[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[FD] LibTIFF 4.0.8 has multiple memory leak vulnerabilities (CVE-2017-16232)
- To: "=?gb18030?b?ZnVsbGRpc2Nsb3N1cmU=?=" <fulldisclosure@xxxxxxxxxxxx>
- Subject: [FD] LibTIFF 4.0.8 has multiple memory leak vulnerabilities (CVE-2017-16232)
- From: "=?gb18030?b?enp0MDkwNw==?=" <16362505@xxxxxx>
- Date: Thu, 20 Dec 2018 09:03:08 +0800
#CVE-2017-16232
# LibTIFF 4.0.8 has multiple memory leak vulnerabilities (CVE-2017-16232)
## Product Download: http://www.libtiff.org/ http://download.osgeo.org/libtiff/
## Vulnerability Type£ºmemory leak
## Attack Type : local
## Vulnerability Description
LibTIFF 4.0.8 has multiple memory leak vulnerabilities, which allow
attackers to cause a denial of service (memory consumption), as demonstrated
by tif_open.c, tif_lzw.c, and tif_aux.c
## POC
https://github.com/followboy1999/poc/tree/master/CVE-2017-16232
./tiff2bw libtiff_poc.tif 222.tif
LZWDecode: Not enough data at scanline 0 (short 6442443006 bytes).
> /usr/local/bin/llvm-symbolizer: /lib/x86_64-linux-gnu/libtinfo.so.5: no
> version information available (required by /usr/local/bin/llvm-symbolizer)
>
> =================================================================
> ==25328==ERROR: LeakSanitizer: detected memory leaks
>
> Direct leak of 6442451106 byte(s) in 1 object(s) allocated from:
> #0 0x4bbfd3 in __interceptor_malloc
> /home/brian/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:67:3
> #1 0x4e88be in main
> /home/zzt/Fuzzing/Victims/ASAN/tiff-4.0.8/tools/tiff2bw.c:258:28
> #2 0x7f293f0fdabf in __libc_start_main
> /build/glibc-qbmteM/glibc-2.21/csu/libc-start.c:289
>
> Direct leak of 1137 byte(s) in 1 object(s) allocated from:
> #0 0x4bbfd3 in __interceptor_malloc
> /home/brian/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:67:3
> #1 0x54d6b6 in TIFFClientOpen
> /home/zzt/Fuzzing/Victims/tiff-4.0.8/libtiff/tif_open.c:119
>
> Indirect leak of 81904 byte(s) in 1 object(s) allocated from:
> #0 0x4bbfd3 in __interceptor_malloc
> /home/brian/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:67:3
> #1 0x5ea2e9 in LZWSetupDecode
> /home/zzt/Fuzzing/Victims/tiff-4.0.8/libtiff/tif_lzw.c:232
>
> Indirect leak of 2273 byte(s) in 5 object(s) allocated from:
> #0 0x4bc3d7 in realloc
> /home/brian/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:98:3
> #1 0x56f5db in _TIFFCheckRealloc
> /home/zzt/Fuzzing/Victims/tiff-4.0.8/libtiff/tif_aux.c:73
> #2 0x56f5db in _TIFFCheckMalloc
> /home/zzt/Fuzzing/Victims/tiff-4.0.8/libtiff/tif_aux.c:88
>
> Indirect leak of 1240 byte(s) in 2 object(s) allocated from:
> #0 0x4bc3d7 in realloc
> /home/brian/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:98:3
> #1 0x56f430 in _TIFFCheckRealloc
> /home/zzt/Fuzzing/Victims/tiff-4.0.8/libtiff/tif_aux.c:73
## Versions:LibTIFF 4.0.8
## Impact:Denial of Service
## Credit
This vulnerability was discovered by Jiawang Zhang Coordination Center of China
(CNCERT/CC)
## References
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16232
https://github.com/shelltdf/libtiff/commit/25f9ffa56548c1846c4a1f19308b7f561f7b1ab0
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/