Suspected 0day
# CVE-2025-55891: Heap Corruption in TIFFCP.EXE (docuPrinter Pro) via Malformed TIFF File
## Summary
A heap corruption vulnerability exists in `TIFFCP.EXE`, a command-line utility bundled with [Neevia docuPrinter Pro](https://www.neevia.com/products/dppro/), due to the use of an outdated and vulnerable version of libtiff (v3.5.7). By supplying a specially crafted TIFF file, an attacker can trigger a segmentation fault during LZW decompression, potentially leading to arbitrary code execution.
This issue has been reproduced on both Linux (via the open-source `tiffcp` compiled from libtiff 3.5.7) and on Windows using the proprietary `TIFFCP.EXE` distributed with docuPrinter Pro. On Windows, the crash results in a `STATUS_ACCESS_VIOLATION` and occurs without requiring any special privileges.
## Affected Software
- `TIFFCP.EXE` as distributed in **Neevia docuPrinter Pro 7.3 and earlier**
- libtiff version **3.5.7** (original upstream vulnerability point)
## Technical Details
The vulnerability is triggered in the LZW decoding logic within `tif_lzw.c` at the following assertion:
```c
assert(&sp->dec_codetab[0] <= free_entp && free_entp < &sp->dec_codetab[CSIZE]);
```
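The assertion states that the free-entry pointer must stay inside `dec_codetab`, but `assert()` is compiled out in any build that defines `NDEBUG`, so the invariant is then not enforced at all. The added example below is a simplified model written for this page, not libtiff or Neevia code; `lzw_state`, `code_ent`, `CODE_FIRST`, the value of `CSIZE` and all function names are assumptions. It enforces the same invariant as a runtime error path that rejects the stream.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model of an LZW decoder table; NOT libtiff source code.
 * CODE_FIRST and the value of CSIZE are assumptions made for this sketch. */
#define CODE_FIRST 258   /* 256 literals + clear code + end-of-information */
#define CSIZE      5119

typedef struct code_ent {
    struct code_ent *next;   /* prefix string this entry extends */
    uint16_t length;         /* decoded string length */
    uint8_t value;           /* last byte of the string */
} code_ent;

typedef struct {
    code_ent dec_codetab[CSIZE];
    code_ent *free_entp;     /* next unused slot */
} lzw_state;

void lzw_reset(lzw_state *sp) {
    for (int i = 0; i < CODE_FIRST; i++)
        sp->dec_codetab[i] = (code_ent){ NULL, 1, (uint8_t)i };
    sp->free_entp = &sp->dec_codetab[CODE_FIRST];
}

/* Same invariant as the assert(), enforced at runtime so it survives
 * -DNDEBUG. Returns 0 on success, -1 when the stream must be rejected. */
int lzw_add_entry(lzw_state *sp, size_t prefix, uint8_t value) {
    size_t used = (size_t)(sp->free_entp - sp->dec_codetab);
    if (used >= CSIZE || prefix >= used)  /* table full, or undefined prefix */
        return -1;
    *sp->free_entp++ = (code_ent){ &sp->dec_codetab[prefix],
        (uint16_t)(sp->dec_codetab[prefix].length + 1), value };
    return 0;
}

/* Constructed input: n table additions with no reset. Returns entries accepted. */
size_t lzw_simulate_no_clear(lzw_state *sp, size_t n) {
    size_t ok = 0;
    lzw_reset(sp);
    while (ok < n && lzw_add_entry(sp, CODE_FIRST + ok - 1, 0x41) == 0)
        ok++;
    return ok;
}

int main(void) {
    static lzw_state st;
    printf("accepted %zu of 10000 entries\n", lzw_simulate_no_clear(&st, 10000));
}
```

In a real decoder the `-1` return would propagate as a decode error for the strip or tile, so a malformed file fails cleanly instead of writing past the table.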
## Disclaimers
For authorized use only. This research was performed independently of any employer. Protected under Section 1201 exemption of the DMCA for good-faith security research.
```
[4.0K] /data/pocs/58701f4db2c80d63513a908d047945ac15d0be1c
├── [104K] Heap-Based Buffer Overflow in TIFFCP.pdf
├── [1.3K] poc_gen.py
├── [303K] poc.tif
└── [1.3K] README.md

0 directories, 4 files
```