Uncontrolled recursion loop in Exiv2::(anonymous namespace)::BigTiffImage::printIFD( ) - exiv2-0.27
Loginsoft-2018-1096
February 25, 2019
CVE Number
CVE-2019-9144
CWE
CWE-400: Uncontrolled Resource Consumption
Product Details
Exiv2 is a C++ library and a command line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata.
URL: https://github.com/Exiv2/exiv2
Vulnerable Versions
0.27
Vulnerability Details
We observed an uncontrolled recursion in Exiv2::(anonymous namespace)::BigTiffImage::printIFD() in file bigtiffimage.cpp. When an IFD entry is itself an IFD (the "makernote" branch in the snippet below), printIFD() calls itself on the entry's offset without checking whether that directory has already been visited and without bounding the depth, so a crafted BigTIFF file whose entry points back at the directory being printed recurses until the stack is exhausted. The backtrace in the Analysis section shows every printIFD() frame re-entering the same directory (dir_offset=0x80) with an incrementing depth.
The issue is triggered by passing a crafted file to the exiv2 binary. It allows an attacker to cause a Denial of Service (Segmentation fault from stack exhaustion) or possibly have unspecified other impact.
SYNOPSIS
In progress
Vulnerable code
{
// tag is an IFD
io.seek(0, BasicIo::beg); // position
std::cerr << "makernote" << std::endl;
printIFD(out,option,offset,depth);
}
io.seek(restore,BasicIo::beg); // restore
}
}
}
const uint64_t nextDirOffset = readData(dataSize_);
dir_offset = tooBig ? 0 : nextDirOffset;
out.flush();
} while (dir_offset != 0);
Analysis
Program received signal SIGINT, Interrupt.
0x00007ffff62276a9 in std::__cxx11::basic_string::_M_append(char const*, unsigned long) () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
$rax : 0x0000620001c10a74 → 0xbebebebebe002020
$rbx : 0x00007fffffccfd80 → 0x0000620001c10080 → 0x2020202020202020 (" "?)
$rcx : 0x0
$rdx : 0x2
$rsp : 0x00007fffffccfa80 → 0x00007fffffccfad0 → 0x00007fffffccfeb0 → 0x00007fffffcd0290 → 0x00007fffffcd0670 → 0x00007fffffcd0a50 → 0x00007fffffcd0e30 → 0x00007fffffcd1210
$rbp : 0x9f6
$rsi : 0x00007ffff69f2020 → 0x0000000000000000
$rdi : 0x0000620001c10080 → 0x2020202020202020 (" "?)
$rip : 0x00007ffff62276a9 → ::_M_append(char const*, unsigned long)()
[#1] 0x7ffff681f34b → Exiv2::Internal::indent[abi:cxx11](int)(d=0x825)
[#2] 0x7ffff66eb692 → Exiv2::(anonymous namespace)::BigTiffImage::printIFD(this=0x61300000de80, out=@0x672ac0, option=Exiv2::kpsRecursive, dir_offset=0x80, depth=0xd20)
[#3] 0x7ffff66ebe88 → Exiv2::(anonymous namespace)::BigTiffImage::printIFD(this=0x61300000de80, out=@0x672ac0, option=Exiv2::kpsRecursive, dir_offset=0x80, depth=0xd1f)
[#4] 0x7ffff66ebe88 → Exiv2::(anonymous namespace)::BigTiffImage::printIFD(this=0x61300000de80, out=@0x672ac0, option=Exiv2::kpsRecursive, dir_offset=0x80, depth=0xd1e)
[#5] 0x7ffff66ebe88 → Exiv2::(anonymous namespace)::BigTiffImage::printIFD(this=0x61300000de80, out=@0x672ac0, option=Exiv2::kpsRecursive, dir_offset=0x80, depth=0xd1d)
[#6] 0x7ffff66ebe88 → Exiv2::(anonymous namespace)::BigTiffImage::printIFD(this=0x61300000de80, out=@0x672ac0, option=Exiv2::kpsRecursive, dir_offset=0x80, depth=0xd1c)
[#7] 0x7ffff66ebe88 → Exiv2::(anonymous namespace)::BigTiffImage::printIFD(this=0x61300000de80, out=@0x672ac0, option=Exiv2::kpsRecursive, dir_offset=0x80, depth=0xd1b)
[#8] 0x7ffff66ebe88 → Exiv2::(anonymous namespace)::BigTiffImage::printIFD(this=0x61300000de80, out=@0x672ac0, option=Exiv2::kpsRecursive, dir_offset=0x80, depth=0xd1a)
[#9] 0x7ffff66ebe88 → Exiv2::(anonymous namespace)::BigTiffImage::printIFD(this=0x61300000de80, out=@0x672ac0, option=Exiv2::kpsRecursive, dir_offset=0x80, depth=0xd19)
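The following is an added example written for this advisory; it is not Exiv2 code and does not reproduce printIFD() itself. It walks a little-endian BigTIFF IFD chain (u64 entry count, 20-byte entries of u16 tag / u16 type / u64 count / u64 value-or-offset, u64 next-IFD offset; type 18 = IFD8 marks a value that is itself an IFD offset) in the same shape as the vulnerable code, then beside it a hardened walk that bounds the depth and remembers visited offsets. buildFile() constructs the test input in memory: a single IFD at 0x80, as in the trace, whose IFD8 entry and next-IFD link can be pointed back at 0x80 to create the cycle. The depth limit kMaxDepth, the Status enum and the helper names are assumptions for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <set>
#include <stdexcept>
#include <vector>

// Added example, not Exiv2 code. Little-endian BigTIFF layout only.
namespace demo {

constexpr uint16_t kTypeIfd8 = 18;
constexpr int kMaxDepth = 8;  // hypothetical bound; real files nest only a few IFDs deep

struct Reader {
    const std::vector<uint8_t>& buf;
    uint64_t u64(uint64_t off) const {
        if (off > buf.size() || buf.size() - off < 8) throw std::runtime_error("read past end of file");
        uint64_t v = 0;
        for (int i = 0; i < 8; ++i) v |= uint64_t(buf[off + i]) << (8 * i);
        return v;
    }
    uint16_t u16(uint64_t off) const {
        if (off > buf.size() || buf.size() - off < 2) throw std::runtime_error("read past end of file");
        return uint16_t(buf[off] | (buf[off + 1] << 8));
    }
};

// Shape of the vulnerable walk: every IFD8 entry is followed with no memory of
// where we have been, so an entry whose offset is the directory being printed
// recurses forever (depth grows, dir_offset stays 0x80 in the trace above).
// 'fuel' exists only so this demo can stop instead of exhausting the stack.
bool walkUnbounded(const Reader& r, uint64_t dirOffset, int depth, size_t& fuel) {
    while (dirOffset != 0) {
        if (fuel == 0) return false;  // gave up: the walk would not have terminated
        --fuel;
        const uint64_t n = r.u64(dirOffset);
        for (uint64_t i = 0; i < n; ++i) {
            const uint64_t e = dirOffset + 8 + i * 20;
            if (r.u16(e + 2) == kTypeIfd8 && !walkUnbounded(r, r.u64(e + 12), depth + 1, fuel))
                return false;
        }
        dirOffset = r.u64(dirOffset + 8 + n * 20);  // next IFD in the chain
    }
    return true;
}

enum class Status { Ok, Cycle, TooDeep, Truncated };

// Hardened walk: a depth bound stops deep-but-acyclic nesting, and a set of
// already-visited IFD offsets stops cycles through sub-IFDs or the next-IFD link.
Status walkHardened(const Reader& r, uint64_t dirOffset, int depth, std::set<uint64_t>& seen) {
    if (depth > kMaxDepth) return Status::TooDeep;
    while (dirOffset != 0) {
        if (!seen.insert(dirOffset).second) return Status::Cycle;  // this IFD was already printed
        const uint64_t n = r.u64(dirOffset);
        for (uint64_t i = 0; i < n; ++i) {
            const uint64_t e = dirOffset + 8 + i * 20;
            if (r.u16(e + 2) == kTypeIfd8) {
                Status s = walkHardened(r, r.u64(e + 12), depth + 1, seen);
                if (s != Status::Ok) return s;
            }
        }
        dirOffset = r.u64(dirOffset + 8 + n * 20);
    }
    return Status::Ok;
}

// Entry point: read the first-IFD offset from the header and walk, mapping
// out-of-bounds reads to Truncated instead of letting them escape.
Status analyze(const std::vector<uint8_t>& file) {
    Reader r{file};
    std::set<uint64_t> seen;
    try {
        return walkHardened(r, r.u64(8), 0, seen);
    } catch (const std::runtime_error&) {
        return Status::Truncated;
    }
}

// Constructed test input: a minimal little-endian BigTIFF whose only IFD sits at
// 0x80 (as in the trace) and holds one IFD8 entry. subIfd/nextIfd choose where that
// entry and the next-IFD link point; 0x80 for either one creates a cycle, 0xa4
// points at an empty, well-formed sub-IFD.
std::vector<uint8_t> buildFile(uint64_t subIfd, uint64_t nextIfd) {
    std::vector<uint8_t> f(0xb4, 0);
    auto put16 = [&](uint64_t off, uint16_t v) { f[off] = uint8_t(v); f[off + 1] = uint8_t(v >> 8); };
    auto put64 = [&](uint64_t off, uint64_t v) { for (int i = 0; i < 8; ++i) f[off + i] = uint8_t(v >> (8 * i)); };
    f[0] = 'I'; f[1] = 'I';   // little-endian
    put16(2, 43);              // BigTIFF version
    put16(4, 8);               // offset size
    put16(6, 0);               // reserved
    put64(8, 0x80);            // first IFD offset
    put64(0x80, 1);            // one entry
    put16(0x88, 0x927c);       // tag id (MakerNote), only a label here
    put16(0x8a, kTypeIfd8);    // type IFD8: value is an IFD offset
    put64(0x8c, 1);            // count
    put64(0x94, subIfd);       // value: offset of the sub-IFD
    put64(0x9c, nextIfd);      // next-IFD link
    put64(0xa4, 0);            // empty sub-IFD: 0 entries ...
    put64(0xac, 0);            // ... and no next IFD
    return f;
}

}  // namespace demo
```

Treating a second visit to the same offset as an error is the conservative choice for a printer; a reader that must accept files where two tags legitimately share a sub-IFD can instead skip the repeat visit, which still prevents the loop. The depth bound is what catches a long chain of distinct IFDs that the visited set alone would walk to completion.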
Tested environment
64-bit ubuntu 16.04 LTS
Proof of Concept
exiv2 -b -u -k -p R pr $POC
where $POC is the path to the crafted BigTIFF file.
Timeline
Vendor Disclosure: 21-02-2019
Public Disclosure: 15-02-2019
Credit
Discovered by ACE Team - Loginsoft