Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2017-17669: CVE-2017-17669: heap-buffer-overflow in Exiv2::Internal::PngChunk::keyTXTChunk · Issue #187 · Exiv2/exiv2

There is a heap-based buffer over-read in the Exiv2::Internal::PngChunk::keyTXTChunk function of pngchunk_int.cpp in Exiv2 0.26. A crafted PNG file will lead to a remote denial of service attack.

CVE
Open in Source
#vulnerability#dos#git#c++#auth

Description

There is a heap-buffer-overflow vulnerability in Exiv2.

The command is: ./exiv2 POC

Stack trace with asan:

==2826==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000edb9 at pc 0x7f7c43e7a77a bp 0x7ffe0d1d6df0 sp 0x7ffe0d1d6de8
READ of size 1 at 0x60300000edb9 thread T0
    #0 0x7f7c43e7a779 in Exiv2::Internal::PngChunk::keyTXTChunk(Exiv2::DataBuf const&, bool) /home/rg/fuzz_project/exiv2/exiv2_test/exiv2_github_1210/src/pngchunk_int.cpp:111:17
    #1 0x7f7c43e7a000 in Exiv2::Internal::PngChunk::decodeTXTChunk(Exiv2::Image*, Exiv2::DataBuf const&, Exiv2::Internal::PngChunk::TxtChunkType) /home/rg/fuzz_project/exiv2/exiv2_test/exiv2_github_1210/src/pngchunk_int.cpp:78:23
    #2 0x7f7c43d3ff3b in Exiv2::PngImage::readMetadata() /home/rg/fuzz_project/exiv2/exiv2_test/exiv2_github_1210/src/pngimage.cpp:445:21
    #3 0x52f84c in Action::Print::printSummary() /home/rg/fuzz_project/exiv2/exiv2_test/exiv2_github_1210/src/actions.cpp:288:9
    #4 0x52e389 in Action::Print::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/rg/fuzz_project/exiv2/exiv2_test/exiv2_github_1210/src/actions.cpp:240:44
    #5 0x509598 in main /home/rg/fuzz_project/exiv2/exiv2_test/exiv2_github_1210/src/exiv2.cpp:166:19
    #6 0x7f7c422e082f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
    #7 0x4347b8 in _start (/home/rg/fuzz_project/exiv2/exiv2_test/exiv2_github_1210/build_clang_with_sym/bin/exiv2+0x4347b8)

0x60300000edb9 is located 0 bytes to the right of 25-byte region [0x60300000eda0,0x60300000edb9)
allocated by thread T0 here:
    #0 0x506030 in operator new[](unsigned long) (/home/rg/fuzz_project/exiv2/exiv2_test/exiv2_github_1210/build_clang_with_sym/bin/exiv2+0x506030)
    #1 0x55b31f in Exiv2::DataBuf::DataBuf(long) /home/rg/fuzz_project/exiv2/exiv2_test/exiv2_github_1210/include/exiv2/types.hpp:206:46
    #2 0x7f7c43d3fb50 in Exiv2::PngImage::readMetadata() /home/rg/fuzz_project/exiv2/exiv2_test/exiv2_github_1210/src/pngimage.cpp:420:25
    #3 0x52f84c in Action::Print::printSummary() /home/rg/fuzz_project/exiv2/exiv2_test/exiv2_github_1210/src/actions.cpp:288:9
    #4 0x52e389 in Action::Print::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/rg/fuzz_project/exiv2/exiv2_test/exiv2_github_1210/src/actions.cpp:240:44
    #5 0x509598 in main /home/rg/fuzz_project/exiv2/exiv2_test/exiv2_github_1210/src/exiv2.cpp:166:19
    #6 0x7f7c422e082f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/rg/fuzz_project/exiv2/exiv2_test/exiv2_github_1210/src/pngchunk_int.cpp:111:17 in Exiv2::Internal::PngChunk::keyTXTChunk(Exiv2::DataBuf const&, bool)
Shadow bytes around the buggy address:
  0x0c067fff9d60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9d70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c067fff9db0: fa fa fa fa 00 00 00[01]fa fa 00 00 00 fa fa fa
  0x0c067fff9dc0: 00 00 00 00 fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c067fff9dd0: fa fa fd fd fd fa fa fa 00 00 02 fa fa fa 00 00
  0x0c067fff9de0: 02 fa fa fa 00 00 02 fa fa fa 00 00 02 fa fa fa
  0x0c067fff9df0: 00 00 00 fa fa fa 00 00 00 01 fa fa 00 00 00 fa
  0x0c067fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2826==ABORTING

PoC

PoC https://github.com/Young-X/pocs/blob/master/Exiv2/issue_187

Author

Credit to Young_X@VARAS, IIE

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE