CVE-2006-2656

Experiment Environment

Ubuntu 10.04 LTS

INSTALL & Configuration

```
wget https://github.com/mudongliang/source-packages/raw/master/CVE-2006-2656/tiff-3.8.2.tar.gz
tar -xvf tiff-3.8.2.tar.gz
cd tiff-3.8.2
./configure
make
sudo make install
```

Problems in Installation & Configuration

How to trigger vulnerability

```
./tiffspl33t.pl 5000000
```

PoCs

tiffsplit (libtiff 3.8.2) - Local Stack Buffer Overflow

Vulnerability Patch

Root Cause

Stack-based buffer overflow in the tiffsplit command in libtiff 3.8.2 and earlier might allow attackers to execute arbitrary code via a long filename. The second command-line argument is copied into the fixed-size `fname` buffer with an unbounded `strcpy`, so an argument longer than the buffer overruns it:

```c
if (argc > 2)
	strcpy(fname, argv[2]);
```
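An added example (not code from libtiff or this repository) showing the bounded-copy pattern the fix uses, extended to check the `snprintf` return value so that an over-long name is rejected instead of silently truncated; the 1024-byte buffer size is an assumption taken from the `path` declaration in the patch, and `NAME_MAX_LEN`, `copy_base_name`, `build_tif_path` and `demo` are names chosen here.

```c
#include <stdio.h>
#include <string.h>

/* Assumed buffer size, mirroring the 1024+1 `path` buffer in the patch;
 * the real fname declaration is not shown in this README. */
#define NAME_MAX_LEN 1024

/* Copy `src` into the fixed `dst` buffer with a bounded snprintf, as the
 * patch does, but refuse names that would be truncated.
 * Returns 1 on success, 0 if `src` does not fit. */
int copy_base_name(char *dst, size_t dstsize, const char *src) {
    int n = snprintf(dst, dstsize, "%s", src);
    if (n < 0 || (size_t)n >= dstsize) {
        dst[0] = '\0';          /* leave no partial name behind */
        return 0;
    }
    return 1;
}

/* Build "<base>.tif" into `path`; fails instead of producing a name whose
 * ".tif" suffix was cut off by truncation. */
int build_tif_path(char *path, size_t pathsize, const char *base) {
    int n = snprintf(path, pathsize, "%s.tif", base);
    if (n < 0 || (size_t)n >= pathsize) {
        path[0] = '\0';
        return 0;
    }
    return 1;
}

/* Sample driver: a short name succeeds; a constructed over-long name is
 * rejected before any copy reaches the buffer limit. Returns 1 if both
 * outcomes are as expected. */
int demo(void) {
    char fname[NAME_MAX_LEN + 1];
    char path[NAME_MAX_LEN + 1];
    char longname[NAME_MAX_LEN + 100];      /* constructed input */
    memset(longname, 'A', sizeof(longname) - 1);
    longname[sizeof(longname) - 1] = '\0';

    int ok_short = copy_base_name(fname, sizeof(fname), "page")
                && build_tif_path(path, sizeof(path), fname);
    int ok_long  = copy_base_name(fname, sizeof(fname), longname);
    return ok_short && !ok_long;
}

int main(void) {
    int ok = demo();
    printf("%s\n", ok ? "ok" : "FAIL");
    return ok ? 0 : 1;
}
```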

Stack Trace

Patch

diff -ruN tiff-3.7.4-old/tools/tiffsplit.c tiff-3.7.4/tools/tiffsplit.c --- tiff-3.7.4-old/tools/tiffsplit.c	2005-05-26 20:38:48.000000000 +0200 +++ tiff-3.7.4/tools/tiffsplit.c	2006-06-01 16:00:11.000000000 +0200 @@ -60,14 +60,13 @@	return (-3);	}	if (argc > 2) -	strcpy(fname, argv[2]); +	snprintf(fname, sizeof(fname), "%s", argv[2]);	in = TIFFOpen(argv[1], "r");	if (in != NULL) {	do {	char path[1024+1];	newfilename(); -	strcpy(path, fname); -	strcat(path, ".tif"); +	snprintf(path, sizeof(path), "%s.tif", fname);	out = TIFFOpen(path, TIFFIsBigEndian(in)?"wb":"wl");	if (out == NULL)	return (-2); 
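Review bot: the replacement `snprintf(fname, sizeof(fname), "%s", argv[2]);` only bounds the copy if `fname` is declared as a char array in this file; its declaration lies outside the hunk, so confirm it is not a pointer (sizeof would then yield the pointer size, not the buffer size). Both new `snprintf` calls also discard their return value, so an over-long argv[2] is silently truncated, and in `snprintf(path, sizeof(path), "%s.tif", fname);` a long `fname` can be truncated so that the `.tif` suffix is lost; compare each return value against the buffer size and bail out with an error, as the surrounding code already does with `return (-2);`, when the name does not fit.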

References