Full Disclosure mailing list archives

OpenExif multiple vulnerabilities


From: "qflb.wu" <qflb.wu () dbappsecurity com cn>
Date: Sun, 30 Jul 2017 15:29:03 +0800 (GMT+08:00)

OpenExif multiple vulnerabilities
=================================
Author : qflb.wu
================


Introduction:
=============
OpenExif is an object-oriented library for accessing Exif formatted JPEG image files. The toolkit allows for creating, 
reading, and modifying the metadata in the Exif file. It also provides a means of getting and setting the main image and 
the thumbnail image.


Affected version:
=================
2.1.4


Vulnerability Description:
==========================
1.
The ExifJpegHUFFTable::deriveTable function in src/ExifHuffmanTable.cpp in OpenExif 2.1.4 can cause a denial of 
service (heap-buffer-overflow and application crash) via a crafted jpg file.


./ExifTagDump openexif_2.1.4_heap_buffer_overflow_1.jpg


=================================================================
==90864==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61c00000ef04 at pc 0x7ff53957264d bp 0x7ffec44c8d40 
sp 0x7ffec44c8d38
WRITE of size 4 at 0x61c00000ef04 thread T0
    #0 0x7ff53957264c in ExifJpegHUFFTable::deriveTable() 
/home/a/Downloads/openexif-2_1_4-src/src/ExifHuffmanTable.cpp:121
    #1 0x7ff53966c80f in ExifImageFile::readDHT(int) /home/a/Downloads/openexif-2_1_4-src/src/ExifImageFileRead.cpp:409
    #2 0x7ff539668bdf in ExifImageFile::readImage() /home/a/Downloads/openexif-2_1_4-src/src/ExifImageFileRead.cpp:100
    #3 0x7ff53964da19 in ExifImageFile::initAfterOpen(char const*) 
/home/a/Downloads/openexif-2_1_4-src/src/ExifImageFile.cpp:435
    #4 0x7ff539697451 in ExifOpenFile::open(char const*, char const*) 
/home/a/Downloads/openexif-2_1_4-src/src/ExifOpenFile.cpp:78
    #5 0x47c675 in main /home/a/Downloads/openexif-2_1_4-src/examples/ExifTagDump/ExifTagDump.cpp:64
    #6 0x7ff53834bec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #7 0x47c34c in _start (/home/a/Downloads/openexif-2_1_4-src/examples/ExifTagDump/.libs/ExifTagDump+0x47c34c)


0x61c00000ef04 is located 0 bytes to the right of 1668-byte region [0x61c00000e880,0x61c00000ef04)
allocated by thread T0 here:
    #0 0x4668e9 in operator new(unsigned long) 
(/home/a/Downloads/openexif-2_1_4-src/examples/ExifTagDump/.libs/ExifTagDump+0x4668e9)
    #1 0x7ff53966b5dd in ExifImageFile::readDHT(int) /home/a/Downloads/openexif-2_1_4-src/src/ExifImageFileRead.cpp:388
    #2 0x7ff539668bdf in ExifImageFile::readImage() /home/a/Downloads/openexif-2_1_4-src/src/ExifImageFileRead.cpp:100
    #3 0x7ff53964da19 in ExifImageFile::initAfterOpen(char const*) 
/home/a/Downloads/openexif-2_1_4-src/src/ExifImageFile.cpp:435
    #4 0x7ff539697451 in ExifOpenFile::open(char const*, char const*) 
/home/a/Downloads/openexif-2_1_4-src/src/ExifOpenFile.cpp:78
    #5 0x47c675 in main /home/a/Downloads/openexif-2_1_4-src/examples/ExifTagDump/ExifTagDump.cpp:64
    #6 0x7ff53834bec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)


SUMMARY: AddressSanitizer: heap-buffer-overflow /home/a/Downloads/openexif-2_1_4-src/src/ExifHuffmanTable.cpp:121 
ExifJpegHUFFTable::deriveTable()
Shadow bytes around the buggy address:
  0x0c387fff9d90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c387fff9da0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c387fff9db0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c387fff9dc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c387fff9dd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c387fff9de0:[04]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c387fff9df0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c387fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c387fff9e10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c387fff9e20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c387fff9e30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==90864==ABORTING


POC:
openexif_2.1.4_heap_buffer_overflow_1.jpg
CVE:
CVE-2017-11115


2.
The ExifImageFile::readDQT function in src/ExifImageFileRead.cpp in OpenExif 2.1.4 can cause a denial of 
service (heap-buffer-overflow and application crash) via a crafted jpg file.


./ExifTagDump openexif_2.1.4_heap_buffer_overflow_2.jpg


=================================================================
==90866==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60800000c018 at pc 0x7f3a3e6fa084 bp 0x7ffd0a69fb30 
sp 0x7ffd0a69fb28
READ of size 8 at 0x60800000c018 thread T0
    #0 0x7f3a3e6fa083 in ExifImageFile::readDQT(int) /home/a/Downloads/openexif-2_1_4-src/src/ExifImageFileRead.cpp:262
    #1 0x7f3a3e6f4d51 in ExifImageFile::readImage() /home/a/Downloads/openexif-2_1_4-src/src/ExifImageFileRead.cpp:125
    #2 0x7f3a3e6d9a19 in ExifImageFile::initAfterOpen(char const*) 
/home/a/Downloads/openexif-2_1_4-src/src/ExifImageFile.cpp:435
    #3 0x7f3a3e723451 in ExifOpenFile::open(char const*, char const*) 
/home/a/Downloads/openexif-2_1_4-src/src/ExifOpenFile.cpp:78
    #4 0x47c675 in main /home/a/Downloads/openexif-2_1_4-src/examples/ExifTagDump/ExifTagDump.cpp:64
    #5 0x7f3a3d3d7ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #6 0x47c34c in _start (/home/a/Downloads/openexif-2_1_4-src/examples/ExifTagDump/.libs/ExifTagDump+0x47c34c)


AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/a/Downloads/openexif-2_1_4-src/src/ExifImageFileRead.cpp:262 
ExifImageFile::readDQT(int)
Shadow bytes around the buggy address:
  0x0c107fff97b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff97c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff97d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff97e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff97f0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c107fff9800: fa fa fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff9810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff9820: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff9830: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff9840: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff9850: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==90866==ABORTING


POC:
openexif_2.1.4_heap_buffer_overflow_2.jpg
CVE:
CVE-2017-11116


3.
The ExifImageFile::readDHT function in src/ExifImageFileRead.cpp in OpenExif 2.1.4 can cause a denial of 
service (heap-buffer-overflow and application crash) via a crafted jpg file.


./ExifTagDump openexif_2.1.4_heap_buffer_overflow_3.jpg


=================================================================
==90869==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60800000c0e8 at pc 0x7f9afe8cbb74 bp 0x7ffcc8d30870 
sp 0x7ffcc8d30868
READ of size 8 at 0x60800000c0e8 thread T0
    #0 0x7f9afe8cbb73 in ExifImageFile::readDHT(int) /home/a/Downloads/openexif-2_1_4-src/src/ExifImageFileRead.cpp:381
    #1 0x7f9afe8c7bdf in ExifImageFile::readImage() /home/a/Downloads/openexif-2_1_4-src/src/ExifImageFileRead.cpp:100
    #2 0x7f9afe8aca19 in ExifImageFile::initAfterOpen(char const*) 
/home/a/Downloads/openexif-2_1_4-src/src/ExifImageFile.cpp:435
    #3 0x7f9afe8f6451 in ExifOpenFile::open(char const*, char const*) 
/home/a/Downloads/openexif-2_1_4-src/src/ExifOpenFile.cpp:78
    #4 0x47c675 in main /home/a/Downloads/openexif-2_1_4-src/examples/ExifTagDump/ExifTagDump.cpp:64
    #5 0x7f9afd5aaec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #6 0x47c34c in _start (/home/a/Downloads/openexif-2_1_4-src/examples/ExifTagDump/.libs/ExifTagDump+0x47c34c)


AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/a/Downloads/openexif-2_1_4-src/src/ExifImageFileRead.cpp:381 
ExifImageFile::readDHT(int)
Shadow bytes around the buggy address:
  0x0c107fff97c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff97d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff97e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff97f0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff9800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c107fff9810: fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa
  0x0c107fff9820: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff9830: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff9840: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff9850: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff9860: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==90869==ABORTING


POC:
openexif_2.1.4_heap_buffer_overflow_3.jpg
CVE:
CVE-2017-11117


4.
The ExifImageFile::readImage function in ExifImageFileRead.cpp in OpenExif 2.1.4 can cause a denial of service (infinite 
loop and CPU consumption) via a crafted jpg file.


./ExifTagDump openexif_2.1.4_infinite_loop.jpg


POC:
openexif_2.1.4_infinite_loop.jpg
CVE:
CVE-2017-11118




===============================




qflb.wu () dbappsecurity com cn



Attachment: poc.zip
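The advisory above reports heap overflows while OpenExif derives Huffman tables (the DHT path through readDHT and deriveTable) and reads quantisation tables (readDQT), plus a loop in readImage that never terminates, but it does not spell out which checks are missing. The block below is an added example written for this archive page; it is not OpenExif code and not the fix the project shipped. It shows the defensive shape a JPEG segment reader needs: every DHT and DQT payload is validated against the ITU T.81 layout (16 BITS counts whose sum may not exceed 256, a quantisation table of exactly 1 + 64 or 1 + 128 bytes, a segment length that fits inside the buffer), and the marker walk either advances or stops, so a crafted length field can neither push a read past the allocation nor stall the loop. The sample inputs are constructed inside make_sample (they are not the advisory's PoC files), and the function names and the 160-byte scratch buffer are this example's own assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not OpenExif code. Each validate_* function receives only a
 * segment payload (the bytes after the two-byte length field) and its exact
 * size, and returns the number of tables validated, or -1 on any inconsistency. */

/* ITU T.81 B.2.4.2: a Huffman table is 1 byte Tc/Th, 16 BITS counts, then
 * sum(BITS) symbol bytes; sum(BITS) may never exceed 256 (a 256-entry HUFFVAL). */
int validate_dht(const uint8_t *p, size_t len)
{
    int tables = 0;
    while (len > 0) {
        if (len < 17) return -1;                 /* truncated table header */
        uint8_t tc = p[0] >> 4, th = p[0] & 0x0F;
        if (tc > 1 || th > 3) return -1;         /* class or id out of range */
        size_t total = 0;
        for (int i = 1; i <= 16; i++) total += p[i];
        if (total > 256) return -1;              /* would overflow a 256-entry symbol array */
        if (len - 17 < total) return -1;         /* symbols run past the segment */
        p += 17 + total;
        len -= 17 + total;
        tables++;
    }
    return tables;
}

/* ITU T.81 B.2.4.1: a quantisation table is 1 byte Pq/Tq followed by 64 entries
 * of 8 bits (Pq = 0) or 16 bits (Pq = 1). */
int validate_dqt(const uint8_t *p, size_t len)
{
    int tables = 0;
    while (len > 0) {
        uint8_t pq = p[0] >> 4, tq = p[0] & 0x0F;
        if (pq > 1 || tq > 3) return -1;
        size_t need = 1 + 64 * (size_t)(pq + 1);
        if (len < need) return -1;               /* entries run past the segment */
        p += need;
        len -= need;
        tables++;
    }
    return tables;
}

/* Walk the marker segments from SOI up to SOS or EOI. Every advance is checked
 * against the remaining size and pos grows on every iteration, so the loop
 * terminates on any input. Returns validated DHT+DQT tables, or -1 if malformed. */
int walk_markers(const uint8_t *buf, size_t n)
{
    if (n < 2 || buf[0] != 0xFF || buf[1] != 0xD8) return -1;   /* no SOI */
    size_t pos = 2;
    int tables = 0;
    for (;;) {
        if (n - pos < 2) return -1;              /* ran out of data before EOI */
        if (buf[pos] != 0xFF) return -1;         /* expected a marker */
        uint8_t marker = buf[pos + 1];
        if (marker == 0xFF) { pos++; continue; } /* fill byte, still advances */
        pos += 2;
        if (marker == 0xD9 || marker == 0xDA) return tables;   /* EOI, or SOS: stop */
        if (marker == 0xD8 || marker == 0x01 || (marker >= 0xD0 && marker <= 0xD7))
            continue;                            /* standalone markers carry no length */
        if (n - pos < 2) return -1;
        size_t seglen = ((size_t)buf[pos] << 8) | buf[pos + 1];
        if (seglen < 2 || seglen > n - pos) return -1;         /* length must cover itself and fit */
        const uint8_t *payload = buf + pos + 2;
        size_t plen = seglen - 2;
        int r = 0;
        if (marker == 0xC4) r = validate_dht(payload, plen);
        else if (marker == 0xDB) r = validate_dqt(payload, plen);
        if (r < 0) return -1;
        tables += r;
        pos += seglen;                           /* always >= 2, so progress is guaranteed */
    }
}

/* Constructed sample header (capacity >= 160 bytes). variant 0: well formed;
 * 1: DHT BITS counts sum to 300; 2: truncated right after the DHT length field. */
size_t make_sample(uint8_t *out, int variant)
{
    size_t i = 0;
    out[i++] = 0xFF; out[i++] = 0xD8;                    /* SOI */
    out[i++] = 0xFF; out[i++] = 0xDB;                    /* DQT */
    out[i++] = 0x00; out[i++] = 0x43;                    /* length 67 = 2 + 1 + 64 */
    out[i++] = 0x00;                                     /* Pq = 0, Tq = 0 */
    for (int k = 0; k < 64; k++) out[i++] = 16;          /* flat quantiser */
    out[i++] = 0xFF; out[i++] = 0xC4;                    /* DHT */
    out[i++] = 0x00; out[i++] = 0x15;                    /* length 21 = 2 + 1 + 16 + 2 */
    if (variant == 2) return i;                          /* cut the file off here */
    out[i++] = 0x00;                                     /* Tc = 0 (DC), Th = 0 */
    memset(out + i, 0, 16);
    out[i + 1] = 2;                                      /* two codes of length 2 */
    if (variant == 1) { out[i + 7] = 255; out[i + 8] = 43; }   /* 2 + 255 + 43 = 300 */
    i += 16;
    out[i++] = 0x00; out[i++] = 0x01;                    /* the two symbols */
    out[i++] = 0xFF; out[i++] = 0xD9;                    /* EOI */
    return i;
}

int check_sample(int variant)
{
    uint8_t buf[160];
    size_t n = make_sample(buf, variant);
    return walk_markers(buf, n);
}

int main(void)
{
    for (int v = 0; v < 3; v++)
        printf("variant %d -> %d\n", v, check_sample(v));   /* 2, -1, -1 */
    return 0;
}
```

The two rejection paths map onto the two failure classes in the advisory: the over-large BITS sum in variant 1 is the kind of input that overruns a fixed-size table when it is trusted, and the truncated segment in variant 2 is caught by comparing the declared length against what is actually left in the buffer before any payload byte is touched, which is also what keeps the walk from spinning on a length that never moves the cursor forward.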