
Remote Code Execution vulnerability in LibreCAD 2.2.0-rc3 (JWW CDataMoji) #1462

Closed
eldstal opened this issue Dec 18, 2021 · 5 comments
Labels
bug An error which causes unexpected or unintended results

Comments

@eldstal
Contributor

eldstal commented Dec 18, 2021

Vulnerable Products

  • LibreCAD 2.2.0-rc3 and older
  • Jw_cad 8.24a and older

Steps to reproduce or sample file

  1. Start LibreCAD 2.2.0-rc3 in a debugger
  2. File/Open...
  3. Unzip and open the attached proof of concept file
  4. Observe ACCESS_VIOLATION crash, with eip=0x41414141 (AAAA)

[Screenshot: x32dbg showing librecad.exe executing at 0x41414141]

Cause

The CDataMoji entity deserialization at LibreCAD/libraries/jwwlib/src/jwwdoc.h is vulnerable to a stack buffer overflow. char buf[512], declared in CDataMoji::Serialize() on line 512, is of fixed size 512. Some varieties of CDataMoji provide their own size, e.g. MojiData2 on line 523, and no bounds checking is performed. This allows an attacker to overflow buf and overwrite other stack variables, including the return address.

The attached PoC file is tuned to trigger this behavior in the latest Windows release of LibreCAD, but the same bug is also present in older versions and on other platforms.

Impact

An attacker can craft a JW-CAD input file and thereby gain control over execution flow (EIP controlled directly).

This allows an attacker to run arbitrary code on the system running LibreCAD, with the privileges of the current user.

Proposed Mitigation

  1. Perform bounds checking in CDataMoji::Serialize(), and refuse to load the file if it would overflow buf.
  2. Enable stack smashing protection in the windows build of LibreCAD.

Operating System and LibreCAD version info

Version: 2.2.0-rc3
Compiler: GNU GCC 7.3.0
Compiled on: Nov 29 2021
Qt Version: 5.12.4
Boost Version: 1.65.1
System: Windows 10 (10.0)

eldstal added a commit to eldstal/LibreCAD that referenced this issue Dec 18, 2021
@eldstal
Contributor Author

eldstal commented Dec 18, 2021

A pull request has been submitted with a less invasive mitigation. Data up to 511 bytes is read and any additional data in the field is silently ignored.

Any jww file which previously loaded without data corruption should still work with this fix. Files with oversized CDataMoji fields will have their data truncated, but should still parse properly.

I've also filed a CVE request with MITRE, referencing this report.
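
The overflow described in the Cause section above and the truncating fix described in this follow-up comment, as an added example in C that is not part of LibreCAD or jwwlib: a constructed length-prefixed text record (the record layout, the MOJI_BUF constant, and every function name here are assumptions for illustration, not the real JWW encoding) is read first by a reader with the shape of the reported bug, then by the two mitigations the thread discusses: the truncating variant (read at most 511 bytes, skip the rest) and the rejecting variant (refuse the file if the field would not fit).

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed to mirror the fixed-size char buf[512] the report describes. */
#define MOJI_BUF 512

/* Constructed record layout for illustration only (not the real JWW encoding):
 * a 4-byte little-endian length, then that many bytes of text. */
static uint32_t rd_u32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* VULNERABLE: the length comes from the file and is never compared with
 * sizeof buf. A length above 511 writes past buf into the caller's frame
 * (saved registers, return address), which is the eip=0x41414141 crash in
 * the report. Kept only to show the shape of the bug; never call it on
 * untrusted data. */
int read_moji_unsafe(const uint8_t *data, size_t size, char *out, size_t outsz) {
    char buf[MOJI_BUF];
    if (size < 4) return -1;
    uint32_t len = rd_u32(data);
    memcpy(buf, data + 4, len);          /* stack overflow when len > 511 */
    buf[len] = '\0';
    snprintf(out, outsz, "%s", buf);
    return (int)(4 + len);
}

/* FIXED, truncating variant (the behaviour the pull request in this thread
 * describes): keep at most MOJI_BUF-1 bytes, NUL-terminate, and still advance
 * past the whole field so the rest of the stream stays in sync. The length
 * is also checked against the bytes remaining, so a bad length cannot read
 * past the end of the input either. */
int read_moji_truncate(const uint8_t *data, size_t size, char *out, size_t outsz) {
    char buf[MOJI_BUF];
    if (size < 4) return -1;
    uint32_t len = rd_u32(data);
    if (len > size - 4) return -1;       /* record claims more bytes than exist */
    size_t n = len < MOJI_BUF ? len : MOJI_BUF - 1;
    memcpy(buf, data + 4, n);
    buf[n] = '\0';
    snprintf(out, outsz, "%s", buf);
    return (int)(4 + len);               /* consume the ignored tail as well */
}

/* FIXED, rejecting variant (the report's first proposed mitigation): refuse
 * the record outright if the field would not fit in buf. */
int read_moji_strict(const uint8_t *data, size_t size, char *out, size_t outsz) {
    if (size < 4) return -1;
    uint32_t len = rd_u32(data);
    if (len >= MOJI_BUF) return -1;      /* would overflow buf: refuse to load */
    return read_moji_truncate(data, size, out, outsz);
}

/* Build a constructed record whose header claims `claimed` bytes while only
 * `present` bytes of filler actually follow. Returns the total size written. */
static size_t make_record(uint8_t *dst, uint32_t claimed, size_t present, uint8_t fill) {
    dst[0] = (uint8_t)claimed;         dst[1] = (uint8_t)(claimed >> 8);
    dst[2] = (uint8_t)(claimed >> 16); dst[3] = (uint8_t)(claimed >> 24);
    memset(dst + 4, fill, present);
    return 4 + present;
}

static uint8_t rec[2048];
static char out[MOJI_BUF];

/* 600 bytes of 0x41 ('A'), the filler seen in the crash: the truncating reader
 * keeps 511 characters and consumes all 604 bytes; the strict reader refuses. */
int demo_oversized_truncate(void) {
    size_t n = make_record(rec, 600, 600, 0x41);
    int consumed = read_moji_truncate(rec, n, out, sizeof out);
    return (consumed == 604 && strlen(out) == MOJI_BUF - 1) ? 604 : -2;
}
int demo_oversized_strict(void) {
    size_t n = make_record(rec, 600, 600, 0x41);
    return read_moji_strict(rec, n, out, sizeof out);
}
/* Header lies: claims 1000 bytes but only 20 follow. Fixed readers refuse
 * instead of reading past the input. */
int demo_short_input(void) {
    size_t n = make_record(rec, 1000, 20, 0x42);
    return read_moji_truncate(rec, n, out, sizeof out);
}
/* Well-formed 10-byte field: every reader agrees and 14 bytes are consumed. */
int demo_normal(void) {
    size_t n = make_record(rec, 10, 10, 'x');
    int a = read_moji_unsafe(rec, n, out, sizeof out);
    int b = read_moji_strict(rec, n, out, sizeof out);
    return (a == b && strcmp(out, "xxxxxxxxxx") == 0) ? a : -2;
}
```

The truncating reader matches the compatibility argument in the comment above: a well-formed file parses identically, and an oversized field loses its tail but the stream position stays correct. The strict reader is the stricter of the two mitigations the report proposes and never copies anything before the check. Compiling the block with -fstack-protector-strong (GCC or Clang) turns the unsafe reader's overflow into a "stack smashing detected" abort rather than a controlled return address, which is what the report's second mitigation asks for in the Windows build; it is a backstop, not a substitute for the bounds check.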

@lordofbikes
Member

Just out of curiosity, do you have any JWW files for reference?
I never ever saw one. We even discussed removing JWW support altogether, because the implementer is not responding and nobody has any kind of reference for the JWW format.
We also can't say whether there were any format changes over time and whether the LibreCAD implementation still works for the latest JWW files.

@eldstal
Contributor Author

eldstal commented Dec 18, 2021

No, I haven't ever used it. The original application appears to be alive and well, but I can't say anything about the need for import/export support in FreeCAD.

@eldstal eldstal changed the title Remote Code Execution vulnerability in LibreCAD 2.2.0-rc3 Remote Code Execution vulnerability in LibreCAD 2.2.0-rc3 (JWW CDataMoji) Dec 18, 2021
@lordofbikes lordofbikes added the bug An error which causes unexpected or unintended results label Dec 19, 2021
lordofbikes added a commit that referenced this issue Jan 4, 2022
@lordofbikes
Member

fixed with #1463

@eldstal
Contributor Author

eldstal commented Jan 25, 2022

This vulnerability has been assigned CVE-2021-45341.
