[Secure-testing-team] Bug#890086: ufraw-batch: stack buffer overflow while running ufraw-batch

Joonun Jang joonun.jang at gmail.com
Sat Feb 10 23:51:39 UTC 2018 

Package: ufraw-batch
Version: 0.22-2
Severity: important
Tags: security

stack buffer overflow running ufraw-batch with "--overwrite poc" option

Running 'ufraw-batch --overwrite poc' with the attached file raises stack buffer overflow
which may allow a remote attacker to cause unspecified impact including denial-of-service attack
I expected the program to terminate without segfault, but the program crashes as follow

june at june:~/temp/report/ufraw-batch/unknown$ ufraw-batch poc
*** stack smashing detected ***: ufraw-batch terminated
Segmentation fault

Below is debugging information about this bug

0. poc file

00000000: 0001 0001 0040 2020 0000 0020 2020 4b41  .....@  ...   KA
00000010: 492d 3033 3430 200f 4343 4343 4343 4343  I-0340 .CCCCCCCC
00000020: 4343 4343 4343 4343 4343 [4141] 6565       CCCCCCCCCCAAee

1. Above two bytes [4141] was stored in the variable 'raw_width'
   in DCRaw::identify function at dcraw.cc

 8871   } else if (!memcmp (head,"\0\001\0\001\0@",6)) {
 8872     fseek (ifp, 6, SEEK_SET);
 8873     fread (make, 1, 8, ifp);
 8874     fread (model, 1, 8, ifp);
 8875     fread (model2, 1, 16, ifp);
 8876     data_offset = get2();
 8877     get2();
 8878     raw_width = get2(); // HERE
 8879     raw_height = get2();
 8880     load_raw = &CLASS nokia_load_raw;
 8881     filters = 0x61616161;

--gdb--
8878      raw_width = get2();
(gdb) n
8879      raw_height = get2();
(gdb) p/x raw_width
$21 = 0x4141
-------

2. And then it stored in the varaible 'width' in the same function

 9008   desc[511] = artist[63] = make[63] = model[63] = model2[63] = 0;
 9009   if (!is_raw) goto notraw;
 9010
 9011   if (!height) height = raw_height;
 9012   if (!width)  width  = raw_width; // HERE
 9013   if (height == 2624 && width == 3936)  /* Pentax K10D and Samsung GX10 */
 9014     { height  = 2616;   width  = 3896; }
 9015   if (height == 3136 && width == 4864)  /* Pentax K20D and Samsung GX20 */

--gdb--
Breakpoint 9, DCRaw::identify (this=this at entry=0x7ffff48b2010) at dcraw.cc:9012
9012    if (!width)  width  = raw_width;
$24 = 0
(gdb) n
9013    if (height == 2624 && width == 3936)  /* Pentax K10D and Samsung GX10 */
(gdb) p/x width
$25 = 0x4141


3. This 'width' was used in the below loop
   in the function DCRaw::find_green at the same file.

 8504 float CLASS find_green (int bps, int bite, int off0, int off1)
 8505 {
 8506   UINT64 bitbuf=0;
 8507   int vbits, col, i, c;
 8508   ushort img[2][2064];
 8509   double sum[]={0,0};
 8510
 8511   FORC(2) {
 8512     fseek (ifp, c ? off1:off0, SEEK_SET);
 8513     for (vbits=col=0; col < width; col++) { // HERE(1), width was used
 8514       for (vbits -= bps; vbits < 0; vbits += bite) {
 8515   bitbuf <<= bite;
 8516   for (i=0; i < bite; i+=8)
 8517     bitbuf |= (unsigned) (fgetc(ifp) << i);
 8518       }
 8519       img[c][col] = bitbuf << (64-bps-vbits) >> (64-bps); // HERE(2), col is index of img buffer
 8520     }
 8521   }
 8522   FORC(width-1) {
 8523     sum[ c & 1] += ABS(img[0][c]-img[1][c+1]);
 8524     sum[~c & 1] += ABS(img[1][c]-img[0][c+1]);
 8525   }
 8526   return 100 * log(sum[0]/sum[1]);
 8527 }

At HERE(2) because local variable 'col' increased until being same as variable 'width'
which can be easily modified by input file and can have big enough value to overwrite local buffer img.

=========================================================================

This bug was found with a fuzzer developed by 'SoftSec' group at KAIST

-- System Information:
Debian Release: 9.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages ufraw-batch depends on:
ii  libbz2-1.0       1.0.6-8.1
ii  libc6            2.24-11+deb9u1
ii  libexiv2-14      0.25-3.1
ii  libgcc1          1:6.3.0-18
ii  libglib2.0-0     2.50.3-2
ii  libgomp1         6.3.0-18
ii  libjpeg62-turbo  1:1.5.1-2
ii  liblcms2-2       2.8-4
ii  liblensfun1      0.3.2-3
ii  libpng16-16      1.6.28-1
ii  libstdc++6       6.3.0-18
ii  libtiff5         4.0.8-2+deb9u2
ii  zlib1g           1:1.2.8.dfsg-5

ufraw-batch recommends no packages.

Versions of packages ufraw-batch suggests:
pn  ufraw  <none>

-- no debconf information
-------------- next part --------------
A non-text attachment was scrubbed...
Name: poc
Type: application/octet-stream
Size: 46 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20180211/7c5a3552/attachment.obj>

More information about the Secure-testing-team mailing list