LibTiff Mailing List

On Sun, Aug 31, 2008 at 05:17:07PM -0500, Bob Friesenhahn wrote:
> While libtiff is for the large part high quality software, the 
> sophistication of the black-hats (and white-hats too) should not be 
> underestimated.  Earlier this year I discovered a jackpot of malicious 
> files (collected by a white-hat) and spent a few weeks fixing 
> GraphicsMagick so that it was resistent to them.  The level of genius 
> represented by these files is pretty astounding. 

The power of "randomness" is also big. 

If I'm guessing the current state of the software correctly, a lot can
already be gained by having a "test-file-generator".

The test-file-generator will take an example tiff (preferably from a
pool with different features turned on in the headers), and then flip
a small percentage of bytes.

The test-setup will then request a test-file from the generator, and
then for example try to convert it. (e.g.
 	t=0
        while true ; do 
         	generate-test-file 150 sourcetiff.tiff > test$t.tif
		tifftopnm test$t.tif > test$t.ppm
		t=`expr $t + 1`
	done
)

Of course you won't find a working exploit this way. What you will
find is that the program tifftopnm crashes occasionally. If you trace
the crash, you will likely (say about 50%) find a bug that can be
turned into a hack by the blackhats. 

	Roger. 

-- 
** R.E.Wolff@BitWizard.nl ** http://www.BitWizard.nl/ ** +31-15-2600998 **
**    Delftechpark 26 2628 XH  Delft, The Netherlands. KVK: 27239233    **
*-- BitWizard writes Linux device drivers for any device you may have! --*
Q: It doesn't work. A: Look buddy, doesn't work is an ambiguous statement. 
Does it sit on the couch all day? Is it unemployed? Please be specific! 
Define 'it' and what it isn't doing. --------- Adapted from lxrbot FAQ


AWARE [SYSTEMS]		Imaging expertise for the Delphi developer
		TIFF and LibTiff Mailing List Archive
	LibTiff Mailing List TIFF and LibTiff Mailing List Archive August 2008 Previous Thread Next Thread Previous by Thread Next by Thread Previous by Date Next by Date Contact The TIFF Mailing List Homepage This list is run by Frank Warmerdam Archive maintained by AWare Systems	Thread 2008.08.29 22:53 "Some security fixes from RHEL", by Even Rouault 2008.08.30 02:08 "Re: Some security fixes from RHEL", by Tom Lane 2008.09.01 22:18 "Re: libtiff security", by Dmitry V Levin 2008.08.31 15:17 "Re: Some security fixes from RHEL", by Frank Warmerdam 2008.08.31 15:38 "Re: Some security fixes from RHEL", by Bob Friesenhahn 2008.08.31 21:09 "Re: Some security fixes from RHEL", by Rogier Wolff 2008.08.31 21:21 "Re: Some security fixes from RHEL", by <o.druemmer@callassoftware.com> 2008.08.31 21:51 "Re: Some security fixes from RHEL", by Bob Friesenhahn 2008.08.31 22:08 "Re: Some security fixes from RHEL", by Lee Howard 2008.08.31 22:21 "Re: Some security fixes from RHEL", by Bob Friesenhahn 2008.09.01 22:10 "Re: Some security fixes from RHEL", by Dmitry V Levin 2008.09.03 08:21 "Re: Some security fixes from RHEL", by Andrey Kiselev 2008.09.03 15:11 "Re: Some security fixes from RHEL", by Bob Friesenhahn 2008.09.03 17:31 "Re: Some security fixes from RHEL", by <ron@debian.org> 2008.09.03 17:48 "Re: Some security fixes from RHEL", by Bob Friesenhahn 2008.08.31 21:52 "Re: Some security fixes from RHEL", by Toby Thain 2008.08.31 22:01 "Re: Some security fixes from RHEL", by Bob Friesenhahn 2008.08.31 21:59 "Re: Some security fixes from RHEL", by Lee Howard 2008.08.31 22:17 "Re: Some security fixes from RHEL", by Bob Friesenhahn 2008.09.01 06:29 "Re: Some security fixes from RHEL", by Rogier Wolff 2008.09.01 06:53 "Re: Some security fixes from RHEL", by Toby Thain 2008.09.01 03:12 "Re: Some security fixes from RHEL", by Frank Warmerdam 2008.09.01 15:52 "Re: Some security fixes from RHEL", by Lee Howard 2008.09.01 21:33 "Re: Some security fixes from RHEL", by Frank Warmerdam 2008.09.03 16:38 "Re: Some security fixes from RHEL", by Lee Howard 2008.09.03 17:07 "Re: Some security fixes from RHEL", by Bob Friesenhahn 2008.09.03 17:20 "Re: Some security fixes from RHEL", by Lee Howard 2008.09.03 18:02 "Re: Some security fixes from RHEL", by Bob Friesenhahn 2008.09.03 18:13 "Re: Some security fixes from RHEL", by Lee Howard 2008.09.03 18:43 "Re: Some security fixes from RHEL", by Bob Friesenhahn 2008.09.03 20:47 "Re: Some security fixes from RHEL", by Edward Lam 2008.09.03 21:01 "Re: Some security fixes from RHEL", by Lee Howard 2008.09.03 18:32 "Re: Some security fixes from RHEL", by Frank Warmerdam 2008.09.03 19:04 "Re: Some security fixes from RHEL", by Bob Friesenhahn 2008.09.03 19:32 "Re: Some security fixes from RHEL", by <ron@debian.org> 2008.09.03 21:39 "Re: Some security fixes from RHEL", by Lee Howard 2008.09.03 21:59 "Re: Some security fixes from RHEL", by Even Rouault 2008.09.03 22:35 "Re: Some security fixes from RHEL", by <ron@debian.org> 2008.09.03 23:31 "Re: Some security fixes from RHEL", by Bob Friesenhahn 2008.09.04 07:47 "Re: Some security fixes from RHEL", by <ron@debian.org> 2008.09.04 12:55 "Re: Some security fixes from RHEL", by Edward Lam 2008.09.06 01:20 "Re: Some security fixes from RHEL", by Jay Berkenbilt 2008.09.04 07:22 "Re: Some security fixes from RHEL", by Andrey Kiselev 2008.09.04 08:05 "Re: Some security fixes from RHEL", by Tom Lane 2008.09.04 08:52 "Re: Some security fixes from RHEL", by Andrey Kiselev 2008.09.04 20:06 "tiffsplit.c broken on Windows in trunk", by Edward Lam 2008.09.04 20:41 "Re: tiffsplit.c broken on Windows in trunk", by Toby Thain 2008.09.04 21:13 "Re: tiffsplit.c broken on Windows in trunk", by Edward Lam 2008.09.05 06:42 "Re: tiffsplit.c broken on Windows in trunk", by Andrey Kiselev 2008.09.03 17:16 "Re: Some security fixes from RHEL", by Frank Warmerdam 2008.09.04 07:45 "Re: Some security fixes from RHEL", by Andrey Kiselev 2008.09.01 22:30 "Re: Some security fixes from RHEL", by Dmitry V Levin 2008.09.03 08:05 "Re: Some security fixes from RHEL", by Andrey Kiselev 2008.09.01 05:11 "Re: Some security fixes from RHEL", by Tom Lane 2008.09.01 15:30 "Re: Some security fixes from RHEL", by Frank Warmerdam 2008.09.01 15:33 "Re: Some security fixes from RHEL", by Bob Friesenhahn 2008.09.02 08:13 "Re: Some security fixes from RHEL", by Tom Lane 2008.09.02 08:24 "Re: Some security fixes from RHEL", by Tom Lane 2008.09.02 12:01 "Re: Some security fixes from RHEL", by Kai-uwe Behrmann 2008.09.02 15:49 "Re: Some security fixes from RHEL", by <ron@debian.org> 2008.09.03 08:14 "Re: Some security fixes from RHEL", by Andrey Kiselev 2008.09.03 14:07 "Re: Some security fixes from RHEL", by Frank Warmerdam 2008.09.03 15:53 "Re: Some security fixes from RHEL", by Frank Warmerdam 2008.09.01 16:23 "Re: Some security fixes from RHEL", by <ron@debian.org> 2008.09.01 18:00 "Re: Some security fixes from RHEL", by Bob Friesenhahn 2008.09.01 22:04 "Re: Some security fixes from RHEL", by Dmitry V Levin 2008.09.01 15:40 "Re: Some security fixes from RHEL", by Bob Friesenhahn 2008.09.01 18:19 "Re: Some security fixes from RHEL", by Rogier Wolff 2008.09.01 18:45 "Re: Some security fixes from RHEL", by Bob Friesenhahn 2008.09.02 15:54 "Re: Some security fixes from RHEL", by <ron@debian.org> 2008.09.02 16:39 "Re: Some security fixes from RHEL", by Bob Friesenhahn 2008.09.03 08:03 "Re: Some security fixes from RHEL", by Andrey Kiselev 2008.09.01 06:29 "Re: Some security fixes from RHEL", by Rogier Wolff On Sun, Aug 31, 2008 at 05:17:07PM -0500, Bob Friesenhahn wrote: > While libtiff is for the large part high quality software, the > sophistication of the black-hats (and white-hats too) should not be > underestimated. Earlier this year I discovered a jackpot of malicious > files (collected by a white-hat) and spent a few weeks fixing > GraphicsMagick so that it was resistent to them. The level of genius > represented by these files is pretty astounding. The power of "randomness" is also big. If I'm guessing the current state of the software correctly, a lot can already be gained by having a "test-file-generator". The test-file-generator will take an example tiff (preferably from a pool with different features turned on in the headers), and then flip a small percentage of bytes. The test-setup will then request a test-file from the generator, and then for example try to convert it. (e.g. t=0 while true ; do generate-test-file 150 sourcetiff.tiff > test$t.tif tifftopnm test$t.tif > test$t.ppm t=`expr $t + 1` done ) Of course you won't find a working exploit this way. What you will find is that the program tifftopnm crashes occasionally. If you trace the crash, you will likely (say about 50%) find a bug that can be turned into a hack by the blackhats. Roger. -- R.E.Wolff@BitWizard.nl http://www.BitWizard.nl/ +31-15-2600998 Delftechpark 26 2628 XH Delft, The Netherlands. KVK: 27239233 -- BitWizard writes Linux device drivers for any device you may have! -- Q: It doesn't work. A: Look buddy, doesn't work is an ambiguous statement. Does it sit on the couch all day? Is it unemployed? Please be specific! Define 'it' and what it isn't doing. --------- Adapted from lxrbot FAQ

LibTiff Mailing List

Thread

2008.09.01 06:29 "Re: Some security fixes from RHEL", by Rogier Wolff