exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

libtiff 4.0.6 Heap Overflow

libtiff 4.0.6 Heap Overflow
Posted Dec 28, 2015
Authored by riusksk

libtiff versions 4.0.6 and below suffer from a heap overflow vulnerability.

tags | advisory, overflow
advisories | CVE-2015-8668
SHA-256 | ddfd1c393297b02656c6af06e2fa4f16ca0f928fa45ec87e895588cb147b6756

libtiff 4.0.6 Heap Overflow

Change Mirror Download
Details
=======

Product: libtiff
Affected Versions: <= 4.0.6
Vulnerability Type: Heap Overflow
Security Risk: High
Vendor URL: http://www.libtiff.org/
CVE ID: CVE-2015-8668
Credit: riusksk of Tencent Security Platform Department

Introduction
============

libtiff v4.0.6 bmp2tiff function PackBitsPreEncode() (./libtiff/tif_packbits.c ) handle malicious bmp file (Width = 65663) to cause memory corruption. An attacker could exploit this issue to execute arbitrary code in the context of the application using the library. Failed exploit attempts may result in denial-of-service conditions.

╭─riusksk@MacBook ~/Downloads ‹›
╰─➤$ ./tiff-4.0.6/tools/bmp2tiff ./libtiff-poc.bmp out.tif 255 ↵
=================================================================
==54340==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x63100001087f at pc 0x00010cdc0532 bp 0x7fff52f459b0 sp 0x7fff52f459a8
READ of size 1 at 0x63100001087f thread T0
#0 0x10cdc0531 in PackBitsEncode (/Users/riusksk/Downloads/./tiff-4.0.6/tools/bmp2tiff+0x100108531)
#1 0x10cdfaa18 in TIFFWriteScanline (/Users/riusksk/Downloads/./tiff-4.0.6/tools/bmp2tiff+0x100142a18)
#2 0x10ccbde7b in main (/Users/riusksk/Downloads/./tiff-4.0.6/tools/bmp2tiff+0x100005e7b)
#3 0x7fff8dcbc5ac in start (/usr/lib/system/libdyld.dylib+0x35ac)
#4 0x2 (<unknown module>)

0x63100001087f is located 0 bytes to the right of 65663-byte region [0x631000000800,0x63100001087f)
allocated by thread T0 here:
#0 0x10cefdf60 in wrap_malloc (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/7.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x42f60)
#1 0x10ce073bf in _TIFFmalloc (/Users/riusksk/Downloads/./tiff-4.0.6/tools/bmp2tiff+0x10014f3bf)
#2 0x10ccbc9d5 in main (/Users/riusksk/Downloads/./tiff-4.0.6/tools/bmp2tiff+0x1000049d5)
#3 0x7fff8dcbc5ac in start (/usr/lib/system/libdyld.dylib+0x35ac)
#4 0x2 (<unknown module>)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 PackBitsEncode
Shadow bytes around the buggy address:
0x1c62000020b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1c62000020c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1c62000020d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1c62000020e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1c62000020f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1c6200002100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[07]
0x1c6200002110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c6200002120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c6200002130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c6200002140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c6200002150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==54340==ABORTING
[1] 54340 abort ./tiff-4.0.6/tools/bmp2tiff ./libtiff-poc.bmp out.tif



Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    0 Files
  • 21
    Mar 21st
    0 Files
  • 22
    Mar 22nd
    0 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close