TIFF and LibTiff Mailing List Archive
September 2005

Archive maintained by AWare Systems


Thread

2005.09.28 00:49 "PSP libtiff hack?", by Frank Warmerdam
2005.09.28 02:21 "Re: PSP libtiff hack?", by Joris Van Damme
2005.09.28 04:04 "Re: PSP libtiff hack?", by <edward@sidefx.com>
2005.09.28 13:50 "Re: PSP libtiff hack?", by Frank Warmerdam
2005.09.28 14:49 "Re: PSP libtiff hack?", by Bob Friesenhahn
2005.09.28 04:20 "Re: PSP libtiff hack?", by Chris Cox
2005.09.28 13:39 "Re: PSP libtiff hack?", by Dmitry V Levin

2005.09.28 02:21 "Re: PSP libtiff hack?", by Joris Van Damme

Frank Warmerdam wrote:
> According to Slashdot a recent Sony PSP hack was accomplished
> using a vulnerability in libtiff (who knew libtiff was on the PSP?).

I read the same thing, and found it was all very weird... If only these
people spent as much time on actual good documentation and specification
of facts and exact vulnerability as they do on fighting amongst
themselves in SMS-type language of wannabe hackers, we'd have a chance
to know what is actually going on.

> The file is available at:
>
>   http://home.gdal.org/~warmerda/overflow.tif
>
> In case anyone wants to test TIFF applications with it.

Thanks!

I'm seeing a more or less regular IFD, all valid values, except for
BitsPerSample tag, which has 16496 SHORT values.

SamplesPerPixel is 3, which is slightly less. Judging from
StripByteCounts with no compression and Photometric, BitsPerSample
should be 8,8,8 to obtain a legit TIFF IFD.

But the actual BitsPerSample tag value is 0,0,1, a handful of 0's,
some actual data that seems to contain a filename, and another massive
load of 0's. So I'm guessing it's an overflow vulnerability in the
handling of the BitsPerSample tag that is being used. It is of course
entirely possible the vulnerability is already cured in current LibTiff;
the hackers were too busy discussing who's entitled to put up PayPal
stuff to be concerned with mentioning what version of LibTiff may be
involved.

> What would be ideal is if one or more of these hardware makers
> using libtiff actually provided some funding for a detailed
> vulnerability analysis.  Then they (and we) wouldn't have egg on our
> faces.

Right on!


Joris Van Damme
info@awaresystems.be
http://www.awaresystems.be/
Download your free TIFF tag viewer for windows here:
http://www.awaresystems.be/imaging/tiff/astifftagviewer.html
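As an added illustration (not code from this thread, from AWare Systems or from LibTiff), the C program below parses a TIFF header and its first IFD and flags the anomaly described above: a BitsPerSample entry whose count does not equal SamplesPerPixel (16496 against 3 in the reported file), or whose data would lie outside the file. The tag numbers and field types are those of the TIFF 6.0 specification. The sample files are constructed in memory by build_tiff() (little-endian, 1x1 RGB, uncompressed) and are not the overflow.tif from the thread; check_bps(), build_tiff() and the return codes are names chosen here. The program makes no claim about how any LibTiff version actually handled the tag.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Tag numbers and field types from the TIFF 6.0 specification. */
#define TAG_BITSPERSAMPLE   258
#define TAG_SAMPLESPERPIXEL 277
#define TYPE_SHORT          3
#define TYPE_LONG           4

/* Return codes of check_bps() (names chosen for this example). */
enum { BPS_OK = 0, BPS_BAD_HEADER = -1, BPS_TRUNCATED = -2,
       BPS_COUNT_MISMATCH = -3, BPS_OUT_OF_BOUNDS = -4 };

/* Byte size of a TIFF field type; 0 for an unknown type. */
static uint64_t type_size(uint16_t type) {
    switch (type) {
    case 1: case 2: case 6: case 7: return 1;   /* BYTE ASCII SBYTE UNDEFINED */
    case 3: case 8:                 return 2;   /* SHORT SSHORT */
    case 4: case 9: case 11:        return 4;   /* LONG SLONG FLOAT */
    case 5: case 10: case 12:       return 8;   /* RATIONAL SRATIONAL DOUBLE */
    default:                        return 0;
    }
}

struct rd { const uint8_t *p; size_t n; int be; };

/* Bounds-checked reads in the byte order declared by the header. */
static int rd16(const struct rd *r, uint64_t off, uint16_t *v) {
    if (off + 2 > r->n) return 0;
    const uint8_t *p = r->p + off;
    *v = r->be ? (uint16_t)((p[0] << 8) | p[1]) : (uint16_t)((p[1] << 8) | p[0]);
    return 1;
}
static int rd32(const struct rd *r, uint64_t off, uint32_t *v) {
    if (off + 4 > r->n) return 0;
    const uint8_t *p = r->p + off;
    *v = r->be ? ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]
               : ((uint32_t)p[3] << 24) | ((uint32_t)p[2] << 16) | ((uint32_t)p[1] << 8) | p[0];
    return 1;
}

/* Walk the first IFD; reject a BitsPerSample entry whose count does not match
 * SamplesPerPixel, or whose out-of-line data does not fit inside the file. */
int check_bps(const uint8_t *buf, size_t len) {
    struct rd r = { buf, len, 0 };
    uint16_t magic, n, spp = 1, bps_type = 0;    /* SamplesPerPixel defaults to 1 */
    uint32_t ifd, bps_count = 0, bps_val = 0;
    int have_bps = 0;

    if (len < 8) return BPS_TRUNCATED;
    if (memcmp(buf, "II", 2) == 0) r.be = 0;
    else if (memcmp(buf, "MM", 2) == 0) r.be = 1;
    else return BPS_BAD_HEADER;
    if (!rd16(&r, 2, &magic) || magic != 42 || !rd32(&r, 4, &ifd)) return BPS_BAD_HEADER;
    if (!rd16(&r, ifd, &n)) return BPS_TRUNCATED;

    for (uint32_t i = 0; i < n; i++) {
        uint64_t e = (uint64_t)ifd + 2 + 12u * i;
        uint16_t tag, type; uint32_t count, val;
        if (!rd16(&r, e, &tag) || !rd16(&r, e + 2, &type) ||
            !rd32(&r, e + 4, &count) || !rd32(&r, e + 8, &val)) return BPS_TRUNCATED;
        if (tag == TAG_SAMPLESPERPIXEL)
            rd16(&r, e + 8, &spp);   /* an inline SHORT is left-justified in the value field */
        else if (tag == TAG_BITSPERSAMPLE) {
            bps_type = type; bps_count = count; bps_val = val; have_bps = 1;
        }
    }
    if (!have_bps) return BPS_OK;   /* absent tag: spec default of 1 bit per sample */

    /* The anomaly in the file under discussion: count (16496) far above SamplesPerPixel (3). */
    if (bps_count != 1 && bps_count != spp) return BPS_COUNT_MISMATCH;

    uint64_t ts = type_size(bps_type), bytes = (uint64_t)bps_count * ts;
    if (ts == 0) return BPS_BAD_HEADER;
    if (bytes > 4 && (bps_val > len || bytes > len - bps_val)) return BPS_OUT_OF_BOUNDS;
    return BPS_OK;
}

/* --- Constructed sample files for this example (little-endian, 1x1 RGB) --- */
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)v); put16(p + 2, (uint16_t)(v >> 16)); }
static uint8_t *ent(uint8_t *p, uint16_t tag, uint16_t type, uint32_t count, uint32_t val) {
    put16(p, tag); put16(p + 2, type); put32(p + 4, count); put32(p + 8, val); return p + 12;
}

/* bps_off == 0 places the BitsPerSample array right after the IFD; any other
 * value is written verbatim so a caller can point it outside the file. */
size_t build_tiff(uint8_t *out, uint16_t spp, uint32_t bps_count, uint32_t bps_off) {
    const uint32_t ifd = 8, nent = 9;
    const uint32_t bps_at = ifd + 2 + 12 * nent + 4;   /* after the next-IFD pointer */
    const uint32_t pix_at = bps_at + 2u * spp;
    uint8_t *p;
    memcpy(out, "II", 2); put16(out + 2, 42); put32(out + 4, ifd);
    p = out + ifd; put16(p, (uint16_t)nent); p += 2;
    p = ent(p, 256, TYPE_SHORT, 1, 1);                     /* ImageWidth */
    p = ent(p, 257, TYPE_SHORT, 1, 1);                     /* ImageLength */
    p = ent(p, TAG_BITSPERSAMPLE, TYPE_SHORT, bps_count, bps_off ? bps_off : bps_at);
    p = ent(p, 259, TYPE_SHORT, 1, 1);                     /* Compression: none */
    p = ent(p, 262, TYPE_SHORT, 1, 2);                     /* Photometric: RGB */
    p = ent(p, 273, TYPE_LONG, 1, pix_at);                 /* StripOffsets */
    p = ent(p, TAG_SAMPLESPERPIXEL, TYPE_SHORT, 1, spp);
    p = ent(p, 278, TYPE_SHORT, 1, 1);                     /* RowsPerStrip */
    p = ent(p, 279, TYPE_LONG, 1, spp);                    /* StripByteCounts */
    put32(p, 0); p += 4;                                   /* no further IFDs */
    for (unsigned i = 0; i < spp; i++) { put16(p, 8); p += 2; }   /* 8,8,8 */
    memset(p, 0x80, spp); p += spp;                        /* one grey pixel */
    return (size_t)(p - out);
}

int main(void) {
    uint8_t good[256], bad[256];
    size_t gl = build_tiff(good, 3, 3, 0), bl = build_tiff(bad, 3, 16496, 0);
    printf("well-formed: %d, count 16496: %d\n", check_bps(good, gl), check_bps(bad, bl));
    return 0;
}
```

The general point for any TIFF reader is that the IFD count field is attacker-controlled and must be validated against the value that actually bounds the destination (here SamplesPerPixel, and the file length for out-of-line data) before it is used as a loop bound or copy length; the example checks the count first, so the oversized entry is rejected before any of its 16496 values are read.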