xloadimage buffer overflow.

To: <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: xloadimage buffer overflow.
From: "Ariel Berkman" <aberkm1@xxxxxxx>
Date: Wed, 5 Oct 2005 16:27:57 -0500
Importance: Normal
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Hi,

While creating a stripped down version of xloadimage, I have discovered
three buffer overflows in xloadimage when handling the image title name.

Unlike most of the supported image formats in xloadimage, the NIFF image
format can store a title name of arbitrary length as part of the image file.

When xloadimage is processing a loaded image, it is creating a new Image
object and then writing the processed image to it. At that point, it will
also copy the title from the old image to the newly created image.

The 'zoom', 'reduce', and 'rotate' functions are using a fixed length buffer
to construct the new title name when an image processing is done. Since the
title name in a NIFF format is of varying length, and there are insufficient
buffer size validations, the buffer can be overflowed.

A malicious user can construct a NIFF file that when viewed and processed
(with either zoom, reduce or rotate) by xloadimage, will cause the program
to overwrite the return address and execute arbitrary code.

Proof of concept for the 'zoom' image processing bug, tested on a x86
computer running Gentoo Linux:

emerge xloadimage
xloadimage -zoom 20 small.niff                  (small.niff is attached)

This will execute '/bin/sh'.

Note: some systems may have the (/proc/sys/kernel/)randomize_va_space option
enabled, which will cause the program to crash instead of executing /bin/sh
in most cases. Using a larger NIFF file (large.niff.gz [800KB unzipped]), it
is possible to execute arbitrary code even when the random address space
option is enabled (with about 33% success rate).

The 'reduce' and 'rotate' bugs are similar, but require a slightly different
NIFF file and different ( processing options.

The bugs are in :

zoom.c, zoom() writes an arbitrarily large buffer into a 8192 bytes sized
buffer buf[].

reduce.c, reduce() writes an arbitrarily large buffer into a 8192 bytes
sized buffer buf[].

rotate.c, rotate() writes an arbitrarily large buffer into a 8192 bytes
sized buffer buf[].

The bugs discussed above exist in the latest xloadimage package that Gentoo
provides (xloadimage.4.1-r3), and the latest xloadimage source package from
debian I could find (xloadimage_4.1-14.2). I haven't tested xloadimage
packages from other sources.

I emailed jimf@xxxxxxxxxxxxxx (the contact information on the help page)
more than two weeks ago, but since I've recieved no reply, I am announcing
it here.

Thanks,
Ariel Berkman.

Attachment: large.niff.gz
Description: GNU Zip compressed data

Attachment: small.niff
Description: Binary data

Prev by Date: Re: Opinion: Complete failure of Oracle security response and utter neglect of their responsibility to their customers
Next by Date: RE: Some new whitepapers ...
Previous by thread: [USN-194-1] texinfo vulnerability
Next by thread: [SECURITY] [DSA 846-1] New cpio packages fix several vulnerabilities
Index(es):
- Date
- Thread