扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 |
Source: http://bugzilla.maptools.org/show_bug.cgi?id=2712 Triggered by"./tiffset POC1" $ ./tiffset POC1 TIFFReadDirectory: Warning, Unknown field with tag 302 (0x12e) encountered. TIFFReadDirectory: Warning, Unknown field with tag 61961 (0xf209) encountered. poc3: AdobeDeflate compression support is not configured. tiffset: tif_dirwrite.c:2127: int TIFFWriteDirectoryTagCheckedLong8Array(TIFF *, uint32 *, TIFFDirEntry *, uint16, uint32, uint64 *): Assertion `tif->tif_flags&TIFF_BIGTIFF' failed. Aborted The gdb debugging information is listed below: (gdb) set args POC1 (gdb) r ... (gdb) c Continuing. TIFFReadDirectory: Warning, Unknown field with tag 302 (0x12e) encountered. TIFFReadDirectory: Warning, Unknown field with tag 61961 (0xf209) encountered. poc2: AdobeDeflate compression support is not configured. Breakpoint 2, TIFFWriteDirectoryTagCheckedLong8Array (tif=<optimized out>, ndir=<optimized out>, count=1, value=0x615c20, dir=<optimized out>, tag=<optimized out>) at tif_dirwrite.c:2127 2127assert(tif->tif_flags&TIFF_BIGTIFF); (gdb) bt #00x00007ffff746a428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54 #10x00007ffff746c02a in __GI_abort () at abort.c:89 #20x00007ffff7462bd7 in __assert_fail_base (fmt=<optimized out>, assertion=assertion@entry=0x7ffff7baf949 "tif->tif_flags&TIFF_BIGTIFF", file=file@entry=0x7ffff7baf5c0 "tif_dirwrite.c", line=line@entry=2127, function=function@entry=0x7ffff7baf8e2 "int TIFFWriteDirectoryTagCheckedLong8Array(TIFF *, uint32 *, TIFFDirEntry *, uint16, uint32, uint64 *)") at assert.c:92 #30x00007ffff7462c82 in __GI___assert_fail (assertion=0x7ffff7baf949 "tif->tif_flags&TIFF_BIGTIFF", file=0x7ffff7baf5c0 "tif_dirwrite.c", line=2127, function=0x7ffff7baf8e2 "int TIFFWriteDirectoryTagCheckedLong8Array(TIFF *, uint32 *, TIFFDirEntry *, uint16, uint32, uint64 *)") at assert.c:101 #40x00007ffff7b4e9cb in TIFFWriteDirectoryTagCheckedLong8Array (tif=0x615010, ndir=<optimized out>, count=1, value=0x615c20, dir=<optimized out>, tag=<optimized out>) at tif_dirwrite.c:2127 #5TIFFWriteDirectoryTagLong8Array (count=1, value=0x615c20, tif=<optimized out>, ndir=<optimized out>, dir=<optimized out>, tag=<optimized out>) at tif_dirwrite.c:1462 #6TIFFWriteDirectorySec (tif=<optimized out>, isimage=<optimized out>, imagedone=<optimized out>, pdiroff=<optimized out>) at tif_dirwrite.c:746 #70x00007ffff7b4f6b5 in TIFFWriteDirectory (tif=0x615010) at tif_dirwrite.c:184 #8TIFFRewriteDirectory (tif=<optimized out>) at tif_dirwrite.c:360 #90x0000000000402bc7 in main (argc=<optimized out>, argv=<optimized out>) at tiffset.c:344 Trigged in line tif_dirwrite.c:2127 at function TIFFWriteDirectoryTagCheckedLong8Array() 2122 static int 2123 TIFFWriteDirectoryTagCheckedLong8Array(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, uint16 tag, uint32 count, uint64*value) 2124 { 2125 assert(count<0x20000000); 2126 assert(sizeof(uint64)==8); 2127 assert(tif->tif_flags&TIFF_BIGTIFF); 2128 if (tif->tif_flags&TIFF_SWAB) 2129 TIFFSwabArrayOfLong8(value,count); 2130 return(TIFFWriteDirectoryTagData(tif,ndir,dir,tag,TIFF_LONG8,count,count*8,value)); 2131 } [note]: Tiffset sets the value of a TIFF header to a specified value.It will modify the raw POC file,so you'd better make a backup file every time you are going to run. Credits: This vulnerability is detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao@gmail.com and chaoz@tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability. Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42299.zip |
体验盒子
