'[Full-disclosure] ScriptFu Server Buffer Overflow in GIMP <= 2.6'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    [Full-disclosure] ScriptFu Server Buffer Overflow in GIMP <= 2.6
From:       "Joseph Sheridan" <joe () reactionis ! com>
Date:       2012-05-30 22:38:29
Message-ID: 01d901cd3eb4$effa5c10$cfef1430$ () reactionis ! com
[Download RAW message or body]

This is a multipart message in MIME format.

[Attachment #2 (multipart/alternative)]
This is a multipart message in MIME format.


Vulnerability Summary

=================

 

There is a buffer overflow in the script-fu server component of GIMP 

(the GNU Image Manipulation Program) in all 2.6 versions (Windows and Linux
versions) affecting both 

the script-fu console and the script-fu network server. A crafted msg to the


script-fu server overflows a buffer and overwrites several function pointers


allowing the attacker to gain control of EIP and potentially execute
arbitrary 

code. This issue is fixed in the latest, stable GIMP version (currently
2.8.0).

 

CVE number: CVE-2012-2763

Impact: high

Vendor Homepage: http://www.gimp.org/

Date found: 18/05/2012

Found by: Joseph Sheridan of Reaction Information Security

Homepage: http://www.reactionpenetrationtesting.co.uk

 

This advisory is posted at:

http://www.reactionpenetrationtesting.co.uk/advisories/scriptfu-buffer-overf
low-GIMP-2.6.html

 

PoC Code is available here:

http://www.reactionpenetrationtesting.co.uk/advisories/scriptfubof.c

 

Affected Products

=================

 

Vulnerable Products

+------------------

 

The following products are known to be affected by this vulnerability:

 

  * GIMP <= 2.6.12 (Windows or Linux builds)

 

Products Confirmed Not Vulnerable

+--------------------------------

 

The following products are known not to be affected by this

vulnerability:

 

  * GIMP 2.8.0 (current stable release)

 

Details

=======

 

There is a buffer overflow in the command parsing code such that a long
command

overwrites various function pointers on the heap and gives the attacker full
control 

of EIP. The following command sent to the script-fu server will trigger the 

vulnerability:

 

(file-bmp-load 123

aaaaaaaaaaaaa...a*1000...aaaaaaaaaa

raw-filename)

 

Impact

======

 

Successful exploitation of the vulnerability may result in remote code
execution.

 

Solution

===========

Upgrade to the latest stable version of GIMP (currently 2.8 branch) - the
2.6 branch is 

no longer supported by the GIMP development team.

 

Workarounds

===========

 

A workaround would be not to use this feature on a vulnerable version of
GIMP.

The GIMP development team have strongly suggested only using the 

script-fu network server in a secure/sandboxed environment due to 

security concerns.

 

Updates

============

 

Future updates of this advisory, if any, will be placed on the ReactionIS

corporate website, but may or may not be actively announced on

mailing lists or newsgroups. Users concerned about this problem are

encouraged to check the URL below for any updates:

 

http://www.reactionpenetrationtesting.co.uk/advisories/scriptfu-buffer-overf
low-GIMP-2.6.html

 

============================================================================
====

 

Reaction Information Security 

Lombard House Business Centre,

Suite 117,

12-17 Upper Bridge Street,

Canterbury, Kent, CT1 2NF

 

Phone: +44 (0)1227 785050

Email: research () reactionis {dot} co {dot} uk

Web: http://www.reactionpenetrationtesting.co.uk


[Attachment #5 (text/html)]

<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" \
xmlns:w="urn:schemas-microsoft-com:office:word" \
xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" \
xmlns="http://www.w3.org/TR/REC-html40"><head><META HTTP-EQUIV="Content-Type" \
CONTENT="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 14 (filtered \
medium)"><style><!-- /* Font Definitions */
@font-face
	{font-family:Calibri;
	panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
	{margin:0cm;
	margin-bottom:.0001pt;
	font-size:11.0pt;
	font-family:"Calibri","sans-serif";
	mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
	{mso-style-priority:99;
	color:blue;
	text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
	{mso-style-priority:99;
	color:purple;
	text-decoration:underline;}
span.EmailStyle17
	{mso-style-type:personal-compose;
	font-family:"Calibri","sans-serif";
	color:windowtext;}
.MsoChpDefault
	{mso-style-type:export-only;
	font-family:"Calibri","sans-serif";
	mso-fareast-language:EN-US;}
@page WordSection1
	{size:612.0pt 792.0pt;
	margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
	{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-GB link=blue vlink=purple><div \
class=WordSection1><p class=MsoNormal>Vulnerability Summary<o:p></o:p></p><p \
class=MsoNormal>=================<o:p></o:p></p><p class=MsoNormal><o:p>&nbsp;</o:p></p><p \
class=MsoNormal>There is a buffer overflow in the script-fu server component of GIMP \
<o:p></o:p></p><p class=MsoNormal>(the GNU Image Manipulation Program) in all 2.6 versions \
(Windows and Linux versions) affecting both <o:p></o:p></p><p class=MsoNormal>the script-fu \
console and the script-fu network server. A crafted msg to the <o:p></o:p></p><p \
class=MsoNormal>script-fu server overflows a buffer and overwrites several function pointers \
<o:p></o:p></p><p class=MsoNormal>allowing the attacker to gain control of EIP and potentially \
execute arbitrary <o:p></o:p></p><p class=MsoNormal>code. This issue is fixed in the latest, \
stable GIMP version (currently 2.8.0).<o:p></o:p></p><p class=MsoNormal><o:p>&nbsp;</o:p></p><p \
class=MsoNormal>CVE number: CVE-2012-2763<o:p></o:p></p><p class=MsoNormal>Impact: \
high<o:p></o:p></p><p class=MsoNormal>Vendor Homepage: http://www.gimp.org/<o:p></o:p></p><p \
class=MsoNormal>Date found: 18/05/2012<o:p></o:p></p><p class=MsoNormal>Found by: Joseph \
Sheridan of Reaction Information Security<o:p></o:p></p><p class=MsoNormal>Homepage: \
http://www.reactionpenetrationtesting.co.uk<o:p></o:p></p><p \
class=MsoNormal><o:p>&nbsp;</o:p></p><p class=MsoNormal>This advisory is posted \
at:<o:p></o:p></p><p \
class=MsoNormal>http://www.reactionpenetrationtesting.co.uk/advisories/scriptfu-buffer-overflow-GIMP-2.6.html<o:p></o:p></p><p \
class=MsoNormal><o:p>&nbsp;</o:p></p><p class=MsoNormal>PoC Code is available \
here:<o:p></o:p></p><p \
class=MsoNormal>http://www.reactionpenetrationtesting.co.uk/advisories/scriptfubof.c<o:p></o:p></p><p \
class=MsoNormal><o:p>&nbsp;</o:p></p><p class=MsoNormal>Affected Products<o:p></o:p></p><p \
class=MsoNormal>=================<o:p></o:p></p><p class=MsoNormal><o:p>&nbsp;</o:p></p><p \
class=MsoNormal>Vulnerable Products<o:p></o:p></p><p \
class=MsoNormal>+------------------<o:p></o:p></p><p class=MsoNormal><o:p>&nbsp;</o:p></p><p \
class=MsoNormal>The following products are known to be affected by this \
vulnerability:<o:p></o:p></p><p class=MsoNormal><o:p>&nbsp;</o:p></p><p class=MsoNormal>&nbsp; \
* GIMP &lt;= 2.6.12 (Windows or Linux builds)<o:p></o:p></p><p \
class=MsoNormal><o:p>&nbsp;</o:p></p><p class=MsoNormal>Products Confirmed Not \
Vulnerable<o:p></o:p></p><p class=MsoNormal>+--------------------------------<o:p></o:p></p><p \
class=MsoNormal><o:p>&nbsp;</o:p></p><p class=MsoNormal>The following products are known not to \
be affected by this<o:p></o:p></p><p class=MsoNormal>vulnerability:<o:p></o:p></p><p \
class=MsoNormal><o:p>&nbsp;</o:p></p><p class=MsoNormal>&nbsp; * GIMP 2.8.0 (current stable \
release)<o:p></o:p></p><p class=MsoNormal><o:p>&nbsp;</o:p></p><p \
class=MsoNormal>Details<o:p></o:p></p><p class=MsoNormal>=======<o:p></o:p></p><p \
class=MsoNormal><o:p>&nbsp;</o:p></p><p class=MsoNormal>There is a buffer overflow in the \
command parsing code such that a long command<o:p></o:p></p><p class=MsoNormal>overwrites \
various function pointers on the heap and gives the attacker full control <o:p></o:p></p><p \
class=MsoNormal>of EIP. The following command sent to the script-fu server will trigger the \
<o:p></o:p></p><p class=MsoNormal>vulnerability:<o:p></o:p></p><p \
class=MsoNormal><o:p>&nbsp;</o:p></p><p class=MsoNormal>(file-bmp-load 123<o:p></o:p></p><p \
class=MsoNormal>aaaaaaaaaaaaa...a*1000...aaaaaaaaaa<o:p></o:p></p><p \
class=MsoNormal>raw-filename)<o:p></o:p></p><p class=MsoNormal><o:p>&nbsp;</o:p></p><p \
class=MsoNormal>Impact<o:p></o:p></p><p class=MsoNormal>======<o:p></o:p></p><p \
class=MsoNormal><o:p>&nbsp;</o:p></p><p class=MsoNormal>Successful exploitation of the \
vulnerability may result in remote code execution.<o:p></o:p></p><p \
class=MsoNormal><o:p>&nbsp;</o:p></p><p class=MsoNormal>Solution<o:p></o:p></p><p \
class=MsoNormal>===========<o:p></o:p></p><p class=MsoNormal>Upgrade to the latest stable \
version of GIMP (currently 2.8 branch) - the 2.6 branch is <o:p></o:p></p><p class=MsoNormal>no \
longer supported by the GIMP development team.<o:p></o:p></p><p \
class=MsoNormal><o:p>&nbsp;</o:p></p><p class=MsoNormal>Workarounds<o:p></o:p></p><p \
class=MsoNormal>===========<o:p></o:p></p><p class=MsoNormal><o:p>&nbsp;</o:p></p><p \
class=MsoNormal>A workaround would be not to use this feature on a vulnerable version of \
GIMP.<o:p></o:p></p><p class=MsoNormal>The GIMP development team have strongly suggested only \
using the <o:p></o:p></p><p class=MsoNormal>script-fu network server in a secure/sandboxed \
environment due to <o:p></o:p></p><p class=MsoNormal>security concerns.<o:p></o:p></p><p \
class=MsoNormal><o:p>&nbsp;</o:p></p><p class=MsoNormal>Updates<o:p></o:p></p><p \
class=MsoNormal>============<o:p></o:p></p><p class=MsoNormal><o:p>&nbsp;</o:p></p><p \
class=MsoNormal>Future updates of this advisory, if any, will be placed on the \
ReactionIS<o:p></o:p></p><p class=MsoNormal>corporate website, but may or may not be actively \
announced on<o:p></o:p></p><p class=MsoNormal>mailing lists or newsgroups. Users concerned \
about this problem are<o:p></o:p></p><p class=MsoNormal>encouraged to check the URL below for \
any updates:<o:p></o:p></p><p class=MsoNormal><o:p>&nbsp;</o:p></p><p \
class=MsoNormal>http://www.reactionpenetrationtesting.co.uk/advisories/scriptfu-buffer-overflow-GIMP-2.6.html<o:p></o:p></p><p \
class=MsoNormal><o:p>&nbsp;</o:p></p><p \
class=MsoNormal>================================================================================<o:p></o:p></p><p \
class=MsoNormal><o:p>&nbsp;</o:p></p><p class=MsoNormal>Reaction Information Security \
<o:p></o:p></p><p class=MsoNormal>Lombard House Business Centre,<o:p></o:p></p><p \
class=MsoNormal>Suite 117,<o:p></o:p></p><p class=MsoNormal>12-17 Upper Bridge \
Street,<o:p></o:p></p><p class=MsoNormal>Canterbury, Kent, CT1 2NF<o:p></o:p></p><p \
class=MsoNormal><o:p>&nbsp;</o:p></p><p class=MsoNormal>Phone: +44 (0)1227 \
785050<o:p></o:p></p><p class=MsoNormal>Email: research () reactionis {dot} co {dot} \
uk<o:p></o:p></p><p class=MsoNormal>Web: \
http://www.reactionpenetrationtesting.co.uk<o:p></o:p></p></div></body></html>



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic