Attack by TIFF images: What are the vulnerabilities in LibTIFF?

Cisco Talos researchers found three vulnerabilities in the LibTIFF library, which is a set of functions that supports TIFF images. Each flaw can lead to remote code execution attacks, but at last check, only two of the vulnerabilities had patches. What are the flaws and how would attacks on them occur? What can enterprises do to address the unpatched vulnerability?

The Tagged Image File Format (TIFF) is a widely-used file format for storing raster graphic images. It is supported by many image-manipulation and publishing applications, and is used by scanning and fax systems to process images. The LibTIFF software library and utilities are free resources for reading, writing and manipulating TIFF images and are available for various operating platforms. The three vulnerabilities found by researchers Tyler Bohan and Mathias Svensson can be used by attackers who would trick users into processing a malformed TIFF document with software that uses the LibTIFF library, in order to achieve remote code execution on the targeted system -- a major objective for most hackers.

The first vulnerability (CVE-2016-5652) is found in the TIFF2PDF tool and occurs when a TIFF file is converted to a PDF file. If the JPEG compression option is used, a specially crafted TIFF file can lead to an out-of-bounds write due to errors in the way the image tile size is calculated. An attacker who can trick a user into using TIFF2PDF to convert a crafted TIFF document can cause a heap-based buffer overflow. The second flaw (CVE-2016-5875) is present in the way LibTIFF uses the zlib compression library to decompress PixarLog compressed data inside of TIFF images. If the buffer used to hold the parameters to be passed to zlib is too small, it can cause a heap overflow.

The third vulnerability (CVE-2016-8331) occurs during the parsing and handling of TIFF images using the LibTIFF API that is present in the standard build. RFC 2306 defines a series of fields used within the TIFF format specifically for fax systems. The way LibTIFF handles the "BadFaxLines" field, can result in a write to out-of-bounds memory. Attackers can create a specially crafted TIFF file to exploit this vulnerability and execute arbitrary code on affected systems.

LibTIFF is written in C, which is not a memory safe computer language, so great care has to be taken to avoid potential out-of-bound writes that can corrupt the content of adjacent objects. These three vulnerabilities are all due to flaws in the way LibTIFF code handles objects in memory. There has not been an official LibTIFF release that addresses these issues but patches for CVE-2016-5652 & CVE-2016-5875 can be downloaded from the library's CVS repository. However, CVE-2016-8331 remains unpatched and some organizations may need to reconsider whether to continue using LibTIFF, as it's not entirely clear how well supported the codebase is. There are mitigation options for these attacks; Talos has released Snort rules that detect attempts to exploit these vulnerabilities.