View Issue Details

ID: 0009503
Project: Kali Linux
Category: Kali Package Bug
View Status: public
Last Update: 2026-01-15 01:44
Reporter: erikdervishi
Assigned To: 
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: new
Resolution: open
Summary0009503: Steghide 0.5.1-15 crashes (stack smashing detected) on long paths, causing sensitive data leak via core dump
Description

Package: steghide
Version: 0.5.1-15
Architecture: amd64
Maintainer: Debian Security Team

Scenario: I installed steghide from the official Kali Linux repositories. I attempted to embed data into a valid WAV file located in a directory path that, combined with the filename, exceeds 200 bytes in length. Upon execution, the application crashes immediately.

Analysis: The crash is caused by a stack-based buffer overflow in src/Embedder.cc. The application uses an unsafe sprintf call to write the status message into a fixed-size buffer (char buf[200]) without bounds checking. The system's Stack Smashing Protector (SSP) correctly detects this violation and terminates the process to prevent arbitrary code execution.

Error Message:
*** buffer overflow detected ***: terminated
Aborted (core dumped)

Impact Analysis:

  1. Denial of Service (DoS): The application crashes reliably (Always reproducible).
  2. Information Disclosure (Critical): The crash happens after sensitive user data (passphrase and secret payload) has been loaded into memory. I have verified by analyzing the generated core dump (using strings) that the user's passphrase is written to disk in plain text within the crash dump file.

System Information:
Kernel (uname -a): Linux eriknet 6.12.25-amd64 #1 SMP PREEMPT_DYNAMIC kali 6.12.25-1kali1 (2025-04-30) x86_64 GNU/Linux
C Library (dpkg -s libc6 | grep ^Version): Version: 2.41-6

Proposed Fix: The original upstream project is inactive. I have submitted a patch to the community fork (StegHigh) that replaces the unsafe sprintf with snprintf. Pull Request: https://github.com/StegHigh/steghide/pull/21

Steps to Reproduce:

  1. Create a script named reproduce_issue.sh with the following content:

#!/bin/bash

# 1. Enable core dumps to verify leak
ulimit -c unlimited

# 2. Define long path > 200 bytes
LONG_DIR=$(python3 -c "print('A' * 200)")
LONG_NAME=$(python3 -c "print('A' * 200 + '.wav')")
mkdir -p "$LONG_DIR"

# 3. Generate valid 50KB WAV file (Header + Silence)
# Required to bypass initial file format checks and reach the vulnerable code
python3 -c "
import struct
file_path = '$LONG_DIR/$LONG_NAME'
total_len = 50000
data_len = total_len - 36
with open(file_path, 'wb') as f:
    f.write(b'RIFF' + struct.pack('<I', total_len) + b'WAVEfmt ' + struct.pack('<I', 16) + struct.pack('<HHIIHH', 1, 1, 44100, 44100, 2, 16) + b'data' + struct.pack('<I', data_len))
    f.write(b'\x00' * data_len)
"

# 4. Create dummy secret
echo "secret data" > secret.txt

# 5. Run Steghide with a specific password
echo "Launching steghide with password 'MY_SECRET_PASS'..."
steghide embed -cf "$LONG_DIR/$LONG_NAME" -ef secret.txt -p MY_SECRET_PASS

  2. Make the script executable (chmod +x reproduce_issue.sh) and run it: ./reproduce_issue.sh

  3. Verify the Data Leak: Locate the core dump and search for the password string.

# Using coredumpctl (systemd default on Kali)
coredumpctl dump steghide > crash.dump
strings crash.dump | grep "MY_SECRET_PASS"

Result: The strings command outputs MY_SECRET_PASS multiple times, confirming the passphrase leaked to disk.
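The defect the report describes (an unbounded sprintf into a 200-byte stack buffer) next to the snprintf form the proposed patch uses, as an added example written for this page and not code from the steghide source or from the StegHigh pull request; the status-message wording and the demo paths are assumptions:

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define STATUS_BUF 200  /* same size as the fixed buffer the report names */

/* Shape of the defect (message text is an assumption; the real format
   string in src/Embedder.cc may differ): sprintf copies the whole path
   into a 200-byte stack buffer with no bound, so a path that does not
   fit overwrites what lies above it. Never call with an unbounded path. */
void format_status_unsafe(char *buf, const char *path)
{
    sprintf(buf, "embedding data into \"%s\"...", path);
}

/* Hardened form: snprintf writes at most size-1 characters plus the
   terminating NUL and returns the length the full message would have
   had, so the caller can detect truncation instead of a silent overrun.
   Returns true when the whole message fit, false when it was cut. */
bool format_status_safe(char *buf, size_t size, const char *path)
{
    int needed = snprintf(buf, size, "embedding data into \"%s\"...", path);
    if (needed < 0) {
        buf[0] = '\0';
        return false;
    }
    return (size_t)needed < size;
}

/* A 400-character path (constructed, like the 200 'A's in the report):
   returns the stored length (199, the most a 200-byte buffer can hold),
   or -1 if the call wrongly claimed the message fit. */
int demo_long_path(void)
{
    char path[401];
    char buf[STATUS_BUF];
    memset(path, 'A', 400);
    path[400] = '\0';
    if (format_status_safe(buf, sizeof buf, path))
        return -1;
    return (int)strlen(buf);
}

/* A short path fits untouched: returns 1 when the stored text is exact. */
int demo_short_path(void)
{
    char buf[STATUS_BUF];
    return format_status_safe(buf, sizeof buf, "short.wav")
        && strcmp(buf, "embedding data into \"short.wav\"...") == 0;
}
```

A program that holds a passphrase in memory can additionally call prctl(PR_SET_DUMPABLE, 0) on Linux, so a crash like this one does not write the secret into a core file.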

Activities

There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2026-01-15 01:43 erikdervishi New Issue