Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

LibTIFF - _TIFFVGetField (tiffsplit) Out-of-Bounds Read Exploit

🗓️ 07 Jul 2017 00:00:00Reported by zhangtanType 
zdt
 zdt🔗 0day.today👁 56 Views

LibTIFF _TIFFVGetField (tiffsplit) Out-of-Bounds Read Exploit descriptio

Related
Code
ReporterTitlePublishedViews
Family
IBM Security Bulletins		Security Bulletin: IBM Dynamic System Analysis (DSA) Preboot is affected by vulnerabilities in libTIFF
7 Dec 202322:45
ibm
Cloud Foundry		USN-3606-1: LibTIFF vulnerabilities | Cloud Foundry
2 May 201800:00
cloudfoundry
Circl		CVE-2017-9147
6 Jul 201700:00
circl
CNVD		Silicon Graphics LibTIFF Denial of Service Vulnerability (CNVD-2017-07742)
24 May 201700:00
cnvd
CVE		CVE-2017-9147
22 May 201718:00
cve
Cvelist		CVE-2017-9147
22 May 201718:00
cvelist
Debian		[SECURITY] [DLA 983-1] tiff3 security update
13 Jun 201714:40
debian
Debian		[SECURITY] [DLA 984-1] tiff security update
13 Jun 201714:40
debian
Debian		[SECURITY] [DSA 3903-1] tiff security update
5 Jul 201720:57
debian
Debian CVE		CVE-2017-9147
22 May 201718:00
debiancve
Rows per page
Source: http://bugzilla.maptools.org/show_bug.cgi?id=2693
 
On 4.0.7:
 
# tiffsplit $FILE
 
==2007== Invalid read of size 4
==2007==    at 0x40CD1A: _TIFFVGetField (tif_dir.c:1072)
==2007==    by 0x41B2C5: TIFFVGetField (tif_dir.c:1198)
==2007==    by 0x41B2C5: TIFFGetField (tif_dir.c:1182)
==2007==    by 0x404CCF: tiffcp (tiffsplit.c:220)
==2007==    by 0x404CCF: main (tiffsplit.c:89)
==2007==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
 
------- Comment #1 From zhangtan 2017-05-15 01:20:26 -------
 
The place of Out of bound read:
 
ret_val = 0;
for (i = 0; i < td->td_customValueCount; i++) {
    TIFFTagValue *tv = td->td_customValues + i;
 
if (tv->info->field_tag != tag)
                        continue;
 
------- Comment #2 From zhangtan 2017-05-15 01:29:10 -------
 
The place of Out of bound read:
 
The 1072 line of tif_dir.c
 
1068     ret_val = 0;
1069     for (i = 0; i < td->td_customValueCount; i++) {
1070             TIFFTagValue *tv = td->td_customValues + i;
1071                    
1072             if (tv->info->field_tag != tag)
1073                     continue;
 
As tv increased in 1070, Out of bound read happened in 1072 when the pointer tv
was referenced.
 
------- Comment #3 From zhangtan 2017-05-15 01:46:33 -------
 
PoC:
 
Detailed information of the bug can be reproduced using the valgrind tool:
 
# valgrind tiffsplit $File(the testcase in the attachment)
 
Error Message:
==23520== Invalid read of size 4
==23520==    at 0x40CD1A: _TIFFVGetField (tif_dir.c:1072)
==23520==    by 0x41B2C5: TIFFVGetField (tif_dir.c:1198)
==23520==    by 0x41B2C5: TIFFGetField (tif_dir.c:1182)
==23520==    by 0x404CCF: tiffcp (tiffsplit.c:220)
==23520==    by 0x404CCF: main (tiffsplit.c:89)
==23520==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==23520== 
==23520== 
==23520== Process terminating with default action of signal 11 (SIGSEGV)
==23520==  Access not within mapped region at address 0x0
==23520==    at 0x40CD1A: _TIFFVGetField (tif_dir.c:1072)
==23520==    by 0x41B2C5: TIFFVGetField (tif_dir.c:1198)
==23520==    by 0x41B2C5: TIFFGetField (tif_dir.c:1182)
==23520==    by 0x404CCF: tiffcp (tiffsplit.c:220)
==23520==    by 0x404CCF: main (tiffsplit.c:89)
==23520==  If you believe this happened as a result of a stack
==23520==  overflow in your program's main thread (unlikely but
==23520==  possible), you can try to increase the size of the
==23520==  main thread stack using the --main-stacksize= flag.
==23520==  The main thread stack size used in this run was 8388608.
==23520== 
==23520== HEAP SUMMARY:
==23520==     in use at exit: 17,821 bytes in 42 blocks
==23520==   total heap usage: 96 allocs, 54 frees, 59,223 bytes allocated
==23520== 
==23520== LEAK SUMMARY:
==23520==    definitely lost: 0 bytes in 0 blocks
==23520==    indirectly lost: 0 bytes in 0 blocks
==23520==      possibly lost: 0 bytes in 0 blocks
==23520==    still reachable: 17,821 bytes in 42 blocks
==23520==         suppressed: 0 bytes in 0 blocks
==23520== Rerun with --leak-check=full to see details of leaked memory
==23520== 
==23520== For counts of detected and suppressed errors, rerun with: -v
==23520== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Segmentation fault

#  0day.today [2018-01-04]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
07 Jul 2017 00:00Current
7.2High risk
Vulners AI Score7.2
EPSS0.02824
libtiff_tiffvgetfieldtiffsplitout-of-bounds readexploitvulnerabilitybugzilla2693tif_dir.cvalgrindpocsegmentation fault
56