CVE-2009-3895

Today we reproduce CVE-2009-3895.

We have produced the seed with AFL++; now we need to figure out why it makes the program core dump.

https://github.com/antonio-morales/Fuzzing101/issues/11
The makefile issues I found…

gdb-reverse debug
Now we need to recompile it with the default compiler and use gdb to find the problem in it.

The crash call chain is main -> exif_loader_get_data -> exif_data_load_data -> exif_get_short -> exif_get_sshort

d+6+offset is an inaccessible memory address, so as soon as rip reaches that read it will fault!

We should figure out what d and offset are!

buf=0x55565558c8e3 <error: Cannot access memory at address 0x55565558c8e3>

The big problem we found is this offset!
The normal offset is 0x8
The malicious offset is 0xfffffffd

offset = exif_get_long (d + 10, data->priv->order);

Normal

The crashing jpg

In the hex dump we can find, at file offset 00000020:

00 2a ff ff ff fd

45 78 69 66 ----> Exif
ff ff ff fd ----> b+10

Normal

exif_get_long will return 0xfffffffd, which makes p+6+offset inaccessible.

So we fix the bug crudely…
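A bounds-checked version of that header read, as an added example that is neither libexif's code nor the fix from this write-up. The sample buffers are constructed by hand to mirror the layout above ("Exif\0\0" at d+0, byte order at d+6, TIFF magic at d+8, IFD offset at d+10); rd_short/rd_long and read_ifd_count are stand-ins for exif_get_short/exif_get_long and the offset handling in exif_data_load_data.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed sample APP1 payloads (not taken from any real file). */
static const unsigned char crash_app1[] = {
    'E','x','i','f',0x00,0x00,     /* d+0..d+5   : Exif marker            */
    'M','M',                       /* d+6..d+7   : big-endian byte order  */
    0x00,0x2a,                     /* d+8..d+9   : TIFF magic             */
    0xff,0xff,0xff,0xfd            /* d+10..d+13 : IFD offset 0xfffffffd  */
};
static const unsigned char normal_app1[] = {
    'E','x','i','f',0x00,0x00, 'M','M', 0x00,0x2a,
    0x00,0x00,0x00,0x08,           /* d+10..d+13 : IFD offset 8           */
    0x00,0x01                      /* d+14..d+15 : IFD entry count = 1    */
};

/* Byte-order-aware readers (stand-ins for exif_get_short / exif_get_long). */
static uint16_t rd_short(const unsigned char *b, int big_endian) {
    return big_endian ? (uint16_t)((b[0] << 8) | b[1]) : (uint16_t)((b[1] << 8) | b[0]);
}
static uint32_t rd_long(const unsigned char *b, int big_endian) {
    return big_endian ? ((uint32_t)rd_short(b, 1) << 16) | rd_short(b + 2, 1)
                      : ((uint32_t)rd_short(b + 2, 0) << 16) | rd_short(b, 0);
}

/* Parse the TIFF header and return the entry count of the first IFD, or -1 if
 * the header is malformed or the IFD offset would point outside the buffer.
 * The unchecked form rd_short(d + 6 + offset) is exactly the read that crashes. */
int read_ifd_count(const unsigned char *d, size_t ds)
{
    int be;
    if (ds < 14 || memcmp(d, "Exif\0\0", 6) != 0) return -1;
    if (d[6] == 'M' && d[7] == 'M') be = 1;
    else if (d[6] == 'I' && d[7] == 'I') be = 0;
    else return -1;
    if (rd_short(d + 8, be) != 0x002a) return -1;

    uint32_t offset = rd_long(d + 10, be);
    size_t avail = ds - 6;                 /* bytes from the TIFF header to end */
    /* Bounds check: the 2-byte count at d+6+offset must lie inside the buffer,
     * so 0xfffffffd is rejected here instead of being added to the pointer. */
    if (offset > avail || avail - offset < 2) return -1;
    return rd_short(d + 6 + offset, be);
}
```

read_ifd_count returns -1 for the crashing header and 1 for the normal one; a real parser would also need to validate every later offset read out of the IFD entries the same way.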