Show Notes

124 - ImageGear JPEG Vulns, NetFilter, and a LibCurl Memory Disclosure

There is an out-of-bounds access that comes from a difference between parsing the Huffman tables and using them. While parsing the tables, the function ensures that each identifier is between 0 and 3. Later, when parsing the element indices into the Huffman tables, it uses 4-bit wide variables, a range of 0-15, leading to an out-of-bounds access.
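A constructed model of the parse/use mismatch, added here and not ImageGear's code. JPEG allows Huffman table ids 0..3 per class, so the decoder state is a 2 x 4 slot array; the DHT parse side accepts only ids 0..3, while the SOS selector byte carries two 4-bit nibbles that can name slots 4..15. The struct, function names and sample bytes are assumptions for illustration; the use-side check re-validates the range and also refuses a slot the parser never filled.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed model, not ImageGear's code: JPEG allows Huffman table ids
 * 0..3 per class (0 = DC, 1 = AC), so a decoder keeps a 2 x 4 slot array. */
#define HUFF_CLASSES 2
#define HUFF_IDS     4

struct huff_state {
    uint8_t defined[HUFF_CLASSES][HUFF_IDS];  /* 1 once a DHT segment defined the slot */
};

/* DHT parse side: the Tc/Th byte carries class in the high nibble and id in
 * the low nibble. The parser described above accepts only ids 0..3. */
int parse_table_id(struct huff_state *st, uint8_t tc_th)
{
    uint8_t cls = tc_th >> 4, id = tc_th & 0x0F;
    if (cls >= HUFF_CLASSES || id >= HUFF_IDS)
        return -1;
    st->defined[cls][id] = 1;
    return id;
}

/* SOS use side: the Td/Ta byte carries two 4-bit selectors, so each can be
 * 0..15 while the array only has 4 slots. The bug described above indexes
 * with the raw nibble; this version re-checks the range and also refuses a
 * slot that is in range but was never filled by the parser. */
int select_tables(const struct huff_state *st, uint8_t td_ta, int *dc, int *ac)
{
    uint8_t d = td_ta >> 4, a = td_ta & 0x0F;
    if (d >= HUFF_IDS || a >= HUFF_IDS)
        return -1;                       /* selector wider than the table array */
    if (!st->defined[0][d] || !st->defined[1][a])
        return -1;                       /* in range, but undefined slot */
    *dc = d;
    *ac = a;
    return 0;
}

/* Runs constructed segments: defines DC0, DC1 and AC1, then tries three scan
 * selectors (one valid, one with dc=15, one naming undefined AC0).
 * Returns how many selectors were rejected. */
int run_selector_checks(void)
{
    struct huff_state st;
    int dc, ac, rejected = 0;
    const uint8_t dht[] = { 0x00, 0x01, 0x11 };   /* constructed: DC0, DC1, AC1 */
    const uint8_t sos[] = { 0x11, 0xF1, 0x10 };   /* constructed: ok, dc=15, ac=0 undefined */
    memset(&st, 0, sizeof st);
    for (size_t i = 0; i < sizeof dht; i++)
        parse_table_id(&st, dht[i]);
    for (size_t i = 0; i < sizeof sos; i++)
        if (select_tables(&st, sos[i], &dc, &ac) != 0)
            rejected++;
    return rejected;
}

int main(void)
{
    printf("rejected selectors: %d\n", run_selector_checks());
    return 0;
}
```

The second check (slot defined) matters as much as the first: a selector of 2 is in range but still dereferences an uninitialised table if no DHT segment ever filled slot 2.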

Off-by-one issue in computing the bits_required value. This computation was performed with a while loop, right-shifting the value by 1 until it is zero, with the number of shifts taken as the number of bits needed.

while (NE_field = NE_field >> 1, NE_field != 0) {   /* shifts first, then tests for zero */
	bits_required = bits_required + 1;              /* never runs for the shift that reaches zero */
}

The problem is that the bits_required value tracks one behind the number of shifts actually performed, because the loop starts by performing a right-shift and only then compares the result with 0. If the value was 0x01, a right-shift by one results in 0x00, which fails the NE_field != 0 check and exits the loop without ever incrementing bits_required. Similarly, for any value, the last right-shift will not be counted.
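The loop above next to a corrected one, as an added example (not ImageGear's code). Function names and the bytes_for_bits helper are assumptions; the helper shows why one missing bit matters: when the count sits on a byte boundary, a buffer sized from it comes out one byte short.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* The loop from the notes, as written: the comma expression shifts first and
 * only then tests for zero, so the shift that finally reaches zero is never
 * counted. For 0x01 the loop body never runs and the result is 0. */
unsigned bits_required_buggy(uint32_t ne_field)
{
    unsigned bits_required = 0;
    while (ne_field = ne_field >> 1, ne_field != 0) {
        bits_required = bits_required + 1;
    }
    return bits_required;
}

/* Corrected loop: test before shifting, so every shift is counted and the
 * result is the number of significant bits (0 for an input of 0). */
unsigned bits_required_fixed(uint32_t ne_field)
{
    unsigned bits_required = 0;
    while (ne_field != 0) {
        ne_field >>= 1;
        bits_required++;
    }
    return bits_required;
}

/* Assumed consumer: where the off-by-one bites. A count one short can drop
 * below a byte boundary, so a buffer sized from it is one byte too small. */
size_t bytes_for_bits(unsigned bits)
{
    return (bits + 7) / 8;
}

int main(void)
{
    uint32_t samples[] = { 0x01, 0x80, 0x100, 0xFFFFFFFFu };   /* constructed inputs */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("0x%x: buggy=%u fixed=%u (bytes %zu vs %zu)\n", (unsigned)samples[i],
               bits_required_buggy(samples[i]), bits_required_fixed(samples[i]),
               bytes_for_bits(bits_required_buggy(samples[i])),
               bytes_for_bits(bits_required_fixed(samples[i])));
    return 0;
}
```

0x100 is the telling input: it needs 9 bits, the buggy loop reports 8, and 8 bits rounds to one byte where 9 needs two.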

The core problem is an integer truncation due to a difference in the size of the long primitive type between Windows and Linux systems. On Linux and BSD systems, sizeof(long) will return 8, but on Windows this value is 4.

In the AddHttpPost function, a size_t bufferlength value is assigned to post->bufferlength; the bufferlength field in post, however, is a long. An attacker who is able to influence the size of the file upload can choose a length of 0x00000000FFFFFFFF (4294967295). When truncated to 4 bytes on Windows, it becomes -1, which is the constant CURL_ZERO_TERMINATED. This means libcurl will then try to determine the size of the buffer by reading, and uploading, all content until there is a null byte, potentially reading outside of the expected buffer.
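The truncation reproduced on any host, as an added example that is not libcurl's code. A 32-bit typedef stands in for the Windows long so the effect shows even where sizeof(long) is 8; CURL_ZERO_TERMINATED is the real curl constant and its value ((size_t)-1) comes from curl.h. The post_model struct, the checked setter, the upload_length function and the "payloadSECRET" buffer are constructed for illustration: the buffer holds 7 bytes meant for upload followed by bytes that were never meant to leave the process, so the sentinel-driven strlen shows the over-read without stepping outside an allocation.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* libcurl's sentinel meaning "the buffer is NUL-terminated, measure it".
 * Real name from the notes; value as defined in curl.h. */
#define CURL_ZERO_TERMINATED ((size_t)-1)

/* Constructed stand-in for a 4-byte Windows 'long' so the truncation shows
 * on a host where a real long is 8 bytes. */
typedef int32_t win_long;

struct post_model {
    const char *buffer;
    win_long    bufferlength;   /* the narrow field described above */
};

/* Unchecked path: size_t length stored into the 4-byte field and read back.
 * 0xFFFFFFFF becomes -1, which widens back to CURL_ZERO_TERMINATED. */
size_t stored_length_unchecked(size_t bufferlength)
{
    struct post_model post;
    post.bufferlength = (win_long)bufferlength;  /* out-of-range: implementation-defined wrap */
    return (size_t)post.bufferlength;
}

/* Guarded path (assumed fix): refuse any length that does not fit the field,
 * so a caller-chosen size can never alias the sentinel. */
int set_bufferlength_checked(struct post_model *post, size_t bufferlength)
{
    if (bufferlength > (size_t)INT32_MAX)
        return -1;
    post->bufferlength = (win_long)bufferlength;
    return 0;
}

/* Upload-length decision as the notes describe it: the sentinel makes the
 * library measure up to the first NUL instead of trusting the count. */
size_t upload_length(const char *buffer, size_t length)
{
    return length == CURL_ZERO_TERMINATED ? strlen(buffer) : length;
}

/* Constructed allocation: 7 bytes intended for upload, then adjacent data. */
static const char blob[] = "payloadSECRET";
#define INTENDED_LEN 7

int main(void)
{
    size_t attacker_len = 0xFFFFFFFFu;
    size_t got = stored_length_unchecked(attacker_len);
    printf("stored as sentinel: %s\n", got == CURL_ZERO_TERMINATED ? "yes" : "no");
    printf("upload bytes: %zu (intended %d)\n", upload_length(blob, got), INTENDED_LEN);
    return 0;
}
```

The guard rejects at the boundary the field actually has (INT32_MAX for the simulated long, LONG_MAX for a real one), which is the check that would have kept the size_t value from ever collapsing into the sentinel.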

This is one of those cases where assumptions about state are made that can be violated. In nft_fwd_dup_netdev_offload, when offloading a dup or fwd rule to hardware, the num_actions value is used to index the actions array and is then incremented. The problem is that the actions array is allocated based on the number of immediate expression types. As it is possible to manually create a dup or fwd rule that does not have a corresponding immediate expression, the increment can push the index arbitrarily out of bounds.
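A constructed model of the sizing mismatch, added here and not kernel code. The rule, flow_actions and expression names are assumptions; the action array is sized from the immediate count exactly as described, while the index advances per fwd/dup expression, and the offload routine carries the bound check that makes the two counts disagreeing a refused offload rather than an out-of-bounds write.

```c
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

/* Constructed model of the rule-to-hardware offload path, not kernel code.
 * A rule is a list of expressions; an offload action entry is appended for
 * each fwd/dup expression. */
enum expr_type { EXPR_IMMEDIATE, EXPR_FWD, EXPR_DUP, EXPR_OTHER };

struct rule {
    enum expr_type exprs[8];
    size_t n;
};

struct flow_actions {
    int   *entries;
    size_t num_actions;  /* next free index, incremented per offloaded action */
    size_t capacity;     /* how many entries were allocated */
};

/* How the allocation is sized in the notes: by counting immediate expressions. */
size_t count_immediates(const struct rule *r)
{
    size_t c = 0;
    for (size_t i = 0; i < r->n; i++)
        c += (r->exprs[i] == EXPR_IMMEDIATE);
    return c;
}

/* What actually drives the index: fwd and dup expressions. A rule built
 * without a paired immediate makes this exceed count_immediates(). */
size_t count_fwd_dup(const struct rule *r)
{
    size_t c = 0;
    for (size_t i = 0; i < r->n; i++)
        c += (r->exprs[i] == EXPR_FWD || r->exprs[i] == EXPR_DUP);
    return c;
}

/* Offload with the missing bound: refuse to append once num_actions reaches
 * capacity instead of trusting the two counts to agree. Returns the number
 * of actions appended, or -1 if the rule would overrun the array. */
int offload_rule(const struct rule *r, struct flow_actions *fa)
{
    for (size_t i = 0; i < r->n; i++) {
        if (r->exprs[i] != EXPR_FWD && r->exprs[i] != EXPR_DUP)
            continue;
        if (fa->num_actions >= fa->capacity)
            return -1;                       /* array was sized by the wrong count */
        fa->entries[fa->num_actions] = (int)r->exprs[i];
        fa->num_actions++;
    }
    return (int)fa->num_actions;
}

/* Allocates the action array the way the notes describe (from the immediate
 * count) and tries to offload. Returns offload_rule's result. */
int offload_as_sized(const struct rule *r)
{
    struct flow_actions fa;
    fa.capacity = count_immediates(r);
    fa.num_actions = 0;
    fa.entries = calloc(fa.capacity ? fa.capacity : 1, sizeof *fa.entries);
    int rc = fa.entries ? offload_rule(r, &fa) : -1;
    free(fa.entries);
    return rc;
}

int main(void)
{
    struct rule paired = { { EXPR_IMMEDIATE, EXPR_FWD }, 2 };  /* constructed: usual shape */
    struct rule bare   = { { EXPR_DUP, EXPR_DUP }, 2 };        /* constructed: no immediates */
    printf("paired: %d, bare: %d\n", offload_as_sized(&paired), offload_as_sized(&bare));
    return 0;
}
```

The two counting functions are the diagnostic: whenever count_fwd_dup exceeds count_immediates, the original allocation is too small, and only the check inside offload_rule stands between that and a write past the array.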