By using this website, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.
Accept
Green Plus icon
Home
/
Research
/
Zero Day Discovery
/
CVE-2019-11024: Infinite loop in function load_pnm( ) – Libsixel – 1.8.2

CVE-2019-11024: Infinite loop in function load_pnm( ) – Libsixel – 1.8.2

Vulnerability Reports
April 8, 2019
Profile Icon

Jason Franscisco

Infinite loop in function load_pnm( ) – Libsixel – 1.8.2

Loginsoft-2019-1112

8 April, 2019

CVE Number

CVE-2019-11024

CWE

CWE – 20 : Improper Input Validation

Product Details

A SIXEL encoder/decoder implementation derived from kmiya’s sixel. This package provides encoder/decoder implementation for DEC SIXEL graphics, and some converter programs.
URL: https://github.com/saitoha/libsixel

Vulnerable Versions

1.8.2

Vulnerability Details

As per our research on libsixel we found an infinite loop generating recursively at function load_pnm( ) at file frompnm.c which can lead to a denial of service attack

SYNOPSIS

During our research on libsixel we found an infinite loop generating at function load_pnm () at file frompnm.c The function load_pnm( ) which loads sixelstatus and when a crafted file is passed to the binary there is an infinite while loop generating recursively and enters into function pnm_get_line( ) at this line of code while (line[0] == ‘#’); where, the value of line[O] is 0x0 which does not satisfy the condition and recursively generates an infinite loop which can lead to a denial of service.

Vulnerable Source code

  while (*s == '\0') {
                       if (p >= end) {
                           break;
                       }
                       p = pnm_get_line(p, end, tmp);
                       s = tmp;
                   }
Analysis

DEBUG:
GDB :


  Gdb:  [ Legend: Modified register | Code | Heap | Stack | String ]
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
$rax   : 0x00007fffffffd160  →  0x43434380f0314300
$rbx   : 0x00007fffffffd2a0  →  0x00007fffffffd660  →  0x0000000000000000
$rcx   : 0x00007fffffffd100  →  0x0000000000000000
$rdx   : 0x0               
$rsp   : 0x00007fffffffcf50  →  0x000060400000dfd0  →  0xbebebebe00000003
$rbp   : 0x00007fffffffd2c0  →  0x00007fffffffd690  →  0x00007fffffffd780  →  0x00007fffffffd7f0  →  0x00007fffffffddb0  →  0x0000000000401c00  →   push r15
$rsi   : 0x0               
$rdi   : 0x0               
$rip   : 0x00007ffff6c08ec1  →   mov rax, QWORD PTR [rbp-0x2f0]
$r8    : 0x3               
$r9    : 0x184d0           
$r10   : 0x2b1             
$r11   : 0x00007ffff6ef6ab0  →   push rbp
$r12   : 0x00000ffffffff9fc  →  0x0000000000000000
$r13   : 0x00007fffffffcfe0  →  0x0000000041b58ab3
$r14   : 0x00007fffffffcfe0  →  0x0000000041b58ab3
$r15   : 0x0               
$eflags: [CARRY PARITY ADJUST zero SIGN trap INTERRUPT direction overflow resume virtualx86 identification]
$cs: 0x0033 $ss: 0x002b $ds: 0x0000 $es: 0x0000 $fs: 0x0000 $gs: 0x0000 
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
0x00007fffffffcf50│+0x0000: 0x000060400000dfd0  →  0xbebebebe00000003     ← $rsp
0x00007fffffffcf58│+0x0008: 0x000060700000dfd4  →  0x0000000000000003
0x00007fffffffcf60│+0x0010: 0x000060700000dfd0  →  0x00000003ffffffff  →  0x0000000000000000
0x00007fffffffcf68│+0x0018: 0x0000000000000000
0x00007fffffffcf70│+0x0020: 0x000060700000dfcc  →  0xffffffff00000000
0x00007fffffffcf78│+0x0028: 0x000060700000dfc8  →  0x0000000000000000
0x00007fffffffcf80│+0x0030: 0x000060700000dfb8  →  0x000060300000efb0  →  0xffff000000000000
0x00007fffffffcf88│+0x0038: 0x000060400000dfd0  →  0xbebebebe00000003
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────
   0x7ffff6c08eac   mov    QWORD PTR [rbp-0x328], rax
   0x7ffff6c08eb3   lea    rax, [rbx-0x140]
   0x7ffff6c08eba   mov    QWORD PTR [rbp-0x2f0], rax
→ 0x7ffff6c08ec1   mov    rax, QWORD PTR [rbp-0x2f0]
   0x7ffff6c08ec8   mov    rdx, rax
   0x7ffff6c08ecb   shr    rdx, 0x3
   0x7ffff6c08ecf   add    rdx, 0x7fff8000
   0x7ffff6c08ed6   movzx  edx, BYTE PTR [rdx]
   0x7ffff6c08ed9   test   dl, dl
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── source:frompnm.c+229 ────
    224         for (y = 0 ; y < height ; y++) {
    225             for (x = 0 ; x < width ; x++) {
    226                 b = (maps == 2 ? 3 : 1);
    227                 for (i = 0 ; i = end) {
    231                                 break;
    232                             }
    233                             p = pnm_get_line(p, end, tmp);
    234                             s = tmp;
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "img2sixel", stopped, reason: SIGINT
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
[#0] 0x7ffff6c08ec1 → load_pnm(p=0x62d00000a427 "\027", '\276' , length=0x28, allocator=0x60400000dfd0, result=0x60700000dfb8, psx=0x60700000dfc8, psy=0x60700000dfcc, ppalette=0x0, pncolors=0x60700000dfd0, ppixelformat=0x60700000dfd4)
[#1] 0x7ffff6c077b3 → load_with_builtin(pchunk=0x60300000efe0, fstatic=0x0, fuse_palette=0x0, reqcolors=0x100, bgcolor=0x0, loop_control=0x1, fn_load=0x7ffff6c16ad6 , context=0x610000007f40)
[#2] 0x7ffff6c0836f → sixel_helper_load_image_file(filename=0x7fffffffe2b1 "hang10", fstatic=0x0, fuse_palette=0x0, reqcolors=0x100, bgcolor=0x0, loop_control=0x1, fn_load=0x7ffff6c16ad6 , finsecure=0x1, cancel_flag=0x606ac0 , context=0x610000007f40, allocator=0x60400000dfd0)
[#3] 0x7ffff6c16f5b → sixel_encoder_encode(encoder=0x610000007f40, filename=0x7fffffffe2b1 "hang10")
[#4] 0x4019ce → main(argc=0xd, argv=0x7fffffffde98)
Proof of Concept

./img2sixel -78eIkiugv -w 4 -h 8 -q auto -l force -o out $POC
Vendor Disclosure: 2019-3-28
Public Disclosure: 2019-4-9

Credit

Discovered by ACE Team – Loginsoft

Explore Cybersecurity Platforms

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Suspendisse varius enim in eros.

Discover Lovi

Sign up to our Newsletter

Cybersecurity Solutions
Vulnerability IntelligenceSecurity & Threat Intelligence IntegrationsVulnerability & Configuration ManagementOSS - Software Composition AnalysisOSS - Dependancy DefenceOSS - Zero-Day DiscoveryThreat IntelligenceExternal Attack Surface DiscoveryCloud Security Posture ManagementCloud Workload Protection
IT Solutions
Data Science & AISoftware Development  & SupportQA AutomationStaff Augmentation
Platforms
LOVICytellite
Company
BlogsReportsAbout usCareers
Research
Research-as-a -ServiceZero-Day Discovery
1-703-956-7410info@loginsoft.com
© 2024 - Copyright
Privacy policy