We found a global-buffer-overflow in OptiPNG.
Running optipng with the "-zm 3 -zc 1 -zw 256 -snip -out" configuration options on a crafted file triggers a global-buffer-overflow, which could allow a remote attacker to cause a denial of service or have other unspecified impact.
Note that the optipng package (version 0.7.7) installed through apt-get also triggers this vulnerability, so the system security of Debian users may be affected as well.
Note also that CVE-2017-16938 reported a global-buffer-overflow in an older version of OptiPNG (version 0.7.6), but the bug we found this time is different from CVE-2017-16938. In CVE-2017-16938, the global-buffer-overflow involves the global variable 'stack' (defined in 'gifread.c:401:16', version 0.7.6) and the global variable 'oldcode' (defined in 'gifread.c:398:27', version 0.7.6). The global-buffer-overflow we discovered this time is caused by the global variable 'buffer' (defined in 'gifread.c:334:26', version 0.7.7).
OptiPNG version 0.7.7.
This is the latest version available from http://optipng.sourceforge.net/
root@38ad1e4b9d16:/test2/optipng-0.7.7/src/optipng# /test2/optipng-0.7.7/src/optipng/optipng --version
OptiPNG version 0.7.7
Copyright (C) 2001-2017 Cosmin Truta and the Contributing Authors.
This program is open-source software. See LICENSE for more details.
Portions of this software are based in part on the work of:
Jean-loup Gailly and Mark Adler (zlib)
Glenn Randers-Pehrson and the PNG Development Group (libpng)
Miyasaka Masaru (BMP support)
David Koblas (GIF support)
Using libpng version 1.6.34 and zlib version 1.2.11-optipng
https://gitee.com/src-openeuler/optipng
OptiPNG Official website: http://optipng.sourceforge.net/
Source Code Download: https://sourceforge.net/projects/optipng/files/OptiPNG/optipng-0.7.7/optipng-0.7.7.tar.gz/download?use_mirror=udomain&download=
global-buffer-overflow
POCoptipng: https://github.com/Frank-Z7/z-vulnerabilitys/blob/main/POCoptipng
# First, install AFLplusplus to use ASAN and its other vulnerability analysis features
git clone https://github.com/AFLplusplus/AFLplusplus
cd AFLplusplus
apt install build-essential libtool-bin python3-dev automake flex bison libglib2.0-dev libpixman-1-dev clang python3-setuptools llvm
make
make install
# Then download the latest optipng source code (version 0.7.7) from https://sourceforge.net/projects/optipng/files/OptiPNG/optipng-0.7.7/optipng-0.7.7.tar.gz/download?use_mirror=udomain&download=
tar -xvf optipng-0.7.7.tar.gz
cd optipng-0.7.7
# Next, we compile optipng with ASAN instrumentation
export CC=afl-clang-fast
export CXX=afl-clang-fast++
./configure
AFL_USE_ASAN=1 make
# Finally, we run optipng with the PoC file under the specific configuration options.
src/optipng/optipng -o4 POCoptipng -zm 3 -zc 1 -zw 256 -snip -out optipngtest.png
=================================================================
==1681804==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000e73918 at pc 0x00000054f5ce bp 0x7fffffffa350 sp 0x7fffffffa348
READ of size 1 at 0x000000e73918 thread T0
#0 0x54f5cd (/afltest/optipng/optipng-0.7.7/src/optipng/optipng+0x54f5cd)
#1 0x54d98f (/afltest/optipng/optipng-0.7.7/src/optipng/optipng+0x54d98f)
#2 0x54c8cc (/afltest/optipng/optipng-0.7.7/src/optipng/optipng+0x54c8cc)
#3 0x4def39 (/afltest/optipng/optipng-0.7.7/src/optipng/optipng+0x4def39)
#4 0x4dac27 (/afltest/optipng/optipng-0.7.7/src/optipng/optipng+0x4dac27)
#5 0x4cb8c4 (/afltest/optipng/optipng-0.7.7/src/optipng/optipng+0x4cb8c4)
#6 0x4c8cbd (/afltest/optipng/optipng-0.7.7/src/optipng/optipng+0x4c8cbd)
#7 0x4c85bc (/afltest/optipng/optipng-0.7.7/src/optipng/optipng+0x4c85bc)
#8 0x4c6966 (/afltest/optipng/optipng-0.7.7/src/optipng/optipng+0x4c6966)
#9 0x7ffff7c52082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#10 0x41c52d (/afltest/optipng/optipng-0.7.7/src/optipng/optipng+0x41c52d)
0x000000e73918 is located 0 bytes to the right of global variable 'buffer' defined in 'gifread.c:334:26' (0xe73800) of size 280
SUMMARY: AddressSanitizer: global-buffer-overflow (/afltest/optipng/optipng-0.7.7/src/optipng/optipng+0x54f5cd)
Shadow bytes around the buggy address:
0x0000801c66d0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0000801c66e0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0000801c66f0: 00 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
0x0000801c6700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0000801c6710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0000801c6720: 00 00 00[f9]f9 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
0x0000801c6730: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 01 f9 f9 f9
0x0000801c6740: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
0x0000801c6750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0000801c6760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0000801c6770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==1681804==ABORTING
ubuntu:20.04
gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.2)
clang version 10.0.0-4ubuntu1
afl-cc++4.09
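The AddressSanitizer report above is what a triager starts from. The following parser is an added example, not code from the OptiPNG project or from this report; it extracts the triage-relevant fields (error kind, access size, overflowed global, its source location and size) from an ASan global-buffer-overflow report and cross-checks ASan's "N bytes to the right" statement against the computed offset. The embedded report text is a constructed excerpt of the report shown above.

```python
import re

# Constructed excerpt of the AddressSanitizer report reproduced above; the
# intermediate stack frames are not needed for triage and are left out.
SAMPLE_REPORT = """\
==1681804==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000e73918 at pc 0x00000054f5ce bp 0x7fffffffa350 sp 0x7fffffffa348
READ of size 1 at 0x000000e73918 thread T0
    #0 0x54f5cd (/afltest/optipng/optipng-0.7.7/src/optipng/optipng+0x54f5cd)
0x000000e73918 is located 0 bytes to the right of global variable 'buffer' defined in 'gifread.c:334:26' (0xe73800) of size 280
SUMMARY: AddressSanitizer: global-buffer-overflow (/afltest/optipng/optipng-0.7.7/src/optipng/optipng+0x54f5cd)
"""

ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-f]+)", re.M)
GLOBAL_RE = re.compile(
    r"(?P<addr>0x[0-9a-f]+) is located (?P<dist>\d+) bytes to the (?P<side>left|right) of global "
    r"variable '(?P<var>\w+)' defined in '(?P<loc>[^']+)' \((?P<base>0x[0-9a-f]+)\) of size (?P<size>\d+)"
)


def parse_asan_global_overflow(report: str) -> dict:
    """Pull the triage-relevant fields out of an ASan global-buffer-overflow report.

    'offset' is the faulting address relative to the start of the global object;
    'overrun_bytes' is how many bytes the access reaches past the object's end.
    """
    err, acc, glob = ERROR_RE.search(report), ACCESS_RE.search(report), GLOBAL_RE.search(report)
    if not (err and acc and glob):
        raise ValueError("not a recognised ASan global-buffer-overflow report")
    offset = int(acc.group("addr"), 16) - int(glob.group("base"), 16)
    access_size, object_size = int(acc.group("size")), int(glob.group("size"))
    return {
        "kind": err.group("kind"),
        "operation": acc.group("op"),
        "access_size": access_size,
        "variable": glob.group("var"),
        "location": glob.group("loc"),
        "object_size": object_size,
        "offset": offset,
        "overrun_bytes": max(0, offset + access_size - object_size),
        "side": glob.group("side"),
        "distance": int(glob.group("dist")),
    }


def is_consistent(fields: dict) -> bool:
    """Cross-check ASan's 'N bytes to the left/right' text against the computed offset."""
    if fields["side"] == "right":
        return fields["offset"] - fields["object_size"] == fields["distance"]
    return fields["offset"] == -fields["distance"]
```

For the report above this yields offset 280 on a 280-byte object with a 1-byte read, i.e. a read exactly one byte past the end of 'buffer', matching ASan's "0 bytes to the right" statement.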
Zeng Yunxiang (Huazhong University of Science and Technology)
Song Jiaxuan