Vulners
Lucene search
gif2apng 1.9 - '.gif' Stack Buffer Overflow
# Exploit Title: gif2apng 1.9 '.gif' Stack-Buffer Overflow
# Date: 20 April 2018
# Exploit Author: Hamm3r.py
# Vendor Homepage: http://gif2apng.sourceforge.net/
# Version: 1.9
# Tested on: Ubuntu 16.04
# CVE :
gif2apng is vulnerable to a stack based buffer overflow when a malformed
gif is supplied. Following is the stack trace:
$ ./gif2apng fuzz.gif
gif2apng 1.9 using 7ZIP with 15 iterations
Reading 'fuzz.gif'...
=================================================================
==3674==ERROR: AddressSanitizer: stack-buffer-overflow on address
0x7fffb183bcf1 at pc 0x0000004ebdce bp 0x7fffb1837a90 sp
0x7fffb1837a88
WRITE of size 1 at 0x7fffb183bcf1 thread T0
#0 0x4ebdcd (/home/shyam/FUZZ/gif2apng+0x4ebdcd)
#1 0x4ee926 (/home/shyam/FUZZ/gif2apng+0x4ee926)
#2 0x7f4e5642282f (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#3 0x4199a8 (/home/shyam/FUZZ/gif2apng+0x4199a8)
Address 0x7fffb183bcf1 is located in stack of thread T0 at offset 16977 in frame
#0 0x4eb23f (/home/shyam/FUZZ/gif2apng+0x4eb23f)
This frame has 6 object(s):
[32, 36) 'size'
[48, 8242) 'prefix'
[8512, 12609) 'suffix'
[12880, 16977) 'str' <== Memory access at offset 16977 overflows
this variable
[17248, 18272) 'data'
[18400, 18401) 'mincodesize'
HINT: this may be a false positive if your program uses some custom
stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow
(/home/shyam/FUZZ/gif2apng+0x4ebdcd)
Shadow bytes around the buggy address:
0x1000762ff740: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000762ff750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000762ff760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000762ff770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000762ff780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1000762ff790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[01]f2
0x1000762ff7a0: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
0x1000762ff7b0: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
0x1000762ff7c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000762ff7d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000762ff7e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==3674==ABORTING
Version of software in use:
./gif2apng
gif2apng 1.9
#This issue is identified by Hamm3r.py, a general purpose fuzzer!
https://github.com/0xshyam/hamm3r.py
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/44519.zipData
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
24 Apr 2018 00:00Current
7.4High risk
Vulners AI Score7.4