Menu

Search for hundreds of thousands of exploits

"GIMP 2.8.0 - '.FIT' File Format Denial of Service"

Author

Exploit author

"Joseph Sheridan"

Platform

Exploit platform

multiple

Release date

Exploit published date

2012-06-30

Download file

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
Summary
=======

There is a file handling DoS in GIMP (the GNU Image Manipulation Program) for
the 'fit' file format affecting all versions (Windows and Linux) up to and 
including 2.8.0. A file in the fit format with a malformed 'XTENSION' header 
will cause a crash in the GIMP program.

CVE number: CVE-2012-3236
Vendor Homepage: http://www.gimp.org/
Date reported to vendor: 25/05/2012
Found by Joseph Sheridan:
href="http://www.reactionpenetrationtesting.co.uk/joseph-sheridan.html

This advisory is posted at:
http://www.reactionpenetrationtesting.co.uk/FIT-file-handling-DoS.html

PoC file is available here:
http://www.reactionpenetrationtesting.co.uk/vuln.fit
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/19482.fit


Affected Products
=================

Vulnerable Products
+------------------

The following products are known to be affected by this vulnerability:

* GIMP <= 2.8.0 (Windows or Linux builds)

Products Not Vulnerable
+--------------------------------
* GIMP 2.8.1

Details
=======

There is a file handling DoS in GIMP (the GNU Image Manipulation Program) for
the 'fit' file format affecting all versions (Windows and Linux) up to 2.8.0. 
A file in the fit format with a malformed 'XTENSION' header will cause a crash 
in the GIMP program. The flaw is triggered by opening a crafted 'fit' file or 
allowing the file explorer dialog to preview the file.

A file in the fit format starting as follows will trigger the crash:
XTENSIONaaaaaaaaaaaaaaaaaaaaaa...aaaaaaaaaaaaaaaaaaaaaaaaHEADER2...

The vulnerable code is in the fits-io.c lines where the program attempts to 
copy from a null pointer:

{
fdat = fits_decode_card (fits_search_card (hdr, "XTENSION"), typ_fstring);
strcpy (hdulist->xtension, fdat->fstring);
}

This code can be patched by changing it to the following (as GIMP 2.8.1):

fdat = fits_decode_card (fits_search_card (hdr, "XTENSION"), typ_fstring);
if(fdat != NULL) {
strcpy (hdulist->xtension, fdat->fstring);
} else {
strcpy (errmsg, "No valid XTENSION header found.");
goto err_return;
}

Impact
======

Successful exploitation of the vulnerability may result in an application 
crash and denial of service.

Solution
===========
The GIMP team have provided an update for this issue (release 2.8.1).

Workarounds
===========

The fits-io.c file can be patched as above.

Distribution
============

In addition to posting on the website, a text version of this notice
is posted to the following e-mail and Usenet news recipients.

* bugtraq () securityfocus com
* full-disclosure () lists grok org uk
* oss [dash] security [dash] subscribe [at] lists [dot] openwall [dot] com

Future updates of this advisory, if any, will be placed on the ReactionIS
corporate website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the URL below for any updates:

http://www.reactionpenetrationtesting.co.uk/FIT-file-handling-DoS.html

========================================================================
====

Reaction Information Security 
Lombard House Business Centre,
Suite 117,
12-17 Upper Bridge Street,
Canterbury, Kent, CT1 2NF

Phone: +44 (0)1227 785050
Email: research () reactionis {dot} co {dot} uk
Web: http://www.reactionpenetrationtesting.co.uk

Joseph Sheridan
Technical Director
Principal Consultant
CHECK Team Leader, CREST Infrastructure, CREST Application, CISSP
Tel: 07812052515
Web: www.reactionis.com
Email: joe (at) reactionis.co (dot) uk [email concealed]

Reaction Information Security Limited.
Registered in England No: 6929383
Registered Office: 1, The Mews, 69 New Dover Road, Canterbury, CT1 3DZ

This email and any files transmitted with it are confidential and are intended solely for the use of the individual to whom they are addressed. If you are not the intended recipient please notify the sender. Any unauthorised dissemination or copying of this email or its attachments and any use or disclosure of any information contained in them, is strictly prohibited.

 Please consider the environment before printing this email
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "Expense Management System - 'description' Stored Cross Site Scripting" webapps multiple "Nikhil Kumar"
2020-12-02 "Bakeshop Online Ordering System 1.0 - 'Owner' Persistent Cross-site scripting" webapps multiple "Parshwa Bhavsar"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "ILIAS Learning Management System 4.3 - SSRF" webapps multiple Dot
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "Under Construction Page with CPanel 1.0 - SQL injection" webapps multiple "Mayur Parmar"
Release Date Title Type Platform Author
2013-04-25 "Hornbill Supportworks ITSM 1.0.0 - SQL Injection" webapps php "Joseph Sheridan"
2012-11-26 "Forescout CounterACT - 'a' Open Redirection" webapps multiple "Joseph Sheridan"
2012-10-04 "XnView 1.99.1 - '.JLS' File Decompression Heap Overflow" dos windows "Joseph Sheridan"
2012-06-30 "IrfanView JLS Formats PlugIn - Heap Overflow" dos windows "Joseph Sheridan"
2012-06-30 "GIMP 2.8.0 - '.FIT' File Format Denial of Service" dos multiple "Joseph Sheridan"
2012-05-31 "GIMP 2.6 script-fu < 2.8.0 - Buffer Overflow (PoC)" dos windows "Joseph Sheridan" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected