| GEN:SID | 1:2673 |
| Message | WEB-CLIENT libpng tRNS overflow attempt |
| Summary | This event is generated when an attempt is made to exploit a buffer overflow associated with the processing of a Portable Network Graphics (PNG) file by libpng.
|
| Impact | A successful attack may cause a buffer overflow and the subsequent execution of arbitrary code on a vulnerable client host.
|
| Detailed Information | A vulnerability exists in the way libpng handles the transparency chunk of a PNG file, enabling a buffer overflow and the subsequent execution of arbitrary code on a vulnerable client. A PNG datastream consists of a PNG marker followed by a sequence of chunks that have a specific format and function.
When libpng processes a PNG datastream, it expects to find chunk types in a particular order. For an image with palette color type, the PLTE (palette) chunk must precede a tRNS (transparency) chunk. If it does not, an error is generated, but decoding continues. Due to a logic error, the length associated with the tRNS chunk is not properly validated. A length greater than 256 bytes can cause a buffer overflow and the subsequent execution of arbitrary code when the PNG image is processed.
|
| Affected Systems | Hosts running libpng 1.2.5 and prior
Hosts running libpng 1.0.15 and prior
|
| Attack Scenarios | An attacker can place a malformed PNG file on a web server and entice a user to download it, possibly causing a buffer overflow on a vulnerable client.
|
| Ease of Attack | Simple. Exploit code exists.
|
| Corrective Action | Upgrade to the latest non-affected version of the software.
|
| Additional References | |
| Rule References | bugtraq: 10872
cve: 2004-0597
|
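The chunk-order and length conditions described under Detailed Information can be checked on a file before it reaches a decoder. The following is an added example, not part of the original rule documentation and not the rule's own logic; the names `check_trns` and `chunk` and both sample datastreams are constructed for illustration.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
PALETTE_COLOR_TYPE = 3   # IHDR color type for palette images
MAX_TRNS_LEN = 256       # limit given in the rule documentation


def check_trns(data: bytes) -> list:
    """Return findings for tRNS anomalies in a palette-type PNG datastream."""
    if not data.startswith(PNG_SIGNATURE):
        return ["not a PNG datastream"]
    findings, color_type, seen_plte = [], None, False
    offset = len(PNG_SIGNATURE)
    while offset + 8 <= len(data):
        length, ctype = struct.unpack_from(">I4s", data, offset)
        body = data[offset + 8 : offset + 8 + length]
        if ctype == b"IHDR" and len(body) >= 10:
            color_type = body[9]
        elif ctype == b"PLTE":
            seen_plte = True
        elif ctype == b"tRNS" and color_type == PALETTE_COLOR_TYPE:
            if not seen_plte:
                findings.append("tRNS before PLTE")
            if length > MAX_TRNS_LEN:  # judge the declared length, not bytes present
                findings.append(f"tRNS length {length} exceeds {MAX_TRNS_LEN}")
        elif ctype == b"IEND":
            break
        if len(body) < length:
            findings.append(f"{ctype.decode('latin-1')} chunk truncated")
            break
        offset += 12 + length  # 4 length + 4 type + data + 4 CRC
    return findings


def chunk(ctype: bytes, body: bytes) -> bytes:
    """Build one PNG chunk with a valid CRC (helper for the constructed samples)."""
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


# Constructed samples: 1x1 palette image headers, no pixel data.
IHDR = chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, PALETTE_COLOR_TYPE, 0, 0, 0))
PLTE, IEND = chunk(b"PLTE", b"\x00\x00\x00"), chunk(b"IEND", b"")
WELL_FORMED = PNG_SIGNATURE + IHDR + PLTE + chunk(b"tRNS", b"\xff") + IEND
MALFORMED = PNG_SIGNATURE + IHDR + chunk(b"tRNS", bytes(300)) + PLTE + IEND

if __name__ == "__main__":
    for name, sample in (("well-formed", WELL_FORMED), ("malformed", MALFORMED)):
        print(name, check_trns(sample))
```

The check reads the declared chunk length from the header, so an oversized tRNS is reported even when the file is cut short.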