Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Overflow in exiv2 #1019

Closed
c0d3xpl0it opened this issue Oct 6, 2019 · 4 comments · Fixed by #1020
Closed

Overflow in exiv2 #1019

c0d3xpl0it opened this issue Oct 6, 2019 · 4 comments · Fixed by #1020
Labels
bug

Comments

@c0d3xpl0it
Copy link

c0d3xpl0it commented Oct 6, 2019
edited
Loading

We found vulnerability in exiv2 binary and exiv2 is complied with clang enabling ASAN.

Machine Setup

Machine : Ubuntu 16.04.3 LTS
gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.11)
Commit : 401e658
exiv2 : 0.27.99.0
Command : exiv2 -pv $POC

ASAN Output

fuzzer@fuzzer:~/victim/exiv2/build/bin$ ./exiv2 -pv POC
=================================================================
==16699==ERROR: AddressSanitizer: unknown-crash on address 0x7f9a857b7143 at pc 0x7f9a84dcc1db bp 0x7ffcb8c7b650 sp 0x7ffcb8c7b648
READ of size 1 at 0x7f9a857b7143 thread T0
    #0 0x7f9a84dcc1da in Exiv2::getULong(unsigned char const*, Exiv2::ByteOrder) /home/fuzzer/victim/exiv2/src/types.cpp:289:28
    #1 0x7f9a84ebd4c4 in Exiv2::Internal::CiffDirectory::readDirectory(unsigned char const*, unsigned int, Exiv2::ByteOrder) /home/fuzzer/victim/exiv2/src/crwimage_int.cpp:285:22
    #2 0x7f9a84ebd84e in Exiv2::Internal::CiffComponent::read(unsigned char const*, unsigned int, unsigned int, Exiv2::ByteOrder) /home/fuzzer/victim/exiv2/src/crwimage_int.cpp:231:9
    #3 0x7f9a84ebd84e in Exiv2::Internal::CiffDirectory::readDirectory(unsigned char const*, unsigned int, Exiv2::ByteOrder) /home/fuzzer/victim/exiv2/src/crwimage_int.cpp:305
    #4 0x7f9a84c5c29d in Exiv2::CrwParser::decode(Exiv2::CrwImage*, unsigned char const*, unsigned int) /home/fuzzer/victim/exiv2/src/crwimage.cpp:150:9
    #5 0x7f9a84c5afa0 in Exiv2::CrwImage::readMetadata() /home/fuzzer/victim/exiv2/src/crwimage.cpp:107:9
    #6 0x589421 in Action::Print::printList() /home/fuzzer/victim/exiv2/src/actions.cpp:483:9
    #7 0x57c1df in Action::Print::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/fuzzer/victim/exiv2/src/actions.cpp:218:26
    #8 0x4f4c5f in main /home/fuzzer/victim/exiv2/src/exiv2.cpp:77:23
    #9 0x7f9a836be82f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
    #10 0x41ff38 in _start (/home/fuzzer/victim/exiv2/build/bin/exiv2+0x41ff38)

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: unknown-crash /home/fuzzer/victim/exiv2/src/types.cpp:289:28 in Exiv2::getULong(unsigned char const*, Exiv2::ByteOrder)
Shadow bytes around the buggy address:
  0x0ff3d0aeedd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff3d0aeede0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff3d0aeedf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff3d0aeee00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0ff3d0aeee10: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
=>0x0ff3d0aeee20: fe fe fe fe fe fe fe fe[fe]fe fe fe fe fe fe fe
  0x0ff3d0aeee30: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0ff3d0aeee40: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0ff3d0aeee50: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0ff3d0aeee60: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0ff3d0aeee70: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==16699==ABORTING
fuzzer@fuzzer:~/victim/exiv2/build/bin$
@c0d3xpl0it c0d3xpl0it added the bug label Oct 6, 2019
@phako
Copy link
Contributor

phako commented Oct 6, 2019

Hi. Please provide repducuction material and, if possible, it would be really nice of you to also provide a fix.

@phako phako mentioned this issue Oct 6, 2019
Open
@c0d3xpl0it
Copy link
Author

Below is command for reproducing the bug. Please unzip POC before running.

./exiv2 -pv POC-file.zip

Machine Setup

Machine : Ubuntu 16.04.3 LTS
gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.11)
Commit : 401e658
exiv2 : 0.27.99.0
Command : exiv2 -pv $POC

@phako Currently I am unaware of fix.

@phako
Copy link
Contributor

phako commented Oct 6, 2019

This seems to catch that but I am not sure that this is correct place for it.

diff --git a/src/crwimage_int.cpp b/src/crwimage_int.cpp
index 2474baac..c2fa3d0c 100644
--- a/src/crwimage_int.cpp
+++ b/src/crwimage_int.cpp
@@ -270,6 +270,9 @@ namespace Exiv2 {
 #ifdef EXIV2_DEBUG_MESSAGES
         std::cout << "Reading directory 0x" << std::hex << tag() << "\n";
 #endif
+        if (this->offset() + this->size() > size)
+            throw Error(kerCorruptedMetadata);
+
         readDirectory(pData + offset(), this->size(), byteOrder);
 #ifdef EXIV2_DEBUG_MESSAGES
         std::cout << "<---- 0x" << std::hex << tag() << "\n";

phako added a commit to phako/exiv2 that referenced this issue Oct 6, 2019
@phako
crwimage: Check offset and size against total size
6834515 
Corrupted or specially crafted CRW images might exceed the overall
buffersize.

Fixes Exiv2#1019
@phako phako mentioned this issue Oct 6, 2019
Merged
@c0d3xpl0it
Copy link
Author

@phako You can edit the title of the ticket inorder to point to correct vulnerability.

D4N added a commit to phako/exiv2 that referenced this issue Oct 7, 2019
@D4N
[tests] Add regression test for Exiv2#1019
73b874f
@D4N D4N closed this as completed in #1020 Oct 7, 2019
mergify bot pushed a commit that referenced this issue Oct 7, 2019
@phako
crwimage: Check offset and size against total size
b789077 
Corrupted or specially crafted CRW images might exceed the overall
buffersize.

Fixes #1019

(cherry picked from commit 6834515)
mergify bot pushed a commit that referenced this issue Oct 7, 2019
@D4N
[tests] Add regression test for #1019
0a4fdae 
(cherry picked from commit 73b874f)
1div0 pushed a commit to 1div0/exiv2 that referenced this issue Jun 7, 2020
@phako @1div0
crwimage: Check offset and size against total size
af86dba 
Corrupted or specially crafted CRW images might exceed the overall
buffersize.

Fixes Exiv2#1019
1div0 pushed a commit to 1div0/exiv2 that referenced this issue Jun 7, 2020
@D4N @1div0
[tests] Add regression test for Exiv2#1019
035ddb6
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

crwimage: Check offset and size against total size phako/exiv2
2 participants
@phako @c0d3xpl0it