libjpeg-turbo denial of service vulnerability
======================
Author : qflb.wu
CVE: CVE-2017-9614
======================
Introduction:
=============
libjpeg-turbo is a JPEG image codec that uses SIMD instructions (MMX, SSE2, AVX2, NEON, AltiVec) to accelerate baseline JPEG compression and decompression on x86, x86-64, ARM, and PowerPC systems.
Affected version:
=====
1.5.1
Vulnerability Description:
==========================
The fill_input_buffer function in jdatasrc.c in libjpeg-turbo 1.5.1 can cause a denial of service (invalid address and application crash) via a crafted jpg file.
I found this bug while testing stills2dv-alpha-0.601, which uses libjpeg-turbo.
./stills2dv exampleworkfile.s2d
(the exampleworkfile.s2d contains the path of the poc jpg file)
----debug info:----
gdb-peda$ bt
#0  __memcpy_sse2 () at ../sysdeps/x86_64/multiarch/../memcpy.S:166
#1  0x00007ffff6d82323 in __GI__IO_file_xsgetn (fp=0x61c370, data=<optimized out>, n=0x1000) at fileops.c:1387
#2  0x00007ffff6d7786f in __GI__IO_fread (buf=<optimized out>, size=0x1, count=0x1000, fp=0x61c370) at iofread.c:42
#3  0x00007ffff7b6e23b in fill_input_buffer (cinfo=0x7fffffffe190) at jdatasrc.c:107
#4  0x00007ffff7b7beef in get_dqt (cinfo=0x7fffffffe190) at jdmarker.c:516
#5  0x00007ffff7b7dba3 in read_markers (cinfo=0x7fffffffe190) at jdmarker.c:1050
#6  0x00007ffff7b795fd in consume_markers (cinfo=0x7fffffffe190) at jdinput.c:320
#7  0x00007ffff7b6c853 in jpeg_finish_decompress (cinfo=0x7fffffffe190) at jdapimin.c:399
#8  0x0000000000402da0 in readjpg (fn=fn@entry=0x61c2f4 "example_data_files/test.jpg") at s2d_jpg.c:148
#9  0x0000000000403c5b in openImage (fn=0x61c2f4 "example_data_files/test.jpg", cache=0xffffffff) at s2d_main.c:202
#10 0x00000000004063a5 in splitted2struct (p=p@entry=0x60acc0 <ms>, strs=strs@entry=0x61c2a0) at s2d_main.c:1139
#11 0x000000000040240b in main (argc=argc@entry=0x2, argv=argv@entry=0x7fffffffe5f8) at s2d_main.c:1404
#12 0x00007ffff6d2af45 in __libc_start_main (main=0x402040
<main>, argc=0x2, argv=0x7fffffffe5f8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe5e8) at libc-start.c:287
#13 0x0000000000402500 in _start ()
=================================================================================
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
0x00007ffff7b6e233   107   nbytes = JFREAD(src->infile, src->buffer, INPUT_BUF_SIZE);
gdb-peda$
[----------------------------------registers-----------------------------------]
RAX: 0x61ce30 --> 0x464a1000e0ffd8ff
RBX: 0x7fffffffe190 --> 0x7fffffffe0e0 --> 0x7ffff7b89ce0 (<error_exit>: push rbp)
RCX: 0x61c370 ("example_data_files/test.jpg")
RDX: 0x1000
RSI: 0x1
RDI: 0x61ce30 --> 0x464a1000e0ffd8ff
RBP: 0x7fffffffdff0 --> 0x7fffffffe050 --> 0x7fffffffe070 --> 0x7fffffffe0a0 --> 0x7fffffffe0c0 --> 0x61c370 ("example_data_files/test.jpg")
RSP: 0x7fffffffdfd0 --> 0x7fffffffe030 --> 0x0
RIP: 0x7ffff7b6e236 (<fill_input_buffer+56>
R8 : 0x67706a2e747365 ('est.jpg')
R9 : 0x7ffff70ca7b8 --> 0x623770 --> 0x0
R10: 0x7fffffffde90 --> 0x0
R11: 0x7ffff7b6c74c (<jpeg_finish_decompress>: push rbp)
R12: 0x61c2f4 ("example_data_files/test.jpg")
R13: 0x61c5b0 --> 0x61c370 ("example_data_files/test.jpg")
R14: 0xc00 ('')
R15: 0x3
EFLAGS: 0x202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff7b6e229 <fill_input_buffer+43>: mov    edx,0x1000
   0x7ffff7b6e22e <fill_input_buffer+48>: mov    esi,0x1
   0x7ffff7b6e233 <fill_input_buffer+53>: mov    rdi,rax
=> 0x7ffff7b6e236 <fill_input_buffer+56>: call   0x7ffff7b477f0 <fread@plt>
   0x7ffff7b6e23b <fill_input_buffer+61>: mov    QWORD PTR [rbp-0x10],rax
   0x7ffff7b6e23f <fill_input_buffer+65>: cmp    QWORD PTR [rbp-0x10],0x0
   0x7ffff7b6e244 <fill_input_buffer+70>: jne    0x7ffff7b6e2bb <fill_input_buffer+189>
   0x7ffff7b6e246 <fill_input_buffer+72>: mov    rax,QWORD PTR [rbp-0x8]
Guessed arguments:
arg[0]:
0x61ce30 --> 0x464a1000e0ffd8ff
arg[1]: 0x1
arg[2]: 0x1000
arg[3]: 0x61c370 ("example_data_files/test.jpg")
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffdfd0 --> 0x7fffffffe030 --> 0x0
0008| 0x7fffffffdfd8 --> 0x7fffffffe190 --> 0x7fffffffe0e0 --> 0x7ffff7b89ce0 (<error_exit>: push rbp)
0016| 0x7fffffffdfe0 --> 0x5bffffe0bc
0024| 0x7fffffffdfe8 --> 0x61c880 --> 0x61d028 --> 0x0
0032| 0x7fffffffdff0 --> 0x7fffffffe050 --> 0x7fffffffe070 --> 0x7fffffffe0a0 --> 0x7fffffffe0c0 --> 0x61c370 ("example_data_files/test.jpg")
0040| 0x7fffffffdff8 --> 0x7ffff7b7beef (<get_dqt+71>: test eax,eax)
0048| 0x7fffffffe000 --> 0x0
0056| 0x7fffffffe008 --> 0x7fffffffe190 --> 0x7fffffffe0e0 --> 0x7ffff7b89ce0 (<error_exit>: push rbp)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
0x00007ffff7b6e236   107   nbytes = JFREAD(src->infile, src->buffer, INPUT_BUF_SIZE);
gdb-peda$ x/20x $rdi
0x61ce30:  0x464a1000e0ffd8ff  0x1c00020101004649
0x61ce40:  0x4300dbff00001c00  0x28191e231e1c2800
0x61ce50:  0x3c30282b2d232123  0x587b3c37373c4164
0x61ce60:  0x8f9699809164495d  0xa0c3e6b4a08a8c80
0x61ce70:  0xcbffc88c8aaddaaa  0xc19bfffffff5eeda
0x61ce80:  0xfffde6fffaffffff  0x2d2b014300dbfff8
0x61ce90:  0x764141763c353c2d  0xf8f8f8f8a58ca5f8
0x61cea0:  0xf8f8f8f8f8f8f8f8  0xf8f8f8f8f8f8f8f8
0x61ceb0:  0xf8f8f8f8f8f8f8f8  0xf8f8f8f8f8f8f8f8
0x61cec0:  0xf8f8f8f8f8f8f8f8  0xc0fff8f8f8f8f8f8
gdb-peda$ ni
Program received signal SIGSEGV, Segmentation fault.
POC: test.jpg; exampleworkfile.s2d
CVE: CVE-2017-9614
Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42391.zip