Vulnerability #9: Picture Data Length Heap Overflow
By modifying the Picture Data Length field to an excessively large
value, such as 0xFFFFFFFF, a heap-based overflow can be achieved. When a
vulnerable application that supports Picture Metadata blocks processes
an album art image, it uses this field to determine the size in bytes of
the embedded image file. This memory is allocated without bounds
checking and could be used to overwrite memory and pointers with
arbitrary values from inside the FLAC file.
Vulnerability #10: Picture URL Stack Overflow
Whenever a FLAC file's MIME-Type is set to "-->" this is a flag to
Copyright (c) 2008 by Cisco Systems, Inc.
ROM: System Bootstrap, Version 1.49(20080319:195807) [CRS-1 ROMMON],
CRS uptime is 4 weeks, 4 days, 1 minute
System image file is "disk0:hfr-os-mbi-3.6.2/mbihfr-rp.vm"
cisco CRS-8/S (7457) processor with 4194304K bytes of memory.
7457 processor at 1197Mhz, Revision 1.2
17 Packet over SONET/SDH network interface(s)
http://www.gnu.org/licenses/gpl.html.
Software
loader: Version 0.95
system: Version A3(1.0) [build 3.0(0)A3(0.0.148)]
system image file: (nd)/192.168.65.31/scimitar.bin
Device Manager version 1.1 (0) 20080805:0415
...
<output truncated>
raises an Access Violation exception, which causes a DoS condition.
3. In a PE file, the IMAGE_OPTIONAL_HEADER contains an array of
IMAGE_DATA_DIRECTORY structures called DataDirectory. This structure
contains, among other things, the size of the import directory. Fileinfo
fails to check this field in the Image File Header tab, which may
lead to printing out information about false DLL files that in
reality are not loaded and not used.
4. In a PE file, the IMAGE_IMPORT_DESCRIPTOR contains pointers to
arrays of pointers to strings, and a pointer to the name of the DLL being
XnView JLS File Decompression Heap Overflow
Summary
XnView Formats PlugIn is prone to an overflow condition. The JLS Plugin (xjpegls.dll) library fails to properly sanitize user-supplied input resulting in a heap-based buffer overflow. With a specially crafted JLS compressed image file, a context-dependent attacker could potentially execute arbitrary code.
Advisory page: http://www.reactionpenetrationtesting.co.uk/xnview-jls-heap.html
POC file posted at: http://www.reactionpenetrationtesting.co.uk/vuln.jls
CVE number: CVE-2012-4988
Secunia Research has discovered some vulnerabilities in ACDSee
products, which can be exploited by malicious people to compromise a
user's system.
1) An input validation error within ID_PSP.apl when processing PSP
image files can be exploited to cause a heap-based buffer overflow via
a specially crafted PSP image file.
2) An integer overflow error within ID_PSP.apl when processing PSP
image files can be exploited to cause a heap-based buffer overflow via
a specially crafted PSP image file.
_______________________________________________________________________
Problem Description:
An infinite recursion flaw was found in the way that libexif parses
Exif image tags. A carefully crafted Exif image file opened by an
application linked against libexif could cause the application to crash
(CVE-2007-6351).
An integer overflow flaw was also found in how libexif parses
Exif image tags. A carefully crafted Exif image file opened by
necessary changes.
Details follow:
Drew Yao discovered several flaws in the way OpenEXR handled certain
malformed EXR image files. If a user were tricked into opening a crafted
EXR image file, an attacker could cause a denial of service via application
crash, or possibly execute arbitrary code with the privileges of the user
invoking the program. (CVE-2009-1720, CVE-2009-1721)
It was discovered that OpenEXR did not properly handle certain malformed
Multiple security vulnerabilities have been identified and fixed in
Little cms:
A memory leak flaw allows remote attackers to cause a denial of service
(memory consumption and application crash) via a crafted image file
(CVE-2009-0581).
Multiple integer overflows allow remote attackers to execute arbitrary
code via a crafted image file that triggers a heap-based buffer
overflow (CVE-2009-0723).
user.
This vulnerability exists in the way GDI handles integer math. An
integer overflow could occur while calculating a buffer length,
which results in an undersized heap buffer being allocated. This buffer
is then overflowed with data from the input image file.
III. ANALYSIS
Exploitation allows an attacker to execute arbitrary code with the
privileges of the current user. Exploitation would require convincing a
that, when opened in Gimp would cause the CEL plug-in to crash or,
potentially, execute arbitrary code with the privileges of the user
running the gimp executable (CVE-2012-3403).
An integer overflow flaw, leading to a heap-based buffer overflow, was
found in the GIMP's GIF (Graphics Interchange Format) image file
plug-in. An attacker could create a specially-crafted GIF image
file that, when opened, could cause the GIF plug-in to crash or,
potentially, execute arbitrary code with the privileges of the user
running the GIMP (CVE-2012-3481).
Multiple security vulnerabilities have been identified and fixed in the
Little cms library embedded in OpenJDK:
A memory leak flaw allows remote attackers to cause a denial of service
(memory consumption and application crash) via a crafted image file
(CVE-2009-0581).
Multiple integer overflows allow remote attackers to execute arbitrary
code via a crafted image file that triggers a heap-based buffer
overflow (CVE-2009-0723).
code via a crafted DCM image, or the colors or comments field in a
crafted XWD image. It only affects the oldstable distribution (etch).
CVE-2007-4985
A crafted image file can trigger an infinite loop in the ReadDCMImage
function or in the ReadXCFImage function. It only affects the oldstable
distribution (etch).
CVE-2007-4986
Multiple security vulnerabilities have been identified and fixed
in netpbm:
Multiple integer overflows in JasPer 1.900.1 might allow
context-dependent attackers to have an unknown impact via a crafted
image file, related to integer multiplication for memory allocation
(CVE-2008-3520).
Buffer overflow in the jas_stream_printf function in
libjasper/base/jas_stream.c in JasPer 1.900.1 might allow
context-dependent attackers to have an unknown impact via
======================================================================
Secunia Research 19/04/2010
- e107 Avatar/Photograph Image File Upload Vulnerability -
======================================================================
Table of Contents
Affected Software....................................................1
=======
IrfanView Formats PlugIn is prone to an overflow condition. The JLS Plugin
(jpeg_ls.dll) library fails to properly sanitize user-supplied input
resulting in a heap-based buffer overflow. With a specially crafted JLS
compressed image file, a context-dependent attacker could potentially
execute arbitrary code.
CVE number: CVE-2012-3585
Impact: high
Vendor Homepage: http://www.ifranview.com/
Stefan Cornelius (Secunia Research) reported two boundary errors in
Imlib2:
* One of them within the load() function in the file
src/modules/loaders/loader_pnm.c when processing the header of a PNM
image file, possibly leading to a stack-based buffer overflow.
* The second one within the load() function in the file
src/modules/loader_xpm.c when processing an XPM image file, possibly
leading to a stack-based buffer overflow.
Updated gimp packages fix security vulnerabilities:
An integer overflow flaw, leading to a heap-based buffer overflow,
was found in the GIMP's GIF image format plug-in. An attacker could
create a specially-crafted GIF image file that, when opened, could
cause the GIF plug-in to crash or, potentially, execute arbitrary
code with the privileges of the user running the GIMP (CVE-2012-3481).
A heap-based buffer overflow flaw was found in the GIMP's KiSS CEL
file format plug-in. An attacker could create a specially-crafted
The provided chm_1.chm proof-of-concept contains the address where code
execution will continue at offset 0x17 of test.gif (set to
0x41414141; you can use any value because it's binary data), and I have
placed a bindshell (w32-bind-ngs-shellcode by SkyLined) at offset 0x200
of the same image file only as a reference during my tests.
The folder build_chm_1 instead contains the original files from which
chm_1.chm has been created using the steps listed above.
CVE-2011-0192
A buffer overflow allows execution of arbitrary code or causes
a denial of service via a crafted TIFF Internet Fax image
file that has been compressed using CCITT Group 4 encoding.
CVE-2011-1167
Heap-based buffer overflow in the thunder (aka ThunderScan)
decoder allows execution of arbitrary code via a TIFF file that
Heap-based buffer overflow in the read_channel_data function in
file-psp.c in the Paint Shop Pro (PSP) plugin in GIMP 2.6.11 allows
remote attackers to cause a denial of service (application crash)
or possibly execute arbitrary code via a PSP_COMP_RLE (aka RLE
compression) image file that begins a long run count at the end of
the image (CVE-2010-4543, CVE-2011-1782).
Packages for 2009.0 are provided as of the Extended Maintenance
Program. Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149&products_id=490
(CVE-2011-0421).
exif.c in the Exif extension in PHP before 5.3.6 on 64-bit platforms
performs an incorrect cast, which allows remote attackers to cause a
denial of service (application crash) via an image with a crafted Image
File Directory (IFD) that triggers a buffer over-read (CVE-2011-0708).
Integer overflow in ext/shmop/shmop.c in PHP before 5.3.6 allows
context-dependent attackers to cause a denial of service (crash)
and possibly read sensitive memory via a large third argument to the
shmop_read function (CVE-2011-1092).
SUMMARY AND IMPACT:
The ActiveWeb Professional 3.0 web content management server is
vulnerable to remote operating system takeover. An unauthenticated
remote user can upload malicious files and backdoor ColdFusion
websites using the EasyEdit.cfm page. By accessing the "getImagefile"
section of the EasyEdit module, the remote attacker can change hidden
form fields to upload malicious applications and ColdFusion CFML
websites that execute those malicious applications or operating system
commands in the context of the ColdFusion service account (SYSTEM).
The remote user can now perform all functions of the system
This year's challenge starts from the homepage of a young woman who is
rumored to be the girlfriend of an infamous carder. To solve the
challenge, the participants need to step into an investigator's shoes and
follow the clues to find all gang members. But this is only where the
challenge begins: each gang member possesses a piece of a secret image
file that they have hidden using their own expertise.
Gang members and their secrets can be revealed in any order. The
scoreboard shows a real-time overview of all investigators, as well as
a detailed TOP 20 ranking. What is more, this year's challenge will
require a more diverse skillset than ever before. Finding the gang
Description:
Previous releases of libtiff contain several buffer overflow
vulnerabilities, which could allow an attacker to crash an
application or execute arbitrary code via a specially
crafted TIFF image file. See the linked CVEs for more
information about the specific cases which have been fixed.
http://wiki.rpath.com/Advisories:rPSA-2010-0064
Copyright 2010 rPath, Inc.