Internet Bug Bounty: CVE-2016-1924 OpenJPEG opj_tgt_reset Out-of-Bounds Read Vulnerability

Published 2016-09-13 08:54:54 by binvul on hackerone.com

CVSS v3.0: 6.5 Medium (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
  Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: Required; Scope: Unchanged; Confidentiality Impact: None; Integrity Impact: None; Availability Impact: High

CVSS v2: 4.3 Medium (AV:N/AC:M/Au:N/C:N/I:N/A:P)
  Access Vector: Network; Access Complexity: Medium; Authentication: None; Confidentiality Impact: None; Integrity Impact: None; Availability Impact: Partial

EPSS: 0.011 Low (percentile 82.4%)

CVE-2016-1924 OpenJPEG opj_tgt_reset Out-of-Bounds Read Vulnerability

1. About OpenJPEG

OpenJPEG is an open-source JPEG 2000 codec written in C. It is packaged by most Linux distributions, including Ubuntu, Red Hat, Debian and Fedora. The official repository of the OpenJPEG project is hosted on GitHub.

2. Credit

This vulnerability was discovered by Ke Liu of Tencent’s Xuanwu LAB.

3. Testing Environments

  • OS: Ubuntu
  • OpenJPEG: commit 44a499f (master, before 6 May 2016)
  • Compiler: Clang
  • CFLAGS: -g -O0 -fsanitize=address

4. Reproduce Steps

Copy the proof-of-concept file poc.j2k into openjpeg/bin before running opj_decompress.

# fetch the exact pre-fix revision and build it with AddressSanitizer
wget https://github.com/uclouvain/openjpeg/archive/44a499f2acf10b55172d07abf387e5a579a585f7.zip
unzip -q 44a499f2acf10b55172d07abf387e5a579a585f7.zip
mv openjpeg-44a499f2acf10b55172d07abf387e5a579a585f7 openjpeg
cd openjpeg
export CC='/usr/bin/clang -g -O0 -fsanitize=address'
cmake .
make

# decode the PoC; ASan aborts inside opj_tgt_reset
cd bin
./opj_decompress -o image.pgm -i poc.j2k

5. Vulnerability Details

AddressSanitizer reported the following:

==118102==ERROR: AddressSanitizer: SEGV on unknown address 0x00009fff8002 (pc 0x7fed0283b093 bp 0x7ffed1ced650 sp 0x7ffed1ced5e0 T0)
    #0 0x7fed0283b092 in opj_tgt_reset openjpeg/src/lib/openjp2/tgt.c:241:34
    #1 0x7fed0281cc26 in opj_t2_read_packet_header openjpeg/src/lib/openjp2/t2.c:874:33
    #2 0x7fed0281bb4e in opj_t2_decode_packet openjpeg/src/lib/openjp2/t2.c:536:15
    #3 0x7fed0281b0c5 in opj_t2_decode_packets openjpeg/src/lib/openjp2/t2.c:422:39
    #4 0x7fed028347df in opj_tcd_t2_decode openjpeg/src/lib/openjp2/tcd.c:1546:15
    #5 0x7fed02834512 in opj_tcd_decode_tile openjpeg/src/lib/openjp2/tcd.c:1285:15
    #6 0x7fed02782cfb in opj_j2k_decode_tile openjpeg/src/lib/openjp2/j2k.c:8134:15
    #7 0x7fed027b09d4 in opj_j2k_decode_tiles openjpeg/src/lib/openjp2/j2k.c:9757:23
    #8 0x7fed027797ed in opj_j2k_exec openjpeg/src/lib/openjp2/j2k.c:7350:41
    #9 0x7fed0278c8be in opj_j2k_decode openjpeg/src/lib/openjp2/j2k.c:9955:15
    #10 0x7fed027e4806 in opj_decode openjpeg/src/lib/openjp2/openjpeg.c:412:10
    #11 0x4f166f in main openjpeg/src/bin/jp2/opj_decompress.c:1332:10
    #12 0x7fed00f4182f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
    #13 0x41a978 in _start (openjpeg/bin/opj_decompress+0x41a978)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV openjpeg/src/lib/openjp2/tgt.c:241:34 in opj_tgt_reset
==118102==ABORTING
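Reports like the one above are most useful when they are bucketed by stack signature rather than by raw address or line number, which is exactly what would have shown that issue 775 was CVE-2016-1924 found a second time. The POSIX shell script below is an added example, not code from the report or from OpenJPEG: it parses the ASan output from Section 5 (embedded as ASAN_SAMPLE) together with a second, constructed report of the same stack as it might look from a different build (REBUILT_SAMPLE, not a real crash log), extracts the error class and the top frames, and shows that both reports land in the same bucket. The helper names (asan_error_kind, asan_frame, crash_signature, same_bucket, triage_report) are this example's own.

```shell
#!/bin/sh
# Added example (not from the report or OpenJPEG): bucket ASan crashes by
# stack signature so a re-discovery is recognised before it is filed again.
# Helper names are this example's own.

# ASAN_SAMPLE is the report from Section 5 of this page, verbatim.
ASAN_SAMPLE='==118102==ERROR: AddressSanitizer: SEGV on unknown address 0x00009fff8002 (pc 0x7fed0283b093 bp 0x7ffed1ced650 sp 0x7ffed1ced5e0 T0)
    #0 0x7fed0283b092 in opj_tgt_reset openjpeg/src/lib/openjp2/tgt.c:241:34
    #1 0x7fed0281cc26 in opj_t2_read_packet_header openjpeg/src/lib/openjp2/t2.c:874:33
    #2 0x7fed0281bb4e in opj_t2_decode_packet openjpeg/src/lib/openjp2/t2.c:536:15
    #3 0x7fed0281b0c5 in opj_t2_decode_packets openjpeg/src/lib/openjp2/t2.c:422:39
    #4 0x7fed028347df in opj_tcd_t2_decode openjpeg/src/lib/openjp2/tcd.c:1546:15
    #5 0x7fed02834512 in opj_tcd_decode_tile openjpeg/src/lib/openjp2/tcd.c:1285:15
    #6 0x7fed02782cfb in opj_j2k_decode_tile openjpeg/src/lib/openjp2/j2k.c:8134:15
    #7 0x7fed027b09d4 in opj_j2k_decode_tiles openjpeg/src/lib/openjp2/j2k.c:9757:23
    #8 0x7fed027797ed in opj_j2k_exec openjpeg/src/lib/openjp2/j2k.c:7350:41
    #9 0x7fed0278c8be in opj_j2k_decode openjpeg/src/lib/openjp2/j2k.c:9955:15
    #10 0x7fed027e4806 in opj_decode openjpeg/src/lib/openjp2/openjpeg.c:412:10
    #11 0x4f166f in main openjpeg/src/bin/jp2/opj_decompress.c:1332:10
    #12 0x7fed00f4182f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
    #13 0x41a978 in _start (openjpeg/bin/opj_decompress+0x41a978)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV openjpeg/src/lib/openjp2/tgt.c:241:34 in opj_tgt_reset
==118102==ABORTING'

# REBUILT_SAMPLE is constructed for this example: the same stack as it might
# look from another build (other addresses, shifted line numbers, fewer
# frames). It is not a real crash log.
REBUILT_SAMPLE='==4242==ERROR: AddressSanitizer: SEGV on unknown address 0x00007fff0001 (pc 0x55d0c0ffee00 bp 0x7ffc0000a000 sp 0x7ffc00009f00 T0)
    #0 0x55d0c0ffedff in opj_tgt_reset openjpeg/src/lib/openjp2/tgt.c:239:34
    #1 0x55d0c0fd1111 in opj_t2_read_packet_header openjpeg/src/lib/openjp2/t2.c:870:33
    #2 0x55d0c0fd0000 in opj_t2_decode_packet openjpeg/src/lib/openjp2/t2.c:530:15
    #3 0x55d0c0fcf000 in opj_t2_decode_packets openjpeg/src/lib/openjp2/t2.c:420:39
SUMMARY: AddressSanitizer: SEGV openjpeg/src/lib/openjp2/tgt.c:239:34 in opj_tgt_reset
==4242==ABORTING'

# asan_error_kind REPORT -> the error class ("SEGV", "heap-buffer-overflow", ...)
asan_error_kind() {
    printf '%s\n' "$1" \
        | sed -n 's/^==[0-9]*==ERROR: AddressSanitizer: \([A-Za-z-]*\).*/\1/p' \
        | head -n 1
}

# asan_frame REPORT N -> "function file:line" for frame #N (column dropped);
# prints nothing for frames without source info, such as _start.
asan_frame() {
    printf '%s\n' "$1" \
        | sed -n 's/^ *#'"$2"' 0x[0-9a-f]* in \([^ ]*\) \([^ :]*\):\([0-9][0-9]*\)\(:[0-9]*\)*$/\1 \2:\3/p'
}

# crash_signature REPORT [DEPTH] -> "<kind>|<fn0>|<fn1>|..." from the top
# DEPTH frames (default 3). Addresses, files and line numbers are dropped so
# the bucket survives a rebuild or an unrelated edit nearby.
crash_signature() {
    sig_depth=${2:-3}
    sig_kind=$(asan_error_kind "$1")
    sig_funcs=$(printf '%s\n' "$1" \
        | sed -n 's/^ *#[0-9]* 0x[0-9a-f]* in \([^ ]*\) .*/\1/p' \
        | head -n "$sig_depth" | tr '\n' '|')
    printf '%s|%s\n' "$sig_kind" "${sig_funcs%|}"
}

# same_bucket REPORT_A REPORT_B -> exit 0 when both reports share a signature
same_bucket() {
    [ "$(crash_signature "$1")" = "$(crash_signature "$2")" ]
}

# triage_report REPORT -> a short card to search the tracker with
triage_report() {
    printf 'kind:      %s\n' "$(asan_error_kind "$1")"
    printf 'top frame: %s\n' "$(asan_frame "$1" 0)"
    printf 'caller:    %s\n' "$(asan_frame "$1" 1)"
    printf 'bucket:    %s\n' "$(crash_signature "$1")"
}

triage_report "$ASAN_SAMPLE"
if same_bucket "$ASAN_SAMPLE" "$REBUILT_SAMPLE"; then
    echo 'same bucket as the rebuilt report: search the tracker for this signature before filing'
fi
```

The signature depth is a trade-off: one frame (opj_tgt_reset alone) would also swallow unrelated callers that happen to pass a bad tree, while the full stack breaks as soon as a line number moves. Three frames of function names, with the ASan error class in front, is the usual compromise for fuzzing triage.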

6. Timeline

  • 2016.05.05 - Found
  • 2016.05.06 - Reported to OpenJPEG as issue 775
  • 2016.05.09 - Fixed

7. Remarks

This issue was first found by limingxing on 18 January 2016, who disclosed the details on oss-sec (2016/q1/128); CVE-2016-1924 was assigned for it.

However, limingxing did not report the issue to the OpenJPEG developers, so it was not fixed. On 5 May 2016 I found it independently and reported it to the OpenJPEG developers, who fixed it on 9 May 2016.

The following message was copied from oss-sec/2016/q2/333.
> From: WinsonLiu <stackexploit () gmail com>
>
>> From: Moritz Muehlenhoff <jmm () debian org>
>>
>>> From: WinsonLiu <stackexploit () gmail com>
>>>
>>> Hi,
>>> Some security issues of OpenJPEG have been fixed. Please consider assigning CVE numbers to them.
>>> 2. Issue 775
>>> OpenJPEG Out-of-Bounds Access in function opj_tgt_reset of tgt.c
>>> Fixed via https://github.com/uclouvain/openjpeg/commit/1a8318f6c24623189ecb65e049267c6f2e005c0e
>>
>>Is that a different issue than CVE-2016-1924?
>
>You are right. Issue 775 was a duplicate of CVE-2016-1924.
>
>I didn’t notice that limingxing had already reported this issue (reported at
>http://seclists.org/oss-sec/2016/q1/128 and assigned CVE-2016-1924). I have
>tested the proof-of-concept file supplied by limingxing and confirmed that
>issue 775 was a duplicate of CVE-2016-1924. It seems that limingxing did
>not report it to the official developers because I could not find any
>information about this issue on GitHub and the official developers did not
>fix it for a long time. I thought this was a new issue and reported it to
>them after I did some fuzz testing. Anyway, this issue has been fixed by
>the official developers now.
>
>Regards,
>Ke Liu of Tencent’s Xuanwu LAB
