_dir.c:1073
1073                                                                           *va_arg(ap, void **) = tv->value;
Missing separate debuginfos, use: dnf debuginfo-install glibc-2.22-10.fc23.x86_64 libjpeg-turbo-1.4.1-2.fc23.x86_64
(gdb) bt
#0  _TIFFVGetField (tif=<optimized out>, tag=<optimized out>, ap=<optimized out>) at tif_dir.c:1073
#1  0x00007ffff7a6b5e1 in TIFFGetField (tif=tif@...ry=0x60a930, tag=tag@...ry=326) at tif_dir.c:1158
#2  0x00000000004034a1 in cpTag (type=TIFF_LONG, count=<optimized out>, tag=<optimized out>, out=<optimized out>, in=<optimized out>) at thumbnail.c:167
#3  cpTags (out=<optimized out>, in=<optimized out>) at thumbnail.c:297
#4  cpIFD (out=<optimized out>, in=<optimized out>) at thumbnail.c:373
#5  main (argc=<optimized out>, argv=<optimized out>) at thumbnail.c:124
(gdb) x/xw ap-4
0xbffff2bc:        0x00000001

References:
[1] http://www.remotesensing.org/libtiff/


Thank you!

Best Regards,

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ