Summary
Uninitialized memory disclosure can be achieved by parsing a truncated RAW picture.
Severity
High - It is possible to exploit the vulnerable pattern in multiple ways and it may lead to complete memory reconstruction of the target allocation - whose size is controllable through TIFF tags - by an attacker with access to the bitmap result or the parsed metadata.
Proof of Concept
- Compile LibRaw following the instructions on https://github.com/LibRaw/LibRaw/blob/0.21.2/INSTALL
- Run the
bin/simple_dcraw sample binary with the provided file: bin/simple_dcraw poc.bin
Further Analysis
LibRaw supports a wide range of RAW picture formats. In order to do so, it employs a format recognition system based on which TIFF tags are found in the file. Once a format is recognized, the load_raw function pointer - responsible for extracting the raw image from the input file - is populated with the appropriate handler. Such functions commonly use LibRaw_buffer_datastream::read to read from the input buffer, which is semantically equivalent to libc’s fread. A number of load_raw functions [1] do not check the return value of LibRaw_buffer_datastream::read or if the end of input has been reached. This leaves part of the raw image backing buffer uninitialized and allows an attacker to reconstruct portions of heap memory by analyzing the bitmap result. Similarly, some metadata [2] is parsed via the same API and may allow an attacker with access to the parsed metadata to directly read uninitialized heap memory.
These functions are affected by the vulnerable pattern:
[1]
[2]
Timeline
Date reported: 09/13/2024
Date fixed: 09/18/2024
Date disclosed: 10/18/2024
polict Finder
Summary
Uninitialized memory disclosure can be achieved by parsing a truncated RAW picture.
Severity
High - It is possible to exploit the vulnerable pattern in multiple ways and it may lead to complete memory reconstruction of the target allocation - whose size is controllable through TIFF tags - by an attacker with access to the bitmap result or the parsed metadata.
Proof of Concept
bin/simple_dcrawsample binary with the provided file: bin/simple_dcraw poc.binFurther Analysis
LibRaw supports a wide range of RAW picture formats. In order to do so, it employs a format recognition system based on which TIFF tags are found in the file. Once a format is recognized, the
load_rawfunction pointer - responsible for extracting the raw image from the input file - is populated with the appropriate handler. Such functions commonly useLibRaw_buffer_datastream::readto read from the input buffer, which is semantically equivalent to libc’s fread. A number ofload_rawfunctions [1] do not check the return value ofLibRaw_buffer_datastream::reador if the end of input has been reached. This leaves part of the raw image backing buffer uninitialized and allows an attacker to reconstruct portions of heap memory by analyzing the bitmap result. Similarly, some metadata [2] is parsed via the same API and may allow an attacker with access to the parsed metadata to directly read uninitialized heap memory.These functions are affected by the vulnerable pattern:
[1]
LibRaw::nikon_coolscan_load_raw: https://github.com/LibRaw/LibRaw/blob/0.21.2/src/decoders/decoders_libraw_dcrdefs.cpp#L144 (exploited in the proof of concept below)LibRaw::sony_arw2_load_raw: https://github.com/LibRaw/LibRaw/blob/0.21.2/src/decoders/decoders_dcraw.cpp#L1479LibRaw::rollei_load_raw: https://github.com/LibRaw/LibRaw/blob/0.21.2/src/decoders/decoders_dcraw.cpp#L990LibRaw::unpack_thumb: https://github.com/LibRaw/LibRaw/blob/0.21.2/src/decoders/unpack_thumb.cpp#L136LibRaw::nikon_14bit_load_raw: https://github.com/LibRaw/LibRaw/blob/0.21.2/src/decoders/decoders_libraw.cpp#L203LibRaw::fuji_14bit_load_raw: https://github.com/LibRaw/LibRaw/blob/0.21.2/src/decoders/decoders_libraw.cpp#L223LibRaw::nikon_load_padded_packed_raw: https://github.com/LibRaw/LibRaw/blob/0.21.2/src/decoders/decoders_libraw.cpp#L254LibRaw::nikon_load_sraw: https://github.com/LibRaw/LibRaw/blob/0.21.2/src/decoders/decoders_libraw.cpp#L566LibRaw::pana_data: https://github.com/LibRaw/LibRaw/blob/0.21.2/src/decoders/decoders_dcraw.cpp#L1102[2]
LibRaw::parse_tiff_ifd: https://github.com/LibRaw/LibRaw/blob/0.21.2/src/metadata/tiff.cpp#L589LibRaw::parseSonyMakernotes: https://github.com/LibRaw/LibRaw/blob/0.21.2/src/metadata/sony.cpp#L1106LibRaw::PentaxLensInfo: https://github.com/LibRaw/LibRaw/blob/0.21.2/src/metadata/pentax.cpp#L140Timeline
Date reported: 09/13/2024
Date fixed: 09/18/2024
Date disclosed: 10/18/2024