Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20170122132251.GA11536@pepper.home.stoeckmann.org>
Date: Sun, 22 Jan 2017 14:22:51 +0100
From: Tobias Stoeckmann <tobias@...eckmann.org>
To: oss-security@...ts.openwall.com
Subject: CVE Request: libXpm < 3.5.12 heap overflow

SUMMARY
=======
An out of boundary write has been found in libXpm < 3.5.12 which can be
exploited by an attacker through maliciously crafted XPM files.

PREREQUISITE
============
For this vulnerability to step in, a program must explicitly request
to also parse XPM extensions while reading files. The motif toolkit and
xdm are two among some programs that set the flag (XpmReturnExtensions).
It can only be exploited on 64 bit systems.

DETAILS
=======
The affected code is prone to two 32 bit integer overflows while parsing
extensions: the amount of extensions and their concatenated length. The
fact that two such overflows exist makes it possible to have full
control of the memory management. The attacker can choose:

- how much heap space is allocated
- how many bytes will overflow
- the content of the bytes that overflow

Due to the integrated gzip compression in XPM files, the file can be
as small as 4 MB to trigger this issue, and doesn't need to be larger
than 8 MB for a fully arbitrary attack.

PROOF OF CONCEPT
================
I have attached two files: poc.c is a vulnerable program that uses
libXpm to parse an XPM file, including its extensions. The second file
is a maliciously crafted XPM file, which is gzip-compressed thrice to
reduce its size to be friendlier for e-mail transmissions. You have to
gunzip it twice, which increases its size back to 4 MB. If used with a
vulnerable version, the program will trigger a segmentation fault.

SOLUTION
========
It is recommend to update to the released libXpm version 3.5.12.

The commit that fixes the issue can be found here:
https://cgit.freedesktop.org/xorg/lib/libXpm/commit/?id=d1167418f0fd02a27f617ec5afd6db053afbe185

View attachment "poc.c" of type "text/plain" (586 bytes)

Download attachment "poc.xpm.gz.gz.gz" of type "application/x-gunzip" (1058 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.