Multiple Vulnerabilities in LibTIFF (STRIPOFFSETS and Directory Entry Count Integer Overflow)
21 Dec. 2004
Summary
LibTIFF provides "support for the Tag Image File Format (TIFF), a widely used format for storing image data". Remote exploitation of two integer overflows in LibTIFF allows execution of arbitrary code.
Vulnerable Systems:
* The STRIPOFFSETS vulnerability exists in LibTIFF 3.6.1.
* The Directory Entry Count vulnerability exists in LibTIFF 3.5.7 and 3.7.0.
Immune Systems:
* Changes were introduced in libtiff 3.7.0 that had the effect of fixing the STRIPOFFSETS vulnerability.
* libtiff version 3.7.1 addresses both the vulnerabilities.
STRIPOFFSETS Integer Overflow:
The overflow occurs in the parsing of TIFF files set with the STRIPOFFSETS flag in libtiff/tif_dirread.c. In the TIFFFetchStripThing() function, the number of strips (nstrips) is used directly in a CheckMalloc() routine without sanity checking. The call ultimately boils down to: malloc(user_supplied_int * sizeof(int32));
When 0x40000000 is supplied as the user-controlled integer, the 32-bit product wraps and malloc is called with a length argument of 0. This has the effect of returning the smallest possible malloc chunk. A user-controlled buffer is subsequently copied into that small heap buffer, causing a heap overflow.
When exploited, it is possible to overwrite heap structures and seize control of execution.
An attacker can exploit the above-described vulnerability to execute arbitrary code under the permissions of the target user. Successful exploitation requires that the attacker convince the end user to open the malicious TIFF file using an application linked with a vulnerable version of LibTIFF. Exploitation of this vulnerability against a remote target is difficult because of the precision required in the attack.
Disclosure Timeline:
12/15/2004 Discovery of fix in later software version
12/21/2004 Public disclosure
Directory Entry Count Integer Overflow:
The vulnerability specifically exists due to insufficient validation of user-supplied data when calculating the size of a directory entry. A TIFF file includes a number of directory entry header fields that describe the data in the file. Included in these entries are an entry count and an offset value that are used to determine the size and location of the data for that entry. If the directory entry type is TIFF_ASCII or TIFF_UNDEFINED, a call to CheckMalloc is made in order to allocate space for the entry contents, as shown below from tif_dirread.c:
If the tdir_count is set to 0xffffffff, the increment will cause the function call to allocate 0 bytes of memory and later memcpy calls will cause the buffer to overflow. An attacker may generate a malicious TIFF file which takes advantage of this unchecked calculation to execute arbitrary code with permissions of the user opening the TIFF file.
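Both overflows above come from the same defect: the byte count is computed in 32-bit arithmetic and only then handed to CheckMalloc, so a wrapped value of 0 passes straight through to malloc. The following added example (not libtiff's code; the function names naive_strip_bytes, naive_entry_bytes, strip_alloc_size, entry_alloc_size and strip_buffer_fits are assumptions) models the STRIPOFFSETS multiply (nstrips * sizeof(uint32)) and the directory entry increment (tdir_count + 1) in 32 bits, then shows the hardened sizing that rejects the wrap before the arithmetic and refuses a zero-length allocation.

```c
#include <stdint.h>
#include <stdlib.h>

/* Added example: models the 32-bit size arithmetic described in the
 * advisory. These are not libtiff's own functions; the names are
 * assumptions chosen for illustration. */

/* STRIPOFFSETS case: nstrips * sizeof(uint32) computed in 32 bits.
 * 0x40000000 * 4 = 0x100000000 wraps to 0, so malloc(0) is reached. */
uint32_t naive_strip_bytes(uint32_t nstrips)
{
    return nstrips * (uint32_t)sizeof(uint32_t);
}

/* Directory entry case: tdir_count + 1 computed in 32 bits.
 * 0xffffffff + 1 wraps to 0 in the same way. */
uint32_t naive_entry_bytes(uint32_t tdir_count)
{
    return tdir_count + 1;
}

/* Hardened sizing: test for wrap-around before doing the arithmetic.
 * Returns the byte count, or 0 when the request is zero or would wrap,
 * so a caller never hands a wrapped value to malloc. */
uint32_t strip_alloc_size(uint32_t nstrips)
{
    const uint32_t elem = (uint32_t)sizeof(uint32_t);
    if (nstrips == 0 || nstrips > UINT32_MAX / elem)
        return 0;
    return nstrips * elem;
}

uint32_t entry_alloc_size(uint32_t tdir_count)
{
    if (tdir_count == UINT32_MAX)   /* tdir_count + 1 would wrap to 0 */
        return 0;
    return tdir_count + 1;
}

/* Allocation wrapper in the role of CheckMalloc: refuses a zero-length
 * request instead of returning the smallest chunk. Returns 1 when a
 * buffer of the validated size could be allocated (and frees it). */
int strip_buffer_fits(uint32_t nstrips)
{
    uint32_t bytes = strip_alloc_size(nstrips);
    void *buf;
    if (bytes == 0)
        return 0;
    buf = malloc(bytes);
    if (buf == NULL)
        return 0;
    free(buf);
    return 1;
}
```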
Vendor Status:
The following patch will address this vulnerability: