CVE-2016-3074
published 2016-04-26


Priority: P271 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 36.97% (98.3rd percentile)
Integer signedness error in GD Graphics Library 2.1.1 (aka libgd or libgd2) allows remote attackers to cause a denial of service (crash) or potentially execute arbitrary code via crafted compressed gd2 data, which triggers a heap-based buffer overflow.

Affected (14 ranges)

Vendor          Product        Version range                   Fixed in
canonical       ubuntu_linux
canonical       ubuntu_linux
canonical       ubuntu_linux
canonical       ubuntu_linux
debian          debian_linux
debian          debian_linux
debian          libgd2         < libgd2 2.1.1-4.1 (bookworm)   libgd2 2.1.1-4.1 (bookworm)
fedoraproject   fedora
fedoraproject   fedora
libgd           libgd
opensuse        opensuse
php             php            >= 5.5.0 < 5.5.35               5.5.35
php             php            >= 5.6.0 < 5.6.21               5.6.21
php             php            >= 7.0.0 < 7.0.6                7.0.6

Detection & IOCs (extracted from sources)

url:  https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39736.zip
url:  https://github.com/dyntopia/exploits/tree/master/CVE-2016-3074
url:  https://github.com/libgd/libgd/commit/2bb97f407c1145c850416a3bfbcc8cf124e68a19
path: libgd-2.1.1/src/gd_gd2.c
  • Trigger is a crafted compressed gd2 image file with a negative or oversized signed integer in the chunk index size field of the GD2 header, causing a heap overflow via gdCalloc(compMax, 1) with a wrapped large value.
  • The vulnerable code path is in _gd2GetHeader() in gd_gd2.c: the chunk index size is stored as a signed int (t_chunk_info.size), and a negative value passes the compMax check; compMax++ then wraps to a large positive value used in gdCalloc(), allocating a tiny buffer that is subsequently overflowed.
  • Monitor PHP-FPM processes (php5-fpm / php-fpm) that process user-supplied GD2 image uploads for heap-corruption crashes or unexpected code execution in the www-data context.
  • The exploit PoC uses a bind-shell technique over a configurable port (e.g. 5555); monitor for unexpected inbound or outbound connections from web server worker processes following image upload requests.
  • Inspect uploaded files for the .gd2 / compressed GD2 format magic bytes being submitted to PHP endpoints that invoke GD image processing functions (e.g. imagecreatefromgd2()).
  • The exploit PoC was demonstrated specifically against Ubuntu 15.10 amd64 with nginx + php5-fpm + php5-gd; exploitability and offset values will differ on other distributions, architectures, or PHP versions.
  • The bind port used in the PoC (5555) is a configurable parameter and not a fixed indicator; attackers may use any port.
  • Red Hat marked all affected packages (php and gd on RHEL 5/6/7, and php54-php/php55-php in RHSC) as 'Will not fix', so patched RPMs are not available from Red Hat for those platforms.
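As an added illustration of the signedness mistake described above (example code written for this record, not libgd's source and not taken from any of the linked PoCs), a naive chunk-buffer sizing routine is shown beside a hardened one that rejects negative sizes before they reach the allocator and guards the final increment. Function names and the two chunk indexes are hypothetical, constructed samples.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample chunk indexes, as a GD2-style header would supply them
 * (signed 32-bit sizes read straight from the untrusted file). */
static const int32_t kValidIndex[]   = {10, 250, 7};
static const int32_t kHostileIndex[] = {10, -5, 7};

/* Naive sizing with the flaw the record describes: negative sizes are only
 * compared, never rejected, so the buffer is sized from the benign entries
 * while the hostile entry's length survives to a later size_t conversion. */
size_t naive_chunk_buffer_len(const int32_t *sizes, size_t count)
{
    int32_t comp_max = 0;
    for (size_t i = 0; i < count; i++)
        if (sizes[i] > comp_max) comp_max = sizes[i];
    comp_max++;                 /* slack byte; overflows if comp_max == INT32_MAX */
    return (size_t)comp_max;    /* buffer that the later chunk copy must fit in */
}

/* How large the hostile chunk looks once its signed size is used as a length. */
size_t chunk_copy_len(int32_t header_size)
{
    return (size_t)header_size; /* -5 becomes SIZE_MAX - 4: far past the buffer */
}

/* Hardened sizing: reject negative sizes before they influence anything and
 * refuse the increment that would overflow. Returns 0 when the index is unusable. */
size_t checked_chunk_buffer_len(const int32_t *sizes, size_t count)
{
    int32_t comp_max = 0;
    for (size_t i = 0; i < count; i++) {
        if (sizes[i] < 0) return 0;
        if (sizes[i] > comp_max) comp_max = sizes[i];
    }
    if (comp_max == INT32_MAX) return 0;
    return (size_t)comp_max + 1;
}

int main(void)
{
    printf("naive: buffer %zu bytes, hostile chunk copy %zu bytes\n",
           naive_chunk_buffer_len(kHostileIndex, 3), chunk_copy_len(kHostileIndex[1]));
    printf("checked: valid -> %zu, hostile -> %zu (0 = rejected)\n",
           checked_chunk_buffer_len(kValidIndex, 3), checked_chunk_buffer_len(kHostileIndex, 3));
    return 0;
}
```

The naive routine hands back an 11-byte buffer for the hostile index while the hostile chunk's length, once converted to size_t, dwarfs it; the checked routine refuses the index outright.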

CVSS provenance

Source          Version  Score  Severity  Vector
nvd             v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
osv                      9.8    CRITICAL
vendor_debian            9.8    CRITICAL
vendor_redhat            9.8    CRITICAL
vendor_ubuntu            4.3    MEDIUM