Talos is disclosing TALOS-2016-0223 / CVE-2016-8710. An exploitable heap write out of bounds vulnerability exists in the decoding of BPG images in libbpg library. A crafted BPG image decoded by libbpg can cause an integer underflow vulnerability causing an out of bounds heap write leading to remote code execution. This vulnerability can be triggered via attempting to decode a crafted BPG image using libbpg.
BPG (Better Portable Graphics) is an image format created in 2014 based on the HECV video compression standard. BPG has been praised for its ability to produce the same quality image as the well known JPEG format, but in a much smaller file size. Talos is disclosing the presence of a remote code execution vulnerability in the libbpg library which is widely used to support the file format. During the decoding of a BPG, in the `restore_tqb_pixels` function, an attacker controlled integer underflow can occur during the calculation of offsets for the `src` and `dst` operands of a `mempcy`. Because of the underflows, the resulting addresses passed to the `memcpy` are outside the bounds of the original heap structures, resulting in an out of bounds write condition. This vulnerability can be used to create a specially crafted BPG image file which results in remote code execution when opened with any application using a vulnerable version of the libbpg library. The full details surrounding the vulnerability are available here.
Known vulnerable versionsLibbpg - 0.9.4 and 0.9.7
ConclusionThe ubiquity of image files on web sites and embedded within emails means that they are an excellent vector for attack since the presence of an image is unlikely to raise users’ suspicions. Vulnerabilities in widely supported image formats are a bonus for attackers, in that a single exploit can be used to attack many systems. Organizations need to be aware that such vulnerabilities do exist and are occasionally discovered. Talos is committed to discovering such vulnerabilities before the bad guys. This enables us to release detection that protects our customers from the malicious exploit of the vulnerability. If you are using vulnerable versions of the software you are ugred to apply the patch in the advisory.
The following Snort Rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.
Snort Rule: 41310 - 41311