Bug 59120 (CVE-2004-1726) - VUL-0: CVE-2004-1726: multiple buffer overflows in xv
Summary: VUL-0: CVE-2004-1726: multiple buffer overflows in xv
Status: RESOLVED FIXED
Alias: CVE-2004-1726
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: All Linux
Priority: P3 - Medium, Severity: Normal
Target Milestone: ---
Assignee: Marcus Meissner
QA Contact: Security Team bot
URL:
Whiteboard: CVE-2004-1726: CVSS v2 Base Score: 7....
Keywords:
Depends on:
Blocks:
 
Reported: 2004-08-24 15:41 UTC by Marcus Meissner
Modified: 2021-10-19 13:43 UTC

See Also:
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
create-suckit-bmp.c (3.50 KB, text/plain), 2004-08-24 15:42 UTC, Marcus Meissner
v-3.10a-security.patch (3.94 KB, text/plain), 2004-08-24 19:19 UTC, Dr. Werner Fink

Description Marcus Meissner 2004-08-24 15:41:10 UTC
from bugtraq: 
Date: Fri, 20 Aug 2004 03:26:05 -0400 
From: infamous41md@hotpop.com 
Subject: XV multiple buffer overflows, exploit included 
 
Program Description: 
 
xv is an interactive image manipulation program for the X Window System. It
can operate on images in the GIF, JPEG, TIFF, PBM, PGM, PPM, XPM, X11 bitmap, Sun
Rasterfile, Targa, RLE, RGB, BMP, PCX, FITS, and PM formats on all known types
of X displays. It can generate PostScript files, and if you have ghostscript
(version 2.6 or above) installed on your machine, it can also display them.
 
 
Vulnerable Versions: 
 
probably all of them, but I only looked at the newest, 3.10a. 
 
 
Summary: 
 
there are at least 5 exploitable buffer and heap overflows in the image
handling code.  this allows someone to craft a malicious image, trick a user
into viewing the file in xv, and upon viewing that image execute arbitrary
code under privileges of the user viewing image.  note the AT LEAST part of
the above sentence.  there is such a plethora of bad code that I just stopped
reading after a while.  there are at least 100 calls to sprintf() and strcpy()
with no regards for bounds of buffers.  95% of these deal with program
arguments or filenames, so they are of no interest to exploit.  however I
just got sick of reading this code after not too long.  so I'm sure there are
still other overflows in the image handling code for other image types.
 
 
Details: 
 
xvbmp.c +168 -  a user value is used to iterate a loop and copy data to a
                stack buffer.

xviris.c +270 - multiple heap overflows due to integer overflows in memory
                allocation with user supplied values.

xvpcx.c +226 -  another integer overflow in memory allocation leading to a
                heap overflow.

xvpm.c +141 -   another integer overflow in memory allocation leading to a
                heap overflow.

Exploits:
 
an exploit for the first overflow is attached.  I might write some more
exploits for the rest when I'm bored, but atm there are more interesting
things to try and exploit, ie Qt.  if you're really in need of more exploits,
email me at my REAL email address and I'll make some time to try and write
them.
 
 
Credits, Thanks, and Shouts: 
 
All vulnerabilities were found by myself.  thanks to christian (I don't know if
he wants me to say his last name) for suggesting I audit xv.  shouts to peeps
at byterage.
 
 
Vendor Status: 
 
this guy doesn't answer emails.
Comment 1 Marcus Meissner 2004-08-24 15:41:10 UTC
there was an exploit program attached, but it does not work on all platforms.
Comment 2 Marcus Meissner 2004-08-24 15:42:34 UTC
Created attachment 22856 [details]
create-suckit-bmp.c

$ ./create-suckit-bmp 0xff00ff00
$ xv suckit.bmp 
Speicherzugriffsfehler
$

will only work on intel.
Comment 3 Marcus Meissner 2004-08-24 15:54:03 UTC
Fix for 
xvbmp.c:168 use limit check against biBitCount (biBitCount <= 8) 
 
Fix for rest (malloc related overflows): 
try limiting the number of bytes passed in there, so there is no integer 
overflow. :/ 
Comment 4 Dr. Werner Fink 2004-08-24 18:17:15 UTC
biBitCount can be 1, 4, 8, 16, 24, 32 bits.
Comment 5 Dr. Werner Fink 2004-08-24 18:36:24 UTC
The solution for this problem is simply

     if (biClrUsed > (1 << biBitCount))
         biClrUsed = (1 << biBitCount);

in other words, do not allow more colors than the color depth
can handle.
Comment 6 Marcus Meissner 2004-08-24 18:39:58 UTC
in palette mode it should have biBitCount of 8 or less (1,4,8), otherwise 
we overflow the r,g,b arrays. 
Comment 7 Dr. Werner Fink 2004-08-24 18:46:11 UTC
Yep, my check does the work.  The suckit.bmp uses 700 colors and a depth
of 4, and this will be caught now.  Nevertheless I've also added some
sanity checks to exit before allocating colors.
Comment 8 Dr. Werner Fink 2004-08-24 19:04:29 UTC
For xviris.c at line 307 ff 

    /* tablen * sizeof(long) is an unsigned size_t, so the original
       "(tablen * sizeof(long)) < 0" comparison can never be true;
       test for wrap-around of the allocation size instead. */
    if (rlebuflen < 0 || tablen < 0 ||
        (size_t)tablen > SIZE_MAX / sizeof(long)) {
      loaderr = "Bogus IRIS File!";
      return (byte *)NULL;
    }

this check may help.
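The two hardening ideas from Comments 5 to 8, a palette count clamped to what the BMP bit depth can index and an allocation size checked for integer wrap-around, written out as an added example; this is not xv's code nor the patch attached to this bug, and the function names are hypothetical:

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical helper: number of palette entries a BMP header may carry.
 * Palette modes are 1, 4 or 8 bits per pixel (Comment 6); anything else
 * has no palette to load into a 256-entry r/g/b table, so return -1.
 * biClrUsed == 0 means "all colours for this depth" per the BMP format. */
int bmp_palette_entries(unsigned biBitCount, unsigned biClrUsed)
{
    if (biBitCount != 1 && biBitCount != 4 && biBitCount != 8)
        return -1;
    unsigned max_colors = 1u << biBitCount;        /* 2, 16 or 256 */
    if (biClrUsed == 0)
        return (int)max_colors;
    if (biClrUsed > max_colors)                    /* Comment 5's clamp */
        biClrUsed = max_colors;
    return (int)biClrUsed;
}

/* Hypothetical helper: compute count * elem_size for an allocation such as
 * the IRIS rle table (Comment 8). Returns 1 and stores the byte count in
 * *out when the request is sane; returns 0 for a negative count or a
 * product that would wrap around size_t. */
int table_bytes(long count, size_t elem_size, size_t *out)
{
    if (count < 0)
        return 0;
    if (elem_size != 0 && (size_t)count > SIZE_MAX / elem_size)
        return 0;                                  /* would overflow */
    *out = (size_t)count * elem_size;
    return 1;
}

/* malloc() wrapper that refuses a wrapped-around size instead of handing
 * back an undersized buffer. */
void *checked_table_alloc(long count, size_t elem_size)
{
    size_t bytes;
    if (!table_bytes(count, elem_size, &bytes))
        return NULL;
    return malloc(bytes);
}
```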
Comment 9 Dr. Werner Fink 2004-08-24 19:19:52 UTC
Created attachment 22864 [details]
v-3.10a-security.patch

Should avoid described overflows
Comment 10 Marcus Meissner 2004-08-24 19:53:43 UTC
Can you submit packages with this patch for 8.1 up to 9.1 and STABLE? 
 
And also forward the patch to the maintainer? 
 
I will forward it to vendor-sec for review. 
 
 
Comment 11 Dr. Werner Fink 2004-08-24 20:24:46 UTC
AFAIK xv isn't maintained anymore.
For STABLE I've put it to /work/srd/done/STABLE/
other changes are in progress
Comment 12 Marcus Meissner 2004-08-24 20:54:55 UTC
submitted /work/src/done/PATCHINFO/xv.patch.{box,maintained}
submitted Laufzettel (routing slip).
Comment 13 Dr. Werner Fink 2004-08-24 21:06:07 UTC
Hmmm ... then please remove my patchinfo files

       /work/src/done/PATCHINFO/xv.cEy7PE

and

       /work/src/done/PATCHINFO/xv.rU9VL8

Comment 14 Dr. Werner Fink 2004-08-24 21:07:05 UTC
Btw: the bugzilla number is 44120 and not 41420
Comment 15 Marcus Meissner 2004-08-24 21:43:40 UTC
Reopened by meissner@suse.de at Tue Aug 24 15:43:40 2004
Comment 16 Marcus Meissner 2004-08-24 21:43:40 UTC
thanks! 
 
reopen for update tracking 
Comment 17 Thomas Biege 2004-08-31 21:34:18 UTC
packages approved 
Comment 18 Ludwig Nussel 2005-04-12 07:37:02 UTC
Should be  
CAN-2004-1725  
CAN-2004-1726  
Comment 19 Thomas Biege 2009-10-13 19:48:16 UTC
CVE-2004-1726: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)