2005.09.28 00:49 "[Tiff] PSP libtiff hack?", by Frank Warmerdam

2005.09.28 02:21 "Re: [Tiff] PSP libtiff hack?", by Joris Van Damme

> According to Slashdot a recent Sony PSP hack was accomplished using a vulnerability in libtiff (who knew libtiff was on the PSP?).

I read the same thing, and found it all very weird... If only these people spent as much time on actual good documentation and specification of facts and the exact vulnerability as they do on fighting amongst themselves in the SMS-style language of wannabe hackers, we'd have a chance to know what is actually going on.

> The file is available at:
>
>   http://home.gdal.org/~warmerda/overflow.tif
>
> In case anyone wants to test TIFF applications with it.

Thanks!

I'm seeing a more or less regular IFD, all valid values, except for the BitsPerSample tag, which has 16496 SHORT values.

SamplesPerPixel is 3, which is slightly less. Judging from StripByteCounts with no compression and Photometric, BitsPerSample should be 8,8,8 to obtain a legit TIFF IFD.

But the actual BitsPerSample tag value is 0,0,1, a handful of 0's, some actual data that seems to contain a filename, and another massive load of 0's. So I'm guessing it's an overflow vulnerability in the handling of the BitsPerSample tag that is being used. It is of course entirely possible the vulnerability is already cured in current LibTiff; the hackers were too busy discussing who's entitled to put up PayPal stuff to be concerned with mentioning what version of LibTiff may be involved.

> What would be ideal is if one or more of these hardware makers using libtiff actually provided some funding for a detailed vulnerability analysis. Then they (and we) wouldn't have egg on our faces.

Right on!

Joris Van Damme
info@awaresystems.be
http://www.awaresystems.be/
Download your free TIFF tag viewer for windows here:
http://www.awaresystems.be/imaging/tiff/astifftagviewer.html
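Added example, not part of this thread and not libtiff's code: a small C reader for the first IFD of a little-endian ("II") TIFF that applies the check Joris's description of the file implies, namely that the BitsPerSample count must equal SamplesPerPixel and fit the destination before any values are copied. Whether that is the exact libtiff bug the PSP hack used is Joris's guess, so the code demonstrates the check rather than the vulnerability. It builds its own constructed 1x1 RGB test files, one legit (count 3) and one shaped like the PSP file (count 16496); the MAX_SAMPLES limit, the error codes and the helper names are this example's own choices.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Tag and type numbers from the TIFF 6.0 specification. */
#define TAG_IMAGEWIDTH      256
#define TAG_IMAGELENGTH     257
#define TAG_BITSPERSAMPLE   258
#define TAG_PHOTOMETRIC     262
#define TAG_STRIPOFFSETS    273
#define TAG_SAMPLESPERPIXEL 277
#define TAG_STRIPBYTECOUNTS 279
#define TYPE_SHORT 3
#define TYPE_LONG  4

/* Hypothetical upper bound on samples per pixel this parser accepts. */
#define MAX_SAMPLES 16

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse the first IFD of a little-endian TIFF and copy BitsPerSample into
 * bps[MAX_SAMPLES]. Returns the sample count on success, else a negative code:
 * -1 bad header, -2 IFD outside the file, -3 BitsPerSample count does not
 * match SamplesPerPixel (or exceeds MAX_SAMPLES), -4 BitsPerSample data
 * outside the file, -5 a required tag is missing or has the wrong type.
 * Only the "II" byte order is handled, to keep the example short. */
int read_bits_per_sample(const uint8_t *buf, size_t len, uint16_t bps[MAX_SAMPLES]) {
    if (len < 8 || buf[0] != 'I' || buf[1] != 'I' || rd16(buf + 2) != 42) return -1;
    uint32_t ifd = rd32(buf + 4);
    if (ifd > len || len - ifd < 2) return -2;
    uint32_t n = rd16(buf + ifd);
    if (len - ifd - 2 < (size_t)n * 12 + 4) return -2;   /* entries + next-IFD pointer */

    uint32_t spp = 0, bps_count = 0, bps_type = 0, bps_field = 0;
    int have_spp = 0, have_bps = 0;
    for (uint32_t i = 0; i < n; i++) {
        const uint8_t *e = buf + ifd + 2 + i * 12;        /* tag, type, count, value/offset */
        uint16_t tag = rd16(e), type = rd16(e + 2);
        uint32_t count = rd32(e + 4);
        if (tag == TAG_SAMPLESPERPIXEL && type == TYPE_SHORT && count == 1) {
            spp = rd16(e + 8); have_spp = 1;
        } else if (tag == TAG_BITSPERSAMPLE) {
            bps_type = type; bps_count = count; bps_field = (uint32_t)(e + 8 - buf); have_bps = 1;
        }
    }
    if (!have_spp || !have_bps || bps_type != TYPE_SHORT) return -5;
    /* The check that matters: the count comes from the file and must be validated
     * against SamplesPerPixel and the destination size before anything is copied. */
    if (bps_count == 0 || bps_count != spp || bps_count > MAX_SAMPLES) return -3;

    /* Values of 4 bytes or less sit inline in the entry; otherwise the entry holds an offset. */
    size_t nbytes = (size_t)bps_count * 2;
    uint32_t src = nbytes <= 4 ? bps_field : rd32(buf + bps_field);
    if (src > len || len - src < nbytes) return -4;
    for (uint32_t i = 0; i < bps_count; i++) bps[i] = rd16(buf + src + i * 2);
    return (int)bps_count;
}

static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }
static uint8_t *entry(uint8_t *p, uint16_t tag, uint16_t type, uint32_t count, uint32_t value) {
    wr16(p, tag); wr16(p + 2, type); wr32(p + 4, count); wr32(p + 8, value); return p + 12;
}

/* Constructed test data: a minimal 1x1 uncompressed RGB TIFF with SamplesPerPixel 3
 * and whatever BitsPerSample count the caller asks for (3 is legal; 16496 mimics the
 * PSP file). out must hold 128 bytes; returns the number of bytes written (107). */
size_t build_tiff(uint8_t *out, uint32_t bps_count) {
    const uint32_t ifd = 8, nent = 7;
    const uint32_t bps_off = ifd + 2 + nent * 12 + 4;   /* 98: BitsPerSample values */
    const uint32_t data_off = bps_off + 6;              /* 104: pixel data */
    memset(out, 0, 128);
    out[0] = 'I'; out[1] = 'I'; wr16(out + 2, 42); wr32(out + 4, ifd);
    wr16(out + ifd, (uint16_t)nent);
    uint8_t *p = out + ifd + 2;                         /* entries in ascending tag order */
    p = entry(p, TAG_IMAGEWIDTH, TYPE_SHORT, 1, 1);
    p = entry(p, TAG_IMAGELENGTH, TYPE_SHORT, 1, 1);
    p = entry(p, TAG_BITSPERSAMPLE, TYPE_SHORT, bps_count, bps_off);
    p = entry(p, TAG_PHOTOMETRIC, TYPE_SHORT, 1, 2);    /* 2 = RGB */
    p = entry(p, TAG_STRIPOFFSETS, TYPE_LONG, 1, data_off);
    p = entry(p, TAG_SAMPLESPERPIXEL, TYPE_SHORT, 1, 3);
    p = entry(p, TAG_STRIPBYTECOUNTS, TYPE_LONG, 1, 3);
    wr32(p, 0);                                         /* no next IFD */
    wr16(out + bps_off, 8); wr16(out + bps_off + 2, 8); wr16(out + bps_off + 4, 8);
    out[data_off] = 0xff;                               /* one red pixel */
    return data_off + 3;
}

/* Build a file with the given BitsPerSample count and run the parser on it. */
int check_file(uint32_t bps_count) {
    uint8_t buf[128]; uint16_t bps[MAX_SAMPLES];
    size_t len = build_tiff(buf, bps_count);
    return read_bits_per_sample(buf, len, bps);
}

int main(void) {
    printf("legit file (count 3):      %d\n", check_file(3));      /* 3 */
    printf("PSP-style (count 16496):   %d\n", check_file(16496));  /* -3 */
    return 0;
}
```

The rejection happens on the count alone, before the offset is even dereferenced, which is the order that matters: a parser that sizes a fixed buffer from SamplesPerPixel but loops over the BitsPerSample count has exactly the shape of bug Joris is guessing at, and it is also why the example bounds the count by MAX_SAMPLES rather than trusting either tag on its own.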