HackerOne / binvul / H1:167510
History: Sep 11, 2016 - 6:05 a.m.

Internet Bug Bounty: CVE-2016-5157 OpenJPEG opj_dwt_interleave_v Out-of-Bounds Write Vulnerability

Published: 2016-09-11 06:05:15
Reporter: binvul
Source: hackerone.com

CVSS3: 8.8 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: REQUIRED
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS2: 6.8 Medium
  Access Vector: NETWORK
  Access Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL
  Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

EPSS: 0.008 Low (Percentile: 79.0%)

OpenJPEG opj_dwt_interleave_v Out-of-Bounds Write Vulnerability

1. About OpenJPEG

OpenJPEG is an open-source JPEG 2000 codec written in the C language. It is widely used in many Linux distributions, such as Ubuntu, Red Hat, Debian, and Fedora. The official repository of the OpenJPEG project is available on GitHub.

2. Credit

This vulnerability was discovered by Ke Liu of Tencent’s Xuanwu LAB.

3. Testing Environments

  • OS: Ubuntu
  • OpenJPEG: 4a2a869 (master branch, before Aug 6, 2016)
  • Compiler: Clang
  • CFLAGS: -g -O0 -fsanitize=address

4. Reproduce Steps

Copy the file poc.jp2 into the directory openjpeg/bin before running opj_decompress.

wget https://github.com/uclouvain/openjpeg/archive/4a2a8693e5a02207a8813b02a375abdc4e43c49b.zip
unzip -q 4a2a8693e5a02207a8813b02a375abdc4e43c49b.zip
mv openjpeg-4a2a8693e5a02207a8813b02a375abdc4e43c49b openjpeg
cd openjpeg
export CC='/usr/bin/clang -g -O0 -fsanitize=address'
cmake .
make

cd bin
./opj_decompress -o image.pgm -i poc.jp2

5. Vulnerability Details

This is a heap buffer overflow vulnerability. AddressSanitizer reported the following error: a 4-byte write in opj_dwt_interleave_v lands 4 bytes before the start of a heap region allocated in opj_dwt_decode_tile.

==38575==ERROR: AddressSanitizer: heap-buffer-overflow on address
    0x619000001e7c at pc 0x7f3ab84a5a57 bp 0x7ffc2a7f1c50 sp 0x7ffc2a7f1c48
WRITE of size 4 at 0x619000001e7c thread T0
    #0 0x7f3ab84a5a56 in opj_dwt_interleave_v openjpeg/src/lib/openjp2/dwt.c:268:11
    #1 0x7f3ab849ddca in opj_dwt_decode_tile openjpeg/src/lib/openjp2/dwt.c:609:4
    #2 0x7f3ab849d101 in opj_dwt_decode openjpeg/src/lib/openjp2/dwt.c:477:9
    #3 0x7f3ab8574f5e in opj_tcd_dwt_decode openjpeg/src/lib/openjp2/tcd.c:1619:31
    #4 0x7f3ab85747ea in opj_tcd_decode_tile openjpeg/src/lib/openjp2/tcd.c:1306:20
    #5 0x7f3ab84c2deb in opj_j2k_decode_tile openjpeg/src/lib/openjp2/j2k.c:8134:15
    #6 0x7f3ab84f0b44 in opj_j2k_decode_tiles openjpeg/src/lib/openjp2/j2k.c:9761:23
    #7 0x7f3ab84b98dd in opj_j2k_exec openjpeg/src/lib/openjp2/j2k.c:7350:41
    #8 0x7f3ab84cc9ae in opj_j2k_decode openjpeg/src/lib/openjp2/j2k.c:9959:15
    #9 0x7f3ab8507cae in opj_jp2_decode openjpeg/src/lib/openjp2/jp2.c:1492:8
    #10 0x7f3ab8524976 in opj_decode openjpeg/src/lib/openjp2/openjpeg.c:412:10
    #11 0x4f166f in main openjpeg/src/bin/jp2/opj_decompress.c:1332:10
    #12 0x7f3ab6c8182f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
    #13 0x41a978 in _start (openjpeg/bin/opj_decompress+0x41a978)

0x619000001e7c is located 4 bytes to the left of 1028-byte region [0x619000001e80,0x619000002284)
allocated by thread T0 here:
    #0 0x4bb380 in __interceptor_posix_memalign (openjpeg/bin/opj_decompress+0x4bb380)
    #1 0x7f3ab857e0a0 in opj_aligned_alloc_n openjpeg/src/lib/openjp2/opj_malloc.c:61:7
    #2 0x7f3ab857df0e in opj_aligned_malloc openjpeg/src/lib/openjp2/opj_malloc.c:208:10
    #3 0x7f3ab849d55e in opj_dwt_decode_tile openjpeg/src/lib/openjp2/dwt.c:576:22
    #4 0x7f3ab849d101 in opj_dwt_decode openjpeg/src/lib/openjp2/dwt.c:477:9
    #5 0x7f3ab8574f5e in opj_tcd_dwt_decode openjpeg/src/lib/openjp2/tcd.c:1619:31
    #6 0x7f3ab85747ea in opj_tcd_decode_tile openjpeg/src/lib/openjp2/tcd.c:1306:20
    #7 0x7f3ab84c2deb in opj_j2k_decode_tile openjpeg/src/lib/openjp2/j2k.c:8134:15
    #8 0x7f3ab84f0b44 in opj_j2k_decode_tiles openjpeg/src/lib/openjp2/j2k.c:9761:23
    #9 0x7f3ab84b98dd in opj_j2k_exec openjpeg/src/lib/openjp2/j2k.c:7350:41
    #10 0x7f3ab84cc9ae in opj_j2k_decode openjpeg/src/lib/openjp2/j2k.c:9959:15
    #11 0x7f3ab8507cae in opj_jp2_decode openjpeg/src/lib/openjp2/jp2.c:1492:8
    #12 0x7f3ab8524976 in opj_decode openjpeg/src/lib/openjp2/openjpeg.c:412:10
    #13 0x4f166f in main openjpeg/src/bin/jp2/opj_decompress.c:1332:10
    #14 0x7f3ab6c8182f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: heap-buffer-overflow
    openjpeg/src/lib/openjp2/dwt.c:268:11 in opj_dwt_interleave_v
Shadow bytes around the buggy address:
  0x0c327fff8370: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff8380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff8390: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff83a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff83b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c327fff83c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
  0x0c327fff83d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff83e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff83f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8410: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==38575==ABORTING
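To turn the sanitizer output above into the facts a triager needs without reading it by hand, here is an added helper (not part of the original report or of OpenJPEG) that parses the quoted ASan report and recovers the bug class, the faulting frame, the access position relative to the allocated region, and the project frame that owns the allocation. The embedded excerpt is a constructed, trimmed copy of the report above, and the allocator-frame filter is a heuristic assumption.

```python
import re

# Constructed excerpt of the AddressSanitizer report quoted above, trimmed to the
# lines the parser consumes (deeper frames are omitted).
ASAN_REPORT = """\
==38575==ERROR: AddressSanitizer: heap-buffer-overflow on address
    0x619000001e7c at pc 0x7f3ab84a5a57 bp 0x7ffc2a7f1c50 sp 0x7ffc2a7f1c48
WRITE of size 4 at 0x619000001e7c thread T0
    #0 0x7f3ab84a5a56 in opj_dwt_interleave_v openjpeg/src/lib/openjp2/dwt.c:268:11
    #1 0x7f3ab849ddca in opj_dwt_decode_tile openjpeg/src/lib/openjp2/dwt.c:609:4

0x619000001e7c is located 4 bytes to the left of 1028-byte region [0x619000001e80,0x619000002284)
allocated by thread T0 here:
    #0 0x4bb380 in __interceptor_posix_memalign (openjpeg/bin/opj_decompress+0x4bb380)
    #1 0x7f3ab857e0a0 in opj_aligned_alloc_n openjpeg/src/lib/openjp2/opj_malloc.c:61:7
    #2 0x7f3ab857df0e in opj_aligned_malloc openjpeg/src/lib/openjp2/opj_malloc.c:208:10
    #3 0x7f3ab849d55e in opj_dwt_decode_tile openjpeg/src/lib/openjp2/dwt.c:576:22
"""

# One ASan stack frame: "#N 0xADDR in FUNCTION LOCATION"
FRAME = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (\S+) (\S+)$", re.M)

def is_allocator(func):
    # Heuristic (assumption): sanitizer interceptors and *alloc* wrappers are not the
    # frame that owns the buffer; the caller above them is what a triager wants.
    return func.startswith("__interceptor") or "alloc" in func.lower()

def triage(report):
    """Extract bug class, access type/size, faulting frame, region size, the access
    offset relative to the region start, and the project frame that allocated it."""
    kind = re.search(r"AddressSanitizer: (\S+) on address", report).group(1)
    acc = re.search(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)", report, re.M)
    loc = re.search(r"is located \d+ bytes to the (?:left|right) of (\d+)-byte region "
                    r"\[(0x[0-9a-f]+),", report)
    # Frames above "allocated by" are the access stack; frames below, the allocation stack.
    access_part, _, alloc_part = report.partition("allocated by")
    top = FRAME.findall(access_part)[0]
    owner = next(f for f in FRAME.findall(alloc_part) if not is_allocator(f[0]))
    offset = int(acc.group(3), 16) - int(loc.group(2), 16)  # negative: before region start
    return {
        "kind": kind,
        "access": acc.group(1),
        "size": int(acc.group(2)),
        "frame": top,                       # (function, file:line:col)
        "region_size": int(loc.group(1)),
        "offset": offset,
        "direction": "underflow" if offset < 0 else "overflow",
        "alloc_owner": owner,
    }
```

For this report, triage(ASAN_REPORT) yields a WRITE of size 4 at offset -4 (an underflow) from a 1028-byte region owned by opj_dwt_decode_tile at dwt.c:576:22.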

6. Timeline

  • 2016.07.31 - Found
  • 2016.08.24 - Reported to OpenJPEG via [email protected]
  • 2016.09.08 - Fixed
  • 2016.09.08 - Publicly disclosed

7. References

8. Remarks

I found this issue independently, but Google Chrome also got a report of this issue from another security researcher. So the CVE number was the same as CVE-2016-5157, which was issued for Google Chrome. However, I found and reported this issue to OpenJPEG before Google released a security advisory.
