
Some bugs in CMS #167

Closed
xiaoqx opened this issue May 28, 2018 · 3 comments

xiaoqx commented May 28, 2018

There are some bugs in the latest commit of CMS.
Some of the bugs could be exploited to execute code.

One of the debug outputs is as follows:

Program received signal SIGSEGV, Segmentation fault.
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffe838 --> 0x7ffff7b21c2c (<PrecalculatedXFORM+812>: mov r11,QWORD PTR [rbx+0x70])
0008| 0x7fffffffe840 --> 0x3c95700000000000
0016| 0x7fffffffe848 --> 0x102000000b10
0024| 0x7fffffffe850 --> 0x0
0032| 0x7fffffffe858 --> 0x62e610 --> 0x4000200010000
0040| 0x7fffffffe860 --> 0x614820 --> 0x0
0048| 0x7fffffffe868 --> 0x100000000
0056| 0x7fffffffe870 --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00007ffff7000000 in ?? ()
#0 0x00007ffff7000000 in ?? ()
#1 0x00007ffff7b21c2c in PrecalculatedXFORM (p=0x616940, in=0x62e610, out=0x614820, PixelsPerLine=0x1020, LineCount=0x1, Stride=0x7fffffffe900) at ../../cms/src/cmsxform.c:410
#2 0x00007ffff7b25285 in cmsDoTransform (Transform=Transform@entry=0x616940, InputBuffer=InputBuffer@entry=0x62e610, OutputBuffer=OutputBuffer@entry=0x614820, Size=Size@entry=0x1020) at ../../cms/src/cmsxform.c:189
#3 0x0000000000405ac7 in TileBasedXform (nPlanes=0x1, out=0x6124d0, in=, hXForm=0x616940) at ../../../cms/utils/tificc/tificc.c:408
#4 TransformImage (cDefInpProf=, out=, in=) at ../../../cms/utils/tificc/tificc.c:904
#5 main (argc=argc@entry=0x3, argv=argv@entry=0x7fffffffeba8) at ../../../cms/utils/tificc/tificc.c:1167
#6 0x00007ffff71fe830 in __libc_start_main (main=0x402360, argc=0x3, argv=0x7fffffffeba8, init=, fini=, rtld_fini=, stack_end=0x7fffffffeb98) at ../csu/libc-start.c:291
#7 0x0000000000408e29 in _start ()

main:99: UserWarning: GDB v7.11 may not support required Python API
Description: Segmentation fault on program counter
Short description: SegFaultOnPc (3/22)
Hash: a623b76741d0ee9936f43614a95f8a38.d3ce2561115efa40618f8e7190e9ac1e
Exploitability Classification: EXPLOITABLE
Explanation: The target tried to access data at an address that matches the program counter. This is likely due to the execution of a branch instruction (ex: 'call') with a bad argument, but it could also be due to execution continuing past the end of a memory region or another cause. Regardless this likely indicates that the program counter contents are tainted and can be controlled by an attacker.
Other tags: AccessViolation (21/22)

=====

The commit that has been tested is 684dfb8.

Please see the following URL for the bug info and POCs:
https://github.com/xiaoqx/pocs/tree/master/cms
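A crash-triage helper, added here as an example (it is not from the issue or from the project): it parses a backtrace like the one above and applies the same rule as the report's "segfault on program counter" tag, returning the first symbolized caller when frame #0 is unmapped, since that is where the bad branch target was consumed. The trimmed GDB excerpt is constructed from the lines above, and the Frame class, parse_frames() and triage() are names chosen for this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Trimmed excerpt of the GDB output quoted in the report above (constructed
# for this example; the original backtrace continues down to _start).
GDB_OUTPUT = """\
Stopped reason: SIGSEGV
0x00007ffff7000000 in ?? ()
#0 0x00007ffff7000000 in ?? ()
#1 0x00007ffff7b21c2c in PrecalculatedXFORM (p=0x616940, in=0x62e610, out=0x614820, PixelsPerLine=0x1020, LineCount=0x1, Stride=0x7fffffffe900) at ../../cms/src/cmsxform.c:410
#2 0x00007ffff7b25285 in cmsDoTransform (Transform=Transform@entry=0x616940, Size=Size@entry=0x1020) at ../../cms/src/cmsxform.c:189
"""

# A backtrace frame: "#N 0xADDR in func (args) at file:line" (file:line optional).
FRAME_RE = re.compile(
    r"^#(\d+)\s+(0x[0-9a-fA-F]+) in (\S+) \((.*)\)(?: at (\S+):(\d+))?$")
# The stop-location line GDB prints when the PC has no symbol.
STOP_RE = re.compile(r"^(0x[0-9a-fA-F]+) in \?\? \(\)$", re.M)

@dataclass
class Frame:
    index: int
    pc: int
    func: str
    file: Optional[str]
    line: Optional[int]

def parse_frames(text: str) -> list:
    frames = []
    for raw in text.splitlines():
        m = FRAME_RE.match(raw.strip())
        if m:
            frames.append(Frame(int(m[1]), int(m[2], 16), m[3],
                                m[5], int(m[6]) if m[6] else None))
    return frames

def triage(text: str):
    """Return (tag, frame), a rough version of the "segfault on PC" rule."""
    frames = parse_frames(text)
    if not frames:
        return ("Unknown", None)
    top, stop = frames[0], STOP_RE.search(text)
    # Frame #0 unsymbolized and equal to the stop address: the faulting
    # instruction was a branch to a bad target, so the first symbolized
    # caller is where the tainted pointer was consumed.
    if top.func == "??" and stop and int(stop[1], 16) == top.pc:
        caller = next((f for f in frames[1:] if f.func != "??"), None)
        return ("SegFaultOnPc", caller)
    return ("SegFaultOnData", top)  # the top frame itself faulted on data
```

Run against the excerpt, triage() reports SegFaultOnPc and points at PrecalculatedXFORM in cmsxform.c:410, the frame the report's own backtrace identifies as the caller of the bad address.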

mm2 (Owner) commented May 28, 2018

TIFFICC is just A SAMPLE on how to use the library; it is not sanitized in any way, nor discussed in the manuals.

You should not use samples for disclosing a CVE, as this is like calling the functions with bogus parameters.

If you have a profile that can break the library (which could be used for real exploits), I will be glad to help in fixing it.

mm2 closed this as completed May 28, 2018

deanshapira commented

Hi @mm2, I understand that you do not agree with this vulnerability as it is very unlikely, but do you plan to contact MITRE and dispute/reject it? Because this is assigned with CVE-2018-11555.

Thanks in advance! :)

mm2 (Owner) commented Aug 20, 2020

It is now in dispute state.
