GEN:SID | 1:2673 |
Message | WEB-CLIENT libpng tRNS overflow attempt |
Summary | This event is generated when an attempt is made to exploit a buffer overflow associated with the processing of a Portable Network Graphics (PNG) file by libpng.
|
Impact | A successful attack may cause a buffer overflow and the subsequent execution of arbitrary code on a vulnerable client host.
|
Detailed Information | A vulnerability exists in the way libpng handles the transparency chunk of a PNG file, enabling a buffer overflow and the subsequent execution of arbitrary code on a vulnerable client. A PNG datastream consists of a PNG marker followed by a sequence of chunks that have a specific format and function.
When libpng processes a PNG datastream, it expects to find chunk types in a particular order. For an image with palette color type, the PLTE (palette) chunk must precede a tRNS (transparency) chunk. If it does not, an error is generated, but decoding continues. Due to a logic error, the length associated with the tRNS chunk is not properly validated. A length of greater than 256 bytes can cause a buffer overflow and the subsequent execution of arbitrary code when the PNG image is processed.
|
Affected Systems | Hosts running libpng 1.2.5 and prior
Hosts running libpng 1.0.15 and prior
|
Attack Scenarios | An attacker can create a malformed PNG file on a web server and entice a user to download it, possibly causing a buffer overflow on a vulnerable client.
|
Ease of Attack | Simple. Exploit code exists.
|
Corrective Action | Upgrade to the latest non-affected version of the software.
|
Additional References | |
Rule References | bugtraq: 10872
cve: 2004-0597
|
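The chunk layout and the two tRNS conditions described under Detailed Information, as an added Python example (not part of the Snort rule or of libpng): a scanner that walks chunk headers and reports a tRNS chunk that precedes PLTE or declares more than 256 bytes in a palette image. The function names and both sample byte strings are constructed for illustration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"   # 8-byte PNG marker that opens every datastream
MAX_TRNS = 256                    # length limit stated in the rule documentation

def chunk(ctype, data):
    """Serialize one chunk: 4-byte length, 4-byte type, data, CRC-32 of type+data."""
    crc = zlib.crc32(ctype + data)
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def ihdr(color_type):
    """Build a 1x1, 8-bit IHDR chunk with the given color type (3 = palette)."""
    return chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, color_type, 0, 0, 0))

def scan_png(buf):
    """Return a list of findings for the tRNS conditions in a palette image."""
    if not buf.startswith(PNG_SIG):
        return ["not a PNG datastream"]
    findings, pos = [], len(PNG_SIG)
    color_type, seen_plte = None, False
    while pos + 8 <= len(buf):
        # Judge the declared length, not the bytes actually present.
        length, ctype = struct.unpack(">I4s", buf[pos:pos + 8])
        data = buf[pos + 8:pos + 8 + length]
        if ctype == b"IHDR" and len(data) >= 10:
            color_type = data[9]          # byte 9 of IHDR data is the color type
        elif ctype == b"PLTE":
            seen_plte = True
        elif ctype == b"tRNS" and color_type == 3:
            if not seen_plte:
                findings.append("tRNS before PLTE")
            if length > MAX_TRNS:
                findings.append("tRNS length %d > 256" % length)
        elif ctype == b"IEND":
            break
        pos += 12 + length                # header (8) + data + CRC (4)
    return findings

# Constructed samples: chunk headers only, no image data (IDAT) is included.
GOOD = PNG_SIG + ihdr(3) + chunk(b"PLTE", bytes(3)) + chunk(b"tRNS", b"\xff") + chunk(b"IEND", b"")
BAD = PNG_SIG + ihdr(3) + chunk(b"tRNS", bytes(300)) + chunk(b"IEND", b"")

if __name__ == "__main__":
    print("GOOD:", scan_png(GOOD))
    print("BAD: ", scan_png(BAD))
```
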