Three bugs found in the LibTIFF, one of them yet to be patched

Pierluigi Paganini October 28, 2016

Libtiff library is affected by three vulnerabilities but unfortunately one of them, tracked as CVE-2016-8331, is still unpatched.

Libtiff is a library for reading and writing Tagged Image File Format (abbreviated TIFF) files and according to the experts from CISCO Talos it is affected by three vulnerabilities. The bugs could be exploited by hackers to hack a system by using booby-trapped images. The bad news is that only two of three vulnerabilities have been fixed.

The vulnerabilities affect the latest version 4.0.6, released in September.

  1. CVE-2016-5652 (TALOS-2016-0187) – LibTIFF tiff2pdf JPEG Compression Tables Heap Buffer Overflow
  2. CVE-2016-8331 (TALOS-2016-0190) – LibTIFF FAX IFD Entry Parsing Type Confusion
  3. CVE-2016-5875 (TALOS-2016-0205) – LibTIFF PixarLogDecode Heap Buffer Overflow

The Talos post says the company found the bugs in LibTiff – 4.0.6, released in September.

The LibTIFF FAX IFD Entry Parsing Type Confusion affects the LibTIFF code called BadFaxLines specific for fax systems, it could be exploited by using a specifically crafted image that triggers an out of bounds memory error, leading to remote code execution. This vulnerability is still unpatched.

“CVE-2016-8331 occurs during the parsing and handling of TIFF images using the LibTIFF API that is present in the standard build. RFC 2306 defines a series fields used within the TIFF format for use specifically in fax systems which are fully supported by the LibTIFF library.” states the analysis published by CISCO Talos. “The vulnerability exists in the handling of one of these fields, `BadFaxLines`, that can result in a write to out of bounds memory. Attackers can create a specially crafted TIFF file to exploit this vulnerability and execute arbitrary code on affected systems.”

The CVE-2016-5652 is a heap buffer overflow that resides in the Tiff2PDF tool. Attackers can exploit it by using a crafted file that can lead the library crashing.

libtiff

CVE-2016-5875 is a heap buffer overflow that resides in the way compressed TIFF images in LibTIFF’s PixarLogDecode API are handled.

“To decompress the PixarLog compressed data inside of a TIFF image, LibTIFF uses the Zlib compression library. First, a buffer with the parameters needed to be passed to Zlib are set up with a function call to `PixarLogSetupDecode`. Later this buffer is used when calling the Zlib library function `inflate` which is responsible for the actual decompression. Passing an undersized buffer into the Zlib `inflate` function causes a heap overflow that could be potentially leveraged into remote code execution.” 

The vulnerability was reported by Mathias Svensson, of Google’s Security Team, meanwhile the researcher Evan Rouault of SpatialSys published a fix on GitHub.

that is used to manage JPEG compression for TIFF images. The flaw was reported by the Google’s Security Team, Mathias Svensson. The researcher Evan Rouault of SpatialSys published a fix for the flaw and published the code on GitHub.

“TIFF offers support for multiple compression algorithms inside of the image itself. One such algorithm is the JPEG compression. This vulnerability arises in the calculating of the images tile size. A specially crafted TIFF image file can lead to an out of bounds write and ultimately to remote code execution. An attacker who can trick a user into using this utility with a crafted TIFF document can cause a heap based buffer overflow that results in remote code execution.” continues the analysis.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – LibTIFF, hacking)



you might also like

leave a comment