LibTIFF – ‘_TIFFVGetField (tiffsplit)’ Out-of-Bounds Read

• Exploit Database
• 15 阅读

• 作者： zhangtan
  日期： 2017-07-06
• 类别：

  • dos
  平台：

  • linux
• 来源：https://www.exploit-db.com/exploits/42301/

• Source: http://bugzilla.maptools.org/show_bug.cgi?id=2693
  
  On 4.0.7:
  
  # tiffsplit $FILE
  
  ==2007== Invalid read of size 4
  ==2007==at 0x40CD1A: _TIFFVGetField (tif_dir.c:1072)
  ==2007==by 0x41B2C5: TIFFVGetField (tif_dir.c:1198)
  ==2007==by 0x41B2C5: TIFFGetField (tif_dir.c:1182)
  ==2007==by 0x404CCF: tiffcp (tiffsplit.c:220)
  ==2007==by 0x404CCF: main (tiffsplit.c:89)
  ==2007==Address 0x0 is not stack'd, malloc'd or (recently) free'd
  
  ------- Comment #1 From zhangtan 2017-05-15 01:20:26 -------
  
  The place of Out of bound read:
  
  ret_val = 0;
  for (i = 0; i < td->td_customValueCount; i++) {
  TIFFTagValue *tv = td->td_customValues + i;
  
  if (tv->info->field_tag != tag)
  continue;
  
  ------- Comment #2 From zhangtan 2017-05-15 01:29:10 -------
  
  The place of Out of bound read:
  
  The 1072 line of tif_dir.c
  
  1068 ret_val = 0;
  1069 for (i = 0; i < td->td_customValueCount; i++) {
  1070 TIFFTagValue *tv = td->td_customValues + i;
  1071
  1072 if (tv->info->field_tag != tag)
  1073 continue;
  
  As tv increased in 1070, Out of bound read happened in 1072 when the pointer tv
  was referenced.
  
  ------- Comment #3 From zhangtan 2017-05-15 01:46:33 -------
  
  PoC:
  
  Detailed information of the bug can be reproduced using the valgrind tool:
  
  # valgrind tiffsplit $File(the testcase in the attachment)
  
  Error Message:
  ==23520== Invalid read of size 4
  ==23520==at 0x40CD1A: _TIFFVGetField (tif_dir.c:1072)
  ==23520==by 0x41B2C5: TIFFVGetField (tif_dir.c:1198)
  ==23520==by 0x41B2C5: TIFFGetField (tif_dir.c:1182)
  ==23520==by 0x404CCF: tiffcp (tiffsplit.c:220)
  ==23520==by 0x404CCF: main (tiffsplit.c:89)
  ==23520==Address 0x0 is not stack'd, malloc'd or (recently) free'd
  ==23520== 
  ==23520== 
  ==23520== Process terminating with default action of signal 11 (SIGSEGV)
  ==23520==Access not within mapped region at address 0x0
  ==23520==at 0x40CD1A: _TIFFVGetField (tif_dir.c:1072)
  ==23520==by 0x41B2C5: TIFFVGetField (tif_dir.c:1198)
  ==23520==by 0x41B2C5: TIFFGetField (tif_dir.c:1182)
  ==23520==by 0x404CCF: tiffcp (tiffsplit.c:220)
  ==23520==by 0x404CCF: main (tiffsplit.c:89)
  ==23520==If you believe this happened as a result of a stack
  ==23520==overflow in your program's main thread (unlikely but
  ==23520==possible), you can try to increase the size of the
  ==23520==main thread stack using the --main-stacksize= flag.
  ==23520==The main thread stack size used in this run was 8388608.
  ==23520== 
  ==23520== HEAP SUMMARY:
  ==23520== in use at exit: 17,821 bytes in 42 blocks
  ==23520== total heap usage: 96 allocs, 54 frees, 59,223 bytes allocated
  ==23520== 
  ==23520== LEAK SUMMARY:
  ==23520==definitely lost: 0 bytes in 0 blocks
  ==23520==indirectly lost: 0 bytes in 0 blocks
  ==23520==possibly lost: 0 bytes in 0 blocks
  ==23520==still reachable: 17,821 bytes in 42 blocks
  ==23520== suppressed: 0 bytes in 0 blocks
  ==23520== Rerun with --leak-check=full to see details of leaked memory
  ==23520== 
  ==23520== For counts of detected and suppressed errors, rerun with: -v
  ==23520== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
  Segmentation fault
  
  
  Proof of Concept:
  https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42301.zip