Headline
CVE-2021-27815: NullPointer in actions.c:701:7 · Issue #4 · libexif/exif
NULL Pointer Deference in the exif command line tool, when printing out XML formatted EXIF data, in exif v0.6.22 and earlier allows attackers to cause a Denial of Service (DoS) by uploading a malicious JPEG file, causing the application to crash.
Project: exif
system: ubuntu 20.04
Fuzzer: afl_exif_out_xml
poc.zip
Command:
asan
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3675403==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000004cd901 bp 0x7ffd419c2ce0 sp 0x7ffd419c2300 T0)
==3675403==The signal is caused by a WRITE memory access.
==3675403==Hint: address points to the zero page.
#0 0x4cd901 in escape_xml /home/hx_server/target/libexif/ASAN_exif/exif/actions.c:701:7
#1 0x4cd48a in show_entry_xml /home/hx_server/target/libexif/ASAN_exif/exif/actions.c:723:26
#2 0x7f0f5af7fedd in exif_content_foreach_entry /home/hx_server/target/libexif/libexif/exif-content.c:225:3
#3 0x7f0f5af85b71 in exif_data_foreach_content /home/hx_server/target/libexif/libexif/exif-data.c:1168:3
#4 0x4cc512 in action_tag_list_xml /home/hx_server/target/libexif/ASAN_exif/exif/actions.c:745:3
#5 0x4cf155 in main /home/hx_server/target/libexif/ASAN_exif/exif/main.c:474:4
#6 0x7f0f5ad430b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#7 0x41d7cd in _start (/home/hx_server/target/libexif/ASAN_exif/exif/exif+0x41d7cd)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/hx_server/target/libexif/ASAN_exif/exif/actions.c:701:7 in escape_xml
==3675403==ABORTING
gdb
Program received signal SIGSEGV, Segmentation fault.
0x00000000004cd901 in escape_xml (text=<optimized out>) at actions.c:701
701 *out = '\x0'; /* NUL terminate the string */
[ Legend: Modified register | Code | Heap | Stack | String ]
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
$rax : 0x0
$rbx : 0x0
$rcx : 0x40
$rdx : 0x0
$rsp : 0x00007fffffffcc20 → 0x00007fffffffd560 → 0x0000000000000000
$rbp : 0x00007fffffffd600 → 0x00007fffffffd760 → 0x00007fffffffe240 → 0x0000000000000000
$rsi : 0x0000603000000340 → 0x34030000dc000000
$rdi : 0x00007fffffffcc60 → 0x0000000000000000
$rip : 0x00000000004cd901 → <escape_xml+737> mov BYTE PTR [rbx], 0x0
$r8 : 0x11
$r9 : 0xffffefff80008678
$r10 : 0x00007ffff7df7e56 → 0x007970636e727473 ("strncpy"?)
$r11 : 0x0000000000482650 → <strncpy+0> push rbp
$r12 : 0x00007fffffffd0e0 → "Manufacturer"
$r13 : 0x0000000000515888 → 0x00007ffff7d916a0 → 0x00000000fbad2a84 → 0x0000000000000000
$r14 : 0x00007fffffffcc60 → 0x0000000000000000
$r15 : 0x00000ffffffff988 → 0x0000000000000000
$eflags: [ZERO carry PARITY adjust sign trap INTERRUPT direction overflow RESUME virtualx86 identification]
$cs: 0x0033 $ss: 0x002b $ds: 0x0000 $es: 0x0000 $fs: 0x0000 $gs: 0x0000
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
0x00007fffffffcc20│+0x0000: 0x00007fffffffd560 → 0x0000000000000000 ← $rsp
0x00007fffffffcc28│+0x0008: 0x00007ffff7d916a0 → 0x00000000fbad2a84 → 0x0000000000000000
0x00007fffffffcc30│+0x0010: 0x00000ffffffff988 → 0x0000000000000000
0x00007fffffffcc38│+0x0018: 0x00000000004cd48b → <show_entry_xml+1131> mov rdi, rax
0x00007fffffffcc40│+0x0020: 0x0000000041b58ab3
0x00007fffffffcc48│+0x0028: 0x00000000004eb372 → "2 32 1024 5 v:709 1184 1024 5 t:709"
0x00007fffffffcc50│+0x0030: 0x00000000004cd020 → <show_entry_xml+0> lea rsp, [rsp-0x98]
0x00007fffffffcc58│+0x0038: 0x0000619000000980 → 0x0000000000000000
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────
0x4cd8f7 <escape_xml+727> mov al, BYTE PTR [rax+0x7fff8000]
0x4cd8fd <escape_xml+733> test al, al
0x4cd8ff <escape_xml+735> jne 0x4cd950 <escape_xml+816>
→ 0x4cd901 <escape_xml+737> mov BYTE PTR [rbx], 0x0
0x4cd904 <escape_xml+740> mov rax, QWORD PTR [rip+0x8edd15] # 0xdbb620 <escape_xml.escaped>
0x4cd90b <escape_xml+747> jmp 0x4cd934 <escape_xml+788>
0x4cd90d <escape_xml+749> mov rdi, QWORD PTR [rip+0x8edd0c] # 0xdbb620 <escape_xml.escaped>
0x4cd914 <escape_xml+756> call 0x495c10 <free>
0x4cd919 <escape_xml+761> mov QWORD PTR [rip+0x8edcfc], 0x0 # 0xdbb620 <escape_xml.escaped>
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────── source:actions.c+701 ────
696 default:
697 *out = *text;
698 break;
699 }
700 }
→ 701 *out = '\x0'; /* NUL terminate the string */
702 return escaped;
703 }
704
705 static void
706 show_entry_xml (ExifEntry *e, void *data)
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "exif", stopped 0x4cd901 in escape_xml (), reason: SIGSEGV
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
[#0] 0x4cd901 → escape_xml(text=<optimized out>)
[#1] 0x4cd48b → show_entry_xml(e=<optimized out>, data=<optimized out>)
[#2] 0x7ffff7e08ede → exif_content_foreach_entry(content=0x603000000160, func=0x4cd020 <show_entry_xml>, data=0x7fffffffd68c)
[#3] 0x7ffff7e0eb72 → exif_data_foreach_content(data=0x6060000021e0, func=0x0, user_data=0x7fffffffd68c)
[#4] 0x4cc513 → action_tag_list_xml(ed=0x7fffffffcc60, p={
tag = 65535,
ifd = EXIF_IFD_COUNT,
machine_readable = 0x0,
use_ids = 0x0,
width = 0x50,
fin = 0x602000000250 "poc.jpeg",
set_value = 0x0,
set_thumb = 0x0
})
[#5] 0x4cf156 → main(argc=<optimized out>, argv=<optimized out>)
HX from Topsec alpha Security Team
Related news
Gentoo Linux Security Advisory 202210-28
Gentoo Linux Security Advisory 202210-28 - A vulnerability has been discovered in exif which could result in denial of service. Versions less than 0.6.22 are affected.