hackerone / binvul / H1:167953
History: Sep 13, 2016 - 8:24 a.m.

Internet Bug Bounty: CVE-2016-3182 OpenJPEG color_esycc_to_rgb Out-of-Bounds Read Vulnerability

2016-09-13 08:24:48
binvul
hackerone.com

CVSS3: 5.5 Medium
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CVSS2: 4.3 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P

EPSS: 0.001 Low
Percentile: 39.7%

CVE-2016-3182 OpenJPEG color_esycc_to_rgb Out-of-Bounds Read Vulnerability

1. About OpenJPEG

OpenJPEG is an open-source JPEG 2000 codec written in C. It is widely used in many Linux distributions, such as Ubuntu, Red Hat, Debian and Fedora. The official repository of the OpenJPEG project is hosted on GitHub.

2. Credit

This vulnerability was discovered by Ke Liu of Tencent’s Xuanwu LAB.

3. Testing Environments

  • OS: Ubuntu
  • OpenJPEG: 0069a2b (Master version before Mar/14/2016)
  • Compiler: Clang
  • CFLAGS: -g -O0 -fsanitize=address

4. Reproduction Steps

Copy the file poc.jp2 into the directory openjpeg/bin before running opj_decompress.

wget https://github.com/uclouvain/openjpeg/archive/0069a2bd2f8055b7edf9699332f4f00ac5351564.zip
unzip -q 0069a2bd2f8055b7edf9699332f4f00ac5351564.zip
mv openjpeg-0069a2bd2f8055b7edf9699332f4f00ac5351564 openjpeg
cd openjpeg
export CC='/usr/bin/clang -g -O0 -fsanitize=address'
cmake .
make

cd bin
./opj_decompress -o image.pgm -i poc.jp2

5. Vulnerability Details

According to AddressSanitizer's output, the out-of-bounds read occurs in the function color_esycc_to_rgb. There must also be an out-of-bounds write, since the process faults when the heap buffer is later freed (see the GDB backtrace below).

  • AddressSanitizer reports the following error:
==116473==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61300000e000 at pc 0x0000005309ef bp 0x7fffb332de20 sp 0x7fffb332de18
READ of size 4 at 0x61300000e000 thread T0
    #0 0x5309ee in color_esycc_to_rgb openjpeg/src/bin/common/color.c:760:37
    #1 0x4f215c in main openjpeg/src/bin/jp2/opj_decompress.c:1381:4
    #2 0x7f50d46dd82f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
    #3 0x41a978 in _start (openjpeg/bin/opj_decompress+0x41a978)

0x61300000e000 is located 0 bytes to the right of 384-byte region [0x61300000de80,0x61300000e000)
allocated by thread T0 here:
    #0 0x4bac30 in calloc (openjpeg/bin/opj_decompress+0x4bac30)
    #1 0x7f50d5fd9764 in opj_calloc openjpeg/src/lib/openjp2/opj_malloc.c:203:10
    #2 0x7f50d5f4ce7a in opj_j2k_update_image_data openjpeg/src/lib/openjp2/j2k.c:8212:62
    #3 0x7f50d5f4c886 in opj_j2k_decode_tiles openjpeg/src/lib/openjp2/j2k.c:9752:23
    #4 0x7f50d5f153fd in opj_j2k_exec openjpeg/src/lib/openjp2/j2k.c:7341:41
    #5 0x7f50d5f2844e in opj_j2k_decode openjpeg/src/lib/openjp2/j2k.c:9943:15
    #6 0x7f50d5f636ce in opj_jp2_decode openjpeg/src/lib/openjp2/jp2.c:1487:8
    #7 0x7f50d5f80356 in opj_decode openjpeg/src/lib/openjp2/openjpeg.c:412:10
    #8 0x4f1627 in main openjpeg/src/bin/jp2/opj_decompress.c:1330:10
    #9 0x7f50d46dd82f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: heap-buffer-overflow openjpeg/src/bin/common/color.c:760:37 in color_esycc_to_rgb
==116473==ABORTING
  • GDB backtrace

If OpenJPEG is compiled with gcc without -fsanitize=address, the result is heap corruption instead, and the process faults inside free():

[INFO] Stream reached its end !
WARNING -> [PGM file] Only the first component
           is written to the file
[INFO] Generated Outfile image.pgm

Program received signal SIGSEGV, Segmentation fault.
__GI___libc_free (mem=0x1f00000000) at malloc.c:2952
2952	malloc.c: No such file or directory.
(gdb) bt
#0  __GI___libc_free (mem=0x1f00000000) at malloc.c:2952
#1  0x00007ffff7bc775d in opj_free (ptr=0x1f00000000) at opj_gcc/src/lib/openjp2/opj_malloc.c:238
#2  0x00007ffff7bc50e2 in opj_tcd_free_tile (p_tcd=0x626f00) at opj_gcc/src/lib/openjp2/tcd.c:1508
#3  0x00007ffff7bc2d1d in opj_tcd_destroy (tcd=0x626f00) at opj_gcc/src/lib/openjp2/tcd.c:616
#4  0x00007ffff7ba23e5 in opj_j2k_destroy (p_j2k=0x620440) at opj_gcc/src/lib/openjp2/j2k.c:7541
#5  0x00007ffff7bb09d5 in opj_jp2_destroy (jp2=0x620380) at opj_gcc/src/lib/openjp2/jp2.c:2778
#6  0x00007ffff7bb4515 in opj_destroy_codec (p_codec=0x6202d0) at opj_gcc/src/lib/openjp2/openjpeg.c:845
#7  0x000000000040682d in main (argc=5, argv=0x7fffffffdeb8) at opj_gcc/src/bin/jp2/opj_decompress.c:1558
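As an added illustration (not the page's or OpenJPEG's own code) of the defensive check this class of bug calls for: a colour converter that refuses to index three component buffers with one common offset unless all three components share the same geometry. The image struct, the fixed-point YCbCr constants and the sample data are constructed assumptions, not OpenJPEG's esYCC implementation.

```c
#include <stddef.h>
/* Constructed stand-in for an OpenJPEG image (not the project's own
 * struct): one 8-bit sample buffer per colour component. */
typedef struct { size_t w, h; int *data; } comp_t;
typedef struct { comp_t comps[3]; } img_t;

/* All three components must cover the same grid. A crafted file can
 * declare Y larger than Cb/Cr; a loop sized from comps[0] then reads
 * past the smaller buffers, the shape of the overflow reported above. */
static int esycc_components_consistent(const img_t *img) {
    for (int i = 0; i < 3; i++)
        if (img->comps[i].data == NULL || img->comps[i].w != img->comps[0].w ||
            img->comps[i].h != img->comps[0].h) return 0;
    return 1;
}

/* In-place fixed-point YCbCr->RGB (an approximation, not OpenJPEG's
 * esYCC formula). Returns 0, or -1 with buffers untouched when the
 * geometry check fails. */
static int esycc_to_rgb_checked(img_t *img) {
    if (!esycc_components_consistent(img)) return -1;
    size_t n = img->comps[0].w * img->comps[0].h;
    int *y = img->comps[0].data, *cb = img->comps[1].data, *cr = img->comps[2].data;
    for (size_t i = 0; i < n; i++) {
        int Y = y[i], Cb = cb[i] - 128, Cr = cr[i] - 128;   /* 8-bit samples */
        int r = Y + ((1436 * Cr) >> 10);
        int g = Y - ((352 * Cb + 731 * Cr) >> 10);
        int b = Y + ((1815 * Cb) >> 10);
        y[i]  = r < 0 ? 0 : r > 255 ? 255 : r;   /* R replaces Y  */
        cb[i] = g < 0 ? 0 : g > 255 ? 255 : g;   /* G replaces Cb */
        cr[i] = b < 0 ? 0 : b > 255 ? 255 : b;   /* B replaces Cr */
    }
    return 0;
}

/* Constructed 2x2 grey sample (chroma at mid-point 128): every channel
 * equals Y, so the red value of pixel 0 comes back as 100. */
static int demo_consistent_red(void) {
    int y[4] = {100, 100, 100, 100}, cb[4] = {128, 128, 128, 128}, cr[4] = {128, 128, 128, 128};
    img_t img = {{{2, 2, y}, {2, 2, cb}, {2, 2, cr}}};
    return esycc_to_rgb_checked(&img) == 0 ? y[0] : -1;
}

/* Constructed mismatch: Y is 2x2 but Cb/Cr are 1x1; the checked
 * converter must refuse (-1) rather than read past the chroma buffers. */
static int demo_mismatched(void) {
    int y[4] = {100, 100, 100, 100}, cb[1] = {128}, cr[1] = {128};
    img_t img = {{{2, 2, y}, {1, 1, cb}, {1, 1, cr}}};
    return esycc_to_rgb_checked(&img);
}
```

Run under -fsanitize=address, as in the testing environment above, the mismatched case stays clean because the conversion is never entered; without the check the same input would trigger a heap-buffer-overflow read like the one in the report.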

6. Timeline

  • 2016.03.10 - Found
  • 2016.03.14 - Reported to OpenJPEG via Issue725
  • 2016.05.01 - Fixed
