<<< Date Index >>>     <<< Thread Index >>>

Re: iDEFENSE Security Advisory 12.21.04: libtiff STRIPOFFSETS Integer Overflow Vulnerability



Hi,

On Tue, Dec 21, 2004 at 05:09:30PM -0500, customer service mailbox wrote:
> libtiff STRIPOFFSETS Integer Overflow Vulnerability
> 
> iDEFENSE Security Advisory 12.21.04
> www.idefense.com/application/poi/display?id=173&type=vulnerabilities
> December 21, 2004
> 
> I. BACKGROUND
> 
> libtiff provides support for the Tag Image File Format (TIFF), a widely 
> used format for storing image data.
> 
> More information is available at the following site: 
> http://www.remotesensing.org/libtiff/
> 
> II. DESCRIPTION
> 
> Remote exploitation of an integer overflow in libtiff may allow for the 
> execution of arbitrary code.
> 
> The overflow occurs in the parsing of TIFF files set with the 
> STRIPOFFSETS flag in libtiff/tif_dirread.c. In the TIFFFetchStripThing()
> 
> function, the number of strips (nstrips) is used directly in a 
> CheckMalloc() routine without sanity checking. The call ultimately boils
> 
> down to:
> 
> malloc(user_supplied_int*size(int32));
> 
> When supplied 0x40000000 as the user supplied integer, malloc is called 
> with a length argument of 0. This has the effect of returning the 
> smallest possible malloc chunk. A user controlled buffer is subsequently
> 
> copied to that small heap buffer, causing a heap overflow.
> 
> When exploited, it is possible to overwrite heap structures and seize 
> control of execution.
> 
> III. ANALYSIS
> 
> An attacker can exploit the above-described vulnerability to execute 
> arbitrary code under the permissions of the target user. Successful 
> exploitation requires that the attacker convince the end user to open 
> the malicious TIFF file using an application linked with a vulnerable 
> version of libtiff. Exploitation of this vulnerability against a remote 
> target is difficult because of the precision required in the attack.
> 
> IV. DETECTION
> 
> iDEFENSE has confirmed this vulnerability in libtiff 3.6.1. Changes were
> 
> introduced in libtiff 3.7.0 that had the effect of fixing this 
> vulnerability.
> 
> The following vendors provide susceptible libtiff packages within their 
> respective operating system distributions: 
>       
>       - Gentoo Linux 
>       - Fedora Linux 
>       - RedHat Linux 
>       - SuSE Linux 
>       - Debian Linux 
> 
> V. WORKAROUND
> 
> Only open TIFF files from trusted users.
> 
> VI. VENDOR RESPONSE
> 
> This issue is addressed in libtiff 3.7.0 and 3.7.1.
> 
> VII. CVE INFORMATION
> 
> A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
> been assigned yet.

I believe this issue is subset of CAN-2004-0886 which was fixed in the
middle of October.


-- 
ldv

Attachment: pgpynF88RHbTx.pgp
Description: PGP signature