Re: iDEFENSE Security Advisory 12.21.04: libtiff STRIPOFFSETS Integer Overflow Vulnerability

From: Dmitry V. Levin (ldv_at_altlinux.org)
Date: 12/22/04

    Date: Wed, 22 Dec 2004 14:45:45 +0300
    To: customer service mailbox <customerservice@idefense.com>

    Hi,

    On Tue, Dec 21, 2004 at 05:09:30PM -0500, customer service mailbox wrote:
    > libtiff STRIPOFFSETS Integer Overflow Vulnerability
    >
    > iDEFENSE Security Advisory 12.21.04
    > www.idefense.com/application/poi/display?id=173&type=vulnerabilities
    > December 21, 2004
    >
    > I. BACKGROUND
    >
    > libtiff provides support for the Tag Image File Format (TIFF), a widely
    > used format for storing image data.
    >
    > More information is available at the following site:
    > http://www.remotesensing.org/libtiff/
    >
    > II. DESCRIPTION
    >
    > Remote exploitation of an integer overflow in libtiff may allow for the
    > execution of arbitrary code.
    >
    > The overflow occurs in the parsing of TIFF files set with the
    > STRIPOFFSETS flag in libtiff/tif_dirread.c. In the TIFFFetchStripThing()
    > function, the number of strips (nstrips) is used directly in a
    > CheckMalloc() routine without sanity checking. The call ultimately boils
    > down to:
    >
    > malloc(user_supplied_int*size(int32));
    >
    > When supplied 0x40000000 as the user supplied integer, malloc is called
    > with a length argument of 0. This has the effect of returning the
    > smallest possible malloc chunk. A user controlled buffer is subsequently
    > copied to that small heap buffer, causing a heap overflow.
    >
    > When exploited, it is possible to overwrite heap structures and seize
    > control of execution.
    >
    > III. ANALYSIS
    >
    > An attacker can exploit the above-described vulnerability to execute
    > arbitrary code under the permissions of the target user. Successful
    > exploitation requires that the attacker convince the end user to open
    > the malicious TIFF file using an application linked with a vulnerable
    > version of libtiff. Exploitation of this vulnerability against a remote
    > target is difficult because of the precision required in the attack.
    >
    > IV. DETECTION
    >
    > iDEFENSE has confirmed this vulnerability in libtiff 3.6.1. Changes were
    > introduced in libtiff 3.7.0 that had the effect of fixing this
    > vulnerability.
    >
    > The following vendors provide susceptible libtiff packages within their
    > respective operating system distributions:
    >
    > - Gentoo Linux
    > - Fedora Linux
    > - RedHat Linux
    > - SuSE Linux
    > - Debian Linux
    >
    > V. WORKAROUND
    >
    > Only open TIFF files from trusted users.
    >
    > VI. VENDOR RESPONSE
    >
    > This issue is addressed in libtiff 3.7.0 and 3.7.1.
    >
    > VII. CVE INFORMATION
    >
    > A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
    > been assigned yet.

    I believe this issue is a subset of CAN-2004-0886 which was fixed in the
    middle of October.

    -- 
    ldv
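The arithmetic the quoted advisory describes, as an added example that is not part of the original thread and not libtiff's own code: a constructed little-endian STRIPOFFSETS directory entry is parsed, and the strip-array allocation size is computed once the unchecked way (nstrips * sizeof(uint32) in a 32-bit size type, so 0x40000000 strips wraps to a 0-byte request) and once with an overflow guard. The file-length bound in the checked version is an assumed extra hardening step; the advisory only says the count reaches CheckMalloc() without a sanity check. Tag and type codes are from the TIFF 6.0 specification; the entry bytes and file size are constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define TIFFTAG_STRIPOFFSETS 0x0111u   /* tag number, TIFF 6.0 spec */
#define TIFF_LONG            4u        /* 32-bit unsigned field type */
#define LONG_SIZE            4u        /* sizeof(uint32), the element size in the advisory's malloc */

static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns the count field (nstrips) of a 12-byte little-endian ("II") IFD entry
 * if it is a STRIPOFFSETS entry of type LONG, else 0. */
uint32_t strip_count_from_entry(const uint8_t *buf, size_t len) {
    if (len < 12) return 0;
    if (rd16le(buf) != TIFFTAG_STRIPOFFSETS || rd16le(buf + 2) != TIFF_LONG) return 0;
    return rd32le(buf + 4);
}

/* Unchecked allocation size, as the advisory describes: nstrips * sizeof(uint32)
 * evaluated in a 32-bit size type. 0x40000000 * 4 wraps to 0, so malloc(0)
 * hands back the smallest chunk and the later copy overruns it. */
uint32_t unchecked_strip_bytes(uint32_t nstrips) {
    return nstrips * LONG_SIZE;
}

/* Checked version. Returns the byte count, or -1 if nstrips is zero, the
 * product would overflow 32 bits, or the array cannot fit inside a file of
 * file_len bytes starting at value_off. The file-size bound is an assumed
 * extra check, not something the advisory mentions. */
int64_t checked_strip_bytes(uint32_t nstrips, uint32_t value_off, uint32_t file_len) {
    if (nstrips == 0) return -1;
    if (nstrips > UINT32_MAX / LONG_SIZE) return -1;             /* multiplication would wrap */
    uint32_t bytes = nstrips * LONG_SIZE;
    if (value_off > file_len || bytes > file_len - value_off) return -1; /* array runs past EOF */
    return (int64_t)bytes;
}

/* Constructed entries (not taken from a real file): STRIPOFFSETS, LONG, value offset 8. */
static const uint8_t EVIL_ENTRY[12] = {
    0x11, 0x01, 0x04, 0x00, 0x00, 0x00, 0x00, 0x40, 0x08, 0x00, 0x00, 0x00 }; /* count 0x40000000 */
static const uint8_t SANE_ENTRY[12] = {
    0x11, 0x01, 0x04, 0x00, 0x04, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00 }; /* count 4 */

int main(void) {
    const uint32_t file_len = 1024; /* assumed size of the constructed file */
    const uint8_t *entries[2] = { EVIL_ENTRY, SANE_ENTRY };
    for (int i = 0; i < 2; i++) {
        uint32_t n = strip_count_from_entry(entries[i], 12);
        uint32_t off = rd32le(entries[i] + 8);
        printf("nstrips=0x%08x unchecked malloc size=%u checked=%lld\n",
               n, unchecked_strip_bytes(n),
               (long long)checked_strip_bytes(n, off, file_len));
    }
    return 0;
}
```

On a 64-bit host the real product would not wrap in a size_t, which is why the example forces 32-bit arithmetic with uint32_t; the advisory's 0x40000000 figure is specific to 32-bit builds, and other counts (0x40000001 and up) wrap to small non-zero sizes that are just as exploitable. The guard `nstrips > UINT32_MAX / LONG_SIZE` is the standard way to reject the multiplication before it happens rather than testing the wrapped result.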