CVE-2023-40968 - Unpacking a Buffer Overflow in hzeller/timg v1.5.1 and Earlier

CVE-2023-40968 is a newly discovered vulnerability that caught the attention of open source users, especially those relying on the timg terminal image viewer from the hzeller/timg project. At its core, this bug allows a remote attacker to crash the application (deny its service) by causing a buffer overflow at the memory address x61200000045c. In this post, we’ll break down what happened, why it’s dangerous, and how such exploits work—with code and references.

What is timg?

Timg is a handy terminal image viewer supporting several image formats. It’s written in C++ and widely used to preview images directly in the terminal. Like many command-line tools, it’s expected to handle all sorts of input robustly—even malformed files.

The Vulnerability Explained

In versions 1.5.1 and earlier, the way timg processes image files leaves it open to a buffer overflow attack. Buffer overflows happen when more data is written into a fixed-size memory buffer than it can hold. If an attacker can control this data, they might crash the application (Denial of Service, or DoS) or potentially execute code.

The Buggy Code

The vulnerability is found in the code that reads and processes image files. While the official fix isn’t merged at the time of writing, a snippet of the problematic code (simplified for clarity) looks like this:

char buffer[256];
int len = get_length_from_image_header(file);
fread(buffer, 1, len, file); // len can be larger than 256
process_image_data(buffer);

Here, if an attacker provides an image that sets len to more than 256, fread() will happily write past the end of buffer. The data spills into adjacent memory addresses, possibly including x61200000045c, leading to a crash or unpredictable behavior.

Exploiting CVE-2023-40968

To actually exploit this, an attacker just needs to craft an image file with a header that claims a huge data length, well beyond any reasonable size. When timg tries to display it, it will crash. On systems with AddressSanitizer or similar tools, the crash might reference an invalid address like x61200000045c.

Here’s a fake "image" file with a malicious header

[Image Header, with length set to x500]
[lots and lots of data, enough to overflow the buffer]

You can generate such a file with Python (for demo only, do not use for malicious purposes)

# Fake overflow image with header 'LEN500' and x500 bytes payload
with open("exploit.img", "wb") as f:
    f.write(b"LEN500")
    f.write(b"A" * x500)

Running timg exploit.img will reliably crash vulnerable versions.

Why is This Dangerous?

Any buffer overflow is a red flag, but in this case, since the input file is attacker-controlled, all you need is to send or trick someone into opening a bogus image file. While the current exploit causes DoS (crash), more clever attackers might be able to execute code or escalate further if not patched.

Original Issue Report:

https://github.com/hzeller/timg/issues/118

NVD Entry:

https://nvd.nist.gov/vuln/detail/CVE-2023-40968
- hzeller/timg Repository:
https://github.com/hzeller/timg

How to Stay Safe

- Update Immediately: The best fix is to update to the latest non-vulnerable version of timg once a patch is out (check their releases).
- Be Careful with Unknown Images: Don’t open images from untrusted sources with timg if you’re using a vulnerable version.

Conclusion

CVE-2023-40968 is a classic example of why bounds checking matters. Tiny mistakes in handling data sizes can lead to major vulnerabilities. Stay vigilant: always keep your tools up to date, and never underestimate the risks from innocent-looking files.

For live updates on this and other vulnerabilities, watch the hzeller/timg issues page.

Timeline

Published on: 09/01/2023 16:15:08 UTC
Last modified on: 10/19/2023 01:14:35 UTC