A heap overflow vulnerability exists in the way the GIF parser decodes LZW compressed streams in Accusoft ImageGear 19.8. A specially crafted malformed file can trigger a heap overflow, which can result in arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.

**Summary**

A heap overflow vulnerability exists in the way the GIF parser decodes LZW compressed streams in Accusoft ImageGear 19.8. A specially crafted malformed file can trigger a heap overflow, which can result in arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.

**Tested Versions**

Accusoft ImageGear Accusoft ImageGear 19.8

**Product URLs**

ImageGear - https://www.accusoft.com/products/imagegear-collection/

**CVSSv3 Score**

9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-122 - Heap-based Buffer Overflow

**Details**

The ImageGear library is a document-imaging developer toolkit that offers image conversion, creation, editing, annotation and more. It supports more than 100 formats such as DICOM, PDF, Microsoft Office and others.

ImageGear implements a decoder for GIF file format. Lack of bounds checking can lead to heap based buffer overflow while parsing GIF images with specially crafted image data.

GIF image is composed of a number of different headers and structures, most important of which is DATA block which in turn contains ImageDescriptor and ImageData blocks. For the purposes of this vulnerability, it is important to note that ImageData block can contain a number of different subblocks which contain LZW compressed data.

Opening the supplied proof of concept GIF image in ImageGear leads to the following crash:

    (690.1130): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    eax=1094d002 ebx=00004548 ecx=00000006 edx=1334aab8 esi=00000009 edi=fffffff8
    eip=6ad73f5f esp=012fe884 ebp=012fea10 iopl=0         nv up ei ng nz ac po cy
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010293
    igLZW19d+0x3f5f:
    6ad73f5f 880413          mov     byte ptr [ebx+edx],al      ds:002b:1334f000=??
    0:000> dd edx
    1334aab8  02020202 02020202 02020202 02020202
    1334aac8  02020202 02020202 02020202 02020202
    1334aad8  02020202 02020202 02020202 02020202
    1334aae8  02020202 02020202 02020202 02020202
    1334aaf8  02020202 02020202 02020202 02020202
    1334ab08  02020202 02020202 02020202 02020202
    1334ab18  02020202 02020202 02020202 02020202
    1334ab28  02020202 02020202 02020202 02020202
    0:000> !heap -p -a edx
        address 1334aab8 found in
        _DPH_HEAP_ROOT @ 5bf1000
        in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
                                    132e2dd0:         1334aab8             4545 -         1334a000             6000
              unknown!fillpattern
        6b25abb0 verifier!AVrfDebugPageHeapAllocate+0x00000240
        77cd245b ntdll!RtlDebugAllocateHeap+0x00000039
        77c36dd9 ntdll!RtlpAllocateHeap+0x000000f9
        77c35ec9 ntdll!RtlpAllocateHeapInternal+0x00000179
        77c35d3e ntdll!RtlAllocateHeap+0x0000003e
        6ad9dcff MSVCR110!malloc+0x00000049
        6af661de igCore19d!AF_memm_alloc+0x0000001e
        6ad73b1e igLZW19d+0x00003b1e
        6ad738b4 igLZW19d+0x000038b4
        6ad7254d igLZW19d+0x0000254d
        6af410d9 igCore19d!IG_image_savelist_get+0x00000b29
        6af80557 igCore19d!IG_mpi_page_set+0x00014807
        6af7feb9 igCore19d!IG_mpi_page_set+0x00014169
        6af15777 igCore19d!IG_load_file+0x00000047
    

From the above debugger output, we can observe a couple of things. First, the crash is due to access violation while writing to invalid memory pointed to by ebx+edx. From heap debug information we can see that the memory buffer pointed to by edx is of size 0x4545 and that value of 0x4548 in ebx makes this memory write fall outside the bounds of the buffer. If we examine the code surrounding the point of crash , we see the following:

    .text:10003F50 loc_10003F50:                           ; CODE XREF: sub_10003A50+4F8↑j
    .text:10003F50                                         ; sub_10003A50+53B↓j
    .text:10003F50                 mov     eax, [ebp+var_130]
    .text:10003F56                 mov     edx, [ebp+dest_buffer]                                            [1]
    .text:10003F5C                 mov     al, [ecx+eax]
    .text:10003F5F                 mov     [ebx+edx], al                                                     [2]
    .text:10003F62                 mov     eax, [ebp+eax_buffer_unknown]                                     [3]
    .text:10003F68                 mov     edx, [ebp+var_13C]
    .text:10003F6E                 movzx   ecx, word ptr [eax+ecx*2]                                         [4]
    .text:10003F72                 inc     ebx                                                               [5]
    .text:10003F73                 mov     [ebp+var_140], ebx
    .text:10003F79                 cmp     ecx, 0FFFFh                                                       [6]
    .text:10003F7F                 jz      loc_10004172
    .text:10003F85                 cmp     ecx, 0FFFEh
    .text:10003F8B                 jnz     short loc_10003F50                                                [7]
    

First of all, we can see that the above code constitutes a copy loop of some kind as conditional jump at \[7\] points to the begining of the block. At \[1\], address of destination buffer is retrieved into edx and a byte value from al is written into edx buffer at offset ebx at \[2\]. At \[3\], pointer to another, source, buffer is retrieved which is then used to set value of ecx at \[4\]. We can also observe that copy index , the value in ebx, is incremented by one in each iteration of the loop at \[5\]. Finally, the only ways to break out of the loop are at \[6\] and \[7\] where value in ecx is compared against 0xFFFF or 0xFFFE, if neither of these is true, the loop continues.

From analysis of the attached proof of concept file, we can conclude that heap overflow happens while processing compressed LZW stream because as we can observe the source buffer pointed to by eax being populated while decoding.

The vulnerability stems from the fact that above loop makes no checks to make sure that the copy index in ebx is smaller than the size of the buffer. Once the loop is entered, unless it’s terminated by 0xFFFF or 0xFFFE in ecx, the index in ebx will continue to grow past the bounds of the buffer which leads to heap buffer overflow as observed in the above crash.

Additionally, from PoC file analysis, we can show that overflown buffer size is under direct control and in fact comes from ImageWidth value in ImageDescriptor field. With precise control over size of destination buffer and precise control over results of LZW stream decoding it is possible to overwrite adjacent heap memory causing futher memory corruption which can ultimately lead to arbitrary code execution.

**Crash Information**

        0:000> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Exception Analysis                                   *
    *                                                                             *
    *******************************************************************************
    DUMP_CLASS: 2
    DUMP_QUALIFIER: 0
    FAULTING_IP: 
    igLZW19d+3f5f
    6ad73f5f 880413          mov     byte ptr [ebx+edx],al
    EXCEPTION_RECORD:  (.exr -1)
    ExceptionAddress: 6ad73f5f (igLZW19d+0x00003f5f)
       ExceptionCode: c0000005 (Access violation)
      ExceptionFlags: 00000000
    NumberParameters: 2
       Parameter[0]: 00000001
       Parameter[1]: 1334f000
    Attempt to write to address 1334f000
    FAULTING_THREAD:  00001130
    FOLLOWUP_IP: 
    igLZW19d+3f5f
    6ad73f5f 880413          mov     byte ptr [ebx+edx],al
    WRITE_ADDRESS:  1334f000 
    ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
    EXCEPTION_CODE_STR:  c0000005
    EXCEPTION_PARAMETER1:  00000001
    EXCEPTION_PARAMETER2:  1334f000
    WATSON_BKT_PROCSTAMP:  5f732f32
    WATSON_BKT_PROCVER:  1.0.0.2
    PROCESS_VER_PRODUCT:  Fuzzme
    WATSON_BKT_MODULE:  igLZW19d.dll
    WATSON_BKT_MODSTAMP:  5f3ec43d
    WATSON_BKT_MODOFFSET:  3f5f
    WATSON_BKT_MODVER:  19.8.0.0
    MODULE_VER_PRODUCT:  Accusoft ImageGear
    BUILD_VERSION_STRING:  17134.1.x86fre.rs4_release.180410-1804
    MODLIST_WITH_TSCHKSUM_HASH:  e753365c5948f36a0d0dda7434e6452388200aaa
    MODLIST_SHA1_HASH:  80c4e65037a99371ebd47e3f748fe58ab869701f
    NTGLOBALFLAG:  2100000
    APPLICATION_VERIFIER_FLAGS:  0
    PRODUCT_TYPE:  1
    SUITE_MASK:  272
    DUMP_TYPE:  fe
    APPLICATION_VERIFIER_LOADED: 1
    PROCESS_NAME:  unknown
    ANALYSIS_SESSION_TIME:  10-23-2020 18:10:21.0042
    ANALYSIS_VERSION: 10.0.17763.1 x86fre
    THREAD_ATTRIBUTES: 
    OS_LOCALE:  ENU
    BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_WRITE_AVRF
    DEFAULT_BUCKET_ID:  INVALID_POINTER_WRITE_AVRF
    PRIMARY_PROBLEM_CLASS:  APPLICATION_FAULT
    PROBLEM_CLASSES: 
        ID:     [0n313]
        Type:   [@ACCESS_VIOLATION]
        Class:  Addendum
        Scope:  BUCKET_ID
        Name:   Omit
        Data:   Omit
        PID:    [Unspecified]
        TID:    [0x1130]
        Frame:  [0] : igLZW19d
        ID:     [0n286]
        Type:   [INVALID_POINTER_WRITE]
        Class:  Primary
        Scope:  DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
                BUCKET_ID
        Name:   Add
        Data:   Omit
        PID:    [Unspecified]
        TID:    [0x1130]
        Frame:  [0] : igLZW19d
        ID:     [0n98]
        Type:   [AVRF]
        Class:  Addendum
        Scope:  DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
                BUCKET_ID
        Name:   Add
        Data:   Omit
        PID:    [0x690]
        TID:    [0x1130]
        Frame:  [0] : igLZW19d
    LAST_CONTROL_TRANSFER:  from 6ad738b4 to 6ad73f5f
    STACK_TEXT:  
    WARNING: Stack unwind information not available. Following frames may be wrong.
    012fea10 6ad738b4 012ff55c 10000026 0bed9ff0 igLZW19d+0x3f5f
    012fea60 6ad7254d 012ff55c 10000026 0bed9ff0 igLZW19d+0x38b4
    012ff4d4 6af410d9 012ff55c 0bed9ff0 00000001 igLZW19d+0x254d
    012ff50c 6af80557 00000000 0bed9ff0 012ff55c igCore19d!IG_image_savelist_get+0xb29
    012ff788 6af7feb9 00000000 0a086fe0 00000001 igCore19d!IG_mpi_page_set+0x14807
    012ff7a8 6af15777 00000000 0a086fe0 00000001 igCore19d!IG_mpi_page_set+0x14169
    012ff7c8 00bc20d0 0a086fe0 012ff7dc 09fd4fc0 igCore19d!IG_load_file+0x47
    
    
    STACK_COMMAND:  ~0s ; .cxr ; kb
    THREAD_SHA1_HASH_MOD_FUNC:  2ce14bea4e604d248b5b15a2510c032aa5d1921b
    THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  38dd752a58275002ed88ae16bc5ae5f26c0f650a
    THREAD_SHA1_HASH_MOD:  76476422c95de9d51201ea0d5862c350bd728e86
    FAULT_INSTR_CODE:  8b130488
    SYMBOL_STACK_INDEX:  0
    SYMBOL_NAME:  igLZW19d+3f5f
    FOLLOWUP_NAME:  MachineOwner
    MODULE_NAME: igLZW19d
    IMAGE_NAME:  igLZW19d.dll
    DEBUG_FLR_IMAGE_TIMESTAMP:  5f3ec43d
    FAILURE_BUCKET_ID:  INVALID_POINTER_WRITE_AVRF_c0000005_igLZW19d.dll!Unknown
    BUCKET_ID:  APPLICATION_FAULT_INVALID_POINTER_WRITE_AVRF_igLZW19d+3f5f
    FAILURE_EXCEPTION_CODE:  c0000005
    FAILURE_IMAGE_NAME:  igLZW19d.dll
    BUCKET_ID_IMAGE_STR:  igLZW19d.dll
    FAILURE_MODULE_NAME:  igLZW19d
    BUCKET_ID_MODULE_STR:  igLZW19d
    FAILURE_FUNCTION_NAME:  Unknown
    BUCKET_ID_FUNCTION_STR:  Unknown
    BUCKET_ID_OFFSET:  3f5f
    BUCKET_ID_MODTIMEDATESTAMP:  5f3ec43d
    BUCKET_ID_MODCHECKSUM:  18bd0
    BUCKET_ID_MODVER_STR:  19.8.0.0
    BUCKET_ID_PREFIX_STR:  APPLICATION_FAULT_INVALID_POINTER_WRITE_AVRF_
    FAILURE_PROBLEM_CLASS:  APPLICATION_FAULT
    FAILURE_SYMBOL_NAME:  igLZW19d.dll!Unknown
    TARGET_TIME:  2020-10-23T16:10:25.000Z
    OSBUILD:  17134
    OSSERVICEPACK:  753
    SERVICEPACK_NUMBER: 0
    OS_REVISION: 0
    OSPLATFORM_TYPE:  x86
    OSNAME:  Windows 10
    OSEDITION:  Windows 10 WinNt SingleUserTS
    USER_LCID:  0
    OSBUILD_TIMESTAMP:  1998-02-05 12:31:21
    BUILDDATESTAMP_STR:  180410-1804
    BUILDLAB_STR:  rs4_release
    BUILDOSVER_STR:  10.0.17134.1.x86fre.rs4_release.180410-1804
    ANALYSIS_SESSION_ELAPSED_TIME:  63bc
    ANALYSIS_SOURCE:  UM
    FAILURE_ID_HASH_STRING:  um:invalid_pointer_write_avrf_c0000005_iglzw19d.dll!unknown
    FAILURE_ID_HASH:  {287bbd66-8a9f-e2d7-91d6-15aac92a66ff}
    Followup:     MachineOwner
    ---------
    

**Timeline**

2020-10-29 - Vendor Disclosure  
2021-02-05 - Vendor Patched  
2021-02-09 - Public Release

Discovered by Emmanuel Tacheau and Marcin Towalski of Cisco Talos.

CVE-2020-13572: TALOS-2020-1183 || Cisco Talos Intelligence Group

An out-of-bounds write vulnerability exists in the Obj.cpp load_obj() functionality of Prusa Research PrusaSlicer 2.2.0 and Master (commit 4b040b856). A specially crafted obj file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability.

CVE-2020-28595: TALOS-2020-1219 || Cisco Talos Intelligence Group

A stack-based buffer overflow vulnerability exists in the Objparser::objparse() functionality of Prusa Research PrusaSlicer 2.2.0 and Master (commit 4b040b856). A specially crafted obj file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability.

**Summary**

A stack-based buffer overflow vulnerability exists in the Objparser::objparse() functionality of Prusa Research PrusaSlicer 2.2.0 and Master (commit 4b040b856). A specially crafted obj file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability.

**Tested Versions**

Prusa Research PrusaSlicer 2.2.0  
Prusa Research PrusaSlicer Master (commit 4b040b856)

**Product URLs**

https://www.prusa3d.com/prusaslicer/

**CVSSv3 Score**

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

**CWE**

CWE-121 - Stack-based Buffer Overflow

**Details**

Prusa Slicer is an open-source 3-D printer slicing program forked off Slic3r that can convert various 3-D model file formats and can output corresponding 3-D printer-readable Gcode.

One of the input file formats PrusaSlicer can deal with is .obj files, the code mainly handling this can be found in PrusaSlicer/src/libslic3r/Format/OBJ.cpp and PrusaSlicer/src/libslic3r/Format/objparser.cpp. We now proceed to trace the code-path from entry to vulnerability:

    bool load_obj(const char *path, TriangleMesh *meshptr){
        if(meshptr == nullptr) return false;
    
        // Parse the OBJ file.
        ObjParser::ObjData data;
        if (! ObjParser::objparse(path, data)) {   // [1]
            //    die "Failed to parse $file\n" if !-e $path;
            return false;
        }
        // [...]
    

At \[1\], we provide a path to a .obj file, which is then processed into the ObjParser::ObjData object, which we will examine the structure of when needed. Continuing into ObjParser::objparse:

    bool objparse(const char *path, ObjData &data)
    {
        FILE *pFile = boost::nowide::fopen(path, "rt");
        if (pFile == 0)
            return false;
    
        try {
            char buf[65536 * 2];  // [1]
            size_t len = 0;
            size_t lenPrev = 0;
            while ((len = ::fread(buf + lenPrev, 1, 65536, pFile)) != 0) { // [2]
                len += lenPrev;
                size_t lastLine = 0;
                for (size_t i = 0; i < len; ++ i)
                    if (buf[i] == '\r' || buf[i] == '\n') {
                        buf[i] = 0;
                        char *c = buf + lastLine;
                        while (*c == ' ' || *c == '\t')
                            ++ c;
                        obj_parseline(c, data);
                        lastLine = i + 1;
                    }
                lenPrev = len - lastLine; //  
                memmove(buf, buf + lastLine, lenPrev);
            }
        }
        catch (std::bad_alloc&) {
            printf("Out of memory\r\n");
        }
        ::fclose(pFile);
    
        // printf("vertices: %d\r\n", data.vertices.size() / 4);
        // printf("coords: %d\r\n", data.coordinates.size());
        return true;
    }
    

At \[2\] we can clearly see the call to fread reading into a fixed-size stack buffer at \[1\] inside of a while loop that is completely at the input file’s behest, resulting in a stack-based buffer overflow that can lead to arbitrary code execution.

**Crash Information**

    =================================================================
    ==593876==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff5b94fd80 at pc 0x0000004d3521 bp 0x7fff5b92fc70 sp 0x7fff5b92f438
    WRITE of size 12928 at 0x7fff5b94fd80 thread T0
        #0 0x4d3520 in fread (/root/boop/assorted_fuzzing/prusaslicer/obj_fuzzdir/fuzzobj.bin+0x4d3520)
        #1 0x7f2f2ceb7a94 in ObjParser::objparse(char const*, ObjParser::ObjData&) boop/assorted_fuzzing/prusaslicer/PrusaSlicer/src/libslic3r/Format/objparser.cpp:332:17
    
    Address 0x7fff5b94fd80 is located in stack of thread T0 at offset 131104 in frame
        #0 0x7f2f2ceb78af in ObjParser::objparse(char const*, ObjParser::ObjData&) /boop/assorted_fuzzing/prusaslicer/PrusaSlicer/src/libslic3r/Format/objparser.cpp:323
    
      This frame has 1 object(s):
        [32, 131104) 'buf' (line 329) <== Memory access at offset 131104 overflows this variable
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
          (longjmp and C++ exceptions *are* supported)
    SUMMARY: AddressSanitizer: stack-buffer-overflow (/boop/assorted_fuzzing/prusaslicer/obj_fuzzdir/fuzzobj.bin+0x4d3520) in fread
    Shadow bytes around the buggy address:
      0x10006b721f60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10006b721f70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10006b721f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10006b721f90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10006b721fa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x10006b721fb0:[f3]f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3
      0x10006b721fc0: f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3
      0x10006b721fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10006b721fe0: 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00
      0x10006b721ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10006b722000: 00 00 00 00 00 00 00 f2 f2 f2 f2 f2 f2 f2 f2 f2
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==593876==ABORTING
    

**Timeline**

2020-12-14 - Vendor disclosure  
2021-01-14 - Vendor patched  
2021-04-21 - Public release

Discovered by Lilith >\_> of Cisco Talos.

CVE-2020-28596: TALOS-2020-1220 || Cisco Talos Intelligence Group

A code execution vulnerability exists in the WS-Addressing plugin functionality of Genivia gSOAP 2.8.107. A specially crafted SOAP request can lead to remote code execution. An attacker can send an HTTP request to trigger this vulnerability.

**Summary**

A code execution vulnerability exists in the WS-Addressing plugin functionality of Genivia gSOAP 2.8.107. A specially crafted SOAP request can lead to remote code execution. An attacker can send an HTTP request to trigger this vulnerability.

**Tested Versions**

Genivia gSOAP 2.8.107

**Product URLs**

https://www.genivia.com/products.html#gsoap

**CVSSv3 Score**

9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-680 - Integer Overflow to Buffer Overflow

**Details**

The gSOAP toolkit is a C/C++ library for developing XML-based web services. It includes several plugins to support the implementation of SOAP and web service standards. The framework also provides multiple deployment options including modules for both IIS and Apache, standalone CGI scripts and its own standalone HTTP service.

One of the many plugins provided by gSOAP includes the wsa plugin for supporting the WS-Addressing specification which provides an asynchronous mechanism for routing SOAP requests and responses. The specification includes a element for providing URI parameters to a number of different parts of both requests and responses. The URIs may include a username and password for the resource in a standard format. http://user:password@somehost.com A buffer overflow vulnerability existing in the parsing of these extra parameters.

It starts by looking for the : in the uri and assumes that if it’s not part of :// that is is the seperator between the username and password.

    21234   s = strchr(endpoint, ':');
    21235   if (s && s[1] == '/' && s[2] == '/') // Skip the :// part of the parameter
    21236     s += 3;
    21237   else // Assume it's the seperator and start from the beginning of the element
    21238     s = endpoint;  
    

Processing continues by trying to find the @ to seperate the user:pass from the hostname. At this point, parsing of the username and password occurs assuming we have found both seperators (@ and :)

    21240   t = strchr(s, '@'); // attempts to find the seperator 
    21241
    21242   if (t && *s != ':' && *s != '@')
    21243   {
    21244     size_t l = t - s + 1;  // Calculate the size of the user:pass part of the string
    21245     char *r = (char*)soap_malloc(soap, l); // Allocate enough storage to hold both the user and pass
    21246     n = s - endpoint;
    21247     if (r)
    21248     {
    21249       s = soap_decode(r, l, s, ":@");  // s is still pointing to the beginning of the data in this element
    21250       soap->userid = r; // r is now a copy of the user part of the string up to the :
    21251       soap->passwd = SOAP_STR_EOS;
    21252       if (*s == ':') // s now points to the : seperator
    21253       {
    21254         s++; // Step past the seperator and now we should be pointing to the password section
    21255         if (*s != '@') // Make sure the password isn't empty
    21256         {
    21257           l = t - s + 1; // t points to the @ seperator so here we calculate the length of the password by subtracting between the two seperators
    21258           r = r + strlen(r) + 1; // r currently points to the copied username so we skip past to copy the password into the same buffer.
    21259           s = soap_decode(r, l, s, "@"); // l is now a very large number allowing us to write us much data to the head as we like and cleanly terminate the copy with an @
    21260           soap->passwd = r;
    21261         }
    21262       }
    21263     }
    21264     s++;
    21265     soap_strcpy(soap->endpoint + n, sizeof(soap->endpoint) - n, s);
    21266   }
    

Here the code makes an assumption about the order of the : and @ seperators. It assumes that the @ (t) is after :(s) and calculates the size for the second soap\_decode based on this assumption. If the : comes after the @, this calculation causes the calculated size to be negative and wrap around and become a very large length value to soap_decode to parse the password.

Within soap\_decode, an attempt to copy the data into a the new heap buffer occurs. As the length is a very large number and the counter is counting backwards, we are able to write an arbitrary amount of data past our destination buffer.

    7919 soap_decode(char *buf, size_t len, const char *val, const char *sep)
    7920 {
    7921   const char *s;
    7922   char *t = buf;
    7923   size_t i = len;
    7924   for (s = val; *s; s++)
    7925     if (*s != ' ' && *s != '\t' && !strchr(sep, *s))
    7926       break;
    7927   if (len > 0)
    7928   {
    7929     if (*s == '"')
    7930     {
    7931       s++;
    7932  
    7933       while (*s && *s != '"' && --i)
    7934         *t++ = *s++;
    7935     }
    

**Crash Information**

    Starting program: /gsoap-2.8/gsoap/samples/wsa/wsademo 8080
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
    Server is running
    malloc(): memory corruption
    
    Program received signal SIGABRT, Aborted.
    __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
    51	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
    (gdb) bt
    #0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
    #1  0x00007ffff70af8b1 in __GI_abort () at abort.c:79
    #2  0x00007ffff70f8907 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff7225dfa "%s\n") at ../sysdeps/posix/libc_fatal.c:181
    #3  0x00007ffff70ff97a in malloc_printerr (str=str@entry=0x7ffff722406e "malloc(): memory corruption") at malloc.c:5350
    #4  0x00007ffff7103a04 in _int_malloc (av=av@entry=0x7ffff745ac40 <main_arena>, bytes=bytes@entry=72) at malloc.c:3738
    #5  0x00007ffff710616c in __GI___libc_malloc (bytes=72) at malloc.c:3057
    #6  0x000055555556ddae in soap_malloc (soap=soap@entry=0x7ffff7fba010, n=56, n@entry=48) at stdsoap2_ssl.c:10428
    #7  0x000055555556de7f in soap_strdup (soap=soap@entry=0x7ffff7fba010, s=s@entry=0x555555589430 "http://www.w3.org/2005/08/addressing/soap/fault") at stdsoap2_ssl.c:2806
    #8  0x000055555557eedd in soap_try_connect_command (soap=soap@entry=0x7ffff7fba010, http_command=http_command@entry=2000,
        endpoint=endpoint@entry=0x55555579db40 "http://%@AAAA:", 'B' <repeats 186 times>..., action=action@entry=0x555555589430 "http://www.w3.org/2005/08/addressing/soap/fault")
        at stdsoap2_ssl.c:21486
    #9  0x0000555555582cdb in soap_connect_command (soap=soap@entry=0x7ffff7fba010, http_command=http_command@entry=2000,
        endpoints=0x55555579db40 "http://%@AAAA:", 'B' <repeats 186 times>..., action=0x555555589430 "http://www.w3.org/2005/08/addressing/soap/fault") at stdsoap2_ssl.c:21455
    #10 0x0000555555582de0 in soap_connect (soap=soap@entry=0x7ffff7fba010, endpoint=<optimized out>, action=<optimized out>) at stdsoap2_ssl.c:21408
    #11 0x0000555555562ebb in soap_wsa_fault_subcode_action (soap=soap@entry=0x7ffff7fba010, flag=flag@entry=1, faultsubcode=faultsubcode@entry=0x555555589856 "wsa5:ActionNotSupported",
        faultstring=faultstring@entry=0x555555589d50 "The [action] cannot be processed at the receiver.", faultdetail=faultdetail@entry=0x0, action=action@entry=0x0)
        at ../../plugin/wsaapi.c:1088
    #12 0x0000555555563145 in soap_wsa_fault_subcode (faultdetail=0x0, faultstring=0x555555589d50 "The [action] cannot be processed at the receiver.",
        faultsubcode=0x555555589856 "wsa5:ActionNotSupported", flag=1, soap=0x7ffff7fba010) at ../../plugin/wsaapi.c:1022
    #13 soap_wsa_sender_fault_subcode (faultdetail=0x0, faultstring=0x555555589d50 "The [action] cannot be processed at the receiver.", faultsubcode=0x555555589856 "wsa5:ActionNotSupported",
        soap=0x7ffff7fba010) at ../../plugin/wsaapi.c:1126
    #14 soap_wsa_error (soap=soap@entry=0x7ffff7fba010, fault=fault@entry=wsa5__ActionNotSupported, info=0x0) at ../../plugin/wsaapi.c:1428
    #15 0x0000555555563a7d in soap_wsa_set_error (soap=0x7ffff7fba010, c=0x55555579bbf0, s=0x55555579bc20) at ../../plugin/wsaapi.c:1623
    #16 0x000055555558535f in soap_set_fault (soap=soap@entry=0x7ffff7fba010) at stdsoap2_ssl.c:22051
    #17 0x00005555555861f3 in soap_send_fault (soap=0x7ffff7fba010) at stdsoap2_ssl.c:22314
    #18 0x00005555555588f3 in main (argc=2, argv=<optimized out>) at wsademo.c:85
    

**Timeline**

2020-11-05 - Vendor Disclosure  
2020-12-16 - Vendor advised patch released on 2020-11-20  
2021-01-05 - Public Release

Discovered by a member of Cisco Talos.

CVE-2020-13576: TALOS-2020-1187 || Cisco Talos Intelligence Group

The daemon in GENIVI diagnostic log and trace (DLT), is vulnerable to a heap-based buffer overflow that could allow an attacker to remotely execute arbitrary code on the DLT-Daemon (versions prior to 2.18.6).

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    
    *   Explore
    *   All features
    *   Documentation
    *   GitHub Skills
    *   Blog
    
*   *   For
    *   Enterprise
    *   Teams
    *   Startups
    *   Education
    
    *   By Solution
    *   CI/CD & Automation
    *   DevOps
    *   DevSecOps
    
    *   Case Studies
    *   Customer Stories
    *   Resources
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
    *   Repositories
    *   Topics
    *   Trending
    *   Collections
    
*   Pricing

CVE-2020-36244: Comparing v2.18.5...v2.18.6 · COVESA/dlt-daemon

A stack-based buffer overflow in dnsproxy in ConnMan before 1.39 could be used by network adjacent attackers to execute code.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

CVE-2021-26675: security - Remote code execution in connman

Heap buffer overflow in Extensions in Google Chrome prior to 88.0.4324.146 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension.

CVE-2021-21143: Stable Channel Update for Desktop

In the cryptography package before 3.3.2 for Python, certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated by the Fernet class.

Here is some more information to aid with debugging the issue. I have verified these results on two different computers, so I am quite certain this is not in any way related to the RAM issues I have mentioned.

\# \_MAX\_CHUNK\_SIZE = 2 \*\* 31 - 1 (unmodified):
data\_size \= 2\*\*32 \- 1024\*\*2  \# OK
data\_size \= 2\*\*32 \- 1024     \# OK
data\_size \= 2\*\*32 \- 512      \# OK
data\_size \= 2\*\*32 \- 128      \# OK
data\_size \= 2\*\*32 \- 64       \# OK
data\_size \= 2\*\*32 \- 48       \# OK
data\_size \= 2\*\*32 \- 33       \# OK
data\_size \= 2\*\*32 \- 32       \# FAIL (ValueError: The length of the provided data is not a multiple of the block length)
data\_size \= 2\*\*32 \- 31       \# FAIL (ValueError: The length of the provided data is not a multiple of the block length)
data\_size \= 2\*\*32 \- 17       \# FAIL (ValueError: The length of the provided data is not a multiple of the block length)
data\_size \= 2\*\*32 \- 16       \# FAIL (SIGABRT: munmap\_chunk(): invalid pointer)
data\_size \= 2\*\*32 \- 1        \# FAIL (SIGABRT: munmap\_chunk(): invalid pointer)
data\_size \= 2\*\*32            \# FAIL (SIGABRT: munmap\_chunk(): invalid pointer or SIGSEGV)
data\_size \= 3\*2\*\*32          \# FAIL (SIGSEGV)

Traceback from the cases that fail with a ValueError:

    Traceback (most recent call last):
      File "/home/<redacted>/projects/cryptography_bug/venv/lib/python3.9/site-packages/cryptography/fernet.py", line 134, in _decrypt_data
        plaintext_padded += decryptor.finalize()
      File "/home/<redacted>/projects/cryptography_bug/venv/lib/python3.9/site-packages/cryptography/hazmat/primitives/ciphers/base.py", line 164, in finalize
        data = self._ctx.finalize()
      File "/home/<redacted>/projects/cryptography_bug/venv/lib/python3.9/site-packages/cryptography/hazmat/backends/openssl/ciphers.py", line 181, in finalize
        raise ValueError(
    ValueError: The length of the provided data is not a multiple of the block length.
    
    During handling of the above exception, another exception occurred:
    
    Traceback (most recent call last):
      File "/home/<redacted>/projects/cryptography_bug/main.py", line 40, in <module>
        plaintext = fernet.decrypt(ciphertext)
      File "/home/<redacted>/projects/cryptography_bug/venv/lib/python3.9/site-packages/cryptography/fernet.py", line 76, in decrypt
        return self._decrypt_data(data, timestamp, ttl, int(time.time()))
      File "/home/<redacted>/projects/cryptography_bug/venv/lib/python3.9/site-packages/cryptography/fernet.py", line 136, in _decrypt_data
        raise InvalidToken
    cryptography.fernet.InvalidToken
    
    Process finished with exit code 1

CVE-2020-36242: Fernet fails to encrypt/decrypt large data · Issue #5615 · pyca/cryptography

A memory corruption vulnerability exists in the Excel Document SST Record 0x00fc functionality of SoftMaker Software GmbH SoftMaker Office PlanMaker 2021 (Revision 1014). A specially crafted malformed file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.

**Summary**

A memory corruption vulnerability exists in the Excel Document SST Record 0x00fc functionality of SoftMaker Software GmbH SoftMaker Office PlanMaker 2021 (Revision 1014). A specially crafted malformed file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.

**Tested Versions**

SoftMaker Software GmbH SoftMaker Office PlanMaker 2021 (Revision 1014)

**Product URLs**

https://www.softmaker.com/en/softmaker-office

**CVSSv3 Score**

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

**CWE**

CWE-122 - Heap-based Buffer Overflow

**Details**

SoftMaker Software GmbH is a German software company that develops and releases office software. Their flagship product, SoftMaker Office, is supported on a variety of platforms and contains a handful of components that allows the user to write text documents, create spreadsheets, design presentations and more. The SoftMaker Office suite supports a variety of common office file formats, as well as other internal formats that the user may choose to use when performing their necessary work.

The PlanMaker application of SoftMaker’s suite is designed as an all-around spreadsheet tool, and supports a number of features that allow it to remain competitive with similar office suites that are developed by its competitors. This application includes a number of parsers that enable the user to interact with a variety of document types or templates that are common within this type of software. One supported file format, which is relevant to the vulnerability described within this document, is the Microsoft Excel file format. This format is based on Microsoft’s Compound Document file format and is primarily contained within either the “Workbook” stream for later versions of the format, or the “Book” stream for earlier versions.

When opening up a Microsoft Excel Document, the following function will be executed in order to load the document. Before the document is loaded, the application will open up the file temporarily in order to fingerprint the document and determine which handler is used to load the document’s contents. At \[1\], the application will call a function that is responsible for parsing the different streams that may be found within the document.

    0x7ea017:    push   %rbp
    0x7ea018:    mov    %rsp,%rbp
    0x7ea01b:    sub    $0x260,%rsp
    0x7ea022:    mov    %rdi,-0x248(%rbp)
    0x7ea029:    mov    %rsi,-0x250(%rbp)   ; object
    0x7ea030:    mov    %rdx,-0x258(%rbp)   ; document path
    0x7ea037:    mov    %ecx,-0x25c(%rbp)
    ...
    0x7ea24b:    mov    -0x234(%rbp),%ecx
    0x7ea251:    mov    -0x258(%rbp),%rdx   ; document path
    0x7ea258:    mov    -0x250(%rbp),%rsi   ; object
    0x7ea25f:    mov    -0x248(%rbp),%rax
    0x7ea266:    mov    %rax,%rdi
    0x7ea269:    callq  0x695c7c            ; [1]
    0x7ea26e:    test   %eax,%eax
    0x7ea270:    setne  %al
    0x7ea273:    test   %al,%al
    0x7ea275:    je     0x7ea2a3
    

Eventually the following function will be called from an array of functions used to handle the different record types within the workbook stream belonging to the Microsoft Excel document. This function is given a handle to the document stream as one of its parameters in order to read records from the stream. After initializing some of the local variables within the function, the loop at \[2\] will be executed. This loop is directly responsible for reading a record from the stream at \[3\], and then looking at the record type to in order to determine how to actually parse the record.

    0x634eeb:    push   %rbp
    0x634eec:    mov    %rsp,%rbp
    0x634eef:    sub    $0x90,%rsp
    0x634ef6:    mov    %rdi,-0x78(%rbp)    ; object
    0x634efa:    mov    %rsi,-0x80(%rbp)    ; document stream
    0x634efe:    mov    %edx,-0x84(%rbp)    ; flags
    0x634f04:    mov    %fs:0x28,%rax
    ...
    0x634f92:    mov    -0x78(%rbp),%rax    ; [2] beginning of loop
    0x634f96:    mov    0x88(%rax),%eax
    0x634f9c:    and    $0xff000000,%eax
    0x634fa1:    test   %eax,%eax
    0x634fa3:    jne    0x635e02            ; exit loop
    ...
    0x634fa9:    mov    -0x40(%rbp),%r9     ; record data
    0x634fad:    lea    -0x64(%rbp),%r8     ; result code
    0x634fb1:    lea    -0x6e(%rbp),%rcx    ; result record length
    0x634fb5:    lea    -0x6c(%rbp),%rdx    ; result record type
    0x634fb9:    mov    -0x80(%rbp),%rsi    ; stream object
    0x634fbd:    mov    -0x78(%rbp),%rax    ; object
    0x634fc1:    sub    $0x8,%rsp
    0x634fc5:    lea    -0x68(%rbp),%rdi    
    0x634fc9:    push   %rdi
    0x634fca:    mov    %rax,%rdi           ; object
    0x634fcd:    callq  0x61e4a8            ; [3] parse the next record from the stream
    0x634fd2:    add    $0x10,%rsp
    0x634fd6:    mov    %rax,-0x40(%rbp)    ; record data from stream
    0x634fda:    cmpq   $0x0,-0x40(%rbp)
    0x634fdf:    je     0x635e01
    ...
    0x635dfb:    nop
    0x635dfc:    jmpq   0x634f92            ; [2] continue loop
    

Once successfully parsing the record within each iteration of the loop, the loop will use the record type in order to determine which handler to use for parsing the record’s contents at \[4\]. The vulnerability described by this advisory is for record type 0x00fc which represents the SST record which contains the Shared String Table for the document. After reading the current record’s length at \[5\] and resuming the search at \[6\]. The function will branch to directly to the block of code at \[7\] which is responsible for dispatching execution to a function responsible for parsing the contents of the SST record. At \[8\], the data for the entire record and the stream object containing the record are passed as parameters to the function that will parse the Shared String Table.

    0x634ff1:    movzwl -0x6c(%rbp),%eax    ; result record type
    0x634ff5:    movzwl %ax,%eax
    0x634ff8:    cmp    $0x43,%eax
    0x634ffb:    je     0x635017
    0x634ffd:    cmp    $0x43,%eax
    0x635000:    jg     0x635009            ; [4] look for record type
    ...
    0x635009:    cmp    $0x92,%eax
    0x63500e:    je     0x635033
    0x635010:    cmp    $0x231,%eax
    0x635015:    jne    0x63504e            ; [4] look for record type
    ...
    0x63504e:    movzwl -0x6c(%rbp),%eax
    0x635052:    cmp    $0xa,%ax
    0x635056:    jne    0x635064            ; [4] look for record type
    ...
    0x635064:    mov    -0x40(%rbp),%rax    ; record contents
    0x635068:    add    $0x2,%rax
    0x63506c:    movzwl (%rax),%eax         ; [5] read record length
    0x63506f:    movzwl %ax,%eax
    0x635072:    mov    %eax,-0x44(%rbp)    ; [5] store record length
    ...
    0x635075:    movzwl -0x6c(%rbp),%eax    ; result record type
    0x635079:    movzwl %ax,%eax
    0x63507c:    cmp    $0xc1,%eax
    0x635081:    je     0x635588
    0x635087:    cmp    $0xc1,%eax7
    0x63508c:    jg     0x6351e8            ; [6] look for record type
    ...
    0x6351e8:    cmp    $0x161,%eax
    0x6351ed:    je     0x6355ad
    0x6351f3:    cmp    $0x161,%eax
    0x6351f8:    jg     0x6352ab            ; [6] look for record type
    0x6351fe:    cmp    $0xe2,%eax
    0x635203:    jg     0x635258
    ...
    0x635258:    cmp    $0xfc,%eax
    0x63525d:    je     0x635b84            ; [7] found record type 0x00fc
    ...
    0x635b84:    lea    -0x68(%rbp),%rcx
    0x635b88:    mov    -0x40(%rbp),%rdx    ; record data from stream
    0x635b8c:    mov    -0x80(%rbp),%rsi    ; stream object
    0x635b90:    mov    -0x78(%rbp),%rax    ; object
    0x635b94:    mov    %rax,%rdi
    0x635b97:    callq  0x6217cc            ; [8] parse record 0x00fc
    0x635b9c:    mov    %rax,-0x40(%rbp)
    0x635ba0:    jmpq   0x635dfc
    

Once inside the function responsible for parsing the SST record and storing its parameters into the function’s frame on the stack, at \[9\] the function will read a uint32_t from offset +8 of the record as the cstUnique field and store into into a local variable. Immediately afterwards at \[10\], a uint16_t will be read from offset +2 of the record which contains the record’s length. In order to store the string table that will be read from the current record and all of the records that follow it, the application will allocate a constant size of 0x6060 bytes at \[11\]. At \[12\], the application will explicitly trust the uint16_t that was read as the length, and use it to copy the record’s contents into the statically sized heap buffer that was just allocated. Due to the maximum size of a uint16_t being 0xffff, and the size of the heap-buffer being 0x6060, this allows for a heap-based buffer overflow to occur if the record length is larger than 0x6060. This allows for memory corruption which can lead to code execution under the context of the application.

    0x6217cc:    push   %rbp
    0x6217cd:    mov    %rsp,%rbp
    0x6217d0:    push   %rbx
    0x6217d1:    sub    $0x128,%rsp
    0x6217d8:    mov    %rdi,-0x118(%rbp)   ; object
    0x6217df:    mov    %rsi,-0x120(%rbp)   ; stream object
    0x6217e6:    mov    %rdx,-0x128(%rbp)   ; record data from stream
    0x6217ed:    mov    %rcx,-0x130(%rbp)   
    ...
    0x621822:    mov    -0x128(%rbp),%rax   ; record data from stream
    0x621829:    mov    0x8(%rax),%eax      ; [9] read uint32_t from recordData + 8
    0x62182c:    mov    %eax,-0xc0(%rbp)    ; store it
    ...
    0x621832:    mov    -0x128(%rbp),%rax   ; record data from stream
    0x621839:    add    $0x2,%rax           ; shift pointer to recordData + 2
    0x62183d:    movzwl (%rax),%eax         ; [10] read uint16_t from recordData + 2
    0x621840:    movzwl %ax,%eax
    0x621843:    mov    %eax,-0xec(%rbp)    ; store record's uint16_t length
    ...
    0x621884:    mov    -0x118(%rbp),%rax
    0x62188b:    mov    0x48(%rax),%rax
    0x62188f:    mov    $0x6060,%esi        ; static size used for allocation
    0x621894:    mov    %rax,%rdi
    0x621897:    callq  0xab7a01            ; [11] allocate memory using static size
    0x62189c:    mov    %rax,-0xa8(%rbp)
    ...
    0x6218c2:    mov    -0xec(%rbp),%eax    ; uint16_t record length trusted from file
    0x6218c8:    lea    -0x8(%rax),%edx     ; memcpy length
    0x6218cb:    mov    -0x128(%rbp),%rax   ; record data from stream
    0x6218d2:    lea    0xc(%rax),%rcx
    0x6218d6:    mov    -0xa8(%rbp),%rax    ; heap buffer that was allocated
    0x6218dd:    mov    %rcx,%rsi           ; memcpy source
    0x6218e0:    mov    %rax,%rdi           ; memcpy destination
    0x6218e3:    callq  0xab9e39            ; [12] memcpy that triggers buffer overflow due to trusted uint16_t length
    0x6218e8:    subl   $0x8,-0xec(%rbp)
    

**Crash Information**

When running the PlanMaker application within a debugger, set a breakpoint on the address of the allocation at 0x621897 and then the call to memcpy at address 0x6218e3. Once opening the provided proof-of-concept, the breakpoint at the allocation should interrupt execution of the application.

    (gdb) bp 621897
    Breakpoint 4 at 0x621897
    (gdb) bp 6218e3
    Breakpoint 5 at 0x6218e3
    (gdb) r
    Starting program: /usr/share/office2021/planmaker
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
    [New Thread 0x7fffefcd3700 (LWP 2679)]
    [New Thread 0x7fffef4d2700 (LWP 2680)]
    ...
    [Detaching after vfork from child process 3111]
    [Detaching after vfork from child process 3113]
    [Detaching after vfork from child process 3115]
    [New Thread 0x7fffc65fd700 (LWP 3117)]
    
    Thread 1 "planmaker" hit Breakpoint 4, 0x0000000000621897 in ?? ()
    (gdb) h
    
    -=[registers]=-
    [rax: 0x0000000002ed23f0] [rbx: 0x0000000002efa9c0] [rcx: 0x0000000002d0e880]
    [rdx: 0x0000000002d0e880] [rsi: 0x0000000000006060] [rdi: 0x0000000002ed23f0]
    [rsp: 0x00007fffffffbb80] [rbp: 0x00007fffffffbcb0] [ pc: 0x0000000000621897]
    [ r8: 0x0000000000000001] [ r9: 0x00000000000001a0] [r10: 0x0000000001b82010]
    [r11: 0x0000000002d0e600] [r12: 0x0000000000000001] [r13: 0x00007fffffffeb10]
    [r14: 0x0000000000000000] [r15: 0x0000000000000000] [efl: 0x00000246]
    [flags: +ZF -SF -OF -CF -DF +PF -AF +IF R1]
    
    -=[stack]=-
    7fffffffbb80 | 00007fffffffbce8 0000000002d06710 | .........g......
    7fffffffbb90 | 0000000002dff650 00007fffffffc080 | P...............
    7fffffffbba0 | 0000000002d0e713 0000000002ef54d0 | .........T......
    7fffffffbbb0 | 00007fff000000c8 0000011300000000 | ................
    
    -=[disassembly]=-
    => 0x621897:    callq  0xab7a01
       0x62189c:    mov    %rax,-0xa8(%rbp)
       0x6218a3:    mov    -0x118(%rbp),%rax
       0x6218aa:    mov    $0x68,%edx
       0x6218af:    mov    $0x0,%esi
       0x6218b4:    mov    %rax,%rdi
    

Once the breakpoint at address 0x621897 is reached, dumping out its parameters shows that the size that will be used for the allocation is 0x6060 and stored within the %esi register. Stepping over the call to the allocator will then result in a pointer to the allocated heap buffer being returned.

    (gdb) i r rdi esi
    rdi            0x2ed23f0           0x2ed23f0
    esi            0x6060              0x6060
    (gdb) n
    0x000000000062189c in ?? ()
    
    (gdb) i r rax
    rax            0x2d33670           0x2d33670
    (gdb)
    

Continuing execution after the allocation has been made will then result in the next breakpoint interrupting the execution of the application before the data from the record’s contents is copied into the heap buffer using the memcpy function. The parameters for the call to memcpy are stored within the %rdi, %rsi, and %edx registers. Printing out the state of these registers shows that %rdi is pointing to the prior result that was returned from the heap allocation, and the length in the %edx register is larger than the size that was used to allocate said heap buffer.

    (gdb) c 
    Continuing.
    
    Thread 1 "planmaker" hit Breakpoint 5, 0x00000000006218e3 in ?? ()
    (gdb) h
    -=[registers]=-
    [rax: 0x0000000002d33670] [rbx: 0x0000000002efa9c0] [rcx: 0x0000000002d0671c]
    [rdx: 0x0000000000007ff7] [rsi: 0x0000000002d0671c] [rdi: 0x0000000002d33670]
    [rsp: 0x00007fffffffbb80] [rbp: 0x00007fffffffbcb0] [ pc: 0x00000000006218e3]
    [ r8: 0x0000000000000000] [ r9: 0x0000000000006060] [r10: 0x0000000001b82010]
    [r11: 0x0000000002d0e600] [r12: 0x0000000000000001] [r13: 0x00007fffffffeb10]
    [r14: 0x0000000000000000] [r15: 0x0000000000000000] [efl: 0x00000246]
    [flags: +ZF -SF -OF -CF -DF +PF -AF +IF R1]
    
    -=[stack]=-
    7fffffffbb80 | 00007fffffffbce8 0000000002d06710 | .........g......
    7fffffffbb90 | 0000000002dff650 00007fffffffc080 | P...............
    7fffffffbba0 | 0000000002d0e713 0000000002ef54d0 | .........T......
    7fffffffbbb0 | 00007fff000000c8 0000011300000000 | ................
    
    -=[disassembly]=-
    => 0x6218e3:    callq  0xab9e39
       0x6218e8:    subl   $0x8,-0xec(%rbp)
       0x6218ef:    movl   $0x0,-0xf4(%rbp)
       0x6218f9:    movl   $0x0,-0xe4(%rbp)
       0x621903:    callq  0x10991a5
       0x621908:    mov    %eax,-0xe8(%rbp)
    
    (gdb) i r rdi rsi edx
    rdi            0x2d33670           0x2d33670
    rsi            0x2d0671c           0x2d0671c
    edx            0x7ff7              0x7ff7
    

If we dump out the memory that is pointed to by the %rsi register, the contents of the record as contained within the file is displayed. This record’s contents will be used to corrupt memory when the call to memcpy is executed.

    (gdb) db $rsi
    2d0671c | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 31 00 | ..............1.
    2d0672c | 16 00 dc 00 00 00 08 00 90 01 00 00 00 02 00 32 | ...............2
    2d0673c | 07 43 61 6c 69 62 72 69 31 00 16 00 dc 00 00 00 | .Calibri1.......
    2d0674c | 08 00 90 01 00 00 00 02 00 32 07 43 61 6c 69 62 | .........2.Calib
    2d0675c | 72 69 31 00 16 00 dc 00 00 00 08 00 90 01 00 00 | ri1.............
    2d0676c | 00 02 00 32 07 43 61 6c 69 62 72 69 31 00 16 00 | ...2.Calibri1...
    

By stepping over the call to memcpy, the memory corruption will be made to occur. Once resuming execution, the application will continue to execute despite the heap memory after the 0x6060-sized allocation that was used for the SST record’s contents was corrupted.

    (gdb) n
    0x00000000006218e8 in ?? ()
    
    -=[registers]=-
    [rax: 0x0000000002d33670] [rbx: 0x0000000002efa9c0] [rcx: 0x0000000000000000]
    [rdx: 0x0000000000007ff7] [rsi: 0x0000000002d0e713] [rdi: 0x0000000002d3b667]
    [rsp: 0x00007fffffffbb80] [rbp: 0x00007fffffffbcb0] [ pc: 0x00000000006218e8]
    [ r8: 0x0000000000000000] [ r9: 0x0000000002d0e713] [r10: 0x0000000001b82010]
    [r11: 0x0000000002d0e600] [r12: 0x0000000000000001] [r13: 0x00007fffffffeb10]
    [r14: 0x0000000000000000] [r15: 0x0000000000000000] [efl: 0x00000212]
    [flags: -ZF -SF -OF -CF -DF -PF +AF +IF R1]
    
    -=[stack]=-
    7fffffffbb80 | 00007fffffffbce8 0000000002d06710 | .........g......
    7fffffffbb90 | 0000000002dff650 00007fffffffc080 | P...............
    7fffffffbba0 | 0000000002d0e713 0000000002ef54d0 | .........T......
    7fffffffbbb0 | 00007fff000000c8 0000011300000000 | ................
    
    -=[disassembly]=-
    => 0x6218e8:    subl   $0x8,-0xec(%rbp)
       0x6218ef:    movl   $0x0,-0xf4(%rbp)
       0x6218f9:    movl   $0x0,-0xe4(%rbp)
       0x621903:    callq  0x10991a5
       0x621908:    mov    %eax,-0xe8(%rbp)
       0x62190e:    movl   $0x1,-0x104(%rbp)
    
    (gdb) c
    Continuing.
    

Due to the heap of the application being in a corrupted state, if the application attempts to use this memory this can result in undefined behaviour. Through proper manipulation of the Excel Document parser’s allocations, the corruption of the data after the 0x6060 memory chunk can allow an attacker to earn code execution within the context of the application.

    Thread 1 "planmaker" received signal SIGSEGV, Segmentation fault.
    0x0000000000ab7aac in ?? ()
    (gdb) x/i $pc
    => 0xab7aac:    mov    0x18(%rax),%rax
    (gdb) i r rax
    rax            0x3f3f3f3f3f3f3f3f  0x3f3f3f3f3f3f3f3f
    (gdb) bt 8
    #0  0x0000000000ab7aac in ?? ()
    #1  0x000000000061eb65 in ?? ()
    #2  0x0000000000634fd2 in ?? ()
    #3  0x0000000000637652 in ?? ()
    #4  0x0000000000638c72 in ?? ()
    #5  0x00000000006962fc in ?? ()
    #6  0x00000000007ea26e in ?? ()
    #7  0x0000000000802753 in ?? ()
    (More stack frames follow...
    (gdb)
    

**Timeline**

2020-11-12 - Vendor Disclosure  
2021-01-19 - Vendor Patched  
2021-02-03 - Public Release

Discovered by a member of Cisco Talos.

Tag

#buffer_overflow