GDCM buffer overflow in ImageRegionReader ReadIntoBuffer
By www.census-labs.com
On [2016-01-11] at 07:33:51



Summary:

CENSUS ID: CENSUS-2016-0001
CVE ID: CVE-2015-8396
Affected Products: Applications using GDCM versions 2.6.1, 2.6.0 and possibly earlier

The length of the buffer required for an image region is computed in gdcm::ImageRegionReader::ComputeBufferLength() as the product of the region extents:

    (Internals->YMax - Internals->YMin + 1) *
    (Internals->XMax - Internals->XMin + 1) *
    (Internals->ZMax - Internals->ZMin + 1)

The above variables represent the dimensions of the DICOM image region that is to be copied, and are set via a call to gdcm::ImageRegionReader::SetRegion(). In the most common case the region covers the entire image and is therefore controlled by the input file's DICOM headers, where the image dimensions are specified. Specially crafted dimensions can cause the multiplication to wrap around zero, thus making the return value smaller than the real size requirements. The return value is eventually saved in the variable 'thelen' and then used in the buffer length check of gdcmImageRegionReader.cxx, line 445:

    bool ImageRegionReader::ReadIntoBuffer(char *buffer, size_t buflen)
    {
      size_t thelen = ComputeBufferLength();
      // the only length check: every decoder below trusts buflen from here on
      if( buflen < thelen ) return false;
      if( GetFileOffset() != (std::streampos)-1 )
        {
        gdcmDebugMacro( "Using FileOffset: " << GetFileOffset() );
        std::istream *theStream = GetStreamPtr();
        theStream->seekg( Internals->GetFileOffset() );
        }
      bool success = false;
      if( !success ) success = ReadRAWIntoBuffer(buffer, buflen);
      if( !success ) success = ReadRLEIntoBuffer(buffer, buflen);
      if( !success ) success = ReadJPEGIntoBuffer(buffer, buflen);
      if( !success ) success = ReadJPEGLSIntoBuffer(buffer, buflen);
      if( !success ) success = ReadJPEG2000IntoBuffer(buffer, buflen);
      return success;
    }

As long as the length check is passed, all of the decoding functions (ReadRAWIntoBuffer(), etc.) assume that the input buffer is long enough, so they copy the image data into the buffer without further checks. The image copy operations are executed by a number of memcpy() calls, such as the following one from gdcmJPEGLSCodec.cxx, line 514:

    memcpy(buffer + ((z-zmin)*rowsize*colsize + (y-ymin)*rowsize)*bytesPerPixel,
           tmpBuffer1, rowsize*bytesPerPixel);

An adversary can supply a specially crafted DICOM image file where the dimensions are such that (a) the image size check discussed above is bypassed through the integer overflow, while (b) the number of bytes copied during memcpy() (i.e. the rowsize*bytesPerPixel argument above) is not subject to an integer overflow and is large enough to overflow the memcpy() destination buffer. This scenario would allow an attacker to overflow the target buffer with attacker-controlled data (i.e. image data), possibly leading, under certain conditions, to remote code execution. The buffer overflow may occur regardless of the size of the buffer allocated, just as if ImageRegionReader::ReadIntoBuffer() contained no buffer length checks. If a vulnerable version of the library must be used, there are proactive actions that can be taken to prevent the effects of the buffer overflow, such as detecting the dimensions-based integer overflow prior to calling the vulnerable API.

Exploitation Notes

To further analyze the risk of this vulnerability we developed a proof-of-concept exploit following the strategy described below. In file gdcmImageRegionReader.cxx, line 458, we see that the application supports a number of image codecs:

    bool success = false;
    if( !success ) success = ReadRAWIntoBuffer(buffer, buflen);
    if( !success ) success = ReadRLEIntoBuffer(buffer, buflen);
    if( !success ) success = ReadJPEGIntoBuffer(buffer, buflen);
    if( !success ) success = ReadJPEGLSIntoBuffer(buffer, buflen);
    if( !success ) success = ReadJPEG2000IntoBuffer(buffer, buflen);

Manipulating data in the DICOM headers of any of the above image types will lead to a buffer overflow, but as it turns out only a few of them would allow us to avoid a segmentation fault (due to the large number of bytes that need to be copied). JPEG-LS proved to be a good choice in that regard. Eventually the program will reach gdcm::JPEGLSCodec::DecodeExtent() in gdcmJPEGLSCodec.cxx:

    bool JPEGLSCodec::DecodeExtent(char *buffer,
      unsigned int xmin, unsigned int xmax,
      unsigned int ymin, unsigned int ymax,
      unsigned int zmin, unsigned int zmax,
      std::istream &is)
    {
      ...
      else if( NumberOfDimensions == 3 )
        {
        ...
        for( unsigned int z = zmin; z <= zmax; ++z )
          {
          ...
          std::vector<unsigned char> outv;
          bool b = DecodeByStreamsCommon(dummy_buffer, buf_size, outv);
          delete[] dummy_buffer;
          if( !b ) return false;
          unsigned char *raw = &outv[0];
          const unsigned int rowsize = xmax - xmin + 1;
          const unsigned int colsize = ymax - ymin + 1;
          const unsigned int bytesPerPixel = pf.GetPixelSize();
          const unsigned char *tmpBuffer1 = raw;
          for( unsigned int y = ymin; y <= ymax; ++y )
            {
            size_t theOffset = 0 + (0*dimensions[1]*dimensions[0] + y*dimensions[0] + xmin)*bytesPerPixel;
            tmpBuffer1 = raw + theOffset;
            memcpy(buffer + ((z-zmin)*rowsize*colsize + (y-ymin)*rowsize)*bytesPerPixel,
                   tmpBuffer1, rowsize*bytesPerPixel);
            }
          ...

This function goes through each JPEG-LS frame in the DICOM file by looping from 'zmin' to 'zmax' (our file is multi-frame, meaning basically 3-dimensional); it decodes the frame by calling DecodeByStreamsCommon(), then copies each frame to our small buffer by looping from 'ymin' to 'ymax' and calling memcpy() for each row. This will cause the buffer to overflow at some point. Our goal is for the buffer to overflow by one of the memcpy() calls without causing a segmentation fault, and then for the code to immediately exit the loop, so as to avoid a segmentation fault caused by a further call to memcpy(). We note that the function will return if the return value of DecodeByStreamsCommon() is false. As it turns out, it is not hard to arrange that:

    bool JPEGLSCodec::DecodeByStreamsCommon(char *buffer, size_t totalLen,
      std::vector<unsigned char> &rgbyteOut)
    {
      const BYTE *pbyteCompressed = (const BYTE *)buffer;
      size_t cbyteCompressed = totalLen;

      JlsParameters params;
      if( JpegLsReadHeader(pbyteCompressed, cbyteCompressed, &params) != OK )
        {
        gdcmDebugMacro( "Could not parse JPEG-LS header" );
        return false;
        }
      ...

What the attacker has to do to stop the loop is to provide a malformed JPEG-LS header right after the frame which is responsible for the overflow. An input file that causes a crash is available here, and sample code triggering the bug is available here.

Discussion

Applications that use the ImageRegionReader::ReadIntoBuffer() API call from GDCM versions 2.6.1, 2.6.0 and possibly earlier versions to process untrusted medical image data may allow attackers to cause memory corruption, denial of service or possibly remote code execution on the systems hosting these applications. The GDCM project has released version 2.6.2, which addresses this issue. It is advised to upgrade all GDCM installations to the latest stable release.

Disclosure Timeline
- CVE assignment: December 2nd, 2015
- Vendor Contact: December 4th, 2015
- Vendor Patch Release: December 23rd, 2015
- Public Advisory: January 5th, 2016
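The advisory's suggested mitigation, detecting the dimensions-based integer overflow before calling the vulnerable API, worked through as an added example (not GDCM or CENSUS code): the wrapping 32-bit product sits next to a 64-bit checked version and a guard to run before ReadIntoBuffer(). The Region struct, the function names and the 32-bit width of the dimension variables are assumptions made for the example.

```cpp
// Added example (not GDCM or CENSUS code): overflow-checked region sizing to
// run before gdcm::ImageRegionReader::ReadIntoBuffer(). The Region struct and
// the 32-bit arithmetic in unchecked_region_length() are assumptions modelling
// the advisory's description, not the library's actual declarations.
#include <cstddef>
#include <cstdint>
#include <limits>

struct Region { uint32_t xmin, xmax, ymin, ymax, zmin, zmax; };

// Mirrors the flawed arithmetic: every factor is a 32-bit unsigned value, so
// the product silently wraps modulo 2^32 before it is widened to size_t.
size_t unchecked_region_length(const Region &r, uint32_t bytesPerPixel) {
    uint32_t len = (r.ymax - r.ymin + 1) * (r.xmax - r.xmin + 1) *
                   (r.zmax - r.zmin + 1) * bytesPerPixel;
    return len;
}

// Multiplies a*b into *out; returns false if the product exceeds 64 bits.
static bool mul_checked(uint64_t a, uint64_t b, uint64_t *out) {
    if (a != 0 && b > std::numeric_limits<uint64_t>::max() / a) return false;
    *out = a * b;
    return true;
}

// Hardened counterpart: rejects inverted bounds, a zero pixel size, and any
// product that does not fit in 64 bits. Extents are computed in 64 bits so
// that xmax == UINT32_MAX with xmin == 0 cannot wrap either.
bool checked_region_length(const Region &r, uint32_t bytesPerPixel, uint64_t *out) {
    if (r.xmax < r.xmin || r.ymax < r.ymin || r.zmax < r.zmin) return false;
    if (bytesPerPixel == 0) return false;
    uint64_t width  = (uint64_t)r.xmax - r.xmin + 1;
    uint64_t height = (uint64_t)r.ymax - r.ymin + 1;
    uint64_t depth  = (uint64_t)r.zmax - r.zmin + 1;
    uint64_t len = width;
    if (!mul_checked(len, height, &len)) return false;
    if (!mul_checked(len, depth, &len)) return false;
    if (!mul_checked(len, bytesPerPixel, &len)) return false;
    *out = len;
    return true;
}

// Guard to call before ReadIntoBuffer(): true only when buflen is provably
// enough for the region, so a wrapped length can never slip past the
// library's own check.
bool buffer_is_sufficient(const Region &r, uint32_t bytesPerPixel, size_t buflen) {
    uint64_t need = 0;
    if (!checked_region_length(r, bytesPerPixel, &need)) return false;
    return need <= (uint64_t)buflen;
}
```

A 65536 x 65536 single-frame, 1-byte-per-pixel region needs 2^32 bytes, which the unchecked product reports as 0 while the checked version reports the true size and the guard refuses any smaller buffer.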