CVE-2018-20099 infinite loop in Exiv2::Jp2Image::encodeJp2Header of jp2image.cpp

[zjuchenyuan]

Describe the bug
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20099

There is an infinite loop in Exiv2::Jp2Image::encodeJp2Header of jp2image.cpp in Exiv2 0.27-RC3. A crafted input will lead to a remote denial of service attack.

This has been reported in #590 , but @piponazo ignored due to not cp CVE-2018-20099 CVE-2018-20099.exv

This CVE has not been fixed on current commit 1de8e734

To Reproduce
Steps to reproduce the behaviour:

1. download the POC file
2. Provide exact command to reproduce the issue

wget https://github.com/TeamSeri0us/pocs/raw/master/exiv2/20181206/jp2image-infiniteloop-poc-5
mv jp2image-infiniteloop-poc-5 CVE-2018-20099
cp CVE-2018-20099 CVE-2018-20099.exv
./exiv2 insert CVE-2018-20099

Expected behavior
infinite loop

Desktop (please complete the following information):

• OS: Ubuntu 16.04
• Compiler & Version gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.11)
• Compilation mode and/or compiler flags: using afl-gcc and ASAN

Additional context

press Ctrl+Break to let gdb break

root@66b85dd83778:/d/cvepoc/exiv2# gdb /d/p/latest/1.exiv2
GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.5) 7.11.1
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /d/p/latest/1.exiv2...done.
(gdb) r insert CVE-2018-20099
Starting program: /d/p/latest/1.exiv2 insert CVE-2018-20099
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
^C
Program received signal SIGINT, Interrupt.
0x00007ffff64e4820 in Exiv2::getLong (buf=0x7fffffffb534 "olr\001", byteOrder=<optimized out>) at /d/p/latest/exiv2/src/types.cpp:339
339                        | (byte)buf[2] <<  8 | (byte)buf[3];
(gdb) bt
#0  0x00007ffff64e4820 in Exiv2::getLong (buf=0x7fffffffb534 "olr\001", byteOrder=<optimized out>) at /d/p/latest/exiv2/src/types.cpp:339
#1  0x00000ffffffff6a6 in ?? ()
#2  0x000000006f6c7201 in ?? ()
#3  0x0000000000000000 in ?? ()
(gdb) list
334                 return   (byte)buf[3] << 24 | (byte)buf[2] << 16
335                        | (byte)buf[1] <<  8 | (byte)buf[0];
336             }
337             else {
338                 return   (byte)buf[0] << 24 | (byte)buf[1] << 16
339                        | (byte)buf[2] <<  8 | (byte)buf[3];
340             }
341         }
342
343         Rational getRational(const byte* buf, ByteOrder byteOrder)
(gdb) finish
Run till exit from #0  0x00007ffff64e4820 in Exiv2::getLong (buf=0x7fffffffb534 "olr\001", byteOrder=<optimized out>) at /d/p/latest/exiv2/src/types.cpp:339
^C
Program received signal SIGINT, Interrupt.
0x00007ffff6ef65ed in __asan_memcpy () from /usr/lib/x86_64-linux-gnu/libasan.so.2
(gdb) bt
#0  0x00007ffff6ef65ed in __asan_memcpy () from /usr/lib/x86_64-linux-gnu/libasan.so.2
#1  0x00007ffff63f51a1 in Exiv2::Jp2Image::encodeJp2Header (this=this@entry=0x61200000bd40, boxBuf=..., outBuf=...) at /d/p/latest/exiv2/src/jp2image.cpp:678
#2  0x00007ffff63f752f in Exiv2::Jp2Image::doWriteMetadata (this=this@entry=0x61200000bd40, outIo=...) at /d/p/latest/exiv2/src/jp2image.cpp:789
#3  0x00007ffff6403c0b in Exiv2::Jp2Image::writeMetadata (this=0x61200000bd40) at /d/p/latest/exiv2/src/jp2image.cpp:612
#4  0x00000000004c8776 in (anonymous namespace)::metacopy (source="./CVE-2018-20099.exv", tgt="CVE-2018-20099", targetType=targetType@entry=Exiv2::ImageType::none, preserve=preserve@entry=true) at /d/p/latest/exiv2/src/actions.cpp:2021
#5  0x00000000004ccd00 in Action::Insert::run (this=<optimized out>, path="CVE-2018-20099") at /d/p/latest/exiv2/src/actions.cpp:1163
#6  0x000000000040980c in main (argc=<optimized out>, argv=<optimized out>) at /d/p/latest/exiv2/src/exiv2.cpp:77

[D4N]

Thank you for bringing this to our attention!

The issue is relatively simple: the length of the generated subBox is zero, which means that the while loop in this line never terminates.

[piponazo]

Thanks @zjuchenyuan for insisting on this. I have reproduced the issue and @D4N seems to be on the right track.

[clanmills]

This is an important matter. It may already be fixed in the code base. I've opened an issue for v1.00 to investigate replacing jp2image.cpp with bmffimage.cpp #1525

[kevinbackhouse]

This was fixed by #1591.