I find myself focused on bugs and exploitation lately, monitoring any patches for bugs that cause memory corruption and can be exploited.
One such example is CVE-2011-3026, described on the libpng site as:
All versions of libpng from 1.0.6 through 1.5.8, 1.4.8, 1.2.46, and 1.0.56, respectively, fail to correctly validate a heap allocation in png_decompress_chunk(), which can lead to a buffer-overrun and the possibility of execution of hostile code on 32-bit systems. This serious vulnerability has been assigned ID CVE-2011-3026 and is fixed in version 1.5.9 (and versions 1.4.9, 1.2.47, and 1.0.57, respectively, on the older branches), released 18 February 2012.
CVE-2011-3045
Integer signedness error in pngrutil.c in libpng before 1.4.10beta01, as used in Google Chrome before 17.0.963.83 and other products, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PNG file, a different vulnerability than CVE-2011-3026.
Before the patch, memory could be allocated with the size prefix_size + expanded_size + 1, so a huge prefix and expanded size will cause an integer overflow, and png_malloc_warn (a wrapper around malloc) will then allocate a smaller size. A few lines afterwards the allocated memory and the huge expanded size are passed to png_inflate. CVE-2011-3045 comes into play here: int copy is assigned from expanded size (unsigned), resulting in a type conversion. Copy will become a negative value, passing the "if (avail < copy)" check.
new_size = png_inflate(png_ptr, (png_bytep)(png_ptr->chunkdata + prefix_size), chunklength - prefix_size, (png_bytep)(text + prefix_size), expanded_size);
Patch for CVE-2011-3045
png_memcpy (replaced with rep movs) then uses copy as a very large size parameter :).
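The two defects above, the wrapping size computation and the signed/unsigned comparison, can be shown side by side with their hardened forms. The following is an added example written for this post, not libpng code; it models a 32-bit size type with uint32_t so the arithmetic behaves the same on any host, and every function name (wrapping_alloc_size, checked_alloc_size, mixed_sign_less_than, bounded_copy, demo) is hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Added example, not libpng code. It models the two defects the post describes
 * on a 32-bit size type (uint32_t), so the arithmetic behaves the same on any
 * host. Every function name here is hypothetical. */

/* Pre-fix style arithmetic: prefix_size + expanded_size + 1 wraps silently when
 * both operands are large, so the allocation comes out far smaller than the
 * data that will later be written into it. */
uint32_t wrapping_alloc_size(uint32_t prefix_size, uint32_t expanded_size)
{
    return prefix_size + expanded_size + 1;
}

/* Hardened form: check each addition against UINT32_MAX before doing it and
 * refuse the allocation instead of wrapping. */
bool checked_alloc_size(uint32_t prefix_size, uint32_t expanded_size,
                        uint32_t *out_size)
{
    if (expanded_size == UINT32_MAX)                      /* +1 would wrap */
        return false;
    if (prefix_size > UINT32_MAX - (expanded_size + 1))   /* prefix + ... wraps */
        return false;
    *out_size = prefix_size + expanded_size + 1;
    return true;
}

/* Pre-fix style comparison: `copy` is a signed int while `avail` is unsigned.
 * The usual arithmetic conversions turn a negative copy into a huge unsigned
 * value (-16 becomes 0xFFFFFFF0), so the comparison no longer says what the
 * programmer meant. The cast only spells out the conversion the compiler
 * performs implicitly. */
bool mixed_sign_less_than(uint32_t avail, int copy)
{
    return avail < (uint32_t)copy;
}

/* Hardened form of the inflate-output step: keep every size unsigned, derive
 * the copy length from the real room left in the output buffer, and clamp it
 * to what the decompressor produced. Returns the number of bytes copied. */
uint32_t bounded_copy(uint8_t *output, uint32_t output_size, uint32_t count,
                      const uint8_t *zbuf, uint32_t avail)
{
    uint32_t copy;
    if (output == NULL || count >= output_size)   /* no room left; avoids underflow */
        return 0;
    copy = output_size - count;                    /* unsigned, never negative */
    if (avail < copy)
        copy = avail;
    memcpy(output + count, zbuf, copy);
    return copy;
}

/* Constructed scenario: a prefix and expanded size that wrap on 32-bit sizes,
 * and an inflate step that produces more bytes than the buffer can hold.
 * Returns 0 when both hardened checks behave as intended. */
int demo(void)
{
    uint32_t size;
    uint8_t out[16] = {0};
    uint8_t zbuf[64];
    memset(zbuf, 0xAB, sizeof zbuf);

    /* 0x10 + 0xFFFFFFF0 + 1 wraps to 1 with 32-bit sizes; must be refused */
    if (checked_alloc_size(0x10u, 0xFFFFFFF0u, &size))
        return 1;
    /* 12 bytes already written, 64 available: only 4 may be copied */
    if (bounded_copy(out, sizeof out, 12, zbuf, sizeof zbuf) != 4)
        return 2;
    return 0;
}
```

The point of bounded_copy is that the copy length is derived from the destination's remaining room in the same unsigned type as avail, so there is no path by which a negative or wrapped value reaches memcpy; checked_alloc_size refuses the allocation up front rather than letting a wrapped size reach malloc.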