Saturday, May 12, 2012

CVE-2011-3026 and CVE-2011-3045


I find myself focused on bugs and exploitation lately,  monitoring any patches for bugs that cause memory corruption and can be exploited.

Such an example is CVE-2011-3026, described on the libpng site as:

All versions of libpng from 1.0.6 through 1.5.8, 1.4.8, 1.2.46, and 1.0.56, respectively, fail to correctly validate a heap allocation in png_decompress_chunk(), which can lead to a buffer-overrun and the possibility of execution of hostile code on 32-bit systems. This serious vulnerability has been assigned ID CVE-2011-3026 and is fixed in version 1.5.9 (and versions 1.4.9, 1.2.47, and 1.0.57, respectively, on the older branches), released 18 February 2012. 

CVE-2011-3045

Integer signedness error in pngrutil.c in libpng before 1.4.10beta01, as used in Google Chrome before 17.0.963.83 and other products, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PNG file, a different vulnerability than CVE-2011-3026. 


Before the patch, memory could be allocated with the size, prefix_size + expanded_size + 1 , so a huge prefix and expanded size will cause an integer overflow, png_malloc_warn( wrapper around malloc) will then allocate a smaller size. A few lines afterwards the allocated memory and the huge expanded size is passed to png_inflate. CVE-2011-3045 comes into play here, int copy is assigned to expanded size(unsigned) resulting in a type conversion. Copy will become a negative value, passing the "if ( avail < copy) " check.

new_size = png_inflate(png_ptr,
                (png_bytep)(png_ptr->chunkdata + prefix_size),
                chunklength - prefix_size,
                (png_bytep)(text + prefix_size), expanded_size);



Patch for CVE-2011-3045











png_memcpy( replaced with rep movs) then uses copy as a very large size parameter :).






No comments:

Post a Comment