LibTIFF TIFFWriteScanline Function CVE-2018-10779 – Heap-Based Buffer Overread

Authors: NESA Lab
Risk: High
CVE: CVE-2018-10779
0day: Buffer Overread
0day-id: 0DAY-176147
Date: 2018-05-08

Description

A vulnerability in the TIFFWriteScanline function of LibTIFF could allow a local attacker to cause a denial of service (DoS) condition on a targeted system.

The vulnerability is due to insufficient validation of user-supplied input processed by the TIFFWriteScanline function, as defined in the tif_write.c source code file of the affected software. An attacker could exploit this vulnerability by passing a crafted BMP file to the bmp2tiff tool, which submits the malicious input to the affected library. A successful exploit could trigger a heap-based buffer overread condition in the TIFFWriteScanline function of the software, resulting in a DoS condition.

Proof-of-concept code that demonstrates an exploit of this vulnerability is publicly available.

LibTIFF has not confirmed the vulnerability and software updates are not available.

Analysis

To exploit this vulnerability, the attacker must have user-level access to the targeted system. This access requirement could reduce the likelihood of a successful exploit.

How to reproduce

$ ./bmp2tiff  POC.mbp  /dev/null 

=================================================================
==65877==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x7f4fde2ab7dc at pc 0x00000043735b bp 0x7ffce2c7afc0 sp 0x7ffce2c7afb0
READ of size 4 at 0x7f4fde2ab7dc thread T0
    #0 0x43735a in TIFFWriteScanline
/home/puppet/test_object_pic/tiff-3.8.2/libtiff/tif_write.c:127
    #1 0x4034e3 in main
/home/puppet/test_object_pic/tiff-3.8.2/tools/bmp2tiff.c:569
    #2 0x7f4fdc68582f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #3 0x4022c8 in _start (/usr/local/bin/bmp2tiff+0x4022c8)

0x7f4fde2ab7dc is located 0 bytes to the right of 262108-byte region
[0x7f4fde26b800,0x7f4fde2ab7dc)
allocated by thread T0 here:
    #0 0x7f4fdd243602 in malloc
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x4362df in _TIFFmalloc
/home/puppet/test_object_pic/tiff-3.8.2/libtiff/tif_unix.c:241
    #2 0x4398fd in TIFFSetupStrips
/home/puppet/test_object_pic/tiff-3.8.2/libtiff/tif_write.c:465
    #3 0x439eef in TIFFWriteCheck
/home/puppet/test_object_pic/tiff-3.8.2/libtiff/tif_write.c:533
    #4 0x436af3 in TIFFWriteScanline
/home/puppet/test_object_pic/tiff-3.8.2/libtiff/tif_write.c:56
    #5 0x4034e3 in main
/home/puppet/test_object_pic/tiff-3.8.2/tools/bmp2tiff.c:569
    #6 0x7f4fdc68582f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/puppet/test_object_pic/tiff-3.8.2/libtiff/tif_write.c:127
TIFFWriteScanline
Shadow bytes around the buggy address:
  0x0fea7bc4d6a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fea7bc4d6b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fea7bc4d6c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fea7bc4d6d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fea7bc4d6e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fea7bc4d6f0: 00 00 00 00 00 00 00 00 00 00 00[04]fa fa fa fa
  0x0fea7bc4d700: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fea7bc4d710: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fea7bc4d720: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fea7bc4d730: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fea7bc4d740: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==65877==ABORTING


This vulnerability was triggered in TIFFWriteScanline() at
libtiff/tif_write.c:127. The faulting access is the 4-byte read of
td->td_stripbytecount[strip] in the condition below; the report above places it
0 bytes past the end of the 262108-byte strip array allocated in TIFFSetupStrips(),
i.e. strip equals the number of allocated strip entries, so the index is not
checked against that allocation before the read.

if( td->td_stripbytecount[strip] > 0 )   /* line 127: reads past the array when strip == number of allocated strips */
{
    /* if we are writing over existing tiles, zero length */
    td->td_stripbytecount[strip] = 0;

    /* this forces TIFFAppendToStrip() to do a seek */
    tif->tif_curoff = 0;
}
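The program below is an added example, not code from this advisory or from LibTIFF. Its first part derives, from the three numbers in the AddressSanitizer report above (region start, region size, faulting address, 4-byte read), which array element the read hit and how far past the allocation it lies. Its second part is a simplified stand-alone model of the strip lookup at tif_write.c:127: the strip for a scanline is taken as row / rowsperstrip (an assumption that holds for the contiguous planar configuration), and the lookup is guarded by the bounds check against the allocated entry count that rejects an index equal to the number of strips. The struct, the function names and the 4-strip sample image are constructed for illustration.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>

/* --- Part 1: locate the faulting element from the ASan report ------------
 * Values copied from the report above: heap region [start, start+size) and
 * the address of the 4-byte READ. */
#define REGION_START 0x7f4fde26b800ULL
#define REGION_SIZE  262108ULL
#define FAULT_ADDR   0x7f4fde2ab7dcULL
#define ELEM_SIZE    4ULL   /* READ of size 4: one 32-bit strip byte count */

/* Element index the faulting access corresponds to, for an array of
 * fixed-size elements starting at region_start. */
uint64_t asan_fault_index(uint64_t region_start, uint64_t fault_addr,
                          uint64_t elem_size)
{
    return (fault_addr - region_start) / elem_size;
}

/* How many elements beyond the allocation the access lies
 * (0 = inside the region, 1 = the element immediately after it). */
uint64_t asan_elements_past_end(uint64_t region_start, uint64_t region_size,
                                uint64_t fault_addr, uint64_t elem_size)
{
    uint64_t nelems = region_size / elem_size;
    uint64_t index = asan_fault_index(region_start, fault_addr, elem_size);
    return index >= nelems ? index - nelems + 1 : 0;
}

/* --- Part 2: modelled strip lookup with a bounds check -------------------
 * Hypothetical struct standing in for the fields involved: the per-strip
 * byte count array, the number of entries actually allocated for it, and
 * the rows-per-strip value used to map a scanline row to a strip. */
struct strips {
    const uint32_t *bytecount;   /* per-strip byte counts (heap array) */
    uint32_t        nstrips;     /* entries actually allocated */
    uint32_t        rowsperstrip;
};

/* Strip index for a scanline row (contiguous planar configuration). */
uint32_t strip_for_row(uint32_t row, uint32_t rowsperstrip)
{
    return row / rowsperstrip;
}

/* Bounds-checked lookup: 0 on success with the count stored in *out,
 * -1 when strip would index past the allocated array. */
int checked_stripbytecount(const struct strips *s, uint32_t strip,
                           uint32_t *out)
{
    if (strip >= s->nstrips)
        return -1;
    *out = s->bytecount[strip];
    return 0;
}

/* Constructed sample: an 8-row image with 2 rows per strip -> 4 strips. */
static const uint32_t demo_counts[4] = { 10, 20, 30, 40 };
static const struct strips demo = { demo_counts, 4, 2 };

/* Byte count of the strip holding `row` in the sample image, or -1 when the
 * row maps past the allocated strips (row 8 -> strip 4 == nstrips). */
long demo_bytecount_for_row(uint32_t row)
{
    uint32_t count;
    if (checked_stripbytecount(&demo, strip_for_row(row, demo.rowsperstrip),
                               &count) != 0)
        return -1;
    return (long)count;
}

int main(void)
{
    printf("region holds %llu entries; fault hits index %llu, %llu past the end\n",
           (unsigned long long)(REGION_SIZE / ELEM_SIZE),
           (unsigned long long)asan_fault_index(REGION_START, FAULT_ADDR, ELEM_SIZE),
           (unsigned long long)asan_elements_past_end(REGION_START, REGION_SIZE,
                                                      FAULT_ADDR, ELEM_SIZE));
    printf("row 7 -> strip %u, count %ld\n",
           (unsigned)strip_for_row(7, 2), demo_bytecount_for_row(7));
    printf("row 8 -> strip %u, count %ld (rejected)\n",
           (unsigned)strip_for_row(8, 2), demo_bytecount_for_row(8));
    return 0;
}
```

With the report's numbers the region holds 65527 four-byte entries and the read lands on index 65527, one element past the end, which is the same shape the checked lookup rejects for row 8 of the sample image.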

Safeguards

  • Administrators are advised to contact the vendor regarding future updates and releases.
  • Administrators are advised to allow only trusted users to access local systems.
  • Administrators are advised to allow only privileged users to access administration or management systems.
  • Administrators are advised to monitor critical systems.

Vendor Announcements

At the time this alert was first published, LibTIFF had not released a security advisory.

Fixed Software

At the time this alert was first published, LibTIFF had not released software updates.

Revision History

  Version  Description              Section  Date
  1        Initial public release.           2018-May-7

Affected Products

The security vulnerability applies to the following combinations of products.

Primary Products
  • Silicon Graphics, Inc (SGI) LibTIFF 3.8 (.2)
