oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2016-5320: libtiff 4.0.6 rgb2ycbcr: command excution

From: 张开翔 <zhangkaixiang () 360 cn>
Date: Wed, 15 Jun 2016 02:33:54 +0000
Details
=======

Product: libtiff
Affected Versions: <= 4.0.6
Vulnerability Type: command excution
Vendor URL: http://www.remotesensing.org/libtiff/
CVE ID: CVE-2016-5320
Credit: Kaixiang Zhang of the Cloud Security Team, Qihoo 360


Introduction
=======

It was always corrupted when I use rgb2ycbcr command followed by a crafted TIFF image. The vulnerability of 
out-of-bound writes is in PixarLogDecode () function in tif_pixarlog.c, which cause the function pointer of vgetparent 
to be coverd with any data, command execution could be possible.
Tested system version:
       fedora23 64bit
       CentOS Linux release 7.1.1503 64bit
command :
        ./rgb2ycbcr poc.tif tmpout.tif

  Here is the stack info:
gdb –args ./rgb2ycbcr poc.tif tmpout.tif
--- ---
Program received signal SIGSEGV, Segmentation fault.
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------[registers]--
$rax     0x5e5e5e5e5e5e5e5e $rbx     0x0000000000608560 $rcx     0x0000000000608560 $rdx     0x00007fffffffd870 $rsp    
 0x00007fffffffd7e0 $rbp     0x00007fffffffd810 $rsi     0x000000000000010a
$rdi     0x0000000000608560 $rip     0x00007ffff7badecb $r8      0x00007ffff7b6be8e $r9      0x0000000000000001 $r10    
 0x00007fffffffd6d0 $r11     0x00007ffff7b685ab $r12     0x0000000000000020
$r13     0x0000000000000200 $r14     0x0000000000607010 $r15     0x0000000000000000 $cs      0x0000000000000033 $ss     
 0x000000000000002b $ds      0x0000000000000000 $es      0x0000000000000000
$fs      0x0000000000000000 $gs      0x0000000000000000 $eflags  [ CF AF SF IF RF ]
Flags: [ CARRY  parity  ADJUST  zero  SIGN  trap  INTERRUPT  direction  overflow  RESUME  virtualx86  identification ]
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------[stack]--
0x00007fffffffd7e0|+0x00: 0x0                  <- $sp
0x00007fffffffd7e8|+0x08: 0x00007fffffffd870 -> 0x3000000010
0x00007fffffffd7f0|+0x10: 0x10a00000000
0x00007fffffffd7f8|+0x18: 0x0000000000608560 -> 0x0000000000608998 -> "PredictorVGetField.tif"
0x00007fffffffd800|+0x20: 0x10600000000
0x00007fffffffd808|+0x28: 0x0000000000609160 -> "^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^[...]"
0x00007fffffffd810|+0x30: 0x00007fffffffd850 -> 0x00007fffffffd940 -> 0x10
0x00007fffffffd818|+0x38: 0x00007ffff7b6a880 -> <TIFFVGetField+149>: jmp 0x7ffff7b6a887 <TIFFVGetField+156>
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------[code:i386:x86-64]--
0x7ffff7badebd         <PredictorVGetField+224>  mov    rdx,QWORD PTR [rbp-0x28]
0x7ffff7badec1         <PredictorVGetField+228>  mov    esi,DWORD PTR [rbp-0x1c]
0x7ffff7badec4         <PredictorVGetField+231>  mov    rcx,QWORD PTR [rbp-0x18]
0x7ffff7badec8         <PredictorVGetField+235>  mov    rdi,rcx
0x7ffff7badecb        <PredictorVGetField+238>  call   rax                <- $pc
0x7ffff7badecd         <PredictorVGetField+240>  leave
0x7ffff7badece         <PredictorVGetField+241>  ret
0x7ffff7badecf <PredictorPrintDir>  push   rbp
0x7ffff7baded0         <PredictorPrintDir+1>  mov    rbp,rsp
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------[source:tif_predict.c+706]--
702                case TIFFTAG_PREDICTOR:
703                         *va_arg(ap, uint16*) = (uint16)sp->predictor;
704                         break;
705                default:
706                         return (*sp->vgetparent)(tif, tag, ap);                    <- $pc     ; 
tif=0x00007fffffffd7f8 -> [...] -> "PredictorVGetField.tif", ap=0x00007fffffffd7e8 -> [...] -> 0x3000000010, 
sp=0x00007fffffffd808 -> [...] -> "^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^[...]"
707                }
708                return 1;
709         }
710
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------[trace]--
#0  0x00007ffff7badecb in PredictorVGetField (tif=0x608560, tag=266, ap=0x7fffffffd870) at tif_predict.c:706
#1  0x00007ffff7b6a880 in TIFFVGetField (tif=0x608560, tag=266, ap=0x7fffffffd870) at tif_dir.c:1174
#2  0x00007ffff7b6a7dd in TIFFGetField (tif=0x608560, tag=266) at tif_dir.c:1158
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0x00007ffff7badecb in PredictorVGetField (tif=0x608560, tag=266, ap=0x7fffffffd870) at tif_predict.c:706
706                     return (*sp->vgetparent)(tif, tag, ap);
gef> bt
#0  0x00007ffff7badecb in PredictorVGetField (tif=0x608560, tag=266, ap=0x7fffffffd870) at tif_predict.c:706
#1  0x00007ffff7b6a880 in TIFFVGetField (tif=0x608560, tag=266, ap=0x7fffffffd870) at tif_dir.c:1174
#2  0x00007ffff7b6a7dd in TIFFGetField (tif=0x608560, tag=266) at tif_dir.c:1158
#3  0x0000000000403700 in tiffcvt (in=in@entry=0x608560, out=out@entry=0x607010) at rgb2ycbcr.c:328
#4  0x000000000040183b in main (argc=3, argv=0x7fffffffe328) at rgb2ycbcr.c:127
Previous By Date Next
Previous By Thread Next

Current thread: