CVE-2006-3459
published 2006-08-03


Priority: P2 59 high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: yes
EPSS: 50.98% (98.8th percentile)
Multiple stack-based buffer overflows in the TIFF library (libtiff) before 3.8.2, as used in Adobe Reader 9.3.0 and other products, allow context-dependent attackers to execute arbitrary code or cause a denial of service via unspecified vectors, including a large tdir_count value in the TIFFFetchShortPair function in tif_dirread.c.

Affected (18 ranges)

Vendor        | Product | Version range             | Fixed in
debian        | tiff    | < tiff 3.8.2-6 (bookworm) | tiff 3.8.2-6 (bookworm)
libtiff       | libtiff | <= 3.8.1                  |
(16 further libtiff / libtiff ranges are listed without version data)

Detection & IOCs (extracted from sources)

Byte signature:
\x49\x49\x2a\x00\x1e\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x00\x00\x01\x03\x00\x01\x00\x00\x00\x08\x00\x00\x00\x01\x01\x03\x00\x01\x00\x00\x00\x08\x00\x00\x00\x03\x01\x03\x00\x01\x00\x00\x00\xaa\x00\x00\x00\x06\x01\x03\x00\x01\x00\x00\x00\xbb\x00\x00\x00\x11\x01\x04\x00\x01\x00\x00\x00\x08\x00\x00\x00\x17\x01\x04\x00\x01\x00\x00\x00\x15\x00\x00\x00\x1c\x01\x03\x00\x01\x00\x00\x00\x01\x00\x00\x00\x50\x01\x03\x00
  • The MobileMail exploit vector delivers the malicious TIFF as an email attachment with extensions jpg, tiff, or tif — monitor for TIFF-structured files (magic bytes 49 49 2A 00) arriving as email attachments with those extensions.
  • The exploit targets the return address gadget at 0x300d562c inside _swap_m88110_thread_state_impl_t() in libSystem.dylib; shellcode is placed at heap address 0x00802000+196. Memory forensics or crash dumps showing PC/LR near 0x300d562c on ARM iPhone firmware 1.00–1.1.1 indicate exploitation.
  • The MobileSafari exploit is served over HTTP; detect by inspecting HTTP responses with Content-Type 'image/tiff' whose body begins with the static TIFF header bytes 49 49 2A 00 1E 00 00 00 and contains the characteristic IFD tag sequence with 0xAA and 0xBB photometric/compression values.
  • The exploit payload on ARM uses a vfork/exit stub prepended to shellcode; the ARM instruction sequence e3a0c042 ef000080 e3500000 1a000001 e3a0c001 ef000080 in memory or network traffic is a strong indicator of this specific exploit payload.
  • The exploit only affects Apple iPhone firmware versions 1.00, 1.01, 1.02, and 1.1.1; the hardcoded heap and magic ROP addresses are firmware-specific and will not work on other versions.
  • iPhones without BSD tools installed require a special payload; the standard payload space is 1800 bytes with no bad characters.
  • The MobileMail module uses a passive stance and requires MAILTO/MAILFROM/SUBJECT datastore options; it is not an active exploit and waits for the target to open the email.
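A small scanner that turns the indicators above into a check a mail or proxy filter could run over a TIFF body. This is an added example, not code from the page or from libtiff: it parses the first IFD of a little-endian ('II') TIFF (tag numbers per the TIFF 6.0 specification), flags the static header with IFD offset 0x1e and the 0xAA/0xBB Compression/PhotometricInterpretation values, and goes one step beyond the listed signature by flagging a DotRange entry whose count exceeds the two SHORTs that TIFFFetchShortPair expects, which is the large tdir_count condition named in the CVE description. Both sample files are constructed here.

```python
import struct

# TIFF 6.0 tag numbers and per-type byte sizes used by the checks below
TAG_COMPRESSION, TAG_PHOTOMETRIC, TAG_DOTRANGE = 0x0103, 0x0106, 0x0150
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8}

def scan_tiff(data):
    """Walk the first IFD of a little-endian ('II') TIFF and return a list of findings."""
    findings = []
    if len(data) < 8 or data[:4] != b"II*\x00":
        return ["not a little-endian TIFF (only 'II' files are checked here)"]
    ifd = struct.unpack_from("<I", data, 4)[0]
    if ifd == 0x1E:  # static header of the published exploit: 49 49 2A 00 1E 00 00 00
        findings.append("IFD offset 0x1e matches the exploit's static header")
    if ifd + 2 > len(data):
        return findings + ["IFD offset points outside the file"]
    n_entries = struct.unpack_from("<H", data, ifd)[0]
    for i in range(n_entries):
        off = ifd + 2 + 12 * i
        if off + 12 > len(data):
            findings.append("IFD truncated after %d of %d entries" % (i, n_entries))
            break
        tag, typ, count, value = struct.unpack_from("<HHII", data, off)
        nbytes = TYPE_SIZE.get(typ, 0) * count
        if typ == 3 and count == 1:  # a single SHORT is stored inline in the low 16 bits
            value &= 0xFFFF
        if tag == TAG_COMPRESSION and value == 0xAA:
            findings.append("Compression 0xaa (not a defined compression scheme)")
        if tag == TAG_PHOTOMETRIC and value == 0xBB:
            findings.append("PhotometricInterpretation 0xbb (not a defined value)")
        if tag == TAG_DOTRANGE and count > 2:  # CVE trigger: more shorts than the 2-element stack array
            findings.append("DotRange count %d exceeds the two values libtiff expects" % count)
        if nbytes > 4 and value + nbytes > len(data):  # value is a file offset when data is not inline
            findings.append("tag 0x%04x: %d bytes of data run past end of file" % (tag, nbytes))
    return findings

def _entry(tag, typ, count, value):
    return struct.pack("<HHII", tag, typ, count, value)

def build_sample(compression, photometric, dotrange_count, ifd_offset):
    """Constructed test TIFF (not the page's bytes): one IFD with four entries."""
    pad = b"\x00" * (ifd_offset - 8)
    ifd = (struct.pack("<H", 4) + _entry(TAG_COMPRESSION, 3, 1, compression)
           + _entry(TAG_PHOTOMETRIC, 3, 1, photometric) + _entry(0x0111, 4, 1, 8)
           + _entry(TAG_DOTRANGE, 3, dotrange_count, 0x40) + struct.pack("<I", 0))
    return b"II*\x00" + struct.pack("<I", ifd_offset) + pad + ifd

if __name__ == "__main__":
    for name, blob in (("suspicious", build_sample(0xAA, 0xBB, 0x1000, 0x1E)), ("benign", build_sample(1, 1, 2, 8))):
        print(name, scan_tiff(blob))
```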

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v2.0    | 7.5   | HIGH     | AV:N/AC:L/Au:N/C:P/I:P/A:P
osv           |         | 7.5   | HIGH     |
vendor_debian |         | 7.5   | HIGH     |
vendor_redhat |         | 7.5   | HIGH     |