
List:       full-disclosure
Subject:    [FD] OpenExif multiple vulnerabilities
From:       "qflb.wu" <qflb.wu () dbappsecurity ! com ! cn>
Date:       2017-07-30 7:29:03
Message-ID: 37b604bc.e43.15d9265feca.Coremail.qflb.wu () dbappsecurity ! com ! cn


OpenExif multiple vulnerabilities
=================================
Author: qflb.wu
===============


Introduction:
=============
OpenExif is an object-oriented library for accessing Exif-formatted JPEG image files. The
toolkit allows creating, reading, and modifying the metadata in the Exif file. It also
provides a means of getting and setting the main image and the thumbnail image.


Affected version:
=================
2.1.4


Vulnerability Description:
==========================
1.
The ExifJpegHUFFTable::deriveTable function in src/ExifHuffmanTable.cpp in OpenExif 2.1.4 can
cause a denial of service (heap-buffer-overflow and application crash) via a crafted JPEG file.
AddressSanitizer reports a 4-byte out-of-bounds WRITE immediately past a 1668-byte heap buffer
that was allocated in ExifImageFile::readDHT (src/ExifImageFileRead.cpp:388), so this is a heap
write overflow, not merely an over-read.


./ExifTagDump openexif_2.1.4_heap_buffer_overflow_1.jpg


=================================================================
==90864==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61c00000ef04 at pc 0x7ff53957264d bp 0x7ffec44c8d40 sp 0x7ffec44c8d38
WRITE of size 4 at 0x61c00000ef04 thread T0
    #0 0x7ff53957264c in ExifJpegHUFFTable::deriveTable() /home/a/Downloads/openexif-2_1_4-src/src/ExifHuffmanTable.cpp:121
    #1 0x7ff53966c80f in ExifImageFile::readDHT(int) /home/a/Downloads/openexif-2_1_4-src/src/ExifImageFileRead.cpp:409
    #2 0x7ff539668bdf in ExifImageFile::readImage() /home/a/Downloads/openexif-2_1_4-src/src/ExifImageFileRead.cpp:100
    #3 0x7ff53964da19 in ExifImageFile::initAfterOpen(char const*) /home/a/Downloads/openexif-2_1_4-src/src/ExifImageFile.cpp:435
    #4 0x7ff539697451 in ExifOpenFile::open(char const*, char const*) /home/a/Downloads/openexif-2_1_4-src/src/ExifOpenFile.cpp:78
    #5 0x47c675 in main /home/a/Downloads/openexif-2_1_4-src/examples/ExifTagDump/ExifTagDump.cpp:64
    #6 0x7ff53834bec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #7 0x47c34c in _start (/home/a/Downloads/openexif-2_1_4-src/examples/ExifTagDump/.libs/ExifTagDump+0x47c34c)


0x61c00000ef04 is located 0 bytes to the right of 1668-byte region [0x61c00000e880,0x61c00000ef04)
allocated by thread T0 here:
    #0 0x4668e9 in operator new(unsigned long) (/home/a/Downloads/openexif-2_1_4-src/examples/ExifTagDump/.libs/ExifTagDump+0x4668e9)
    #1 0x7ff53966b5dd in ExifImageFile::readDHT(int) /home/a/Downloads/openexif-2_1_4-src/src/ExifImageFileRead.cpp:388
    #2 0x7ff539668bdf in ExifImageFile::readImage() /home/a/Downloads/openexif-2_1_4-src/src/ExifImageFileRead.cpp:100
    #3 0x7ff53964da19 in ExifImageFile::initAfterOpen(char const*) /home/a/Downloads/openexif-2_1_4-src/src/ExifImageFile.cpp:435
    #4 0x7ff539697451 in ExifOpenFile::open(char const*, char const*) /home/a/Downloads/openexif-2_1_4-src/src/ExifOpenFile.cpp:78
    #5 0x47c675 in main /home/a/Downloads/openexif-2_1_4-src/examples/ExifTagDump/ExifTagDump.cpp:64
    #6 0x7ff53834bec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)


SUMMARY: AddressSanitizer: heap-buffer-overflow /home/a/Downloads/openexif-2_1_4-src/src/ExifHuffmanTable.cpp:121 ExifJpegHUFFTable::deriveTable()
Shadow bytes around the buggy address:
  0x0c387fff9d90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c387fff9da0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c387fff9db0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c387fff9dc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c387fff9dd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c387fff9de0:[04]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c387fff9df0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c387fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c387fff9e10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c387fff9e20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c387fff9e30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==90864==ABORTING


POC:
openexif_2.1.4_heap_buffer_overflow_1.jpg
CVE:
CVE-2017-11115


2.
The ExifImageFile::readDQT function in src/ExifImageFileRead.cpp in OpenExif 2.1.4 can cause a
denial of service (heap-buffer-overflow and application crash) via a crafted JPEG file.
AddressSanitizer reports an 8-byte out-of-bounds READ at src/ExifImageFileRead.cpp:262 and
cannot attribute the address to any live or freed allocation (wild memory access suspected).


./ExifTagDump openexif_2.1.4_heap_buffer_overflow_2.jpg


=================================================================
==90866==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60800000c018 at pc 0x7f3a3e6fa084 bp 0x7ffd0a69fb30 sp 0x7ffd0a69fb28
READ of size 8 at 0x60800000c018 thread T0
    #0 0x7f3a3e6fa083 in ExifImageFile::readDQT(int) /home/a/Downloads/openexif-2_1_4-src/src/ExifImageFileRead.cpp:262
    #1 0x7f3a3e6f4d51 in ExifImageFile::readImage() /home/a/Downloads/openexif-2_1_4-src/src/ExifImageFileRead.cpp:125
    #2 0x7f3a3e6d9a19 in ExifImageFile::initAfterOpen(char const*) /home/a/Downloads/openexif-2_1_4-src/src/ExifImageFile.cpp:435
    #3 0x7f3a3e723451 in ExifOpenFile::open(char const*, char const*) /home/a/Downloads/openexif-2_1_4-src/src/ExifOpenFile.cpp:78
    #4 0x47c675 in main /home/a/Downloads/openexif-2_1_4-src/examples/ExifTagDump/ExifTagDump.cpp:64
    #5 0x7f3a3d3d7ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #6 0x47c34c in _start (/home/a/Downloads/openexif-2_1_4-src/examples/ExifTagDump/.libs/ExifTagDump+0x47c34c)


AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/a/Downloads/openexif-2_1_4-src/src/ExifImageFileRead.cpp:262 ExifImageFile::readDQT(int)
Shadow bytes around the buggy address:
  0x0c107fff97b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff97c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff97d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff97e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff97f0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c107fff9800: fa fa fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff9810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff9820: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff9830: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff9840: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff9850: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==90866==ABORTING


POC:
openexif_2.1.4_heap_buffer_overflow_2.jpg
CVE:
CVE-2017-11116


3.
The ExifImageFile::readDHT function in src/ExifImageFileRead.cpp in OpenExif 2.1.4 can cause a
denial of service (heap-buffer-overflow and application crash) via a crafted JPEG file.
AddressSanitizer reports an 8-byte out-of-bounds READ at src/ExifImageFileRead.cpp:381, again
at an address it cannot attribute to any allocation (wild memory access suspected). This is a
different site from issue 1, which is the table derivation called from readDHT at line 409.


./ExifTagDump openexif_2.1.4_heap_buffer_overflow_3.jpg


=================================================================
==90869==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60800000c0e8 at pc 0x7f9afe8cbb74 bp 0x7ffcc8d30870 sp 0x7ffcc8d30868
READ of size 8 at 0x60800000c0e8 thread T0
    #0 0x7f9afe8cbb73 in ExifImageFile::readDHT(int) /home/a/Downloads/openexif-2_1_4-src/src/ExifImageFileRead.cpp:381
    #1 0x7f9afe8c7bdf in ExifImageFile::readImage() /home/a/Downloads/openexif-2_1_4-src/src/ExifImageFileRead.cpp:100
    #2 0x7f9afe8aca19 in ExifImageFile::initAfterOpen(char const*) /home/a/Downloads/openexif-2_1_4-src/src/ExifImageFile.cpp:435
    #3 0x7f9afe8f6451 in ExifOpenFile::open(char const*, char const*) /home/a/Downloads/openexif-2_1_4-src/src/ExifOpenFile.cpp:78
    #4 0x47c675 in main /home/a/Downloads/openexif-2_1_4-src/examples/ExifTagDump/ExifTagDump.cpp:64
    #5 0x7f9afd5aaec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #6 0x47c34c in _start (/home/a/Downloads/openexif-2_1_4-src/examples/ExifTagDump/.libs/ExifTagDump+0x47c34c)


AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/a/Downloads/openexif-2_1_4-src/src/ExifImageFileRead.cpp:381 ExifImageFile::readDHT(int)
Shadow bytes around the buggy address:
  0x0c107fff97c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff97d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff97e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff97f0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff9800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c107fff9810: fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa
  0x0c107fff9820: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff9830: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff9840: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff9850: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff9860: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==90869==ABORTING


POC:
openexif_2.1.4_heap_buffer_overflow_3.jpg
CVE:
CVE-2017-11117


4.
The ExifImageFile::readImage function in ExifImageFileRead.cpp in OpenExif 2.1.4 can cause a
denial of service (infinite loop and CPU consumption) via a crafted JPEG file: on the attached
sample the image-reading loop in readImage never terminates, so ExifTagDump spins at full CPU
instead of crashing.


./ExifTagDump openexif_2.1.4_infinite_loop.jpg


POC:
openexif_2.1.4_infinite_loop.jpg
CVE:
CVE-2017-11118
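All four issues sit in the JPEG marker-segment walk: three in the DQT (0xFFDB) and DHT (0xFFC4) table readers, one in the loop that drives them. The C below is an added example, not OpenExif's code and not a reconstruction of its bug; it shows the checks a table reader needs before it sizes or indexes anything, and how a marker loop guarantees progress so a truncated or malformed file ends in an error rather than a spin. Segment layouts follow ITU-T T.81 (B.2.4.1 for DQT, B.2.4.2 for DHT). The sample bytes are constructed here and are not the advisory's PoC files; the error codes and function names are this example's own.

```c
/* Added example (not OpenExif code): bounds-checked walk over the JPEG
 * marker segments named in this advisory. Layouts per ITU-T T.81. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { JP_OK = 0, JP_TRUNCATED, JP_BAD_MARKER, JP_BAD_DQT, JP_BAD_DHT };

/* DQT payload: repeated { Pq:4 Tq:4, 64 entries of (Pq+1) bytes }.
 * Tq is used as a table index, so Tq > 3 must be rejected, never trusted. */
static int parse_dqt(const uint8_t *p, size_t n, uint8_t seen[4])
{
    while (n > 0) {
        unsigned pq = p[0] >> 4, tq = p[0] & 0x0f;
        size_t entries = 64u * (pq + 1);
        if (pq > 1 || tq > 3) return JP_BAD_DQT;
        if (n < 1 + entries) return JP_TRUNCATED;   /* table must fit in the segment */
        seen[tq] = 1;
        p += 1 + entries;
        n -= 1 + entries;
    }
    return JP_OK;
}

/* DHT payload: repeated { Tc:4 Th:4, BITS[1..16], HUFFVAL[sum(BITS)] }.
 * Derived HUFFSIZE/HUFFCODE tables hold at most 256 entries, so sum(BITS) > 256
 * would overrun them; length i also cannot carry more than 2^i codes. Both are
 * checked before any table is filled. total_codes may be NULL. */
static int parse_dht(const uint8_t *p, size_t n, unsigned *total_codes)
{
    unsigned sum_all = 0;
    while (n > 0) {
        if (n < 17) return JP_TRUNCATED;
        unsigned tc = p[0] >> 4, th = p[0] & 0x0f, sum = 0;
        if (tc > 1 || th > 3) return JP_BAD_DHT;
        for (int i = 1; i <= 16; i++) {
            if ((unsigned)p[i] > (1u << i)) return JP_BAD_DHT;
            sum += p[i];
        }
        if (sum == 0 || sum > 256) return JP_BAD_DHT;
        if (n < 17u + sum) return JP_TRUNCATED;     /* HUFFVAL must fit */
        sum_all += sum;
        p += 17 + sum;
        n -= 17 + sum;
    }
    if (total_codes) *total_codes = sum_all;
    return JP_OK;
}

/* Walk from SOI to SOS or EOI. Every read is checked against len and the
 * cursor always moves forward, so bad input ends in an error, not a spin. */
static int walk_segments(const uint8_t *buf, size_t len)
{
    uint8_t dqt_seen[4] = {0};
    unsigned dht_codes = 0;
    size_t off = 2;
    if (len < 2 || buf[0] != 0xFF || buf[1] != 0xD8) return JP_BAD_MARKER; /* SOI */
    for (;;) {
        if (off + 2 > len) return JP_TRUNCATED;
        if (buf[off] != 0xFF) return JP_BAD_MARKER;
        uint8_t marker = buf[off + 1];
        off += 2;
        if (marker == 0xFF) { off--; continue; }              /* fill byte */
        if (marker == 0xD9) return JP_OK;                     /* EOI */
        if (marker == 0x01 || (marker >= 0xD0 && marker <= 0xD8)) continue; /* no Lx */
        if (off + 2 > len) return JP_TRUNCATED;
        size_t seglen = ((size_t)buf[off] << 8) | buf[off + 1];
        if (seglen < 2 || seglen > len - off) return JP_TRUNCATED; /* Lx counts itself */
        int rc = JP_OK;
        if (marker == 0xDB) rc = parse_dqt(buf + off + 2, seglen - 2, dqt_seen);
        else if (marker == 0xC4) rc = parse_dht(buf + off + 2, seglen - 2, &dht_codes);
        if (rc != JP_OK) return rc;
        off += seglen;                                        /* seglen >= 2: progress */
        if (marker == 0xDA) return JP_OK;                     /* SOS: scan data follows */
    }
}

/* Constructed sample data (not the advisory's PoC). */
static const uint8_t dht_two_codes[] = { 0x00, 1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0, 0x00, 0x01 };
static const uint8_t dht_bits_too_many[17] = { 0x00, [9] = 255,255,255,255,255,255,255,255 };

/* SOI, one 8-bit DQT, one two-code DHT, EOI; returns length written (96). */
static size_t build_tiny_jpeg(uint8_t out[128])
{
    size_t off = 0;
    out[off++] = 0xFF; out[off++] = 0xD8;                     /* SOI */
    out[off++] = 0xFF; out[off++] = 0xDB;                     /* DQT, Lq = 2 + 65 */
    out[off++] = 0x00; out[off++] = 67;
    out[off++] = 0x00;                                        /* Pq = 0, Tq = 0 */
    memset(out + off, 1, 64); off += 64;
    out[off++] = 0xFF; out[off++] = 0xC4;                     /* DHT, Lh = 2 + 19 */
    out[off++] = 0x00; out[off++] = (uint8_t)(2 + sizeof dht_two_codes);
    memcpy(out + off, dht_two_codes, sizeof dht_two_codes); off += sizeof dht_two_codes;
    out[off++] = 0xFF; out[off++] = 0xD9;                     /* EOI */
    return off;
}

/* Walk the sample after trimming `trim` trailing bytes and setting the DQT
 * Pq/Tq byte (offset 6) to `dqt_hdr`; 0x00 keeps it valid. */
static int walk_sample(size_t trim, uint8_t dqt_hdr)
{
    uint8_t buf[128];
    size_t n = build_tiny_jpeg(buf);
    buf[6] = dqt_hdr;
    return walk_segments(buf, n - trim);
}

int main(void)
{
    printf("valid file:     %d\n", walk_sample(0, 0x00));    /* 0 = JP_OK */
    printf("truncated file: %d\n", walk_sample(10, 0x00));   /* 1 = JP_TRUNCATED */
    printf("DQT with Tq=5:  %d\n", walk_sample(0, 0x05));    /* 3 = JP_BAD_DQT */
    printf("DHT sum>256:    %d\n", parse_dht(dht_bits_too_many, 17, NULL)); /* 4 = JP_BAD_DHT */
    return 0;
}
```

The two properties worth carrying into any fix are visible in the walker: the table identifier read from the file is range-checked before it is used as an index, and the segment length is validated against both the remaining buffer and its own minimum before the cursor advances by it, which is what rules out both the wild reads and the non-terminating loop classes reported above.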




===============================




qflb.wu () dbappsecurity com cn


["poc.zip" (application/x-zip-compressed)]

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

