CVE-2006-3459
Published: 2006-08-03
Priority: P2 · 59 · high · CVSS 2.0 base score 7.5
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit: public exploit code exists (see the Exploit-DB and Metasploit entries below)
EPSS: 50.98% (98.8th percentile)
Multiple stack-based buffer overflows in the TIFF library (libtiff) before 3.8.2, as used in Adobe Reader 9.3.0 and other products, allow context-dependent attackers to execute arbitrary code or cause a denial of service via unspecified vectors, including a large tdir_count value in the TIFFFetchShortPair function in tif_dirread.c.
Affected
The source lists 18 ranges; only two carry version data, the remaining libtiff entries are empty.
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | tiff | < 3.8.2-6 (bookworm) | 3.8.2-6 (bookworm) |
| libtiff | libtiff | <= 3.8.1 | — |
Detection & IOCs (extracted from the sources listed further down)
Static TIFF header used by the Metasploit modules (bytes, truncated in the source):
\x49\x49\x2a\x00\x1e\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x00\x00\x01\x03\x00\x01\x00\x00\x00\x08\x00\x00\x00\x01\x01\x03\x00\x01\x00\x00\x00\x08\x00\x00\x00\x03\x01\x03\x00\x01\x00\x00\x00\xaa\x00\x00\x00\x06\x01\x03\x00\x01\x00\x00\x00\xbb\x00\x00\x00\x11\x01\x04\x00\x01\x00\x00\x00\x08\x00\x00\x00\x17\x01\x04\x00\x01\x00\x00\x00\x15\x00\x00\x00\x1c\x01\x03\x00\x01\x00\x00\x00\x01\x00\x00\x00\x50\x01\x03\x00
Detection:
- The MobileMail exploit vector delivers the malicious TIFF as an email attachment with the extension jpg, tiff, or tif. Monitor for TIFF-structured files (magic bytes 49 49 2A 00) arriving as email attachments with those extensions; the extension is not a reliable indicator of the content.
- The exploit targets the return-address gadget at 0x300d562c inside _swap_m88110_thread_state_impl_t() in libSystem.dylib; shellcode is placed at heap address 0x00802000+196. Memory forensics or crash dumps showing PC/LR near 0x300d562c on ARM iPhone firmware 1.00 to 1.1.1 indicate exploitation.
- The MobileSafari exploit is served over HTTP. Detect it by inspecting HTTP responses with Content-Type image/tiff whose body begins with the static TIFF header bytes 49 49 2A 00 1E 00 00 00 and carries the characteristic IFD: Compression (tag 0x0103) set to 0xAA and PhotometricInterpretation (tag 0x0106) set to 0xBB, both invalid values for a real image, followed by a DotRange entry (tag 0x0150, type SHORT).
- The ARM payload prepends a vfork/exit stub to the shellcode; the ARM instruction sequence e3a0c042 ef000080 e3500000 1a000001 e3a0c001 ef000080 in memory or network traffic is a strong indicator of this specific exploit payload.
Caveats:
- The exploit only affects Apple iPhone firmware versions 1.00, 1.01, 1.02, and 1.1.1; the hardcoded heap and return-address values are firmware-specific and will not work on other versions.
- iPhones without the BSD tools installed require a special payload; the standard payload space is 1800 bytes with no bad characters.
- The MobileMail module uses a passive stance and requires the MAILTO, MAILFROM and SUBJECT datastore options; it does not attack actively and waits for the target to open the email.
CVSS provenance
- nvd: CVSS 2.0 7.5 HIGH, vector AV:N/AC:L/Au:N/C:P/I:P/A:P
- osv: 7.5 HIGH
- vendor_debian: 7.5 HIGH
- vendor_redhat: 7.5 HIGH
Ubuntu
tiff vulnerabilities (USN-330-1)
vendor_ubuntu · 2006-08-03
Tavis Ormandy discovered that the TIFF library did not sufficiently
check handled images for validity. By tricking a user or an automated
system into processing a specially crafted TIFF image, an attacker
could exploit these weaknesses to execute arbitrary code with the
target application's privileges.
This library is used in many client and server applications, thus you
should reboot your computer after the upgrade to ensure that all
running programs use the new version of the library.
Instructions: After a standard system upgrade you need to reboot your computer to
effect the necessary changes.
Red Hat
Multiple libtiff flaws (CVE-2006-3460 CVE-2006-3461 CVE-2006-3462 CVE-2006-3463 CVE-2006-3464 CVE-2006-3465)
vendor_redhat · 2006-08-01 · CVSS 7.5 · HIGH · errata RHSA-2006:0603, RHSA-2006:0648
Statement: Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.
Debian
tiff - Multiple stack-based buffer overflows in the TIFF library (libtiff) before 3.8.2 (DSA-1137)
vendor_debian · 2006 · CVSS 7.5 · HIGH
Scope: local
bookworm, bullseye, trixie, forky, sid: resolved (fixed in 3.8.2-6)
GHSA
GHSA-m9p7-26x3-qmg3: Multiple stack-based buffer overflows in the TIFF library (libtiff) before 3.8.2
ghsa_unreviewed · 2022-05-03 · HIGH · CWE-119
OSV
CVE-2006-3459: Multiple stack-based buffer overflows in the TIFF library (libtiff) before 3.8.2
osv · 2006-08-03 · CVSS 7.5 · HIGH
No detection rules found.
Exploit-DB
Apple iOS Mobile Safari - LibTIFF Buffer Overflow (Metasploit)
exploitdb · 2012-10-09 · tagged CVE-2010-0188 in the source
---
##
# $Id: safari_libtiff.rb 15950 2012-10-09 18:31:08Z rapid7 $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Apple iOS MobileSafari LibTIFF Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow in the version of
libtiff shipped with firmware versions 1.00, 1.01, 1.02, and
1.1.1 of the Apple iPhone. iPhones which have not had the BSD
tools installed will need to use a special payload.
},
'License' => MSF_LICENSE,
'Author' => ['hdm', 'kf'],
'Version' => '$Revision: 1595
Exploit-DB
Apple iOS Mobile Mail - LibTIFF Buffer Overflow (Metasploit)
exploitdb · 2012-10-09 · tagged CVE-2010-0188 in the source
---
##
# $Id: mobilemail_libtiff.rb 15950 2012-10-09 18:31:08Z rapid7 $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Apple iOS MobileMail LibTIFF Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow in the version of
libtiff shipped with firmware versions 1.00, 1.01, 1.02, and
1.1.1 of the Apple iPhone. iPhones which have not had the BSD
tools installed will need to use a special payload.
},
'License' => MSF_LICENSE,
'Author' => ['hdm', 'kf'],
'Version' => '$Revision: 1595
Exploit-DB
Apple iPhone MobileSafari LibTIFF - 'email' Remote Buffer Overflow (Metasploit) (2)
exploitdb · 2010-09-20 · CVE-2006-3459
---
##
# $Id: safari_libtiff.rb 10394 2010-09-20 08:06:27Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'iPhone MobileSafari LibTIFF Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow in the version of
libtiff shipped with firmware versions 1.00, 1.01, 1.02, and
1.1.1 of the Apple iPhone. iPhones which have not had the BSD
tools installed will need to use a special payload.
},
'License' => MSF_LICENSE,
'Author' => ['hdm',
Exploit-DB
iPhone MobileMail - LibTIFF Buffer Overflow (Metasploit)
exploitdb · 2010-09-20 · CVE-2006-3459
---
##
# $Id: mobilemail_libtiff.rb 10394 2010-09-20 08:06:27Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'iPhone MobileMail LibTIFF Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow in the version of
libtiff shipped with firmware versions 1.00, 1.01, 1.02, and
1.1.1 of the Apple iPhone. iPhones which have not had the BSD
tools installed will need to use a special payload.
},
'License' => MSF_LICENSE,
'Author' => ['hdm', 'kf'],
'Version' => '$Re
Exploit-DB
Apple iPhone MobileSafari LibTIFF - 'browser' Remote Buffer Overflow (Metasploit) (1)
exploitdb · 2010-09-20 · CVE-2006-3459
---
##
# $Id: safari_libtiff.rb 10394 2010-09-20 08:06:27Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'iPhone MobileSafari LibTIFF Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow in the version of
libtiff shipped with firmware versions 1.00, 1.01, 1.02, and
1.1.1 of the Apple iPhone. iPhones which have not had the BSD
tools installed will need to use a special payload.
},
'License' => MSF_LICENSE,
'Author' => ['hdm
Exploit-DB
Adobe Reader PDF - LibTiff Integer Overflow Code Execution
exploitdb · 2010-03-17 · tagged CVE-2010-0188 in the source (Adobe Reader's bundled libtiff; the code excerpt below is heavily truncated)
---
__doc__='''
Title: Adobe PDF LibTiff Integer Overflow Code Execution.
Product: Adobe Acrobat Reader
Version:
1.65
1
1
*
pdf
'''+self.tiff64 +'''
'''
return xml
def gen_pdf(self):
xml = zlib.compress(self.gen_xml())
pdf='''%PDF-1.6
1 0 obj
>
stream
''' + xml+'''
endstream
endobj
2 0 obj
>
endobj
3 0 obj
>
endobj
4 0 obj
>/TP 1>>/P 5 0 R/FT /Btn/TU (ImageField1)/Ff 65536/Parent 3 0 R/F 4/DA (/CourierStd 10 Tf 0 g)/Subtype /Widget/Type /Annot/T (ImageField1[0])/Rect [107.385 705.147 188.385 709.087]>>
endobj
5 0 obj
>/Parent 6 0 R/Type /Page/PieceInfo null>>
endobj
6 0 obj
>
endobj
7 0 obj
>/Lang (en-us)/AcroForm 8 0 R/Type /Catalog>>
endobj
8 0 obj
>
endobj xref
trailer
>
startxref
14765
%%EOF'''
return pdf
if __na
Metasploit
Apple iOS MobileMail LibTIFF Buffer Overflow
This module exploits a buffer overflow in the version of libtiff shipped with firmware versions 1.00, 1.01, 1.02, and 1.1.1 of the Apple iPhone. iPhones which have not had the BSD tools installed will need to use a special payload.
Metasploit
Apple iOS MobileSafari LibTIFF Buffer Overflow
This module exploits a buffer overflow in the version of libtiff shipped with firmware versions 1.00, 1.01, 1.02, and 1.1.1 of the Apple iPhone. iPhones which have not had the BSD tools installed will need to use a special payload.
Bugzilla
CVE-2006-3459 kfax affected by libtiff flaws (CVE-2006-3460 CVE-2006-3461 CVE-2006-3462 CVE-2006-3463 CVE-2006-3464 CVE-2006-3465)
bugzilla · 2006-08-04 · CVSS 7.5 · HIGH
+++ This bug was initially created as a clone of Bug #199111 +++
From: Tavis Ormandy
(with edits from Mark Cox)
Hi there, Google have sponsored me to perform a security audit of
libtiff-3.8.2, in which a number of critical security flaws have been
uncovered. These flaws could be leveraged by an attacker to compromise
or disrupt any services that support the processing of tiff images.
Several buffer overflows have been discovered, including a stack
buffer overflow via TIFFFetchShortPair() in tif_dirread.c, which is
used to read two unsigned shorts from the input file. While a bounds
check is performed via CheckDirCount(), no action is taken on the
result all
Bugzilla
CVE-2006-3459 Multiple libtiff flaws (CVE-2006-3460 CVE-2006-3461 CVE-2006-3462 CVE-2006-3463 CVE-2006-3464 CVE-2006-3465)
bugzilla · 2006-07-17 · CVSS 7.5 · HIGH
From: Tavis Ormandy
(with edits from Mark Cox)
Hi there, Google have sponsored me to perform a security audit of
libtiff-3.8.2, in which a number of critical security flaws have been
uncovered. These flaws could be leveraged by an attacker to compromise
or disrupt any services that support the processing of tiff images.
Several buffer overflows have been discovered, including a stack
buffer overflow via TIFFFetchShortPair() in tif_dirread.c, which is
used to read two unsigned shorts from the input file. While a bounds
check is performed via CheckDirCount(), no action is taken on the
result allowing a pathological tdir_count to read an arbitrary number
of unsigned sh
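The root cause described in the report (CheckDirCount() flags a bad tdir_count, but TIFFFetchShortPair() copies that many SHORTs into a two-element stack array anyway) and the detection guidance in the IOC section both come down to one check on the image directory: a SHORT-pair tag whose count is not 2. The C below is an added example written for this page; it is not libtiff's code and not the Metasploit module. It walks the first IFD of an in-memory little-endian TIFF, flags such entries, shows the count check that libtiff 3.8.2 adopted, and reports how far the old unchecked copy into uint16 v[2] would have written, without performing that copy. The list of tags routed through TIFFFetchShortPair() (PageNumber, HalftoneHints, DotRange, YCbCrSubsampling) is taken from tif_dirread.c's callers, not from this page, and the sample file is constructed here rather than captured.

```c
/*
 * Added example (not libtiff code, not from any source on this page):
 * minimal first-IFD walker for a little-endian ("II") TIFF that flags the
 * CVE-2006-3459 pattern, a SHORT-pair tag whose tdir_count is not 2.
 * The sample TIFF built below is constructed for this example.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Tags libtiff 3.8.x reads with TIFFFetchShortPair(): two uint16 values are
 * copied into a 2-element stack array with tdir_count taken from the file.
 * (Tag list taken from tif_dirread.c, an assumption of this example.) */
enum { TAG_PAGENUMBER = 0x0129, TAG_HALFTONEHINTS = 0x0141,
       TAG_DOTRANGE = 0x0150, TAG_YCBCRSUBSAMPLING = 0x0212 };
enum { TIFF_SHORT = 3, IFD_ENTRY_SIZE = 12 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static int is_short_pair_tag(uint16_t tag) {
    return tag == TAG_PAGENUMBER || tag == TAG_HALFTONEHINTS ||
           tag == TAG_DOTRANGE   || tag == TAG_YCBCRSUBSAMPLING;
}

/* Hardened fetch, the behaviour libtiff 3.8.2 adopted: the entry is rejected
 * unless it holds exactly two SHORTs. `val` points at the entry's 4-byte
 * inline value field. Returns 1 on success, 0 on rejection. */
int fetch_short_pair_fixed(uint16_t type, uint32_t count, const uint8_t *val, uint16_t out[2]) {
    if (type != TIFF_SHORT || count != 2)
        return 0;
    out[0] = rd16(val);
    out[1] = rd16(val + 2);
    return 1;
}

/* The pre-3.8.2 code copied `count` SHORTs into uint16 v[2] regardless of the
 * CheckDirCount() result. The copy is deliberately not performed here; this
 * returns how many bytes past the end of v[2] that copy would have written. */
size_t short_pair_overflow_bytes(uint32_t count) {
    size_t need = (size_t)count * sizeof(uint16_t);
    return need > sizeof(uint16_t[2]) ? need - sizeof(uint16_t[2]) : 0;
}

/* Walk the first IFD and count SHORT-pair entries whose tdir_count != 2.
 * Returns -1 if `buf` is not a little-endian TIFF with an in-bounds IFD. */
int scan_tiff_for_bad_short_pairs(const uint8_t *buf, size_t len, uint32_t *worst_count) {
    if (len < 8 || memcmp(buf, "II\x2a\x00", 4) != 0)
        return -1;
    uint32_t ifd = rd32(buf + 4);
    if ((size_t)ifd + 2 > len)
        return -1;
    uint16_t n = rd16(buf + ifd);
    if ((size_t)ifd + 2 + (size_t)n * IFD_ENTRY_SIZE > len)
        return -1;
    int bad = 0;
    if (worst_count) *worst_count = 0;
    for (uint16_t i = 0; i < n; i++) {
        const uint8_t *e = buf + ifd + 2 + (size_t)i * IFD_ENTRY_SIZE;
        uint16_t tag = rd16(e), type = rd16(e + 2);
        uint32_t count = rd32(e + 4);
        if (is_short_pair_tag(tag) && type == TIFF_SHORT && count != 2) {
            bad++;
            if (worst_count && count > *worst_count) *worst_count = count;
        }
    }
    return bad;
}

/* Constructed sample (assumption, not a captured file): header, a 3-entry IFD
 * with ImageWidth, ImageLength and a DotRange entry whose count is patched in.
 * Returns the number of bytes written, or 0 if `cap` is too small. */
size_t build_sample_tiff(uint8_t *out, size_t cap, uint32_t dotrange_count) {
    static const uint8_t bytes[] = {
        'I','I',0x2a,0x00, 0x08,0x00,0x00,0x00,           /* "II*\0", first IFD at offset 8 */
        0x03,0x00,                                        /* 3 directory entries */
        0x00,0x01, 0x03,0x00, 0x01,0,0,0, 0x08,0,0,0,     /* ImageWidth  SHORT x1 = 8 */
        0x01,0x01, 0x03,0x00, 0x01,0,0,0, 0x08,0,0,0,     /* ImageLength SHORT x1 = 8 */
        0x50,0x01, 0x03,0x00, 0x00,0,0,0, 0x40,0,0,0,     /* DotRange SHORT, count set below */
        0x00,0x00,0x00,0x00                               /* no next IFD */
    };
    const size_t count_off = 8 + 2 + 2 * IFD_ENTRY_SIZE + 4;  /* tdir_count of entry 2 */
    if (cap < sizeof bytes)
        return 0;
    memcpy(out, bytes, sizeof bytes);
    for (int b = 0; b < 4; b++)
        out[count_off + b] = (uint8_t)(dotrange_count >> (8 * b));
    return sizeof bytes;
}

int main(void) {
    uint8_t buf[64];
    uint32_t worst = 0;
    size_t n = build_sample_tiff(buf, sizeof buf, 0x1000);
    int bad = scan_tiff_for_bad_short_pairs(buf, n, &worst);
    printf("flagged %d entries; count 0x%x would overrun v[2] by %zu bytes\n",
           bad, worst, short_pair_overflow_bytes(worst));
    return 0;
}
```

Big-endian ("MM") files and IFDs after the first are out of scope here; a scanner meant for mail or HTTP inspection would handle both byte orders, follow the IFD chain, and also reject entries whose value offset points outside the file.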
References
ftp://patches.sgi.com/support/free/security/advisories/20060801-01-P
ftp://patches.sgi.com/support/free/security/advisories/20060901-01-P.asc
http://lists.apple.com/archives/security-announce/2006//Aug/msg00000.html
http://lwn.net/Alerts/194228/
http://secunia.com/advisories/21253
http://secunia.com/advisories/21274
http://secunia.com/advisories/21290
http://secunia.com/advisories/21304
http://secunia.com/advisories/21319
http://secunia.com/advisories/21334
http://secunia.com/advisories/21338
http://secunia.com/advisories/21346
http://secunia.com/advisories/21370
http://secunia.com/advisories/21392
http://secunia.com/advisories/21501
http://secunia.com/advisories/21537
http://secunia.com/advisories/21598
http://secunia.com/advisories/21632
http://secunia.com/advisories/22036
http://secunia.com/advisories/27181
http://secunia.com/advisories/27222
http://secunia.com/advisories/27832
http://secunia.com/blog/76
http://securitytracker.com/id?1016628
http://securitytracker.com/id?1016671
http://slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.536600
http://sunsolve.sun.com/search/document.do?assetkey=1-26-103160-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-201331-1
http://support.avaya.com/elmodocs2/security/ASA-2006-166.htm
http://www.debian.org/security/2006/dsa-1137
http://www.gentoo.org/security/en/glsa/glsa-200608-07.xml
http://www.mandriva.com/security/advisories?name=MDKSA-2006:136
http://www.mandriva.com/security/advisories?name=MDKSA-2006:137
http://www.novell.com/linux/security/advisories/2006_44_libtiff.html
http://www.osvdb.org/27723
http://www.redhat.com/support/errata/RHSA-2006-0603.html
http://www.redhat.com/support/errata/RHSA-2006-0648.html
http://www.securityfocus.com/bid/19283
http://www.securityfocus.com/bid/19289
http://www.ubuntu.com/usn/usn-330-1
http://www.us-cert.gov/cas/techalerts/TA06-214A.html
http://www.vupen.com/english/advisories/2006/3101
http://www.vupen.com/english/advisories/2006/3105
http://www.vupen.com/english/advisories/2007/3486
http://www.vupen.com/english/advisories/2007/4034
https://issues.rpath.com/browse/RPL-558
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11497