You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
a bug results to segment fault in Exiv2::Internal::stringFormat, and it maybe a string format vulnerability which could be exploited.
the debug info as follows:
Breakpoint 1, Exiv2::Internal::stringFormat (format=0x7ffff78a1879 "%8ld | 0xff%02x %-5s") at image.cpp:1013
1013 rc = vsnprintf(&buffer[0], buffer.size(), format, args);
gdb-peda$ n
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x7fffffffd540 --> 0x7ffffbad8001
RCX: 0xffffffffffffffff
RDX: 0x28 ('(')
RSI: 0x7fffffe8
RDI: 0x1000000000000
RBP: 0x7fffffffd530 --> 0x644b70 (" 63 | 0xfffffff")
RSP: 0x7fffffffcf50 --> 0x0
RIP: 0x7ffff6d06943 (<_IO_vfprintf_internal+7427>: repnz scas al,BYTE PTR es:[rdi])
R8 : 0x7fffffff
R9 : 0x7ffff7fe3780 (0x00007ffff7fe3780)
R10: 0x7ffff707bfe0 --> 0x0
R11: 0x0
R12: 0x7ffff6d08f69 (<_IO_vfprintf_internal+17193>: cmp BYTE PTR [rbp-0x508],0x0)
R13: 0x1000000000000
R14: 0x7ffff78a1879 ("%8ld | 0xff%02x %-5s")
R15: 0x7fffffffd6e0 --> 0x3000000028 ('(')
EFLAGS: 0x10286 (carry PARITY adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x7ffff6d0693a <_IO_vfprintf_internal+7418>: xor eax,eax
0x7ffff6d0693c <_IO_vfprintf_internal+7420>: or rcx,0xffffffffffffffff
0x7ffff6d06940 <_IO_vfprintf_internal+7424>: mov rdi,r13
=> 0x7ffff6d06943 <_IO_vfprintf_internal+7427>: repnz scas al,BYTE PTR es:[rdi]
0x7ffff6d06945 <_IO_vfprintf_internal+7429>: mov DWORD PTR [rbp-0x508],0x0
0x7ffff6d0694f <_IO_vfprintf_internal+7439>: mov rsi,rcx
0x7ffff6d06952 <_IO_vfprintf_internal+7442>: not rsi
0x7ffff6d06955 <_IO_vfprintf_internal+7445>: lea r10,[rsi-0x1]
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffcf50 --> 0x0
0008| 0x7fffffffcf58 --> 0x0
0016| 0x7fffffffcf60 --> 0x0
0024| 0x7fffffffcf68 --> 0x0
0032| 0x7fffffffcf70 --> 0x0
0040| 0x7fffffffcf78 --> 0x0
0048| 0x7fffffffcf80 --> 0x7fffffffd0b0 --> 0xffffffffffffffff
0056| 0x7fffffffcf88 --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00007ffff6d06943 in _IO_vfprintf_internal (s=s@entry=0x7fffffffd540, format=, format@entry=0x7ffff78a1879 "%8ld | 0xff%02x %-5s", ap=ap@entry=0x7fffffffd6e0) at vfprintf.c:1661
1661 vfprintf.c: No such file or directory.
gdb-peda$ bt
#0 0x00007ffff6d06943 in _IO_vfprintf_internal (s=s@entry=0x7fffffffd540, format=, format@entry=0x7ffff78a1879 "%8ld | 0xff%02x %-5s", ap=ap@entry=0x7fffffffd6e0) at vfprintf.c:1661 #1 0x00007ffff6d2d499 in _IO_vsnprintf (string=0x644b70 " 63 | 0xfffffff", maxlen=, format=0x7ffff78a1879 "%8ld | 0xff%02x %-5s", args=0x7fffffffd6e0) at vsnprintf.c:119 #2 0x00007ffff778247d in Exiv2::Internal::stringFormat (format=0x7ffff78a1879 "%8ld | 0xff%02x %-5s") at image.cpp:1013 #3 0x00007ffff77966e9 in Exiv2::JpegBase::printStructure (this=0x644a60, out=..., option=Exiv2::kpsBasic, depth=0x0) at jpgimage.cpp:787 #4 0x000000000041cafe in Action::Print::printStructure (this=0x6447e0, out=..., option=Exiv2::kpsBasic) at actions.cpp:283 #5 0x000000000041c87b in Action::Print::run (this=0x6447e0, path="/data/xqx/projects/docker-fuzz/testcases/pics/exiv2/1-poc.jpg") at actions.cpp:246 #6 0x000000000040e337 in main (argc=0x3, argv=0x7fffffffe4b8) at exiv2.cpp:166 #7 0x00007ffff6cdcf45 in __libc_start_main (main=0x40e07e <main(int, char* const*)>, argc=0x3, argv=0x7fffffffe4b8, init=, fini=, rtld_fini=, stack_end=0x7fffffffe4a8) at libc-start.c:287 #8 0x000000000040dfb9 in _start ()
Thank you very much for the report! I have a identified the issue, it is an out of bounds read and not a string format vulnerability. It can be fixed with the following patch:
a bug results to segment fault in Exiv2::Internal::stringFormat, and it maybe a string format vulnerability which could be exploited.
the debug info as follows:
Breakpoint 1, Exiv2::Internal::stringFormat (format=0x7ffff78a1879 "%8ld | 0xff%02x %-5s") at image.cpp:1013
1013 rc = vsnprintf(&buffer[0], buffer.size(), format, args);
gdb-peda$ n
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x7fffffffd540 --> 0x7ffffbad8001
RCX: 0xffffffffffffffff
RDX: 0x28 ('(')
RSI: 0x7fffffe8
RDI: 0x1000000000000
RBP: 0x7fffffffd530 --> 0x644b70 (" 63 | 0xfffffff")
RSP: 0x7fffffffcf50 --> 0x0
RIP: 0x7ffff6d06943 (<_IO_vfprintf_internal+7427>: repnz scas al,BYTE PTR es:[rdi])
R8 : 0x7fffffff
R9 : 0x7ffff7fe3780 (0x00007ffff7fe3780)
R10: 0x7ffff707bfe0 --> 0x0
R11: 0x0
R12: 0x7ffff6d08f69 (<_IO_vfprintf_internal+17193>: cmp BYTE PTR [rbp-0x508],0x0)
R13: 0x1000000000000
R14: 0x7ffff78a1879 ("%8ld | 0xff%02x %-5s")
R15: 0x7fffffffd6e0 --> 0x3000000028 ('(')
EFLAGS: 0x10286 (carry PARITY adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x7ffff6d0693a <_IO_vfprintf_internal+7418>: xor eax,eax
0x7ffff6d0693c <_IO_vfprintf_internal+7420>: or rcx,0xffffffffffffffff
0x7ffff6d06940 <_IO_vfprintf_internal+7424>: mov rdi,r13
=> 0x7ffff6d06943 <_IO_vfprintf_internal+7427>: repnz scas al,BYTE PTR es:[rdi]
0x7ffff6d06945 <_IO_vfprintf_internal+7429>: mov DWORD PTR [rbp-0x508],0x0
0x7ffff6d0694f <_IO_vfprintf_internal+7439>: mov rsi,rcx
0x7ffff6d06952 <_IO_vfprintf_internal+7442>: not rsi
0x7ffff6d06955 <_IO_vfprintf_internal+7445>: lea r10,[rsi-0x1]
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffcf50 --> 0x0
0008| 0x7fffffffcf58 --> 0x0
0016| 0x7fffffffcf60 --> 0x0
0024| 0x7fffffffcf68 --> 0x0
0032| 0x7fffffffcf70 --> 0x0
0040| 0x7fffffffcf78 --> 0x0
0048| 0x7fffffffcf80 --> 0x7fffffffd0b0 --> 0xffffffffffffffff
0056| 0x7fffffffcf88 --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00007ffff6d06943 in _IO_vfprintf_internal (s=s@entry=0x7fffffffd540, format=, format@entry=0x7ffff78a1879 "%8ld | 0xff%02x %-5s", ap=ap@entry=0x7fffffffd6e0) at vfprintf.c:1661
1661 vfprintf.c: No such file or directory.
gdb-peda$ bt
#0 0x00007ffff6d06943 in _IO_vfprintf_internal (s=s@entry=0x7fffffffd540, format=, format@entry=0x7ffff78a1879 "%8ld | 0xff%02x %-5s", ap=ap@entry=0x7fffffffd6e0) at vfprintf.c:1661
#1 0x00007ffff6d2d499 in _IO_vsnprintf (string=0x644b70 " 63 | 0xfffffff", maxlen=, format=0x7ffff78a1879 "%8ld | 0xff%02x %-5s", args=0x7fffffffd6e0) at vsnprintf.c:119
#2 0x00007ffff778247d in Exiv2::Internal::stringFormat (format=0x7ffff78a1879 "%8ld | 0xff%02x %-5s") at image.cpp:1013
#3 0x00007ffff77966e9 in Exiv2::JpegBase::printStructure (this=0x644a60, out=..., option=Exiv2::kpsBasic, depth=0x0) at jpgimage.cpp:787
#4 0x000000000041cafe in Action::Print::printStructure (this=0x6447e0, out=..., option=Exiv2::kpsBasic) at actions.cpp:283
#5 0x000000000041c87b in Action::Print::run (this=0x6447e0, path="/data/xqx/projects/docker-fuzz/testcases/pics/exiv2/1-poc.jpg") at actions.cpp:246
#6 0x000000000040e337 in main (argc=0x3, argv=0x7fffffffe4b8) at exiv2.cpp:166
#7 0x00007ffff6cdcf45 in __libc_start_main (main=0x40e07e <main(int, char* const*)>, argc=0x3, argv=0x7fffffffe4b8, init=, fini=, rtld_fini=, stack_end=0x7fffffffe4a8) at libc-start.c:287
#8 0x000000000040dfb9 in _start ()
=========================================
the bug trigger commandline is : ./bin/.libs/lt-exiv2 -pS $POC
please ref the following url for the poc:
https://github.com/xiaoqx/pocs/blob/master/exiv2/1-string-format.jpg
The text was updated successfully, but these errors were encountered: