
uncontrolled recursion loop in Exiv2::Image::printTiffStructure() #711

Closed
SegfaultMasters opened this Issue Feb 21, 2019 · 2 comments

Comments

Projects
None yet
3 participants
@SegfaultMasters
Copy link

SegfaultMasters commented Feb 21, 2019

Description - During our research, we observed an infinite uncontrolled recursion loop in function Exiv2::Image::printTiffStructure in file image.cpp. It allows an attacker to cause a Denial of Service or possibly have unspecified other impact.
Command - exiv2 -b -u -k -p R pr $POC
POC - REPRODUCER
Debug - GDB:

```
84    ../sysdeps/unix/syscall-template.S: No such file or directory.
[ Legend: Modified register | Code | Heap | Stack | String ]
──────────────────────────────────────────────────── registers ────
$rax   : 0x49
$rbx   : 0x4a
$rcx   : 0x00007ffff5c172c0  →  <__write_nocancel+7> cmp rax, 0xfffffffffffff001
$rdx   : 0x4a
$rsp   : 0x00007fffffffd338  →  0x00007ffff5b98bff  →  <_IO_file_write+143> test rax, rax
$rbp   : 0x0000619000001480  →  "STRUCTURE OF TIFF FILE (II): id:000000,src:000553+[...]"
$rsi   : 0x0000619000001480  →  "STRUCTURE OF TIFF FILE (II): id:000000,src:000553+[...]"
$rdi   : 0x1
$rip   : 0x00007ffff5c172c0  →  <__write_nocancel+7> cmp rax, 0xfffffffffffff001
$r8    : 0x00007ffff5ee6780  →  0x0000000100000001  →  0x0000000000000000
$r9    : 0x00007ffff7fd1780  →  0x00007ffff7fd1780  →  [loop detected]
$r10   : 0x733a706f2c333132 ("213,op:s"?)
$r11   : 0x246
$r12   : 0x4a
$r13   : 0x1
$r14   : 0x00007ffff5ee5620  →  0x00000000fbad2a84  →  0x0000000000000000
$r15   : 0x00007fffffffdb20  →  0x0000000041b58ab3
$eflags: [carry PARITY adjust ZERO sign trap INTERRUPT direction overflow resume virtualx86 identification]
$cs: 0x0033 $ss: 0x002b $ds: 0x0000 $es: 0x0000 $fs: 0x0000 $gs: 0x0000
──────────────────────────────────────────────────────── stack ────
0x00007fffffffd338│+0x0000: 0x00007ffff5b98bff  →  <_IO_file_write+143> test rax, rax     ← $rsp
0x00007fffffffd340│+0x0008: 0x00007ffff5ee5620  →  0x00000000fbad2a84  →  0x0000000000000000
0x00007fffffffd348│+0x0010: 0x000000000000004a ("J"?)
0x00007fffffffd350│+0x0018: 0x0000619000001480  →  "STRUCTURE OF TIFF FILE (II): id:000000,src:000553+[...]"
0x00007fffffffd358│+0x0020: 0x00007fffffffd530  →  0x0000000041b58ab3
0x00007fffffffd360│+0x0028: 0x00007fffffffd960  →  0x0000000041b58ab3
0x00007fffffffd368│+0x0030: 0x00007ffff5b9a409  →  <_IO_do_write+121> mov r13, rax
0x00007fffffffd370│+0x0038: 0x00007fffffffdb20  →  0x0000000041b58ab3
──────────────────────────────────────────────── code:x86:64 ────
   0x7ffff5c172b2 <write+2>        mov    DWORD PTR [rbp*1+0x10750000], esp
   0x7ffff5c172b9 <__write_nocancel+0> mov    eax, 0x1
   0x7ffff5c172be <__write_nocancel+5> syscall
 → 0x7ffff5c172c0 <__write_nocancel+7> cmp    rax, 0xfffffffffffff001
   0x7ffff5c172c6 <__write_nocancel+13> jae    0x7ffff5c172f9 <write+73>
   0x7ffff5c172c8 <__write_nocancel+15> ret
   0x7ffff5c172c9 <write+25>       sub    rsp, 0x8
   0x7ffff5c172cd <write+29>       call   0x7ffff5c350d0 <__libc_enable_asynccancel>
   0x7ffff5c172d2 <write+34>       mov    QWORD PTR [rsp], rax
────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "exiv2", stopped, reason: SIGINT
──────────────────────────────────────────────────────── trace ────
[#0] 0x7ffff5c172c0 → __write_nocancel()
[#1] 0x7ffff5b98bff → _IO_new_file_write(f=0x7ffff5ee5620 <_IO_2_1_stdout_>, data=0x619000001480, n=0x4a)
[#2] 0x7ffff5b9a409 → new_do_write(to_do=0x4a, data=0x619000001480 "STRUCTURE OF TIFF FILE (II): id:000000,src:000553+000213,op:splice,rep:64\n", '\276' <repeats 950 times>, fp=0x7ffff5ee5620 <_IO_2_1_stdout_>)
[#3] 0x7ffff5b9a409 → _IO_new_do_write(fp=0x7ffff5ee5620 <_IO_2_1_stdout_>, data=0x619000001480 "STRUCTURE OF TIFF FILE (II): $POC\n", '\276' <repeats 950 times>, to_do=0x4a)
[#4] 0x7ffff5b9a81b → _IO_new_file_overflow(f=0x7ffff5ee5620 <_IO_2_1_stdout_>, ch=0xa)
[#5] 0x7ffff5b96533 → __GI__IO_putc(c=<optimized out>, fp=0x7ffff5ee5620 <_IO_2_1_stdout_>)
[#6] 0x7ffff6214a4a → std::ostream::put(char)()
[#7] 0x7ffff6214c3f → std::basic_ostream<char, std::char_traits<char> >& std::endl<char, std::char_traits<char> >(std::basic_ostream<char, std::char_traits<char> >&)()
[#8] 0x7ffff673df1e → Exiv2::Image::printIFDStructure(this=0x61200000bec0, io=@0x60300000ecb0, out=@0x672ac0, option=Exiv2::kpsRecursive, start=0xff, bSwap=0x0, c=0x49, depth=0x0)
[#9] 0x7ffff673fe2a → Exiv2::Image::printTiffStructure(this=0x61200000bec0, io=@0x60300000ecb0, out=@0x672ac0, option=Exiv2::kpsRecursive, depth=0xffffffff, offset=0x0)
```
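
The report shows printTiffStructure recursing through IFDs without bound. The following is an added illustration, not Exiv2's code: a minimal little-endian TIFF IFD walker that follows SubIFD/Exif/GPS and "next IFD" links the way a recursive structure dumper does, but records every IFD offset already on the path and caps the depth, so a file whose IFD pointers loop back on themselves (an assumption about the trigger; the issue does not state the exact cause) terminates with a bounded visit count. The sample buffer, tag set and depth limit are constructed for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <set>
#include <vector>

// Constructed little-endian TIFF: 8-byte header, then one IFD at offset 8.
// Its single entry is SubIFD (0x014A, LONG, count 1) pointing back to 8, and
// the "next IFD" pointer is also 8, so every link forms a cycle.
static const std::vector<uint8_t> kCyclicTiff = {
    'I', 'I', 42, 0, 8, 0, 0, 0,                    // "II", magic 42, IFD0 at 8
    1, 0,                                           // entry count = 1
    0x4A, 0x01, 4, 0, 1, 0, 0, 0, 8, 0, 0, 0,       // SubIFD, LONG, count 1, value 8
    8, 0, 0, 0                                      // next IFD -> 8 (self loop)
};

static uint16_t rd16(const std::vector<uint8_t>& b, size_t o) {
    return uint16_t(b[o] | (b[o + 1] << 8));
}
static uint32_t rd32(const std::vector<uint8_t>& b, size_t o) {
    return uint32_t(rd16(b, o)) | (uint32_t(rd16(b, o + 2)) << 16);
}

// Recursive walk with two guards missing from an unbounded dumper: an
// offset already on the path is never re-entered, and depth is capped.
// Returns the number of distinct IFDs visited.
int walkIfd(const std::vector<uint8_t>& buf, uint32_t off, int depth,
            std::set<uint32_t>& seen, int maxDepth = 32) {
    if (depth > maxDepth) return 0;                               // depth guard
    if (size_t(off) + 2 > buf.size() || !seen.insert(off).second)  // OOB or cycle
        return 0;
    int count = 1;
    uint16_t n = rd16(buf, off);
    size_t entries = size_t(off) + 2;
    if (entries + size_t(n) * 12 + 4 > buf.size()) return count;  // truncated IFD
    for (uint16_t i = 0; i < n; ++i) {
        size_t e = entries + size_t(i) * 12;
        uint16_t tag = rd16(buf, e), type = rd16(buf, e + 2);
        uint32_t cnt = rd32(buf, e + 4), val = rd32(buf, e + 8);
        // SubIFD, ExifIFD and GPSIFD pointers (LONG, count 1) are sub-IFDs.
        if ((tag == 0x014A || tag == 0x8769 || tag == 0x8825) && type == 4 && cnt == 1)
            count += walkIfd(buf, val, depth + 1, seen, maxDepth);
    }
    uint32_t next = rd32(buf, entries + size_t(n) * 12);
    if (next != 0) count += walkIfd(buf, next, depth + 1, seen, maxDepth);
    return count;
}

// Entry point: validates the "II" header and walks from IFD0. Returns -1 on
// a header this example does not handle (big-endian "MM" is out of scope).
int countIfds(const std::vector<uint8_t>& buf) {
    if (buf.size() < 8 || buf[0] != 'I' || buf[1] != 'I' || rd16(buf, 2) != 42) return -1;
    std::set<uint32_t> seen;
    return walkIfd(buf, rd32(buf, 4), 0, seen);
}
```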

piponazo (Collaborator) commented Feb 25, 2019

As in #712, this issue is fixed in 0.27 and master, since we no longer allow the action -pR in Release mode.

@piponazo piponazo closed this Feb 25, 2019

carnil commented Feb 28, 2019

CVE-2019-9143 was assigned for this issue.
