Tuesday, March 17, 2009

LittleCMS vulnerabilities

Today, vendor updates should be flowing for vulnerabilities in LittleCMS, sometimes known just as "lcms" or "liblcms". LittleCMS is a very useful open-source colour profile parsing and conversion tool. Some technical details of the various vulnerabilities (stack-based buffer overflows, integer overflows, etc). are given here:


The most interesting thing about LittleCMS is how quickly it has become a very critical building block for UNIX desktops. Let's enumerate some of the pieces of software impacted by any lcms vulnerabilities:
  • OpenJDK. OpenJDK uses lcms to parse colour profiles embedded in JPEG or BMP files. OpenJDK is on the default browser attack surface of a lot of Linux installations, e.g. Fedora 10.

  • Firefox. Firefox 3.1beta uses lcms to parse colour profiles embedded in JPEG files -- by default. (Firefox 3.0 has this ability but not by default, so thankfully this can be addressed before 3.1 goes production).

  • GIMP. GIMP uses the system liblcms library to parse colour profiles embedded in at least JPEG files.
I don't usually do this, but I took the trouble to write an exploit for one of the bugs, because it was fun and had some quirks. It's probably not a great idea to release it just yet -- look for a separate blog post soon.

Finally, some notes on the various Linux system protections that do or don't help defend against the exploit for this stack-based buffer overflow:
  • My exploit targets, but is not limited to, systems with executable heaps. Interestingly 32-bit Ubuntu 8.10 on my laptop shows the heap as non-executable in /proc/<pid>/maps, but it lies because the installed kernel is non-PAE.

  • For systems with non-executable heaps, such as 64-bit Ubuntu 8.10 on my desktop, an exploit is still possible because you can point registers other than rip into the heap (e.g. rbp). I've not written this exploit.

  • Systems with stack smashing detection, such as Fedora 10, do make the exploit hard or impossible. However, the somewhat risky OpenJDK package on such a system is not compiled with stack smashing detection, leaving the default browsing experience vulnerable.

  • I noticed that the Fedora 10 stack smashing detection does not exit cleanly, but gives a SIGSEGV. On 32-bit, the faulting instruction is cmpw $0xb858,(%eax) where %eax == 0x1. Stack frames is __stack_chk_fail __fortify_fail __libc_message backtrace _Unwind_Backtrace ??. Leave a comment if you know what's going on. Sounds dangerous to me.


Unknown said...

Aside from stack smashing, I'd be interested in seeing the exploit run on Fedora 10 with and without SELinux in enforcing. More traditional stack smashing relies on an executable stack, which SELinux plays a direct role in mitigating (orthognal to ASLR/PIE/et al).

However, you could still leverage the ret2{libc,etc} vectors....

Anonymous said...

I recently came accross your blog and have been reading along. I thought I would leave my first comment. I dont know what to say except that I have enjoyed reading. Nice blog. I will keep visiting this blog very often.



The Fuzz said...

great post

Anonymous said...

Sounds like Fedora also messes with glibc's handling of stack-smashes.
Or maybe it is Ubuntu (since it seems those are the systems you diff between).
I know the hardened gentoo project wrote their own code [1] for those terminations becouse they thought the original one in glibc did not do a good enought.

You may want to look into that in this case.

[1] http://sources.gentoo.org/viewcvs.py/gentoo-x86/sys-libs/glibc/files/2.6/glibc-2.6-gentoo-stack_chk_fail.c?rev=1.4&view=markup

Anonymous said...

The original for something to compare with.


Anonymous said...

At this FFXI GIL point, a white Knight Online Gold flowing Perfect World gold purple Ling, Yu Mian Lip, handsome extraordinary, a Dragonica Gold
black silk-fat Metin2 Yang dish Ragnarok Zeny into a Knight Online Gold bun, the hands of a delicate paper fan, 2Moons Dil full scholar dressed, but refined it Cabal Alz without Flyff Penya losing the charming woman, so that Brothel woman to see her every air of obsession, winks thrown straight, she was mistakenly treated as a handsome son of FFXIV GIL extraordinary Columbia.
"Originally, rumors of Red Allods Gold House Lane, is this look like, and do not have any particular Well!" Purple Spirit freely cast a glance of the much Allods Gold slower to catch, and Jade Dynasty Gold some Jade Dynasty Gold disappointment Road.

Anonymous said...

'I see her aion gold second child Eighty FFXIV GIL per cent of that, to aion power leveling which advocacy to the beauty aion gold of the quilt, and this is wow power leveling not, but wow power leveling also by his buy wow gold Shui come 2! Idol ah! Sure wow gold enough, worthy of two wow power leveling ah! 'Honests and four fertilizer Guo looked beautiful and feminine on the sofa, Chen Ying Yang runes of magic gold Si Yu month and Common Sense, roses, heart, the worship maple story mesos of his brother Ben ah like mad cow chaos out of control ... ... ... ...