View Issue Details

ID: 0009504
Project: Kali Linux
Category: Kali Package Bug
View Status: public
Last Update: 2026-01-15 11:13
Reporter: erikdervishi
Assigned To:
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: new
Resolution: open
Summary0009504: [Patch & Vulnerability Report] Steghide 0.5.1 - Fix for DoS via Memory Exhaustion (CWE-770)
Description
1. Executive Summary

A Denial of Service (DoS) vulnerability was identified in steghide v0.5.1. The application fails to validate the BMP header dimensions (width and height) before allocating the pixel buffer. An attacker can therefore trigger a huge allocation (roughly 7.5 GB for the PoC below) with a 54-byte malformed file; the allocation fails with std::bad_alloc, which is not caught, and the process aborts with SIGABRT.

Status: Vulnerability Confirmed & Patched.

  2. Technical Analysis

Component: src/BmpFile.cc, function BmpFile::readdata.

Root Cause: BitmapData.resize() is called with height * linelength, a size computed directly from the header fields with no upper-bound check.

Risk:

64-bit: the product fits in a 64-bit size, the allocation is attempted and fails, and the uncaught std::bad_alloc aborts the process (memory exhaustion, DoS).

32-bit: height * linelength is computed in a 32-bit unsigned long and can wrap to a small value, so the buffer is undersized relative to the scanlines later read into it (integer overflow leading to heap buffer overflow, potential RCE).

3. Proof of Concept (PoC)

The following Python script generates dos.bmp, a 54-byte file whose headers claim a resolution of 50,000 x 50,000 pixels at 24 bpp.

import struct

filename = "dos.bmp"
with open(filename, "wb") as f:
    # BITMAPFILEHEADER (14 bytes): magic, file size and reserved fields left zero, pixel data offset 54
    header = b'BM' + b'\x00'*8 + struct.pack('<I', 54)
    # BITMAPINFOHEADER (40 bytes): 50,000 x 50,000 pixels, 1 plane, 24 bpp, BI_RGB, remaining fields zero
    dib = struct.pack('<IIIHHIIIIII', 40, 50000, 50000, 1, 24, 0, 0, 0, 0, 0, 0)
    f.write(header + dib)

print(f"[+] Created {filename}. Run: steghide info {filename}")

4. The Solution (Patch)

I implemented a sanity check in src/BmpFile.cc that validates the total required memory before allocation. The patch uses unsigned long long to prevent integer overflows during the check itself.

Applied Fix:
// --- SECURITY PATCH ---
// Compute the requirement in 64 bits so the check itself cannot wrap on 32-bit targets.
unsigned long long total_bytes_needed = (unsigned long long)height * (unsigned long long)linelength;
const unsigned long long MAX_ALLOWED_BYTES = 500ULL * 1024ULL * 1024ULL; // 500 MB limit

if (total_bytes_needed > MAX_ALLOWED_BYTES) {
    fprintf(stderr, "[!] SECURITY ERROR: BMP requires %llu bytes. Limit is %llu bytes.\n", total_bytes_needed, MAX_ALLOWED_BYTES);
    exit(1);
}
// --- END PATCH ---

BitmapData.resize (height * linelength) ;

5. Verification

After recompiling steghide with the patch, executing the PoC no longer results in a crash/abort. Instead, the application handles the error gracefully:

[!] SECURITY ERROR: BMP requires 7499900000 bytes. Limit is 524288000 bytes.
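
As an added example (not steghide's code and not the reporter's patch), the following C++ puts the pieces of this report side by side: it parses the 54 bytes the PoC writes, sizes the pixel buffer the way the unchecked height * linelength product does (including the 32-bit wrap on an ILP32 build), and applies a 64-bit bounded check with the same 500 MB cap as the patch. It assumes a 40-byte BITMAPINFOHEADER and the BMP rule that scanlines are padded to 4 bytes; the function names (parse_bmp_header, bmp_linelength, unchecked_size_ilp32, check_bmp_size, make_poc_bmp) and the second constructed image (65536 x 21846 x 24 bpp) are the example's own.

```cpp
// Added example, not steghide's own code: parse the BMP headers the PoC
// writes, size the pixel buffer the way the unchecked height * linelength
// product does, show the ILP32 wrap, and apply a 64-bit bounded check.
#include <cstdint>
#include <cstdio>
#include <vector>

enum class BmpCheck { Ok, BadHeader, TooLarge };

struct BmpDims { uint32_t width; uint32_t height; uint16_t bitcount; };

// Same 500 MB cap as the report's patch (assumed policy value).
const uint64_t MAX_ALLOWED_BYTES = 500ULL * 1024ULL * 1024ULL;

static uint32_t rd32(const unsigned char* p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t rd16(const unsigned char* p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr32(unsigned char* p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (unsigned char)(v >> (8 * i)); }
static void wr16(unsigned char* p, uint16_t v) { p[0] = (unsigned char)v; p[1] = (unsigned char)(v >> 8); }

// 14-byte BITMAPFILEHEADER followed by a 40-byte BITMAPINFOHEADER.
// Returns false on a short buffer, bad magic, or an info header that is not 40 bytes.
bool parse_bmp_header(const std::vector<unsigned char>& buf, BmpDims& d) {
    if (buf.size() < 54 || buf[0] != 'B' || buf[1] != 'M') return false;
    if (rd32(&buf[14]) != 40) return false;
    d.width = rd32(&buf[18]);
    d.height = rd32(&buf[22]);
    d.bitcount = rd16(&buf[28]);
    return true;
}

// Bytes per scanline, rounded up to a 4-byte boundary as the BMP format requires.
// Computed in 64 bits: 32-bit width times 16-bit bitcount cannot overflow here.
uint64_t bmp_linelength(uint64_t width, uint64_t bitcount) {
    uint64_t bytes = (width * bitcount + 7) / 8;
    return (bytes + 3) & ~(uint64_t)3;
}

// The unchecked product the report describes, done in 32 bits to mirror
// `unsigned long` on an ILP32 build: it wraps silently, so the buffer handed
// to resize() can be far smaller than the scanlines read into it afterwards.
uint32_t unchecked_size_ilp32(const BmpDims& d) {
    uint32_t linelength = (uint32_t)bmp_linelength(d.width, d.bitcount);
    return d.height * linelength;
}

// Bounded check: compute the requirement in 64 bits and refuse anything
// above the cap, so neither the check nor the later allocation can wrap.
BmpCheck check_bmp_size(const BmpDims& d, uint64_t* needed) {
    if (d.width == 0 || d.height == 0 || d.bitcount == 0) return BmpCheck::BadHeader;
    uint64_t total = (uint64_t)d.height * bmp_linelength(d.width, d.bitcount);
    if (needed) *needed = total;
    return total > MAX_ALLOWED_BYTES ? BmpCheck::TooLarge : BmpCheck::Ok;
}

// Constructed input: the same 54 bytes the report's Python PoC writes
// (50,000 x 50,000 pixels, 1 plane, 24 bpp, BI_RGB, pixel data at offset 54).
std::vector<unsigned char> make_poc_bmp() {
    std::vector<unsigned char> b(54, 0);
    b[0] = 'B'; b[1] = 'M';
    wr32(&b[10], 54);      // bfOffBits
    wr32(&b[14], 40);      // biSize
    wr32(&b[18], 50000);   // biWidth
    wr32(&b[22], 50000);   // biHeight
    wr16(&b[26], 1);       // biPlanes
    wr16(&b[28], 24);      // biBitCount
    return b;
}

int main() {
    BmpDims d;
    std::vector<unsigned char> poc = make_poc_bmp();
    if (!parse_bmp_header(poc, d)) { std::puts("not a BMP"); return 1; }
    uint64_t need = 0;
    if (check_bmp_size(d, &need) != BmpCheck::Ok) {
        std::fprintf(stderr, "[!] SECURITY ERROR: BMP requires %llu bytes. Limit is %llu bytes.\n",
                     (unsigned long long)need, (unsigned long long)MAX_ALLOWED_BYTES);
    }
    // Constructed 65536 x 21846 x 24 bpp image: needs about 4.29 GB, but the
    // 32-bit product wraps to 131072, the buffer an ILP32 build would allocate.
    BmpDims w = {65536, 21846, 24};
    std::printf("ilp32 product: %u, 64-bit requirement: %llu\n", unchecked_size_ilp32(w),
                (unsigned long long)((uint64_t)w.height * bmp_linelength(w.width, w.bitcount)));
    return 0;
}
```

The second constructed image is the point the 32-bit risk item makes: the same unchecked multiplication that merely fails to allocate on a 64-bit build hands resize() a 128 KB buffer on a 32-bit one, which is why the check has to be done in a wider type than the one the allocation uses.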

Activities

There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2026-01-15 11:13 erikdervishi New Issue