Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
hackeroneBinvulH1:167955
HistorySep 13, 2016 - 8:37 a.m.

Internet Bug Bounty: CVE-2016-4796 OpenJPEG color_cmyk_to_rgb Out-of-Bounds Read Vulnerability

2016-09-1308:37:54
binvul
hackerone.com
13

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:N/A:P

0.008 Low

EPSS

Percentile

78.9%

JSON

CVE-2016-4796 OpenJPEG color_cmyk_to_rgb Out-of-Bounds Read Vulnerability

1. About OpenJPEG

OpenJPEG is an open-source JPEG 2000 codec written in C language. It’s widely used in lots of Linux OSes such as Ubuntu, RedHat, Debian, Fedora, and so on. The official repository of the OpenJPEG project is available at GitHub.

2. Credit

This vulnerability was discovered by Ke Liu of Tencent’s Xuanwu LAB.

3. Testing Environments

  • OS: Ubuntu
  • OpenJPEG: 44a499f (Master version before May/6/2016)
  • Compiler: Clang
  • CFLAGS: -g -O0 -fsanitize=address

4. Reproduce Steps

Please copy file poc.j2k to directory openjpeg/bin before executing opj_decompress.

wget https://github.com/uclouvain/openjpeg/archive/44a499f2acf10b55172d07abf387e5a579a585f7.zip
unzip -q 44a499f2acf10b55172d07abf387e5a579a585f7.zip
mv openjpeg-44a499f2acf10b55172d07abf387e5a579a585f7 openjpeg
cd openjpeg
export CC='/usr/bin/clang -g -O0 -fsanitize=address'
cmake .
make

cd bin
./opj_decompress -o image.pgm -i poc.j2k

5. Vulnerability Details

AddressSanitizer output the following exception information.

==118074==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000eed4 
at pc 0x000000531212 bp 0x7ffce9cd43c0 sp 0x7ffce9cd43b8
READ of size 4 at 0x60200000eed4 thread T0
    #0 0x531211 in color_cmyk_to_rgb openjpeg/src/bin/common/color.c:872:15
    #1 0x4f20c1 in main openjpeg/src/bin/jp2/opj_decompress.c:1378:4
    #2 0x7f3e59d9082f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
    #3 0x41a978 in _start (openjpeg/bin/opj_decompress+0x41a978)

0x60200000eed4 is located 0 bytes to the right of 4-byte region [0x60200000eed0,0x60200000eed4)
allocated by thread T0 here:
    #0 0x4bac30 in calloc (openjpeg/bin/opj_decompress+0x4bac30)
    #1 0x7f3e5b68cc44 in opj_calloc openjpeg/src/lib/openjp2/opj_malloc.c:203:10
    #2 0x7f3e5b60032a in opj_j2k_update_image_data openjpeg/src/lib/openjp2/j2k.c:8221:62
    #3 0x7f3e5b5ffd36 in opj_j2k_decode_tiles openjpeg/src/lib/openjp2/j2k.c:9764:23
    #4 0x7f3e5b5c87ed in opj_j2k_exec openjpeg/src/lib/openjp2/j2k.c:7350:41
    #5 0x7f3e5b5db8be in opj_j2k_decode openjpeg/src/lib/openjp2/j2k.c:9955:15
    #6 0x7f3e5b616b3e in opj_jp2_decode openjpeg/src/lib/openjp2/jp2.c:1492:8
    #7 0x7f3e5b633806 in opj_decode openjpeg/src/lib/openjp2/openjpeg.c:412:10
    #8 0x4f166f in main openjpeg/src/bin/jp2/opj_decompress.c:1332:10
    #9 0x7f3e59d9082f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: heap-buffer-overflow openjpeg/src/bin/common/color.c:872:15 in color_cmyk_to_rgb
Shadow bytes around the buggy address:
  0x0c047fff9d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa[04]fa fa fa fd fd
  0x0c047fff9de0: fa fa fd fd fa fa 00 fa fa fa fd fd fa fa 04 fa
  0x0c047fff9df0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==118074==ABORTING

6. Timeline

  • 2016.05.05 - Found
  • 2016.05.06 - Reported to OpenJPEG via Issue774
  • 2016.05.09 - Fixed

Related

ubuntucve 1
prion 1
redhatcve 1
cve 1
osv 1
debiancve 1
fedora 4
nessus 4
openvas 5
mageia 1
oracle 1
ubuntucve
ubuntucve
CVE-2016-4796
2017-02-03 00:00:00
prion
prion
Heap overflow
2017-02-03 16:59:00
redhatcve
redhatcve
CVE-2016-4796
2016-05-13 08:21:28
cve
cve
CVE-2016-4796
2017-02-03 16:59:00
osv
osv
CVE-2016-4796
2017-02-03 16:59:00
debiancve
debiancve
CVE-2016-4796
2017-02-03 16:59:00
fedora
fedora
[SECURITY] Fedora 24 Update: mingw-openjpeg2-2.1.1-1.fc24
2016-07-18 18:37:00
[SECURITY] Fedora 23 Update: openjpeg2-2.1.1-1.fc23
2016-07-16 21:21:40
[SECURITY] Fedora 23 Update: mingw-openjpeg2-2.1.1-1.fc23
2016-07-18 21:00:23
nessus
nessus
Fedora 23 : openjpeg2 (2016-d2ab705e4a)
2016-07-18 00:00:00
Fedora 24 : openjpeg2 (2016-abdc548f46)
2016-07-15 00:00:00
Fedora 23 : mingw-openjpeg2 (2016-14d8f9b4ed)
2016-07-19 00:00:00
openvas
openvas
Fedora Update for openjpeg2 FEDORA-2016-abdc548f46
2016-08-02 00:00:00
Fedora Update for openjpeg2 FEDORA-2016-d2ab705e4a
2016-08-02 00:00:00
Fedora Update for mingw-openjpeg2 FEDORA-2016-14d8f9b4ed
2016-08-02 00:00:00
mageia
mageia
Updated openjpeg2 packages fix security vulnerabilities
2016-11-03 12:02:50
oracle
oracle
Oracle Critical Patch Update Advisory - July 2020
2020-07-14 00:00:00

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:N/A:P

0.008 Low

EPSS

Percentile

78.9%

JSON
Related for H1:167955
ubuntucve1prion1redhatcve1cve1osv1debiancve1fedora4nessus4openvas5mageia1oracle1