LibTIFF - 'tif_dirwrite.c' Denial of Service
2017-07-06 02:05:02Source: http://bugzilla.maptools.org/show_bug.cgi?id=2712
Triggered by "./tiffset POC1"
$ ./tiffset POC1
TIFFReadDirectory: Warning, Unknown field with tag 302 (0x12e) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 61961 (0xf209) encountered.
poc3: AdobeDeflate compression support is not configured.
tiffset: tif_dirwrite.c:2127: int TIFFWriteDirectoryTagCheckedLong8Array(TIFF
*, uint32 *, TIFFDirEntry *, uint16, uint32, uint64 *): Assertion
`tif->tif_flags&TIFF_BIGTIFF' failed.
Aborted
The gdb debugging information is listed below:
(gdb) set args POC1
(gdb) r
...
(gdb) c
Continuing.
TIFFReadDirectory: Warning, Unknown field with tag 302 (0x12e) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 61961 (0xf209) encountered.
poc2: AdobeDeflate compression support is not configured.
Breakpoint 2, TIFFWriteDirectoryTagCheckedLong8Array (tif=<optimized out>,
ndir=<optimized out>, count=1,
value=0x615c20, dir=<optimized out>, tag=<optimized out>) at
tif_dirwrite.c:2127
2127 assert(tif->tif_flags&TIFF_BIGTIFF);
(gdb) bt
#0 0x00007ffff746a428 in __GI_raise (<a class="__cf_email__" href="/cdn-cgi/l/email-protection" data-cfemail="e5968c82d8968c82a5808b91979c">[email protected]</a><script data-cfhash='f9e31' type="text/javascript">/* <![CDATA[ */!function(t,e,r,n,c,a,p){try{t=document.currentScript||function(){for(t=document.getElementsByTagName('script'),e=t.length;e--;)if(t[e].getAttribute('data-cfhash'))return t[e]}();if(t&&(c=t.previousSibling)){p=t.parentNode;if(a=c.getAttribute('data-cfemail')){for(e='',r='0x'+a.substr(0,2)|0,n=2;a.length-n;n+=2)e+='%'+('0'+('0x'+a.substr(n,2)^r).toString(16)).slice(-2);p.replaceChild(document.createTextNode(decodeURIComponent(e)),c)}p.removeChild(t)}}catch(u){}}()/* ]]> */</script>=6) at
../sysdeps/unix/sysv/linux/raise.c:54
#1 0x00007ffff746c02a in __GI_abort () at abort.c:89
#2 0x00007ffff7462bd7 in __assert_fail_base (fmt=<optimized out>,
<a class="__cf_email__" href="/cdn-cgi/l/email-protection" data-cfemail="88e9fbfbedfafce1e7e6b5e9fbfbedfafce1e7e6c8ede6fcfaf1">[email protected]</a><script data-cfhash='f9e31' type="text/javascript">/* <![CDATA[ */!function(t,e,r,n,c,a,p){try{t=document.currentScript||function(){for(t=document.getElementsByTagName('script'),e=t.length;e--;)if(t[e].getAttribute('data-cfhash'))return t[e]}();if(t&&(c=t.previousSibling)){p=t.parentNode;if(a=c.getAttribute('data-cfemail')){for(e='',r='0x'+a.substr(0,2)|0,n=2;a.length-n;n+=2)e+='%'+('0'+('0x'+a.substr(n,2)^r).toString(16)).slice(-2);p.replaceChild(document.createTextNode(decodeURIComponent(e)),c)}p.removeChild(t)}}catch(u){}}()/* ]]> */</script>=0x7ffff7baf949 "tif->tif_flags&TIFF_BIGTIFF",
<a class="__cf_email__" href="/cdn-cgi/l/email-protection" data-cfemail="b9dfd0d5dc84dfd0d5dcf9dcd7cdcbc0">[email protected]</a><script data-cfhash='f9e31' type="text/javascript">/* <![CDATA[ */!function(t,e,r,n,c,a,p){try{t=document.currentScript||function(){for(t=document.getElementsByTagName('script'),e=t.length;e--;)if(t[e].getAttribute('data-cfhash'))return t[e]}();if(t&&(c=t.previousSibling)){p=t.parentNode;if(a=c.getAttribute('data-cfemail')){for(e='',r='0x'+a.substr(0,2)|0,n=2;a.length-n;n+=2)e+='%'+('0'+('0x'+a.substr(n,2)^r).toString(16)).slice(-2);p.replaceChild(document.createTextNode(decodeURIComponent(e)),c)}p.removeChild(t)}}catch(u){}}()/* ]]> */</script>=0x7ffff7baf5c0 "tif_dirwrite.c", <a class="__cf_email__" href="/cdn-cgi/l/email-protection" data-cfemail="a8c4c1c6cd95c4c1c6cde8cdc6dcdad1">[email protected]</a><script data-cfhash='f9e31' type="text/javascript">/* <![CDATA[ */!function(t,e,r,n,c,a,p){try{t=document.currentScript||function(){for(t=document.getElementsByTagName('script'),e=t.length;e--;)if(t[e].getAttribute('data-cfhash'))return t[e]}();if(t&&(c=t.previousSibling)){p=t.parentNode;if(a=c.getAttribute('data-cfemail')){for(e='',r='0x'+a.substr(0,2)|0,n=2;a.length-n;n+=2)e+='%'+('0'+('0x'+a.substr(n,2)^r).toString(16)).slice(-2);p.replaceChild(document.createTextNode(decodeURIComponent(e)),c)}p.removeChild(t)}}catch(u){}}()/* ]]> */</script>=2127,
<a class="__cf_email__" href="/cdn-cgi/l/email-protection" data-cfemail="2741524944534e48491a41524944534e484967424953555e">[email protected]</a><script data-cfhash='f9e31' type="text/javascript">/* <![CDATA[ */!function(t,e,r,n,c,a,p){try{t=document.currentScript||function(){for(t=document.getElementsByTagName('script'),e=t.length;e--;)if(t[e].getAttribute('data-cfhash'))return t[e]}();if(t&&(c=t.previousSibling)){p=t.parentNode;if(a=c.getAttribute('data-cfemail')){for(e='',r='0x'+a.substr(0,2)|0,n=2;a.length-n;n+=2)e+='%'+('0'+('0x'+a.substr(n,2)^r).toString(16)).slice(-2);p.replaceChild(document.createTextNode(decodeURIComponent(e)),c)}p.removeChild(t)}}catch(u){}}()/* ]]> */</script>=0x7ffff7baf8e2 "int
TIFFWriteDirectoryTagCheckedLong8Array(TIFF *, uint32 *, TIFFDirEntry *,
uint16, uint32, uint64 *)") at assert.c:92
#3 0x00007ffff7462c82 in __GI___assert_fail (assertion=0x7ffff7baf949
"tif->tif_flags&TIFF_BIGTIFF",
file=0x7ffff7baf5c0 "tif_dirwrite.c", line=2127,
function=0x7ffff7baf8e2 "int TIFFWriteDirectoryTagCheckedLong8Array(TIFF *,
uint32 *, TIFFDirEntry *, uint16, uint32, uint64 *)") at assert.c:101
#4 0x00007ffff7b4e9cb in TIFFWriteDirectoryTagCheckedLong8Array (tif=0x615010,
ndir=<optimized out>, count=1,
value=0x615c20, dir=<optimized out>, tag=<optimized out>) at
tif_dirwrite.c:2127
#5 TIFFWriteDirectoryTagLong8Array (count=1, value=0x615c20, tif=<optimized
out>, ndir=<optimized out>,
dir=<optimized out>, tag=<optimized out>) at tif_dirwrite.c:1462
#6 TIFFWriteDirectorySec (tif=<optimized out>, isimage=<optimized out>,
imagedone=<optimized out>,
pdiroff=<optimized out>) at tif_dirwrite.c:746
#7 0x00007ffff7b4f6b5 in TIFFWriteDirectory (tif=0x615010) at
tif_dirwrite.c:184
#8 TIFFRewriteDirectory (tif=<optimized out>) at tif_dirwrite.c:360
#9 0x0000000000402bc7 in main (argc=<optimized out>, argv=<optimized out>) at
tiffset.c:344
Trigged in line tif_dirwrite.c:2127 at function
TIFFWriteDirectoryTagCheckedLong8Array()
2122 static int
2123 TIFFWriteDirectoryTagCheckedLong8Array(TIFF* tif, uint32* ndir,
TIFFDirEntry* dir, uint16 tag, uint32 count, uint64* value)
2124 {
2125 assert(count<0x20000000);
2126 assert(sizeof(uint64)==8);
2127 assert(tif->tif_flags&TIFF_BIGTIFF);
2128 if (tif->tif_flags&TIFF_SWAB)
2129 TIFFSwabArrayOfLong8(value,count);
2130
return(TIFFWriteDirectoryTagData(tif,ndir,dir,tag,TIFF_LONG8,count,count*8,value));
2131 }
[note]: Tiffset sets the value of a TIFF header to a specified value.It will
modify the raw POC file,so you'd better make a backup file every time you are
going to run.
Credits:
This vulnerability is detected by team OWL337, with our custom fuzzer collAFL.
Please contact <a class="__cf_email__" href="/cdn-cgi/l/email-protection" data-cfemail="aacdcbc4d9c2dfc3decbc5eacdc7cbc3c684c9c5c7">[email protected]</a><script data-cfhash='f9e31' type="text/javascript">/* <![CDATA[ */!function(t,e,r,n,c,a,p){try{t=document.currentScript||function(){for(t=document.getElementsByTagName('script'),e=t.length;e--;)if(t[e].getAttribute('data-cfhash'))return t[e]}();if(t&&(c=t.previousSibling)){p=t.parentNode;if(a=c.getAttribute('data-cfemail')){for(e='',r='0x'+a.substr(0,2)|0,n=2;a.length-n;n+=2)e+='%'+('0'+('0x'+a.substr(n,2)^r).toString(16)).slice(-2);p.replaceChild(document.createTextNode(decodeURIComponent(e)),c)}p.removeChild(t)}}catch(u){}}()/* ]]> */</script> and <a class="__cf_email__" href="/cdn-cgi/l/email-protection" data-cfemail="4e2d262f21340e3a3d272029263b2f602b2a3b602d20">[email protected]</a><script data-cfhash='f9e31' type="text/javascript">/* <![CDATA[ */!function(t,e,r,n,c,a,p){try{t=document.currentScript||function(){for(t=document.getElementsByTagName('script'),e=t.length;e--;)if(t[e].getAttribute('data-cfhash'))return t[e]}();if(t&&(c=t.previousSibling)){p=t.parentNode;if(a=c.getAttribute('data-cfemail')){for(e='',r='0x'+a.substr(0,2)|0,n=2;a.length-n;n+=2)e+='%'+('0'+('0x'+a.substr(n,2)^r).toString(16)).slice(-2);p.replaceChild(document.createTextNode(decodeURIComponent(e)),c)}p.removeChild(t)}}catch(u){}}()/* ]]> */</script> if you need
more info about the team, the tool or the vulnerability.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42299.zip
Fixes
No fixesIn order to submit a new fix you need to be registered.