Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Uncontrolled recursion loop in Exiv2::(anonymous namespace)::BigTiffImage::printIFD( ) #712

Open
SegfaultMasters opened this Issue Feb 21, 2019 · 4 comments

Comments

Projects
None yet
4 participants
@SegfaultMasters
Copy link

SegfaultMasters commented Feb 21, 2019

Description - During our research ,we Observed that an infinite uncontrolled recursion loop, at function Exiv2::(anonymous namespace)::BigTiffImage::printIFD( ) located in bigtiffimage.cpp . It allows an attacker to cause Denial of Service or possibly have unspecified other impact.
Command - exiv2 -b -u -k -p R pr $POC
POC - REPRODUCER
Debug -
GDB -

Program received signal SIGINT, Interrupt.
0x00007ffff62276a9 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_append(char const*, unsigned long) () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
[ Legend: Modified register | Code | Heap | Stack | String ]
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
$rax   : 0x0000620001c10a74  →  0xbebebebebe002020
$rbx   : 0x00007fffffccfd80  →  0x0000620001c10080  →  0x2020202020202020 ("        "?)
$rcx   : 0x0               
$rdx   : 0x2               
$rsp   : 0x00007fffffccfa80  →  0x00007fffffccfad0  →  0x00007fffffccfeb0  →  0x00007fffffcd0290  →  0x00007fffffcd0670  →  0x00007fffffcd0a50  →  0x00007fffffcd0e30  →  0x00007fffffcd1210
$rbp   : 0x9f6             
$rsi   : 0x00007ffff69f2020  →  0x0000000000000000
$rdi   : 0x0000620001c10080  →  0x2020202020202020 ("        "?)
$rip   : 0x00007ffff62276a9  →  <std::__cxx11::basic_string<char,+0> add rsp, 0x8
$r8    : 0x00007fffffccfd90  →  0x0000000000000f00
$r9    : 0x9f4             
$r10   : 0x00007fffffccf1e0  →  0x00007ffff6f036b3  →  <operator+0> mov r15, rax
$r11   : 0x00007fffffccf1e0  →  0x00007ffff6f036b3  →  <operator+0> mov r15, rax
$r12   : 0x00000ffffff99f84  →  0x0000000000000000
$r13   : 0x00007fffffccfc20  →  0x0000000041b58ab3
$r14   : 0x00007ffff69600a0  →  0x006e776f6e6b6e75 ("unknown"?)
$r15   : 0x00007fffffffdb20  →  0x0000000041b58ab3
$eflags: [carry PARITY adjust ZERO sign trap INTERRUPT direction overflow resume virtualx86 identification]
$cs: 0x0033 $ss: 0x002b $ds: 0x0000 $es: 0x0000 $fs: 0x0000 $gs: 0x0000 
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
0x00007fffffccfa80│+0x0000: 0x00007fffffccfad0  →  0x00007fffffccfeb0  →  0x00007fffffcd0290  →  0x00007fffffcd0670  →  0x00007fffffcd0a50  →  0x00007fffffcd0e30  →  0x00007fffffcd1210     ← $rsp
0x00007fffffccfa88│+0x0008: 0x00007fffffccfe80  →  0x00007ffff69600a0  →  0x006e776f6e6b6e75 ("unknown"?)
0x00007fffffccfa90│+0x0010: 0x00007fffffccfad0  →  0x00007fffffccfeb0  →  0x00007fffffcd0290  →  0x00007fffffcd0670  →  0x00007fffffcd0a50  →  0x00007fffffcd0e30  →  0x00007fffffcd1210
0x00007fffffccfa98│+0x0018: 0x00007ffff681f34b  →  <Exiv2::Internal::indent[abi:cxx11](int)+86> jmp 0x7ffff681f326 <Exiv2::Internal::indent[abi:cxx11](int)+49>
0x00007fffffccfaa0│+0x0020: 0x00000825fff99f84  →  0x0000000000000000
0x00007fffffccfaa8│+0x0028: 0x00007fffffccfd80  →  0x0000620001c10080  →  0x2020202020202020
0x00007fffffccfab0│+0x0030: 0x00007ffff69600a0  →  0x006e776f6e6b6e75 ("unknown"?)
0x00007fffffccfab8│+0x0038: 0x7ebffb45ba0eea00
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────
   0x7ffff622769e <std::__cxx11::basic_string<char,+0> mov    rdi, QWORD PTR [rbx]
   0x7ffff62276a1 <std::__cxx11::basic_string<char,+0> mov    QWORD PTR [rbx+0x8], rbp
   0x7ffff62276a5 <std::__cxx11::basic_string<char,+0> mov    BYTE PTR [rdi+rbp*1], 0x0
 → 0x7ffff62276a9 <std::__cxx11::basic_string<char,+0> add    rsp, 0x8
   0x7ffff62276ad <std::__cxx11::basic_string<char,+0> mov    rax, rbx
   0x7ffff62276b0 <std::__cxx11::basic_string<char,+0> pop    rbx
   0x7ffff62276b1 <std::__cxx11::basic_string<char,+0> pop    rbp
   0x7ffff62276b2 <std::__cxx11::basic_string<char,+0> ret    
   0x7ffff62276b3 <std::__cxx11::basic_string<char,+0> nop    DWORD PTR [rax+rax*1+0x0]
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "exiv2", stopped, reason: SIGINT
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
[#0] 0x7ffff62276a9 → std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_append(char const*, unsigned long)()
[#1] 0x7ffff681f34b → Exiv2::Internal::indent[abi:cxx11](int)(d=0x825)
[#2] 0x7ffff66eb692 → Exiv2::(anonymous namespace)::BigTiffImage::printIFD(this=0x61300000de80, out=@0x672ac0, option=Exiv2::kpsRecursive, dir_offset=0x80, depth=0xd20)
[#3] 0x7ffff66ebe88 → Exiv2::(anonymous namespace)::BigTiffImage::printIFD(this=0x61300000de80, out=@0x672ac0, option=Exiv2::kpsRecursive, dir_offset=0x80, depth=0xd1f)
[#4] 0x7ffff66ebe88 → Exiv2::(anonymous namespace)::BigTiffImage::printIFD(this=0x61300000de80, out=@0x672ac0, option=Exiv2::kpsRecursive, dir_offset=0x80, depth=0xd1e)
[#5] 0x7ffff66ebe88 → Exiv2::(anonymous namespace)::BigTiffImage::printIFD(this=0x61300000de80, out=@0x672ac0, option=Exiv2::kpsRecursive, dir_offset=0x80, depth=0xd1d)
[#6] 0x7ffff66ebe88 → Exiv2::(anonymous namespace)::BigTiffImage::printIFD(this=0x61300000de80, out=@0x672ac0, option=Exiv2::kpsRecursive, dir_offset=0x80, depth=0xd1c)
[#7] 0x7ffff66ebe88 → Exiv2::(anonymous namespace)::BigTiffImage::printIFD(this=0x61300000de80, out=@0x672ac0, option=Exiv2::kpsRecursive, dir_offset=0x80, depth=0xd1b)
[#8] 0x7ffff66ebe88 → Exiv2::(anonymous namespace)::BigTiffImage::printIFD(this=0x61300000de80, out=@0x672ac0, option=Exiv2::kpsRecursive, dir_offset=0x80, depth=0xd1a)
[#9] 0x7ffff66ebe88 → Exiv2::(anonymous namespace)::BigTiffImage::printIFD(this=0x61300000de80, out=@0x672ac0, option=Exiv2::kpsRecursive, dir_offset=0x80, depth=0xd19)

@piponazo

This comment has been minimized.

Copy link
Collaborator

piponazo commented Feb 25, 2019

This issue is solved in 0.27 and master since the action -pR was disabled when compiling the project in Release mode:

$ ./exiv2 -b -u -k -p R pr /f/datasets/
exiv2.exe: Action not available in Rele
Usage: exiv2.exe [ options ] [ action ]

Manipulate the Exif metadata of images.

Therefore I'll close the issue (feel free to re-open it if you think this needs further discussion).

@nluedtke

This comment has been minimized.

Copy link

nluedtke commented Feb 26, 2019

This was assigned CVE-2019-9144.

@D4N

This comment has been minimized.

Copy link
Contributor

D4N commented Feb 26, 2019

This was assigned CVE-2019-9144.

If you run Release builds, you are not affected by this.

@piponazo

This comment has been minimized.

Copy link
Collaborator

piponazo commented Feb 27, 2019

I'll reopen the issue and I guess we will fix it at some point

@piponazo piponazo reopened this Feb 27, 2019

@piponazo piponazo assigned piponazo and unassigned piponazo Feb 27, 2019

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.