Vulnerabilities > CVE-2016-8331 - Unspecified vulnerability in Libtiff 4.0.6

CVSS 6.8 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
libtiff
nessus

Summary

An exploitable remote code execution vulnerability exists in the handling of TIFF images in LibTIFF version 4.0.6. A crafted TIFF document can lead to a type confusion vulnerability resulting in remote code execution. This vulnerability can be triggered via a TIFF file delivered to the application using LibTIFF's tag extension functionality. In the Talos/Seebug analysis reproduced below, the confusion is between the type the caller assumes for extension tag 326 (BadFaxLines) — the bundled `thumbnail` tool fetches it as a TIFF_LONG through `TIFFGetField` — and the TIFF_DOUBLE case that `_TIFFVGetField` actually takes for it, so an 8-byte value is written through a `double *` pulled from a va_list that was never populated in that form. The write-up notes the flaw lives in the LibTIFF API itself, so other consumers that fetch tags generically through `TIFFGetField` are likely exposed in the same way, not only `thumbnail`.

Vulnerable Configurations

| Part | Description | Count |
|---|---|---|
| Application | Libtiff | 1 |

Nessus

  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3212-3.NASL
    descriptionUSN-3212-1 and USN-3212-2 fixed a vulnerability in LibTIFF. This update provides a subset of the corresponding update for Ubuntu 12.04 ESM. It was discovered that LibTIFF incorrectly handled certain malformed images. If a user or automated system were tricked into opening a specially crafted image, a remote attacker could crash the application, leading to a denial of service, or possibly execute arbitrary code with user privileges. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id101833
    published2017-07-20
    reporterUbuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/101833
    titleUbuntu 12.04 LTS : tiff vulnerabilities (USN-3212-3)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-3212-3. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    # Registration pass: Nessus evaluates this branch when it loads the plugin
    # to harvest metadata, then leaves via exit(0). The package check further
    # down only runs when the plugin is launched against a host.
    if (description)
    {
      script_id(101833);
      script_version("3.5");
      script_cvs_date("Date: 2019/09/18 12:31:46");
    
      # Every CVE closed by USN-3212-3. CVE-2016-8331 is one of sixteen, so a
      # hit from this plugin means the installed libtiff predates the fix, not
      # that this particular bug was exercised or confirmed.
      script_cve_id("CVE-2015-7554", "CVE-2015-8668", "CVE-2016-10092", "CVE-2016-3623", "CVE-2016-3624", "CVE-2016-3632", "CVE-2016-3990", "CVE-2016-3991", "CVE-2016-5321", "CVE-2016-5322", "CVE-2016-8331", "CVE-2016-9453", "CVE-2016-9533", "CVE-2016-9534", "CVE-2016-9536", "CVE-2016-9537");
      script_xref(name:"USN", value:"3212-3");
    
      script_name(english:"Ubuntu 12.04 LTS : tiff vulnerabilities (USN-3212-3)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      # Advisory text is carried verbatim (including the upstream typo
      # "vulnerabilitiy"); it is data, not something the check depends on.
      script_set_attribute(
        attribute:"description", 
        value:
    "USN-3212-1 and USN-3212-2 fixed a vulnerabilitiy in LibTIFF. This
    update provides a subset of corresponding update for Ubuntu 12.04 ESM.
    
    It was discovered that LibTIFF incorrectly handled certain malformed
    images. If a user or automated system were tricked into opening a
    specially crafted image, a remote attacker could crash the
    application, leading to a denial of service, or possibly execute
    arbitrary code with user privileges.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/3212-3/"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected libtiff-tools and / or libtiff4 packages."
      );
      # These vectors are the worst case across all CVEs listed above (CVSS2
      # AC:L), not CVE-2016-8331's own scoring: this page rates that CVE at
      # 6.8 with AC:M, and the Talos advisory gives CVSS3 8.1 with AC:H.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      # Tenable's view as of the script date above. The Talos write-up
      # (TALOS-2016-0190) describes a crash trigger for CVE-2016-8331, so read
      # this as "no weaponised exploit known", not "not triggerable".
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      # Scope of the check: the two tiff binary packages on Ubuntu 12.04 LTS.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libtiff-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libtiff4");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:12.04:-:lts");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/01/08");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/07/19");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/07/20");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      # Local check: relies on the KB entries populated by ssh_get_info.nasl,
      # in particular the dpkg -l listing, so it cannot run unauthenticated.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    # Preconditions: credentialed data must be present and the host must be
    # Ubuntu 12.04 on x86/x86_64. audit() reports the reason and terminates,
    # so each guard below is a hard stop rather than a branch.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/Ubuntu/release");
    if (isnull(release)) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (!preg(pattern:"^(12\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 12.04", "Ubuntu " + release);
    
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # Only x86/x86_64 hosts are evaluated; anything else is reported as
    # "not implemented", never as clean.
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (!("x86_64" >< cpu || cpu =~ "^i[3-6]86$")) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    # Both binary packages come from the same source package and share one
    # fixed version; count how many installed copies are still behind it.
    fixed_ver = "3.9.5-2ubuntu1.10";
    vuln_count = 0;
    foreach pkg (make_list("libtiff-tools", "libtiff4"))
    {
      if (ubuntu_check(osver:"12.04", pkgname:pkg, pkgver:fixed_ver)) vuln_count++;
    }
    
    if (vuln_count > 0)
    {
      security_report_v4(port:0, severity:SECURITY_HOLE, extra:ubuntu_report_get());
      exit(0);
    }
    
    # Nothing outdated: distinguish "checked and current" from "not installed".
    checked = ubuntu_pkg_tests_get();
    if (checked) audit(AUDIT_PACKAGE_NOT_AFFECTED, checked);
    audit(AUDIT_PACKAGE_NOT_INSTALLED, "libtiff-tools / libtiff4");
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-1835-1.NASL
    descriptionThis update for tiff fixes the following security issues : - CVE-2017-5225: Prevent heap buffer overflow in tools/tiffcp that could have caused DoS or code execution via a crafted BitsPerSample value (bsc#1019611) - CVE-2018-7456: Prevent a NULL pointer dereference in the function TIFFPrintDirectory when using the tiffinfo tool to print crafted TIFF information, a different vulnerability than CVE-2017-18013 (bsc#1082825) - CVE-2017-11613: Prevent denial of service in the TIFFOpen function. During the TIFFOpen process, td_imagelength is not checked. The value of td_imagelength can be directly controlled by an input file. In the ChopUpSingleUncompressedStrip function, the _TIFFCheckMalloc function is called based on td_imagelength. If the value of td_imagelength is set close to the amount of system memory, it will hang the system or trigger the OOM killer (bsc#1082332) - CVE-2016-10266: Prevent remote attackers from causing a denial of service (divide-by-zero error and application crash) via a crafted TIFF image, related to libtiff/tif_read.c:351:22 (bsc#1031263) - CVE-2018-8905: Prevent heap-based buffer overflow in the function LZWDecodeCompat via a crafted TIFF file (bsc#1086408) - CVE-2016-9540: Prevent out-of-bounds write on tiled images with odd tile width versus image width (bsc#1011839). - CVE-2016-9535: tif_predict.h and tif_predict.c had assertions that could have led to assertion failures in debug mode, or buffer overflows in release mode, when dealing with unusual tile sizes like YCbCr with subsampling (bsc#1011846). - Removed assert in readSeparateTilesIntoBuffer() function (bsc#1017689). 
- CVE-2016-10095: Prevent stack-based buffer overflow in the _TIFFVGetField function that allowed remote attackers to cause a denial of service (crash) via a crafted TIFF file (bsc#1017690). - CVE-2016-8331: Prevent remote code execution because of incorrect handling of TIFF images. A crafted TIFF document could have led to a type confusion vulnerability resulting in remote code execution. This vulnerability could have been triggered via a TIFF file delivered to the application using LibTIFF's tag extension functionality.
    last seen2020-06-01
    modified2020-06-02
    plugin id110803
    published2018-06-29
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110803
    titleSUSE SLES11 Security Update : tiff (SUSE-SU-2018:1835-1)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3212-1.NASL
    descriptionIt was discovered that LibTIFF incorrectly handled certain malformed images. If a user or automated system were tricked into opening a specially crafted image, a remote attacker could crash the application, leading to a denial of service, or possibly execute arbitrary code with user privileges. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id97434
    published2017-02-28
    reporterUbuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97434
    titleUbuntu 14.04 LTS / 16.04 LTS / 16.10 : tiff vulnerabilities (USN-3212-1)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2018-677.NASL
    descriptionThis update for tiff fixes the following issues : These security issues were fixed : - CVE-2017-18013: There was a NULL pointer dereference in the tif_print.c TIFFPrintDirectory function, as demonstrated by a tiffinfo crash. (bsc#1074317) - CVE-2018-10963: The TIFFWriteDirectorySec() function in tif_dirwrite.c allowed remote attackers to cause a denial of service (assertion failure and application crash) via a crafted file, a different vulnerability than CVE-2017-13726. (bsc#1092949) - CVE-2018-7456: Prevent a NULL pointer dereference in the function TIFFPrintDirectory when using the tiffinfo tool to print crafted TIFF information, a different vulnerability than CVE-2017-18013 (bsc#1082825) - CVE-2017-11613: Prevent denial of service in the TIFFOpen function. During the TIFFOpen process, td_imagelength is not checked. The value of td_imagelength can be directly controlled by an input file. In the ChopUpSingleUncompressedStrip function, the _TIFFCheckMalloc function is called based on td_imagelength. If the value of td_imagelength is set close to the amount of system memory, it will hang the system or trigger the OOM killer (bsc#1082332) - CVE-2018-8905: Prevent heap-based buffer overflow in the function LZWDecodeCompat via a crafted TIFF file (bsc#1086408) - CVE-2016-8331: Prevent remote code execution because of incorrect handling of TIFF images. A crafted TIFF document could have led to a type confusion vulnerability resulting in remote code execution. This vulnerability could have been triggered via a TIFF file delivered to the application using LibTIFF's tag extension functionality.
    last seen2020-06-05
    modified2018-06-29
    plugin id110802
    published2018-06-29
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110802
    titleopenSUSE Security Update : tiff (openSUSE-2018-677)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-693.NASL
    descriptionVersion 4.0.2-6+deb7u7 introduced changes that resulted in libtiff being unable to write out tiff files when the compression scheme in use relies on codec-specific TIFF tags embedded in the image. This problem manifested itself with errors like those: $ tiffcp -r 16 -c jpeg sample.tif out.tif _TIFFVGetField: out.tif: Invalid tag
    last seen2020-03-17
    modified2016-11-03
    plugin id94474
    published2016-11-03
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/94474
    titleDebian DLA-693-2 : tiff regression update
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201701-16.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201701-16 (libTIFF: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in libTIFF. Please review the CVE identifier and bug reports referenced for details. Impact : A remote attacker could entice a user to process a specially crafted image file, possibly resulting in execution of arbitrary code with the privileges of the process or a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id96373
    published2017-01-10
    reporterThis script is Copyright (C) 2017 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/96373
    titleGLSA-201701-16 : libTIFF: Multiple vulnerabilities
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-1826-1.NASL
    descriptionThis update for tiff fixes the following issues: These security issues were fixed : - CVE-2017-18013: There was a NULL pointer dereference in the tif_print.c TIFFPrintDirectory function, as demonstrated by a tiffinfo crash. (bsc#1074317) - CVE-2018-10963: The TIFFWriteDirectorySec() function in tif_dirwrite.c allowed remote attackers to cause a denial of service (assertion failure and application crash) via a crafted file, a different vulnerability than CVE-2017-13726. (bsc#1092949) - CVE-2018-7456: Prevent a NULL pointer dereference in the function TIFFPrintDirectory when using the tiffinfo tool to print crafted TIFF information, a different vulnerability than CVE-2017-18013 (bsc#1082825) - CVE-2017-11613: Prevent denial of service in the TIFFOpen function. During the TIFFOpen process, td_imagelength is not checked. The value of td_imagelength can be directly controlled by an input file. In the ChopUpSingleUncompressedStrip function, the _TIFFCheckMalloc function is called based on td_imagelength. If the value of td_imagelength is set close to the amount of system memory, it will hang the system or trigger the OOM killer (bsc#1082332) - CVE-2018-8905: Prevent heap-based buffer overflow in the function LZWDecodeCompat via a crafted TIFF file (bsc#1086408) - CVE-2016-8331: Prevent remote code execution because of incorrect handling of TIFF images. A crafted TIFF document could have led to a type confusion vulnerability resulting in remote code execution. This vulnerability could have been triggered via a TIFF file delivered to the application using LibTIFF's tag extension functionality.
    last seen2020-06-01
    modified2020-06-02
    plugin id110763
    published2018-06-28
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110763
    titleSUSE SLED12 / SLES12 Security Update : tiff (SUSE-SU-2018:1826-1)

Seebug

bulletinFamilyexploit
description### Summary An exploitable remote code execution vulnerability exists in the handling of TIFF images in LibTIFF. A crafted TIFF document can lead to a type confusion vulnerability resulting in remote code execution. This vulnerability can be triggered via a TIFF file delivered to the application using LibTIFF's tag extension functionality. ### Tested Versions LibTIFF - 4.0.6 ### Product URLs http://www.remotesensing.org/libtiff/ ### CVSSv3 Score 8.1 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H ### Details There exists a vulnerability in the parsing and handling of TIFF images. A specially crafted TIFF image file can lead to an out of bounds write and ultimately to remote code execution. This vulnerability is present in the LibTIFF api and is present in the standard build. TIFF offers support for tag extensions allowing for more tags than the standard TIFF specification. One such tag is number 326, BadFaxLines. When using this tag in LibTIFF it is possible to have a type confusion vulnerability where LibTIFF attempts to read a mistyped argument off of the variable argument list. Running the provided trigger through the Thumbnail utility provided by LibTIFF gives us the following crash. ``` 1130 case TIFF_DOUBLE: -> 1131 *va_arg(ap, double*) = 1132 *(double *)val; (lldb) h -=[registers]=- [rax: 0x00000001003002d0] [rbx: 0x0000000000000146] [rcx: 0x0000390000003a03] [rdx: 0x0000000000000020] [rsi: 0x0000000000000018] [rdi: 0x0000000100300170] [rsp: 0x00007fff5fbff8e0] [rbp: 0x00007fff5fbff910] [ pc: 0x000000010001e08b] [ r8: 0x0000000000000040] [ r9: 0x00007fff71d71110] [r10: 0xffffffffffffffff] [r11: 0x0000000000000246] [r12: 0x0000000000000000] [r13: 0x0000000100300110] [r14: 0x00007fff5fbff9d0] [r15: 0x0000000000000000] [efl: 0x0000000000010202] [rflags: 00000000 NZ NS NO NC ND NI] -=[stack]=- 7fff5fbff8e0 | 0000000000000001 0000000101002c00 | .........,...... 7fff5fbff8f0 | eb008c3017da5776 0000000101002c00 | vW..0....,...... 
7fff5fbff900 | 0000000000000146 0000000000000000 | F............... 7fff5fbff910 | 00007fff5fbffa10 0000000100011338 | ..._....8....... -=[disassembly]=- 0x10001e080 <+9504>: lea rsp, [rsp + 0x98] 0x10001e088 <+9512>: mov rcx, qword ptr [rcx] -> 0x10001e08b <+9515>: mov qword ptr [rcx], rax 0x10001e08e <+9518>: jmp 0x10001e30e ; <+10158> at tif_dir.c:855 0x10001e093 <+9523>: nop word ptr cs:[rax + rax] 0x10001e0a0 <+9536>: lea rsp, [rsp - 0x98] (lldb) bt * thread #1: tid = 0x3008d362, 0x000000010001e08b libtiff.5.dylib`_TIFFVGetField(tif=<unavailable>, tag=326, ap=<unavailable>) + 9515 at tif_dir.c:1131, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x390000003a03) * frame #0: 0x000000010001e08b libtiff.5.dylib`_TIFFVGetField(tif=<unavailable>, tag=326, ap=<unavailable>) + 9515 at tif_dir.c:1131 frame #1: 0x0000000100011338 libtiff.5.dylib`TIFFGetField [inlined] TIFFVGetField(tif=0x0000000101002c00, tag=326) + 335 at tif_dir.c:1176 frame #2: 0x00000001000111e9 libtiff.5.dylib`TIFFGetField(tif=0x0000000101002c00, tag=326) + 345 at tif_dir.c:1160 frame #3: 0x0000000100001c7b thumbnail`main + 12 at thumbnail.c:178 frame #4: 0x0000000100001c6f thumbnail`main [inlined] cpTags at thumbnail.c:310 frame #5: 0x0000000100001c6f thumbnail`main [inlined] cpIFD at thumbnail.c:386 frame #6: 0x0000000100001c6f thumbnail`main(argc=<unavailable>, argv=<unavailable>) + 2415 at thumbnail.c:133 frame #7: 0x00007fff8260f5ad libdyld.dylib`start + 1 frame #8: 0x00007fff8260f5ad libdyld.dylib`start + 1 ``` The crash occurs at the following lines of code: ``` tif_dir.c 1130 case TIFF_DOUBLE: -> 1131 *va_arg(ap, double*) = 1132 *(double *)val; ``` Recall that `va_arg` retrieves the next available argument from the argument list `ap`. Let's take a look at where this function was called. ``` int TIFFGetField(TIFF * tif, uint32 tag, ...) 
{ int status; va_list ap; va_start(ap, tag) status = TIFFVGetField(tif, tag, ap); // Crash happens here va_end(ap); return (status); } ``` We see that we are passing in the variable argument list from TIFFGetField into TIFFVGetField. Effectively this is a wrapper for creating the variable list that will be handled by each individual tag. Let's traverse up one more function to see how `TIFFGetField` is called. ``` tools/thumbnail.c 136 #define CopyField(tag, v) \ 137 if (TIFFGetField(in, tag, &v)) TIFFSetField(out, tag, v) 165 case TIFF_LONG: 166 { uint32 longv; 167 CopyField(tag, longv); // Call to TIFFGetField 168 } 169 break; ``` Analyzing the crash a bit we can see the tag that we are crashing on is indeed number 326. Looking into the source we can see a double value is expected on the argument list but instead there is nothing there. ``` tif_dir.c:599 switch (fip->field_type) { ... tif_dir.c:659 case TIFF_DOUBLE: *va_arg(ap, double*) = *(double *)val; ret_val = 1; break; default: ret_val = 0; break; } ``` The vulnerability arises due to the field type being determined to be a double, yet the variable argument list is empty causing an out of bounds write and ultimately leading to an exploitable condition. ### Crash Information ``` Crashed thread log = : Dispatch queue: com.apple.main-thread 0 libtiff.5.dylib 0x00000001045ea5e0 _TIFFVGetField + 2784 (tif_dir.c:1132) 1 libtiff.5.dylib 0x00000001045e774b TIFFGetField + 219 (tif_dir.c:1177) 2 thumbnail 0x00000001045d8c7b main + 2427 (thumbnail.c:178) 3 libdyld.dylib 0x00007fff8260f5ad start + 1 log name is: ./crashlogs/libtiff-thumbnail-report_badfaxlines_tif.crashlog.txt --- exception=EXC_BAD_ACCESS:signal=11:is_exploitable=yes:instruction_disassembly=movq %rax,(%rcx):instruction_address=0x00000001045ea5e0:access_type=write:access_address=0x0000430000004403: Crash accessing invalid address. Consider running it again with libgmalloc(3) to see if the log changes. 
``` ### Timeline * 2016-07-25 - Vendor Disclosure * 2016-10-25 - Public Release
idSSV:96665
last seen2017-11-19
modified2017-10-12
published2017-10-12
reporterRoot
titleLibTIFF Tag Extension Remote Code Execution Vulnerability(CVE-2016-8331)

Talos

idTALOS-2016-0190
last seen2019-05-29
published2016-10-25
reporterTalos Intelligence
sourcehttp://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0190
titleLibTIFF Tag Extension Remote Code Execution Vulnerability