image file
using the library.
Background
==========
SDL_image is an image file library that loads images as SDL surfaces,
and supports various formats like BMP, GIF, JPEG, LBM, PCX, PNG, PNM,
TGA, TIFF, XCF, XPM, and XV.
Affected packages
=================
lmvm RPCRT4
start end module name
000007fe`fe1e0000 000007fe`fe30e000 RPCRT4 (pdb symbols) d:\localsymbols\rpcrt4.pdb\484A214596114DE7AA63AF63A748044D2\rpcrt4.pdb
Loaded symbol image file: RPCRT4.dll
Image path: C:\Windows\system32\RPCRT4.dll
Image name: RPCRT4.dll
Timestamp: Tue Jul 14 03:32:37 2009 (4A5BE035)
CheckSum: 001302FA
ImageSize: 0012E000
ACD Systems ACDSee Photo Manager 8.1 build 99 and prior
ACD Systems ACDSee Photo Manager 9.0 build 108 and prior
2. Vulnerability Summary
A remotely exploitable vulnerability has been discovered in multiple ACDSee Systems products. Specifically, the vulnerability is due to a boundary error when processing XBM image files and can lead to a buffer overflow condition. This boundary error can allow attackers to inject and execute arbitrary code on the target host with the privileges of the logged-on user.
3. Vulnerability Analysis
A remote unauthenticated attacker can exploit the vulnerability by enticing a target user to open a maliciously crafted XBM image file. A successful attack will result in arbitrary code executed on the target host with the privileges of the logged-on user. An unsuccessful attack can abnormally terminate the affected product.
-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Apple QuickTime. User interaction is
required to exploit this vulnerability in that the target must open a
malicious image file.
The specific flaw exists in the parsing of the pict file format. If an
invalid length is specified for the UncompressedQuickTimeData opcode, a
stack based buffer overflow occurs, allowing the execution of arbitrary
code.
I. BACKGROUND
ImageMagick is a suite of image manipulation tools (animate, composite,
conjure, convert, display, identify, import, mogrify and montage) that
are sometimes used by other applications for processing image files.
For more information about ImageMagick, visit the vendor's site at the
following URL.
http://www.imagemagick.org/
code via a crafted DCM image, or the colors or comments field in a
crafted XWD image. It only affects the oldstable distribution (etch).
CVE-2007-4985
A crafted image file can trigger an infinite loop in the ReadDCMImage
function or in the ReadXCFImage function. It only affects the oldstable
distribution (etch).
CVE-2007-4986
when opening a crafted .ty file.
CVE-2008-5032
Tobias Klein discovered that it is possible to execute arbitrary code
when opening an invalid CUE image file with a crafted header.
For the oldstable distribution (etch), these problems have been fixed
in version 0.8.6-svn20061012.debian-5.1+etch3.
Multiple security vulnerabilities have been identified and fixed
in ghostscript:
Multiple integer overflows in JasPer 1.900.1 might allow
context-dependent attackers to have an unknown impact via a crafted
image file, related to integer multiplication for memory allocation
(CVE-2008-3520).
Buffer overflow in the jas_stream_printf function in
libjasper/base/jas_stream.c in JasPer 1.900.1 might allow
context-dependent attackers to have an unknown impact via
ROM: System Bootstrap, Version 12.0(20090302:133850) [rtauro-sw30346-33S 1.23dev(0.36)] DEVELOPMENT SOFTWARE
Copyright (c) 1994-2009 by cisco Systems, Inc.
example uptime is 26 minutes
System image file is "disk0:c12k-os-mbi-3.9.1/mbiprp-rp.vm"
cisco 12404/PRP (7457) processor with 3145728K bytes of memory.
7457 processor at 1266Mhz, Revision 1.2
1 Cisco 12000 Series Performance Route Processor
The provided chm_1.chm proof-of-concept contains, at offset 0x17 of
test.gif, the address at which code execution will continue (set to
0x41414141; you can use any value because it's binary data), and I have
placed a bindshell (w32-bind-ngs-shellcode by SkyLined) at offset 0x200
of the same image file only as a reference during my tests.
The folder build_chm_1 instead contains the original files from which
chm_1.chm has been created using the steps listed above.
Multiple security vulnerabilities have been identified and fixed
in netpbm:
Multiple integer overflows in JasPer 1.900.1 might allow
context-dependent attackers to have an unknown impact via a crafted
image file, related to integer multiplication for memory allocation
(CVE-2008-3520).
Buffer overflow in the jas_stream_printf function in
libjasper/base/jas_stream.c in JasPer 1.900.1 might allow
context-dependent attackers to have an unknown impact via
ROM: System Bootstrap, Version 12.2(8r) [cmong 8r], RELEASE SOFTWARE (fc1)
Router uptime is 1 week, 5 hours, 5 minutes
System returned to ROM by power-on
System image file is "flash:c2600-adventerprisek9-mz.124-17.bin"
Additional information about Cisco IOS release naming is available at
http://www.cisco.com/warp/public/620/1.html
Products Confirmed Not Vulnerable
g. Third Party Library libpng Updated to 1.2.29
Several flaws were discovered in the way third party library
libpng handled various PNG image chunks. An attacker could
create a carefully crafted PNG image file in such a way that
it causes an application linked with libpng to crash when the
file is manipulated.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2007-5269 to this issue.
ROM: System Bootstrap, Version 1.05(20101118:025914) [ASR9K ROMMON],
Router uptime is 9 weeks, 1 day, 5 hours, 53 minutes
System image file is "bootflash:disk0/asr9k-os-mbi-4.1.0/mbiasr9k-rp.vm"
cisco ASR9K Series (MPC8641D) processor with 4194304K bytes of memory.
MPC8641D processor at 1333MHz, Revision 2.2
ASR-9010-CHASSIS
Description:
Previous releases of libtiff contain several buffer overflow
vulnerabilities, which could allow an attacker to crash an
application or execute arbitrary code via a specially
crafted tiff image file. See the linked CVEs for more
information about the specific cases which have been fixed.
http://wiki.rpath.com/Advisories:rPSA-2010-0064
Copyright 2010 rPath, Inc.
of its allocated memory, potentially allowing an attacker to execute
arbitrary code on the system running ImageMagick (CVE-2008-1096).
Another heap-based buffer overflow vulnerability was found in how
ImageMagick processed certain malformed PCX images. If ImageMagick
opened a specially-crafted PCX image file, an attacker could
possibly execute arbitrary code on the system running ImageMagick
(CVE-2008-1097).
The updated packages have been patched to correct these issues.
_______________________________________________________________________
Problem Description:
A vulnerability has been found and corrected in libpng:
A heap-based buffer overflow flaw was found in the way libpng
processed compressed chunks in PNG image files. An attacker could
create a specially-crafted PNG image file that, when opened, could
cause an application using libpng to crash or, possibly, execute
arbitrary code with the privileges of the user running the application
(CVE-2011-3045).
Vstack Director IP address: 10.1.1.163
Vstack Mode: Basic
Vstack default management vlan: 1
Vstack management Vlans: none
Vstack Config file: tftp://10.1.1.100/default-config.txt
Vstack Image file: tftp://10.1.1.100/c3750e-universalk9-tar.122-
Join Window Details:
Window: Open (default)
Operation Mode: auto (default)
Vstack Backup Details:
Mode: On (default)
in jasper:
The jpc_qcx_getcompparms function in jpc/jpc_cs.c for the JasPer
JPEG-2000 library (libjasper) before 1.900 allows remote user-assisted
attackers to cause a denial of service (crash) and possibly corrupt
the heap via malformed image files, as originally demonstrated using
imagemagick convert (CVE-2007-2721).
Multiple integer overflows in JasPer 1.900.1 might allow
context-dependent attackers to have an unknown impact via a crafted
image file, related to integer multiplication for memory allocation
* Published : 2008-01-23
* Brief
SDL_Image is an open source library providing image file handling
functionality.
GIF format handling routines suffer from a lack of proper buffer
size validation, which makes them vulnerable to a buffer overflow
attack. An attacker could DoS an application using SDL_Image,
or execute arbitrary code (this has not been confirmed, and
necessary changes.
Details follow:
Tielei Wang discovered that GStreamer Good Plugins did not correctly handle
malformed PNG image files. If a user were tricked into opening a crafted
PNG image file with a GStreamer application, an attacker could cause a
denial of service via application crash, or possibly execute arbitrary code
with the privileges of the user invoking the program.
Description
===========
Tobias Klein reported the following vulnerabilities:
* A stack-based buffer overflow when processing CUE image files in
modules/access/vcd/cdrom.c (CVE-2008-5032).
* A stack-based buffer overflow when processing RealText (.rt)
subtitle files in the ParseRealText() function in
modules/demux/subtitle.c (CVE-2008-5036).
in jasper:
The jpc_qcx_getcompparms function in jpc/jpc_cs.c for the JasPer
JPEG-2000 library (libjasper) before 1.900 allows remote user-assisted
attackers to cause a denial of service (crash) and possibly corrupt
the heap via malformed image files, as originally demonstrated using
imagemagick convert (CVE-2007-2721).
Multiple integer overflows in JasPer 1.900.1 might allow
context-dependent attackers to have an unknown impact via a crafted
image file, related to integer multiplication for memory allocation
10.04 LTS, Ubuntu 10.10, and Ubuntu 11.04. (CVE-2011-0421)
Luca Carettoni discovered that the PHP Exif extension performs an
incorrect cast on 64bit platforms, which allows a remote attacker
to cause a denial of service (application crash) via an image with
a crafted Image File Directory (IFD). (CVE-2011-0708)
Jose Carlos Norte discovered that an integer overflow in the PHP
shmop extension could allow an attacker to cause a denial of service
(crash) and possibly read sensitive memory. (CVE-2011-1092)
III. ANALYSIS
Exploitation allows an attacker to execute arbitrary code with the
privileges of the current user. Exploitation would require convincing a
targeted user to view a malicious image file either hosted on a Web
server, on the local file system or embedded in an e-mail or Office
document, or through some form of social engineering.
This vulnerability also can be triggered through e-mail. If the e-mail
client can automatically display images embedded in the e-mail, the
CVE-2010-4543
Heap-based buffer overflow in the read_channel_data function in
file-psp.c in the Paint Shop Pro (PSP) plugin allows remote
attackers to cause a denial of service (application crash) or
possibly execute arbitrary code via a PSP_COMP_RLE (aka RLE
compression) image file that begins a long run count at the end
of the image.
CVE-2011-1782
The correction for CVE-2010-4543 was incomplete.
(CVE-2011-0421).
exif.c in the Exif extension in PHP before 5.3.6 on 64-bit platforms
performs an incorrect cast, which allows remote attackers to cause a
denial of service (application crash) via an image with a crafted Image
File Directory (IFD) that triggers a buffer over-read (CVE-2011-0708).
Integer overflow in ext/shmop/shmop.c in PHP before 5.3.6 allows
context-dependent attackers to cause a denial of service (crash)
and possibly read sensitive memory via a large third argument to the
shmop_read function (CVE-2011-1092).
Description:
LittleCMS, an open source color management engine, suffers from several
integer errors, resulting in stack based buffer overflows and various heap
errors as well as dangerous memory leaks. Decoding a specially crafted
image file will result in unexpected process termination, Denial Of
Service conditions or arbitrary code execution due to stack overflow.
LittleCMS is used by several Open Source projects including OpenJDK,
Firefox and GIMP.
A vulnerability has been found and corrected in libtiff:
An integer overflow was discovered in the libtiff/tiff_getimage.c
file in the tiff library which could cause execution of arbitrary
code using a specially crafted TIFF image file (CVE-2012-1173).
The updated packages have been patched to correct this issue.
_______________________________________________________________________
References:
WS-C6506 Software, Version NmpSW: 7.6(9)
Copyright (c) 1995-2004 by Cisco Systems
NMP S/W compiled on Aug 27 2004, 20:05:14
System Bootstrap Version: 7.1(1)
System Boot Image File is 'disk0:cat6000-sup2k8.7-6-9.bin'
System Configuration register is 0x2102
Hardware Version: 3.0 Model: WS-C6506 Serial #: TBA05360375
PS1 Module: WS-CAC-1300W Serial #: ACP05061071