CVE-2016-9297#

Description#

CVE-2016-9297

Aggregating intelligence...

Compile#

Download#

虽然 Mitre 的 description 写是 4.0.6 版本的漏洞，但是 chall 的 description 说 4.0.4，那就用 4.0.4 吧。

git clone https://gitlab.com/libtiff/libtiff.git && cd libtiff
git checkout v4.0.4

Build#

mkdir ../libtiff-build-fuzz
cd ../libtiff-build-fuzz
CC=afl-clang-lto \
CXX=afl-clang-lto++ \
../libtiff/configure \
  --prefix="$(realpath ../libtiff-fuzz)" \
  --disable-shared
make clean && make -j`nproc` && make install

mkdir ../libtiff-build-fuzz-asan
cd ../libtiff-build-fuzz-asan
AFL_USE_ASAN=1 \
CC=afl-clang-lto \
CXX=afl-clang-lto++ \
../libtiff/configure \
  --prefix="$(realpath ../libtiff-fuzz-asan)" \
  --disable-shared
make clean && AFL_USE_ASAN=1 make -j`nproc` && AFL_USE_ASAN=1 make install

make 的时候遇到两个定义不完整的报错，直接在 tif_predict.h 中加入下面两行即可：

1
#include "tiffio.h"
2
#include "tiffiop.h"

Samples#

1
#!/usr/bin/env python
2

3
import os
4
import subprocess
5
import struct
6

7
def run_cmd(cmd):
8
    try:
9
        subprocess.run(cmd, check=True, capture_output=True)
10
    except subprocess.CalledProcessError as e:
11
        print(f"Error running {' '.join(cmd)}: {e}")
12

13
def create_minimal_tiff(filename, width=8, height=8):
14
    # Minimal 8x8 BW TIFF (1 bit per pixel)
15
    # Header
16
    header = b'II' + struct.pack('<HI', 42, 8) # II, 42, offset to IFD=8
17

18
    # IFD
19
    num_entries = 11
20
    ifd_offset = 8
21
    next_ifd_offset = 0
22

23
    # Tags:
24
    # 256 (Width), 257 (Height), 258 (BitsPerSample), 259 (Compression),
25
    # 262 (Photometric), 273 (StripOffsets), 277 (SamplesPerPixel),
26
    # 278 (RowsPerStrip), 279 (StripByteCounts), 282 (XRes), 283 (YRes)
27

28
    # Each entry is 12 bytes
29
    entries = []
30
    def add_entry(tag, type, count, value):
31
        entries.append(struct.pack('<HHII', tag, type, count, value))
32

33
    add_entry(256, 3, 1, width)  # Width
34
    add_entry(257, 3, 1, height) # Height
35
    add_entry(258, 3, 1, 1)      # BitsPerSample
36
    add_entry(259, 3, 1, 1)      # Compression (None)
37
    add_entry(262, 3, 1, 1)      # Photometric (MinIsBlack)
38
    add_entry(273, 4, 1, 8 + 2 + num_entries*12 + 4 + 16) # StripOffsets (after IFD and Res values)
39
    add_entry(277, 3, 1, 1)      # SamplesPerPixel
40
    add_entry(278, 3, 1, height) # RowsPerStrip
41
    add_entry(279, 4, 1, (width * height + 7) // 8) # StripByteCounts
42
    add_entry(282, 5, 1, 8 + 2 + num_entries*12 + 4) # XRes (offset)
43
    add_entry(283, 5, 1, 8 + 2 + num_entries*12 + 4 + 8) # YRes (offset)
44

45
    ifd = struct.pack('<H', num_entries) + b''.join(entries) + struct.pack('<I', next_ifd_offset)
46

47
    # Rational values for XRes, YRes (72/1)
48
    res_values = struct.pack('<IIII', 72, 1, 72, 1)
49

50
    # Image data (all zeros for simplicity)
51
    data = b'\x00' * ((width * height + 7) // 8)
52

53
    with open(filename, 'wb') as f:
54
        f.write(header)
55
        f.write(ifd)
56
        f.write(res_values)
57
        f.write(data)
58

59
def create_grayscale_tiff(filename, width=8, height=8, bpp=8):
60
    # Header
61
    header = b'II' + struct.pack('<HI', 42, 8)
62

63
    num_entries = 11
64
    entries = []
65
    def add_entry(tag, type, count, value):
66
        entries.append(struct.pack('<HHII', tag, type, count, value))
67

68
    data_offset = 8 + 2 + num_entries*12 + 4 + 16
69

70
    add_entry(256, 3, 1, width)  # Width
71
    add_entry(257, 3, 1, height) # Height
72
    add_entry(258, 3, 1, bpp)    # BitsPerSample
73
    add_entry(259, 3, 1, 1)      # Compression
74
    add_entry(262, 3, 1, 1)      # Photometric (MinIsBlack)
75
    add_entry(273, 4, 1, data_offset) # StripOffsets
76
    add_entry(277, 3, 1, 1)      # SamplesPerPixel
77
    add_entry(278, 3, 1, height) # RowsPerStrip
78
    add_entry(279, 4, 1, width * height * (bpp // 8)) # StripByteCounts
79
    add_entry(282, 5, 1, 8 + 2 + num_entries*12 + 4) # XRes
80
    add_entry(283, 5, 1, 8 + 2 + num_entries*12 + 4 + 8) # YRes
81

82
    ifd = struct.pack('<H', num_entries) + b''.join(entries) + struct.pack('<I', 0)
83
    res_values = struct.pack('<IIII', 72, 1, 72, 1)
84
    data = b'\x80' * (width * height * (bpp // 8)) # Gray data
85

86
    with open(filename, 'wb') as f:
87
        f.write(header)
88
        f.write(ifd)
89
        f.write(res_values)
90
        f.write(data)
91

92
def create_rgb_tiff(filename, width=8, height=8):
93
    header = b'II' + struct.pack('<HI', 42, 8)
94
    num_entries = 12
95
    entries = []
96
    def add_entry(tag, type, count, value):
97
        entries.append(struct.pack('<HHII', tag, type, count, value))
98

99
    bps_offset = 8 + 2 + num_entries*12 + 4
100
    res_offset = bps_offset + 6
101
    data_offset = res_offset + 16
102

103
    add_entry(256, 3, 1, width)  # Width
104
    add_entry(257, 3, 1, height) # Height
105
    add_entry(258, 3, 3, bps_offset) # BitsPerSample (3 values)
106
    add_entry(259, 3, 1, 1)      # Compression
107
    add_entry(262, 3, 1, 2)      # Photometric (RGB)
108
    add_entry(273, 4, 1, data_offset) # StripOffsets
109
    add_entry(277, 3, 1, 3)      # SamplesPerPixel
110
    add_entry(278, 3, 1, height) # RowsPerStrip
111
    add_entry(279, 4, 1, width * height * 3) # StripByteCounts
112
    add_entry(282, 5, 1, res_offset) # XRes
113
    add_entry(283, 5, 1, res_offset + 8) # YRes
114
    add_entry(284, 3, 1, 1)      # PlanarConfig (Contig)
115

116
    ifd = struct.pack('<H', num_entries) + b''.join(entries) + struct.pack('<I', 0)
117
    bps_values = struct.pack('<HHH', 8, 8, 8)
118
    res_values = struct.pack('<IIII', 72, 1, 72, 1)
119
    data = b'\xff\x00\x00' * (width * height) # Red image
120

121
    with open(filename, 'wb') as f:
122
        f.write(header)
123
        f.write(ifd)
124
        f.write(bps_values)
125
        f.write(res_values)
126
        f.write(data)
127

128
def create_palette_tiff(filename, width=8, height=8):
129
    header = b'II' + struct.pack('<HI', 42, 8)
130
    num_entries = 12
131
    entries = []
132
    def add_entry(tag, type, count, value):
133
        entries.append(struct.pack('<HHII', tag, type, count, value))
134

135
    cmap_offset = 8 + 2 + num_entries*12 + 4
136
    res_offset = cmap_offset + 256 * 3 * 2 # 256 colors, RGB, 2 bytes each
137
    data_offset = res_offset + 16
138

139
    add_entry(256, 3, 1, width)  # Width
140
    add_entry(257, 3, 1, height) # Height
141
    add_entry(258, 3, 1, 8)      # BitsPerSample
142
    add_entry(259, 3, 1, 1)      # Compression
143
    add_entry(262, 3, 1, 3)      # Photometric (Palette)
144
    add_entry(273, 4, 1, data_offset) # StripOffsets
145
    add_entry(277, 3, 1, 1)      # SamplesPerPixel
146
    add_entry(278, 3, 1, height) # RowsPerStrip
147
    add_entry(279, 4, 1, width * height) # StripByteCounts
148
    add_entry(282, 5, 1, res_offset) # XRes
149
    add_entry(283, 5, 1, res_offset + 8) # YRes
150
    add_entry(320, 3, 256 * 3, cmap_offset) # ColorMap
151

152
    ifd = struct.pack('<H', num_entries) + b''.join(entries) + struct.pack('<I', 0)
153

154
    # Color map: 256 RGB values, each 2 bytes (16-bit)
155
    cmap = b''
156
    for i in range(256): cmap += struct.pack('<H', i * 256) # Red
157
    for i in range(256): cmap += struct.pack('<H', i * 256) # Green
158
    for i in range(256): cmap += struct.pack('<H', i * 256) # Blue
159

160
    res_values = struct.pack('<IIII', 72, 1, 72, 1)
161
    data = bytes([i % 256 for i in range(width * height)])
162

163
    with open(filename, 'wb') as f:
164
        f.write(header)
165
        f.write(ifd)
166
        f.write(cmap)
167
        f.write(res_values)
168
        f.write(data)
169

170
def main():
171
    corpus_dir = "corpus"
172
    if not os.path.exists(corpus_dir):
173
        os.makedirs(corpus_dir)
174

175
    base_tiff = os.path.join(corpus_dir, "base_bw.tif")
176
    create_minimal_tiff(base_tiff)
177

178
    base_gray8 = os.path.join(corpus_dir, "base_gray8.tif")
179
    create_grayscale_tiff(base_gray8, bpp=8)
180

181
    base_gray16 = os.path.join(corpus_dir, "base_gray16.tif")
182
    create_grayscale_tiff(base_gray16, bpp=16)
183

184
    base_rgb = os.path.join(corpus_dir, "base_rgb.tif")
185
    create_rgb_tiff(base_rgb)
186

187
    base_palette = os.path.join(corpus_dir, "base_palette.tif")
188
    create_palette_tiff(base_palette)
189

190
    bases = [base_tiff, base_gray8, base_gray16, base_rgb, base_palette]
191

192
    # Use tiffcp to create variations
193
    compressions = ["none", "lzw", "zip", "packbits", "zstd"]
194
    for base in bases:
195
        base_name = os.path.basename(base).split('.')[0]
196
        for comp in compressions:
197
            out = os.path.join(corpus_dir, f"{base_name}_{comp}.tif")
198
            run_cmd(["tiffcp", "-c", comp, base, out])
199

200
            out_tile = os.path.join(corpus_dir, f"{base_name}_{comp}_tile.tif")
201
            run_cmd(["tiffcp", "-c", comp, "-t", "-w", "8", "-l", "8", base, out_tile])
202

203
    # Special compressions for BW
204
    for comp in ["g3", "g4"]:
205
        run_cmd(["tiffcp", "-c", comp, base_tiff, os.path.join(corpus_dir, f"bw_{comp}.tif")])
206

207
    # JPEG for RGB
208
    run_cmd(["tiffcp", "-c", "jpeg", base_rgb, os.path.join(corpus_dir, "rgb_jpeg.tif")])
209

210
    # BigTIFF
211
    run_cmd(["tiffcp", "-8", base_rgb, os.path.join(corpus_dir, "bigtiff_rgb.tif")])
212

213
    # Byte order
214
    run_cmd(["tiffcp", "-B", base_rgb, os.path.join(corpus_dir, "big_endian_rgb.tif")])
215

216
    # Planar configuration
217
    run_cmd(["tiffcp", "-p", "separate", base_rgb, os.path.join(corpus_dir, "separate_rgb.tif")])
218

219
    # Add some tags
220
    tagged_tiff = os.path.join(corpus_dir, "tagged_rgb.tif")
221
    run_cmd(["cp", base_rgb, tagged_tiff])
222
    run_cmd(["tiffset", "-s", "315", "Fuzzer", tagged_tiff])
223

224
    # Broken cases
225
    # Circular IFD (from base_bw)
226
    circular = os.path.join(corpus_dir, "circular.tif")
227
    with open(base_tiff, 'rb') as f:
228
        data = bytearray(f.read())
229
    # Find next_ifd_offset (last 4 bytes of IFD)
230
    # IFD starts at 8, has 11 entries (11*12=132), + 2 bytes for count = 134.
231
    # next_ifd_offset is at index 142
232
    if len(data) >= 146:
233
        data[142:146] = struct.pack('<I', 8)
234
        with open(circular, 'wb') as f:
235
            f.write(data)
236

237
    # Huge dimensions
238
    huge_dim = os.path.join(corpus_dir, "huge_dim.tif")
239
    create_minimal_tiff(huge_dim)
240
    run_cmd(["tiffset", "-s", "256", "1000000", huge_dim])
241
    run_cmd(["tiffset", "-s", "257", "1000000", huge_dim])
242

243
    # Invalid compression tag
244
    invalid_comp = os.path.join(corpus_dir, "invalid_comp.tif")
245
    create_minimal_tiff(invalid_comp)
246
    run_cmd(["tiffset", "-s", "259", "65535", invalid_comp])
247

248
    print(f"Generated {len(os.listdir(corpus_dir))} samples in {corpus_dir}")
249

250
if __name__ == "__main__":
251
    main()

除了 AI 生成的这些样本外，test/images/ 中也有一些样本可以拿来用。

Fuzzing#

编译出来发现有一堆程序，哪个才是我们的目标呢？

查看 Mitre 给出的 references，其中 Bug 2590 - CVE-2016-9297: segfault in _TIFFPrintField (tif_print.c:127) 写道：

Triggered in libtiff 4.0.6 with AFL and ASAN. Only crashes if I LD_PRELOAD AFL’s libdislocator (more info: https://github.com/mirrorer/afl/tree/master/libdislocator).

LD_PRELOAD=/root/afl-2.35b/libdislocator/libdislocator.so ./tiffinfo -i test000

由此可知我们 fuzz 的目标是 tiffinfo 。

我们将所有的输出参数都用上，以便提高覆盖率，这里只开了两个线程 fuzz：

mkdir -p /dev/shm/{normal,asan}

AFL_TMPDIR=/dev/shm/asan \
afl-fuzz -i corpus \
         -o outs \
         -m none \
         -M asan \
         -- ../libtiff-fuzz-asan/bin/tiffinfo -Dcjrsw @@

AFL_TMPDIR=/dev/shm/normal \
afl-fuzz -i corpus \
         -o outs \
         -m none \
         -S normal \
         -- ../libtiff-fuzz/bin/tiffinfo -Dcjrsw @@

刚跑了两分钟，ASAN 那个线程以每秒一百多 crashes 的速度产出……吓坏了（

Analysis#

Coverage#

这个 chall 主要是让我们使用 lcov 来生成覆盖率报告的，不过我选择 llvm-cov，而不是 lcov 。

先单独编译一个 cov 插桩的版本：

mkdir ../libtiff-build-cov
cd libtiff-build-cov
CC=clang \
CXX=clang++ \
CFLAGS="-fprofile-instr-generate -fcoverage-mapping" \
CXXFLAGS="$CFLAGS" \
../libtiff/configure \
  --prefix="$(realpath ../libtiff-cov)" \
  --disable-shared
make clean && AFL_USE_ASAN=1 make -j`nproc` && AFL_USE_ASAN=1 make install

然后可以使用如下脚本自动生成覆盖率报告：

1
#!/usr/bin/env python
2

3
import os
4
import subprocess
5
import glob
6
import argparse
7

8
def run_cmd(cmd, env=None):
9
    """Run a shell command and return the output."""
10
    try:
11
        result = subprocess.run(cmd, shell=True, env=env, capture_output=True, text=True)
12
        return result.returncode, result.stdout, result.stderr
13
    except Exception as e:
14
        return 1, "", str(e)
15

16
def main():
17
    parser = argparse.ArgumentParser(description="Generate llvm-cov report from AFL++ samples.")
18
    parser.add_argument("--bin", required=True, help="Path to the instrumented binary.")
19
    parser.add_argument("--samples", required=True, help="Directory containing AFL++ samples (e.g., output/default/queue).")
20
    parser.add_argument("--out", default="coverage_report", help="Directory to save the HTML report (default: coverage_report).")
21
    parser.add_argument("--profraw-dir", default="profraws", help="Directory to store intermediate .profraw files.")
22
    parser.add_argument("--args", default="", help="Additional arguments to pass to the binary (use {} as placeholder for sample path).")
23

24
    args = parser.parse_args()
25

26
    # Create directories
27
    if not os.path.exists(args.profraw_dir):
28
        os.makedirs(args.profraw_dir)
29
    if not os.path.exists(args.out):
30
        os.makedirs(args.out)
31

32
    # Find all samples
33
    samples = glob.glob(os.path.join(args.samples, "*"))
34
    # Filter only files (AFL++ directories might have subfolders)
35
    samples = [s for s in samples if os.path.isfile(s)]
36

37
    if not samples:
38
        print(f"No samples found in {args.samples}")
39
        return
40

41
    print(f"Found {len(samples)} samples. Running coverage...")
42

43
    # Set up environment for LLVM profile generation
44
    # %p is PID, %m is binary hash to avoid collisions
45
    env = os.environ.copy()
46

47
    for i, sample in enumerate(samples):
48
        profraw_path = os.path.abspath(os.path.join(args.profraw_dir, f"sample_{i}.profraw"))
49
        env["LLVM_PROFILE_FILE"] = profraw_path
50

51
        # Construct command
52
        if "{}" in args.args:
53
            cmd = f"{args.bin} {args.args.format(sample)}"
54
        else:
55
            cmd = f"{args.bin} {args.args} {sample}"
56

57
        print(f"[{i+1}/{len(samples)}] Running: {cmd}", end="\r")
58
        run_cmd(cmd, env=env)
59

60
    print("\nMerging profile data...")
61
    profdata_file = "merged.profdata"
62
    profraw_pattern = os.path.join(args.profraw_dir, "*.profraw")
63
    merge_cmd = f"llvm-profdata merge -sparse {profraw_pattern} -o {profdata_file}"
64
    rc, stdout, stderr = run_cmd(merge_cmd)
65

66
    if rc != 0:
67
        print(f"Error merging data: {stderr}")
68
        return
69

70
    print(f"Generating HTML report in {args.out}...")
71
    report_cmd = f"llvm-cov show {args.bin} -instr-profile={profdata_file} -format=html -output-dir={args.out}"
72
    rc, stdout, stderr = run_cmd(report_cmd)
73

74
    if rc != 0:
75
        print(f"Error generating report: {stderr}")
76
        return
77

78
    # Also generate a summary report
79
    print("\nCoverage Summary:")
80
    summary_cmd = f"llvm-cov report {args.bin} -instr-profile={profdata_file}"
81
    rc, stdout, stderr = run_cmd(summary_cmd)
82
    print(stdout)
83

84
    print(f"Report generated successfully in directory: {args.out}")
85
    print(f"You can view it by opening {os.path.join(args.out, 'index.html')} in a browser.")
86

87
if __name__ == "__main__":
88
    main()

./gen_coverage.py --bin ./bin/tiffinfo --args "-Dcjrsw {}" --samples ../libtiff-workshop/outs/asan/queue

最后的 web 报告如下：

出于进度优先的考虑，之后的（包括前面的 libtiff）chall 我都没有深入分析它们的漏洞成因，想着早点把 fuzz 基本要点都玩明白后去自己写一个结合了 AI 的 fuzzer 。还有一个原因是 Fuzzing 101 的可复现性不怎么高，能不能跑出和 CVE 描述对应的 crash 完全是看运气，所以意义不大，没必要浪费时间去磨一个一模一样的 crash 样本。