Remote Code Execution vulnerability in LibreCAD 2.2.0-rc3 (JWW CDataMoji) #1462
Comments
This fixes issue LibreCAD#1462

A pull request has been submitted with a less invasive mitigation. Data up to 511 bytes is read and any additional data in the field is silently ignored. I've also filed a CVE request with MITRE, referencing this report.

Just out of curiosity, do you have any JWW files for reference?

No, I haven't ever used it. The original application appears to be alive and well, but I can't say anything about the need for import/export support in FreeCAD.

fixed with #1463

This vulnerability has been assigned CVE-2021-45341.
Vulnerable Products
Steps to reproduce or sample file
ACCESS_VIOLATION crash, with eip=0x41414141 (AAAA). Screenshot:
Cause
The CDataMoji entity deserialization at LibreCAD/libraries/jwwlib/src/jwwdoc.h is vulnerable to a stack buffer overflow.
char buf[512] declared in CDataMoji::Serialize() on line 512 is of fixed size 512. Some varieties of CDataMoji provide their own size, e.g. MojiData2 on line 523, and no bounds checking is performed. This allows an attacker to overflow buf and overwrite other stack variables, including the return address.
The attached PoC file is tuned to trigger this behavior in the latest Windows release of LibreCAD, but the same bug is also present in older versions and on other platforms.
Impact
An attacker can craft a JW-CAD input file and thereby gain control over execution flow (EIP controlled directly).
This allows an attacker to run arbitrary code on the system running LibreCAD, with the privileges of the current user.
Proposed Mitigation
CDataMoji::Serialize(), and refuse to load the file if it would overflow buf.
Operating System and LibreCAD version info
Version: 2.2.0-rc3
Compiler: GNU GCC 7.3.0
Compiled on: Nov 29 2021
Qt Version: 5.12.4
Boost Version: 1.65.1
System: Windows 10 (10.0)
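A defensive sketch of the bounds check the proposed mitigation asks for, added here as an example and not code from LibreCAD or jwwlib: the length-prefixed field layout, the names read_text_field, make_record and load_sample, and the sample records are assumptions; the 512-byte stack buffer mirrors the report.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Simplified stand-in for the fixed-size text buffer described in the report
// (the real jwwlib record layout is not reproduced here; this is a hypothetical model).
constexpr std::size_t kBufSize = 512;

enum class Load { Ok, Rejected };

// Parse one length-prefixed text field: 4-byte little-endian length, then the bytes.
// Unlike the reported code, the declared length is validated before any copy:
// it must fit in buf (leaving room for the terminator) and in the remaining input.
Load read_text_field(const std::uint8_t* in, std::size_t in_len,
                     char (&buf)[kBufSize], std::size_t& text_len) {
    text_len = 0;
    if (in_len < 4) return Load::Rejected;               // truncated header
    std::uint32_t declared = static_cast<std::uint32_t>(in[0])
                           | (static_cast<std::uint32_t>(in[1]) << 8)
                           | (static_cast<std::uint32_t>(in[2]) << 16)
                           | (static_cast<std::uint32_t>(in[3]) << 24);
    if (declared >= kBufSize) return Load::Rejected;     // would overflow buf: refuse the file
    if (declared > in_len - 4) return Load::Rejected;    // claims more bytes than the input holds
    std::memcpy(buf, in + 4, declared);
    buf[declared] = '\0';
    text_len = declared;
    return Load::Ok;
}

// Constructed sample record: a declared length followed by `body` bytes of 'A',
// the byte pattern behind the eip=0x41414141 crash in the report.
std::vector<std::uint8_t> make_record(std::uint32_t declared, std::size_t body) {
    std::vector<std::uint8_t> r = {
        static_cast<std::uint8_t>(declared), static_cast<std::uint8_t>(declared >> 8),
        static_cast<std::uint8_t>(declared >> 16), static_cast<std::uint8_t>(declared >> 24)};
    r.insert(r.end(), body, 'A');
    return r;
}

// Run the hardened reader over one constructed record and report the outcome.
Load load_sample(std::uint32_t declared, std::size_t body, std::size_t* got = nullptr) {
    char buf[kBufSize];
    std::size_t n = 0;
    auto rec = make_record(declared, body);
    Load s = read_text_field(rec.data(), rec.size(), buf, n);
    if (got) *got = n;
    return s;
}
```

The merged fix in #1463 truncates to 511 bytes instead; this version follows the report's proposal of rejecting the file outright, which also surfaces the malformed input for logging.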