oss-sec mailing list archives
CVE-2016-5320: libtiff 4.0.6 rgb2ycbcr: command excution
From: 张开翔 <zhangkaixiang () 360 cn>
Date: Wed, 15 Jun 2016 02:33:54 +0000
Details ======= Product: libtiff Affected Versions: <= 4.0.6 Vulnerability Type: command excution Vendor URL: http://www.remotesensing.org/libtiff/ CVE ID: CVE-2016-5320 Credit: Kaixiang Zhang of the Cloud Security Team, Qihoo 360 Introduction ======= It was always corrupted when I use rgb2ycbcr command followed by a crafted TIFF image. The vulnerability of out-of-bound writes is in PixarLogDecode () function in tif_pixarlog.c, which cause the function pointer of vgetparent to be coverd with any data, command execution could be possible. Tested system version: fedora23 64bit CentOS Linux release 7.1.1503 64bit command : ./rgb2ycbcr poc.tif tmpout.tif Here is the stack info: gdb –args ./rgb2ycbcr poc.tif tmpout.tif --- --- Program received signal SIGSEGV, Segmentation fault. -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------[registers]-- $rax 0x5e5e5e5e5e5e5e5e $rbx 0x0000000000608560 $rcx 0x0000000000608560 $rdx 0x00007fffffffd870 $rsp 0x00007fffffffd7e0 $rbp 0x00007fffffffd810 $rsi 0x000000000000010a $rdi 0x0000000000608560 $rip 0x00007ffff7badecb $r8 0x00007ffff7b6be8e $r9 0x0000000000000001 $r10 0x00007fffffffd6d0 $r11 0x00007ffff7b685ab $r12 0x0000000000000020 $r13 0x0000000000000200 $r14 0x0000000000607010 $r15 0x0000000000000000 $cs 0x0000000000000033 $ss 0x000000000000002b $ds 0x0000000000000000 $es 0x0000000000000000 $fs 0x0000000000000000 $gs 0x0000000000000000 $eflags [ CF AF SF IF RF ] Flags: [ CARRY parity ADJUST zero SIGN trap INTERRUPT direction overflow RESUME virtualx86 identification ] -----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------[stack]-- 0x00007fffffffd7e0|+0x00: 0x0 <- $sp 0x00007fffffffd7e8|+0x08: 0x00007fffffffd870 -> 0x3000000010 0x00007fffffffd7f0|+0x10: 0x10a00000000 0x00007fffffffd7f8|+0x18: 0x0000000000608560 -> 0x0000000000608998 -> "PredictorVGetField.tif" 0x00007fffffffd800|+0x20: 0x10600000000 0x00007fffffffd808|+0x28: 0x0000000000609160 -> "^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^[...]" 0x00007fffffffd810|+0x30: 0x00007fffffffd850 -> 0x00007fffffffd940 -> 0x10 0x00007fffffffd818|+0x38: 0x00007ffff7b6a880 -> <TIFFVGetField+149>: jmp 0x7ffff7b6a887 <TIFFVGetField+156> ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------[code:i386:x86-64]-- 0x7ffff7badebd <PredictorVGetField+224> mov rdx,QWORD PTR [rbp-0x28] 0x7ffff7badec1 <PredictorVGetField+228> mov esi,DWORD PTR [rbp-0x1c] 0x7ffff7badec4 <PredictorVGetField+231> mov rcx,QWORD PTR [rbp-0x18] 0x7ffff7badec8 <PredictorVGetField+235> mov rdi,rcx 0x7ffff7badecb <PredictorVGetField+238> call rax <- $pc 0x7ffff7badecd <PredictorVGetField+240> leave 0x7ffff7badece <PredictorVGetField+241> ret 0x7ffff7badecf <PredictorPrintDir> push rbp 0x7ffff7baded0 <PredictorPrintDir+1> mov rbp,rsp ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------[source:tif_predict.c+706]-- 702 case TIFFTAG_PREDICTOR: 703 *va_arg(ap, uint16*) = (uint16)sp->predictor; 704 break; 705 default: 706 return (*sp->vgetparent)(tif, tag, ap); <- $pc ; tif=0x00007fffffffd7f8 -> [...] -> "PredictorVGetField.tif", ap=0x00007fffffffd7e8 -> [...] -> 0x3000000010, sp=0x00007fffffffd808 -> [...] -> "^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^[...]" 707 } 708 return 1; 709 } 710 -----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------[trace]-- #0 0x00007ffff7badecb in PredictorVGetField (tif=0x608560, tag=266, ap=0x7fffffffd870) at tif_predict.c:706 #1 0x00007ffff7b6a880 in TIFFVGetField (tif=0x608560, tag=266, ap=0x7fffffffd870) at tif_dir.c:1174 #2 0x00007ffff7b6a7dd in TIFFGetField (tif=0x608560, tag=266) at tif_dir.c:1158 -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 0x00007ffff7badecb in PredictorVGetField (tif=0x608560, tag=266, ap=0x7fffffffd870) at tif_predict.c:706 706 return (*sp->vgetparent)(tif, tag, ap); gef> bt #0 0x00007ffff7badecb in PredictorVGetField (tif=0x608560, tag=266, ap=0x7fffffffd870) at tif_predict.c:706 #1 0x00007ffff7b6a880 in TIFFVGetField (tif=0x608560, tag=266, ap=0x7fffffffd870) at tif_dir.c:1174 #2 0x00007ffff7b6a7dd in TIFFGetField (tif=0x608560, tag=266) at tif_dir.c:1158 #3 0x0000000000403700 in tiffcvt (in=in@entry=0x608560, out=out@entry=0x607010) at rgb2ycbcr.c:328 #4 0x000000000040183b in main (argc=3, argv=0x7fffffffe328) at rgb2ycbcr.c:127
Current thread:
- CVE-2016-5320: libtiff 4.0.6 rgb2ycbcr: command excution 张开翔 (Jun 14)
- Re: CVE-2016-5320: libtiff 4.0.6 rgb2ycbcr: command excution Marcus Meissner (Jun 15)