
#129 Out-of-Bounds Read - exif_data_save_data_entry

Status: closed-duplicate
Last updated: 2018-06-29
Created: 2017-05-29
Private: No

Out-of-Bounds Read

Version: 0.6.21
Trigger: exif -c file
Only tested in Linux x86 and x64.

Hey guys, there's an OOB Read when trying to write or remove tags in a raw file. To crash libexif, for now, I was using the exif tool as the frontend. If you agree, can you assign a CVE number, please?

root@vulndev01:~/src/crashes# exif -cd file
ExifLoader: Scanning 1024 byte(s) of data...
exif-content: Tag 'XResolution' is mandatory in IFD '0' and has therefore been added.
exif-content: Tag 'YResolution' is mandatory in IFD '0' and has therefore been added.
exif-content: Tag 'ResolutionUnit' is mandatory in IFD '0' and has therefore been added.
exif-content: Tag 'YCbCrPositioning' is mandatory in IFD '0' and has therefore been added.
exif-content: Tag 'ExifVersion' is mandatory in IFD 'EXIF' and has therefore been added.
exif-content: Tag 'ComponentsConfiguration' is mandatory in IFD 'EXIF' and has therefore been added.
exif-content: Tag 'FlashPixVersion' is mandatory in IFD 'EXIF' and has therefore been added.
exif-content: Tag 'ColorSpace' is mandatory in IFD 'EXIF' and has therefore been added.
exif-content: Tag 'PixelXDimension' is mandatory in IFD 'EXIF' and has therefore been added.
exif-content: Tag 'PixelYDimension' is mandatory in IFD 'EXIF' and has therefore been added.
exif: Adding entry...
ExifData: Saving IFDs...
ExifData: Saving 5 entries (IFD '0', offset: 10)...
ExifData: Saving 6 entries (IFD 'EXIF', offset: 124)...
ExifData: Saved 206 byte(s) EXIF data.
ExifData: Saving IFDs...
ExifData: Saving 5 entries (IFD '0', offset: 10)...
ExifData: Saving 6 entries (IFD 'EXIF', offset: 124)...
ExifData: Saved 206 byte(s) EXIF data.
Segmentation fault
root@vulndev01:~/src/crashes#

=================================================================
==2199==ERROR: AddressSanitizer: unknown-crash on address 0xb1a0a200 at pc 0xb718ae34 bp 0xbf8e10a8 sp 0xbf8e109c
READ of size 134416 at 0xb1a0a200 thread T0
    #0 0xb718ae33 in exif_data_save_data_entry /root/libexif-0.6.21/libexif/exif-data.c:298
    #1 0xb718ae33 in exif_data_save_data_content /root/libexif-0.6.21/libexif/exif-data.c:582
    #2 0xb7189b19 in exif_data_save_data_content /root/libexif-0.6.21/libexif/exif-data.c:609
    #3 0xb718da8c in exif_data_save_data /root/libexif-0.6.21/libexif/exif-data.c:984
    #4 0x8050dc7 in jpeg_data_save_data /root/exif-0.6.21/libjpeg/jpeg-data.c:145
    #5 0x80519e6 in jpeg_data_save_file /root/exif-0.6.21/libjpeg/jpeg-data.c:97
    #6 0x804c206 in action_save /root/exif-0.6.21/exif/actions.c:183
    #7 0x804a6e0 in main /root/exif-0.6.21/exif/main.c:462
    #8 0xb6f8aa62 in libc_start_main (/lib/i386-linux-gnu/i686/cmov/libc.so.6+0x19a62)
    #9 0x804afda (/usr/local/bin/exif+0x804afda)

0xb1a0e3a2 is located 0 bytes to the right of 16802-byte region [0xb1a0a200,0xb1a0e3a2)
allocated by thread T0 here:
    #0 0xb7255954 in realloc (/usr/lib/i386-linux-gnu/libasan.so.1+0x4e954)
    #1 0xb719f8bb in exif_mem_realloc_func /root/libexif-0.6.21/libexif/exif-mem.c:23

SUMMARY: AddressSanitizer: unknown-crash /root/libexif-0.6.21/libexif/exif-data.c:298 exif_data_save_data_entry
==2199==ABORTING
1 Attachments
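The trace above shows a 134416-byte read from a 16802-byte heap region while an entry is being serialized: the byte count is derived from the entry's declared format and component count, not from the buffer actually held. As an added illustration (not libexif's code and not the fix referred to later in this thread), this is the check a serializer needs before the copy. The entry_t type, format_size and save_entry_payload are hypothetical stand-ins; the type codes follow the TIFF/EXIF type numbering.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical minimal EXIF entry: declared type and count plus the
 * bytes actually allocated behind data (size). */
typedef struct {
    uint16_t format;       /* TIFF type code: 1=BYTE, 3=SHORT, 4=LONG, 5=RATIONAL ... */
    uint32_t components;   /* declared element count */
    unsigned char *data;
    size_t size;           /* bytes really held for this entry */
} entry_t;

/* Size in bytes of one element of a TIFF/EXIF type; 0 for unknown codes. */
static size_t format_size(uint16_t format) {
    switch (format) {
    case 1: case 2: case 6: case 7:  return 1;  /* BYTE, ASCII, SBYTE, UNDEFINED */
    case 3: case 8:                  return 2;  /* SHORT, SSHORT */
    case 4: case 9: case 11:         return 4;  /* LONG, SLONG, FLOAT */
    case 5: case 10: case 12:        return 8;  /* RATIONAL, SRATIONAL, DOUBLE */
    default:                         return 0;
    }
}

/* Copy an entry's payload to out+off. The length to write is computed from
 * the declared format and count, so it is validated against the bytes the
 * entry really holds and against the destination before memcpy.
 * Returns the number of bytes written, or 0 if any check fails. */
size_t save_entry_payload(const entry_t *e, unsigned char *out,
                          size_t out_len, size_t off) {
    size_t fs = format_size(e->format);
    if (fs == 0 || e->components > SIZE_MAX / fs) return 0; /* unknown type / overflow */
    size_t s = fs * e->components;                           /* declared payload size */
    if (!e->data || e->size != s) return 0;                  /* declared != held: refuse */
    if (off > out_len || s > out_len - off) return 0;        /* destination bounds */
    memcpy(out + off, e->data, s);
    return s;
}

int main(void) {
    unsigned char payload[4] = {1, 2, 3, 4};   /* constructed sample: 2 SHORTs */
    unsigned char out[16] = {0};
    entry_t honest = {3, 2, payload, sizeof payload};
    entry_t lying  = {3, 67208, payload, sizeof payload};   /* claims 134416 bytes */
    printf("honest entry: %zu bytes written\n", save_entry_payload(&honest, out, sizeof out, 8));
    printf("lying entry:  %zu bytes written\n", save_entry_payload(&lying, out, sizeof out, 8));
    return 0;
}
```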


Discussion

  • Dan Fandrich

    Dan Fandrich - 2017-05-29

    I'm looking at a similar issue now. I hope to have the time to investigate this by next week.

     
    • Joaquim Espinhara

      Hi Dan, hope you're doing great. Looks like someone else created an open
      ticket with public visibility; reading the description, it looks like the same
      bug, but I'm not sure if it is. However, I just noticed that the zip file is
      password protected.

      https://sourceforge.net/p/libexif/bugs/130/

      Cheers.

      On Tue, May 30, 2017 at 6:24 AM, Dan Fandrich dfandrich@users.sf.net
      wrote:

      I'm looking at a similar issue now. I hope to have the time to investigate
      this by next week.


      Status: open
      Group:
      Created: Mon May 29, 2017 01:37 PM UTC by Joaquim Espinhara
      Last Updated: Mon May 29, 2017 01:37 PM UTC
      Owner: Dan Fandrich
      Attachments:


  • Marcus Meissner

    Marcus Meissner - 2017-07-25

    Same as bug 130.
    I applied this fix.

     
  • Joaquim Espinhara

    Cool! Well done.

     
  • Joaquim Espinhara

    Hi Marcus/others. Since the bug was fixed, do you mind closing the ticket and changing it from private to public?

     
  • Dan Fandrich

    Dan Fandrich - 2018-06-29
    • status: open --> closed-duplicate
    • assigned_to: Dan Fandrich --> Marcus Meissner
    • private: Yes --> No
    • Group: -->
     
