Re: iDEFENSE Security Advisory 12.21.04: libtiff STRIPOFFSETS Integer Overflow Vulnerability

Hi,

On Tue, Dec 21, 2004 at 05:09:30PM -0500, customer service mailbox wrote:
> libtiff STRIPOFFSETS Integer Overflow Vulnerability
>
> iDEFENSE Security Advisory 12.21.04
> www.idefense.com/application/poi/display?id=173&type=vulnerabilities
> December 21, 2004
>
> I. BACKGROUND
>
> libtiff provides support for the Tag Image File Format (TIFF), a widely 
> used format for storing image data.
>
> More information is available at the following site: 
> http://www.remotesensing.org/libtiff/
>
> II. DESCRIPTION
>
> Remote exploitation of an integer overflow in libtiff may allow for the 
> execution of arbitrary code.
>
> The overflow occurs in the parsing of TIFF files set with the 
> STRIPOFFSETS flag in libtiff/tif_dirread.c. In the TIFFFetchStripThing()
>
> function, the number of strips (nstrips) is used directly in a 
> CheckMalloc() routine without sanity checking. The call ultimately boils
>
> down to:
>
> malloc(user_supplied_int*size(int32));
>
> When supplied 0x40000000 as the user supplied integer, malloc is called 
> with a length argument of 0. This has the effect of returning the 
> smallest possible malloc chunk. A user controlled buffer is subsequently
>
> copied to that small heap buffer, causing a heap overflow.
>
> When exploited, it is possible to overwrite heap structures and seize 
> control of execution.
>
> III. ANALYSIS
>
> An attacker can exploit the above-described vulnerability to execute 
> arbitrary code under the permissions of the target user. Successful 
> exploitation requires that the attacker convince the end user to open 
> the malicious TIFF file using an application linked with a vulnerable 
> version of libtiff. Exploitation of this vulnerability against a remote 
> target is difficult because of the precision required in the attack.
>
> IV. DETECTION
>
> iDEFENSE has confirmed this vulnerability in libtiff 3.6.1. Changes were
>
> introduced in libtiff 3.7.0 that had the effect of fixing this 
> vulnerability.
>
> The following vendors provide susceptible libtiff packages within their 
> respective operating system distributions: 
>       
>       - Gentoo Linux 
>       - Fedora Linux 
>       - RedHat Linux 
>       - SuSE Linux 
>       - Debian Linux 
>
> V. WORKAROUND
>
> Only open TIFF files from trusted users.
>
> VI. VENDOR RESPONSE
>
> This issue is addressed in libtiff 3.7.0 and 3.7.1.
>
> VII. CVE INFORMATION
>
> A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
> been assigned yet.

I believe this issue is subset of CAN-2004-0886 which was fixed in the
middle of October.


-- 
ldv

pgpinWyFho3pL.pgp
Description: PGP signature