CVE-2019-9144: Uncontrolled recursion loop in Exiv2::(anonymous namespace)::BigTiffImage::printIFD( ) – exiv2-0.27

Uncontrolled recursion loop in Exiv2::(anonymous namespace)::BigTiffImage::printIFD( ) – exiv2-0.27

Loginsoft-2018-1096

February 25, 2019

CVE Number

CVE-2019-9144

CWE

CWE-400: Uncontrolled Resource Consumption

Product Details

Exiv2 is a C++ library and a command line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata.
URL: https://github.com/Exiv2/exiv2

Vulnerable Versions

0.27

Vulnerability Details

We observed that there is an infinite loop generating recursively at Uncontrolled recursion loop in Exiv2::(anonymous namespace)::BigTiffImage::printIFD( ) in file bigtiffimage.cpp.The same be triggered by sending a crafted file to the exiv2 binary. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact.

SYNOPSIS

In progress

Vulnerable code
{
                                       // tag is an IFD
                                       io.seek(0, BasicIo::beg);  // position
                                       std::cerr << "makernote" << std::endl;
                                       printIFD(out,option,offset,depth);
                                   }

                                   io.seek(restore,BasicIo::beg); // restore
                               }
                           }
                       }

                       const uint64_t nextDirOffset = readData(dataSize_);

                       dir_offset = tooBig ? 0 : nextDirOffset;
                       out.flush();
                   } while (dir_offset != 0);
Analysis

 

Program received signal SIGINT, Interrupt.
0x00007ffff62276a9 in std::__cxx11::basic_string<char, std::char_traits, std::allocator >::_M_append(char const*, unsigned long) () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
[ Legend: Modified register | Code | Heap | Stack | String ]
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
$rax   : 0x0000620001c10a74  →  0xbebebebebe002020
$rbx   : 0x00007fffffccfd80  →  0x0000620001c10080  →  0x2020202020202020 ("        "?)
$rcx   : 0x0               
$rdx   : 0x2               
$rsp   : 0x00007fffffccfa80  →  0x00007fffffccfad0  →  0x00007fffffccfeb0  →  0x00007fffffcd0290  →  0x00007fffffcd0670  →  0x00007fffffcd0a50  →  0x00007fffffcd0e30  →  0x00007fffffcd1210
$rbp   : 0x9f6             
$rsi   : 0x00007ffff69f2020  →  0x0000000000000000
$rdi   : 0x0000620001c10080  →  0x2020202020202020 ("        "?)
$rip   : 0x00007ffff62276a9  →  <std::__cxx11::basic_string add rsp, 0x8
$r8    : 0x00007fffffccfd90  →  0x0000000000000f00
$r9    : 0x9f4             
$r10   : 0x00007fffffccf1e0  →  0x00007ffff6f036b3  →   mov r15, rax
$r11   : 0x00007fffffccf1e0  →  0x00007ffff6f036b3  →   mov r15, rax
$r12   : 0x00000ffffff99f84  →  0x0000000000000000
$r13   : 0x00007fffffccfc20  →  0x0000000041b58ab3
$r14   : 0x00007ffff69600a0  →  0x006e776f6e6b6e75 ("unknown"?)
$r15   : 0x00007fffffffdb20  →  0x0000000041b58ab3
$eflags: [carry PARITY adjust ZERO sign trap INTERRUPT direction overflow resume virtualx86 identification]
$cs: 0x0033 $ss: 0x002b $ds: 0x0000 $es: 0x0000 $fs: 0x0000 $gs: 0x0000 
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
0x00007fffffccfa80│+0x0000: 0x00007fffffccfad0  →  0x00007fffffccfeb0  →  0x00007fffffcd0290  →  0x00007fffffcd0670  →  0x00007fffffcd0a50  →  0x00007fffffcd0e30  →  0x00007fffffcd1210     ← $rsp
0x00007fffffccfa88│+0x0008: 0x00007fffffccfe80  →  0x00007ffff69600a0  →  0x006e776f6e6b6e75 ("unknown"?)
0x00007fffffccfa90│+0x0010: 0x00007fffffccfad0  →  0x00007fffffccfeb0  →  0x00007fffffcd0290  →  0x00007fffffcd0670  →  0x00007fffffcd0a50  →  0x00007fffffcd0e30  →  0x00007fffffcd1210
0x00007fffffccfa98│+0x0018: 0x00007ffff681f34b  →   jmp 0x7ffff681f326 
0x00007fffffccfaa0│+0x0020: 0x00000825fff99f84  →  0x0000000000000000
0x00007fffffccfaa8│+0x0028: 0x00007fffffccfd80  →  0x0000620001c10080  →  0x2020202020202020
0x00007fffffccfab0│+0x0030: 0x00007ffff69600a0  →  0x006e776f6e6b6e75 ("unknown"?)
0x00007fffffccfab8│+0x0038: 0x7ebffb45ba0eea00
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────
   0x7ffff622769e <std::__cxx11::basic_string mov    rdi, QWORD PTR [rbx]
   0x7ffff62276a1 <std::__cxx11::basic_string mov    QWORD PTR [rbx+0x8], rbp
   0x7ffff62276a5 <std::__cxx11::basic_string mov    BYTE PTR [rdi+rbp*1], 0x0
 → 0x7ffff62276a9 <std::__cxx11::basic_string add    rsp, 0x8
   0x7ffff62276ad <std::__cxx11::basic_string mov    rax, rbx
   0x7ffff62276b0 <std::__cxx11::basic_string pop    rbx
   0x7ffff62276b1 <std::__cxx11::basic_string pop    rbp
   0x7ffff62276b2 <std::__cxx11::basic_string ret    
   0x7ffff62276b3 <std::__cxx11::basic_string nop    DWORD PTR [rax+rax*1+0x0]
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "exiv2", stopped, reason: SIGINT
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
[#0] 0x7ffff62276a9 → std::__cxx11::basic_string<char, std::char_traits, std::allocator >::_M_append(char const*, unsigned long)()
[#1] 0x7ffff681f34b → Exiv2::Internal::indent[abi:cxx11](int)(d=0x825)
[#2] 0x7ffff66eb692 → Exiv2::(anonymous namespace)::BigTiffImage::printIFD(this=0x61300000de80, out=@0x672ac0, option=Exiv2::kpsRecursive, dir_offset=0x80, depth=0xd20)
[#3] 0x7ffff66ebe88 → Exiv2::(anonymous namespace)::BigTiffImage::printIFD(this=0x61300000de80, out=@0x672ac0, option=Exiv2::kpsRecursive, dir_offset=0x80, depth=0xd1f)
[#4] 0x7ffff66ebe88 → Exiv2::(anonymous namespace)::BigTiffImage::printIFD(this=0x61300000de80, out=@0x672ac0, option=Exiv2::kpsRecursive, dir_offset=0x80, depth=0xd1e)
[#5] 0x7ffff66ebe88 → Exiv2::(anonymous namespace)::BigTiffImage::printIFD(this=0x61300000de80, out=@0x672ac0, option=Exiv2::kpsRecursive, dir_offset=0x80, depth=0xd1d)
[#6] 0x7ffff66ebe88 → Exiv2::(anonymous namespace)::BigTiffImage::printIFD(this=0x61300000de80, out=@0x672ac0, option=Exiv2::kpsRecursive, dir_offset=0x80, depth=0xd1c)
[#7] 0x7ffff66ebe88 → Exiv2::(anonymous namespace)::BigTiffImage::printIFD(this=0x61300000de80, out=@0x672ac0, option=Exiv2::kpsRecursive, dir_offset=0x80, depth=0xd1b)
[#8] 0x7ffff66ebe88 → Exiv2::(anonymous namespace)::BigTiffImage::printIFD(this=0x61300000de80, out=@0x672ac0, option=Exiv2::kpsRecursive, dir_offset=0x80, depth=0xd1a)
[#9] 0x7ffff66ebe88 → Exiv2::(anonymous namespace)::BigTiffImage::printIFD(this=0x61300000de80, out=@0x672ac0, option=Exiv2::kpsRecursive, dir_offset=0x80, depth=0xd19)
Tested environment

64-bit ubuntu 16.04 LTS

Proof of Concept

exiv2 -b -u -k -p R pr $POC

Timeline

Vendor Disclosure: 21-02-2019
Public Disclosure: 15-02-2019

Credit

Discovered by ACE Team – Loginsoft