CVE-2023-30774: heap-buffer-overflow in tiffcrop (#463) · Issues · libtiff / libtiff · GitLab
A vulnerability was found in the libtiff library. This flaw causes a heap buffer overflow issue via the TIFFTAG_INKNAMES and TIFFTAG_NUMBEROFINKS values.
Open Issue created Sep 15, 2022 by yuhanghuang@yuhanghuang
heap-buffer-overflow in tiffcrop
Summary
Hello, I used a fuzzer to test tiffcrop and found a heap-buffer-overflow, and the issue is different from issue #269 (closed), because I ran #269 (closed)'s PoC and it didn't trigger the crash. The details follow.
Version
latest version
Steps to reproduce
export CFLAGS="-fsanitize=address"
export CXXFLAGS="-fsanitize=address"
export CC=clang
export CXX=clang++
./autogen.sh
./configure
make
Platform
Ubuntu_18.04(docker) clang/clang++ 12.0.1
Bug
root@c511e4bf49bc:/tiffcrop# ./tiffcrop.prefuzz id\:000000\,sig\:06\,src\:000472\,op\:arith8\,pos\:86\,val\:-7\,135076762 dist2.tiff
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFFetchNormalTag: Warning, ASCII value for tag "InkNames" does not end in null byte. Forcing it to be null.
=================================================================
==1038141==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000b1 at pc 0x000000886974 bp 0x7ffc233257d0 sp 0x7ffc23324f80
READ of size 1 at 0x6020000000b1 thread T0
#0 0x886973 in __interceptor_strlen.part.36 /llvm/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:372
#1 0x451896 in writeCroppedImage (/tiffcrop/tiffcrop.prefuzz+0x451896)
#2 0x41e411 in main (/tiffcrop/tiffcrop.prefuzz+0x41e411)
#3 0x7fc80f6ddc86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
#4 0x407ad9 in _start (/tiffcrop/tiffcrop.prefuzz+0x407ad9)
0x6020000000b1 is located 0 bytes to the right of 1-byte region [0x6020000000b0,0x6020000000b1)
allocated by thread T0 here:
#0 0x8fb3a0 in malloc /llvm/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
#1 0x67d413 in _TIFFmalloc (/tiffcrop/tiffcrop.prefuzz+0x67d413)
#2 0x4c4299 in setByteArray (/tiffcrop/tiffcrop.prefuzz+0x4c4299)
#3 0x522bd8 in _TIFFsetNString (/tiffcrop/tiffcrop.prefuzz+0x522bd8)
#4 0x4e6bb6 in _TIFFVSetField (/tiffcrop/tiffcrop.prefuzz+0x4e6bb6)
#5 0x4c4c1d in TIFFVSetField (/tiffcrop/tiffcrop.prefuzz+0x4c4c1d)
#6 0x4c49b6 in TIFFSetField (/tiffcrop/tiffcrop.prefuzz+0x4c49b6)
#7 0x564952 in TIFFFetchNormalTag (/tiffcrop/tiffcrop.prefuzz+0x564952)
#8 0x53b5e4 in TIFFReadDirectory (/tiffcrop/tiffcrop.prefuzz+0x53b5e4)
#9 0x638ccb in TIFFClientOpen (/tiffcrop/tiffcrop.prefuzz+0x638ccb)
#10 0x679c1b in TIFFFdOpen (/tiffcrop/tiffcrop.prefuzz+0x679c1b)
#11 0x67d291 in TIFFOpen (/tiffcrop/tiffcrop.prefuzz+0x67d291)
#12 0x419d85 in main (/tiffcrop/tiffcrop.prefuzz+0x419d85)
#13 0x7fc80f6ddc86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
SUMMARY: AddressSanitizer: heap-buffer-overflow /llvm/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:372 in __interceptor_strlen.part.36
Shadow bytes around the buggy address:
0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff8000: fa fa 00 00 fa fa fd fa fa fa 02 fa fa fa fd fa
=>0x0c047fff8010: fa fa fd fa fa fa[01]fa fa fa fd fd fa fa 00 04
0x0c047fff8020: fa fa 04 fa fa fa 00 fa fa fa 00 fa fa fa 00 fa
0x0c047fff8030: fa fa fd fd fa fa 00 04 fa fa fd fd fa fa fd fa
0x0c047fff8040: fa fa 00 fa fa fa 04 fa fa fa 04 fa fa fa fd fa
0x0c047fff8050: fa fa 00 fa fa fa fd fa fa fa 00 fa fa fa 04 fa
0x0c047fff8060: fa fa 02 fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==1038141==ABORTING
POC
poc_tiffcrop.zip
id_000000_sig_06_src_000472_op_arith8_pos_86_val_-7_135076762 (/uploads/6d485afc5c383af6b1c0c0491fdc259f/id_000000_sig_06_src_000472_op_arith8_pos_86_val_-7_135076762)
Credit
Yuhang Huang (NCNIPC of China), Han Zheng (NCNIPC of China, Hexhive)
Thanks for your time!
Edited Sep 16, 2022 by yuhanghuang
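The trace above shows strlen called from writeCroppedImage reading one byte past a 1-byte InkNames allocation that TIFFFetchNormalTag created after forcing a missing terminator to NUL. The C example below is added for this page and is not libtiff's code; it models the pattern that trace implies: a NUL-separated InkNames buffer walked once per NumberOfInks with strchr/strlen, trusting the file's count, beside a bounded version that uses the byte count the directory reader already knows and rejects a NumberOfInks the data cannot satisfy. The function names `inknames_len_unsafe`, `inknames_len_checked`, `count_ink_names` and the constructed ink list `INKS` are this example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: four NUL-separated ink names, 26 bytes including
 * the terminating NUL of the last name. This is what a consistent
 * InkNames tag with NumberOfInks == 4 looks like in memory. */
static const char INKS[] = "Cyan\0Magenta\0Yellow\0Black";

/* Count the NUL-terminated names actually present in buf[0..len).
 * A trailing run of bytes with no terminator is not counted. */
static size_t count_ink_names(const char *buf, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (buf[i] == '\0')
            n++;
    return n;
}

/* Unsafe pattern (for contrast only, never call on inconsistent input):
 * walks `ninks` names using strchr/strlen and trusts the file-supplied
 * count. When ninks exceeds the names present, cp steps one past the final
 * NUL and strlen reads beyond the allocation. With a 1-byte buffer "\0"
 * and ninks >= 2 that is exactly the READ of size 1 at offset 1 in the
 * ASan report above. Returns the byte length it would copy. */
static size_t inknames_len_unsafe(const char *inknames, unsigned ninks)
{
    size_t total = strlen(inknames) + 1;
    const char *cp = inknames;
    while (ninks > 1) {
        cp = strchr(cp, '\0');
        if (cp) {
            cp++;                       /* may now point at end of buffer */
            total += strlen(cp) + 1;    /* out-of-bounds read in that case */
        }
        ninks--;
    }
    return total;
}

/* Hardened version: every step is bounded by buflen, the tag's byte count,
 * and each name must be terminated inside the buffer. Returns the number
 * of bytes holding `ninks` complete names, or -1 when the file's
 * NumberOfInks disagrees with the InkNames data. */
static long inknames_len_checked(const char *inknames, size_t buflen,
                                 unsigned ninks)
{
    size_t off = 0;
    for (unsigned i = 0; i < ninks; i++) {
        if (off >= buflen)
            return -1;                  /* count exceeds names present */
        const char *nul = memchr(inknames + off, '\0', buflen - off);
        if (nul == NULL)
            return -1;                  /* name runs off the end of the tag */
        off = (size_t)(nul - inknames) + 1;
    }
    return (long)off;
}

int main(void)
{
    printf("names present: %zu\n", count_ink_names(INKS, sizeof INKS));
    printf("consistent, ninks=4: unsafe=%zu checked=%ld\n",
           inknames_len_unsafe(INKS, 4),
           inknames_len_checked(INKS, sizeof INKS, 4));
    /* The crash shape from the report: a 1-byte InkNames buffer and a
     * NumberOfInks of 2. Only the checked walk is safe to run here. */
    printf("1-byte buffer, ninks=2: checked=%ld\n",
           inknames_len_checked("", 1, 2));
    return 0;
}
```

The checked walk needs the tag's byte count, which the directory reader has when it stores the tag; the unsafe walk only has a pointer, so it has no way to stop once the count and the data disagree. That is the shape of the bug class: a length derived from one file-controlled field used to index data sized by another.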
Related news
Apple Security Advisory 10-25-2023-4 - macOS Sonoma 14.1 addresses bypass, code execution, spoofing, and use-after-free vulnerabilities.
An update for libtiff is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-3570: A heap-based buffer overflow flaw was found in Libtiff's tiffcrop utility. This issue occurs during the conversion of a TIFF image file, allowing an attacker to pass a crafted TIFF image file to tiffcrop utility, which causes an out-of-bound access resulting an application crash, eventually leading to a denial of service. * CVE-2022-3597: An out-o...