[37877] in bugtraq
Re: iDEFENSE Security Advisory 12.21.04: libtiff STRIPOFFSETS Integer Overflow Vulnerability
daemon@ATHENA.MIT.EDU (Dmitry V. Levin)
Wed Dec 22 12:57:12 2004
Date: Wed, 22 Dec 2004 14:45:45 +0300
From: "Dmitry V. Levin" <ldv@altlinux.org>
To: customer service mailbox <customerservice@idefense.com>
Cc: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org
Message-ID: <20041222114545.GA32767@basalt.office.altlinux.org>
Mail-Followup-To: customer service mailbox <customerservice@idefense.com>,
bugtraq@securityfocus.com, vulnwatch@vulnwatch.org
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature"; boundary="gKMricLos+KVdGMg"
Content-Disposition: inline
In-Reply-To: <1CE07882ECEE894CA2D5A89B8DEBC4010A2DE4@porgy.admin.idefense.com>
Hi,
On Tue, Dec 21, 2004 at 05:09:30PM -0500, customer service mailbox wrote:
> libtiff STRIPOFFSETS Integer Overflow Vulnerability
>
> iDEFENSE Security Advisory 12.21.04
> www.idefense.com/application/poi/display?id=173&type=vulnerabilities
> December 21, 2004
>
> I. BACKGROUND
>
> libtiff provides support for the Tag Image File Format (TIFF), a widely
> used format for storing image data.
>
> More information is available at the following site:
> http://www.remotesensing.org/libtiff/
>
> II. DESCRIPTION
>
> Remote exploitation of an integer overflow in libtiff may allow for the
> execution of arbitrary code.
>
> The overflow occurs in the parsing of TIFF files set with the
> STRIPOFFSETS flag in libtiff/tif_dirread.c. In the TIFFFetchStripThing()
> function, the number of strips (nstrips) is used directly in a
> CheckMalloc() routine without sanity checking. The call ultimately boils
> down to:
>
> malloc(user_supplied_int*size(int32));
>
> When supplied 0x40000000 as the user supplied integer, malloc is called
> with a length argument of 0. This has the effect of returning the
> smallest possible malloc chunk. A user controlled buffer is subsequently
> copied to that small heap buffer, causing a heap overflow.
>
> When exploited, it is possible to overwrite heap structures and seize
> control of execution.
>
> III. ANALYSIS
>
> An attacker can exploit the above-described vulnerability to execute
> arbitrary code under the permissions of the target user. Successful
> exploitation requires that the attacker convince the end user to open
> the malicious TIFF file using an application linked with a vulnerable
> version of libtiff. Exploitation of this vulnerability against a remote
> target is difficult because of the precision required in the attack.
>
> IV. DETECTION
>
> iDEFENSE has confirmed this vulnerability in libtiff 3.6.1. Changes were
> introduced in libtiff 3.7.0 that had the effect of fixing this
> vulnerability.
>
> The following vendors provide susceptible libtiff packages within their
> respective operating system distributions:
>
> - Gentoo Linux
> - Fedora Linux
> - RedHat Linux
> - SuSE Linux
> - Debian Linux
>
> V. WORKAROUND
>
> Only open TIFF files from trusted users.
>
> VI. VENDOR RESPONSE
>
> This issue is addressed in libtiff 3.7.0 and 3.7.1.
>
> VII. CVE INFORMATION
>
> A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
> been assigned yet.
I believe this issue is a subset of CAN-2004-0886, which was fixed in the
middle of October.
--
ldv
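The size computation the quoted advisory describes, written out as an added example (mine, not code from the advisory, from iDEFENSE or from libtiff): the unchecked product `nstrips * sizeof(int32)` beside an overflow-checked replacement that refuses the request before it reaches malloc. The function names are hypothetical, the 32-bit size type is an assumption modelling the libtiff of that era, and the strip counts fed to it are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Added example, not libtiff code. The advisory says the byte count was
 * computed as nstrips * sizeof(int32) with no sanity check; libtiff of
 * that era used a 32-bit size type, so the product is evaluated here in
 * uint32_t arithmetic on purpose (an assumption, modelled for illustration).
 * For nstrips == 0x40000000 the product wraps to 0, the malloc(0) the
 * advisory mentions.
 */
uint32_t unchecked_alloc_size(uint32_t nstrips)
{
    return nstrips * (uint32_t)sizeof(uint32_t);
}

/*
 * Hardened form: compute nmemb * elem_size only after proving the product
 * fits in the 32-bit size type. Returns 1 and stores the byte count on
 * success, 0 when the request is empty or would wrap.
 */
int checked_alloc_size(uint32_t nmemb, uint32_t elem_size, uint32_t *out_bytes)
{
    if (nmemb == 0 || elem_size == 0)
        return 0;                        /* nothing sensible to allocate */
    if (nmemb > UINT32_MAX / elem_size)
        return 0;                        /* product would exceed UINT32_MAX */
    *out_bytes = nmemb * elem_size;
    return 1;
}

/* Byte count for a strip-offset array of nstrips entries, or 0 if rejected. */
uint32_t safe_alloc_size(uint32_t nstrips)
{
    uint32_t bytes;
    return checked_alloc_size(nstrips, (uint32_t)sizeof(uint32_t), &bytes) ? bytes : 0;
}

/*
 * Guarded allocation of the strip-offset array (hypothetical helper name).
 * Returns NULL instead of handing a wrapped size to malloc, so a caller
 * that later copies nstrips entries into it can never get the tiny chunk
 * the advisory describes.
 */
uint32_t *alloc_strip_offsets(uint32_t nstrips)
{
    uint32_t bytes;
    if (!checked_alloc_size(nstrips, (uint32_t)sizeof(uint32_t), &bytes))
        return NULL;
    return (uint32_t *)malloc(bytes);
}

int main(void)
{
    /* Constructed strip counts: a normal image, the advisory's 0x40000000,
     * and an all-ones count that also wraps. */
    const uint32_t counts[] = { 16u, 0x40000000u, 0xFFFFFFFFu };
    for (size_t i = 0; i < sizeof counts / sizeof counts[0]; i++) {
        uint32_t n = counts[i];
        uint32_t *p = alloc_strip_offsets(n);
        printf("nstrips=0x%08x unchecked=%u checked=%s\n",
               n, unchecked_alloc_size(n), p ? "ok" : "rejected");
        free(p);
    }
    return 0;
}
```

Build with any C99 compiler (`cc -std=c99 -Wall strips.c`). The division-based check is the portable way to test a product for overflow without relying on compiler builtins; the only subtlety is the `elem_size == 0` guard, which keeps the division itself well defined.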