Description
Vulnerable Products
- LibreCAD 2.2.0-rc3 and older
Steps to reproduce or sample file
-
Start LibreCAD 2.2.0 in a debugger
-
File/Open...
-
Unzip and open the attached proof-of-concept file
-
Observe
ACCESS_VIOLATIONcrash, witheip=0x41414141(AAAA)
Screenshot:
Cause
The CDataList entity deserialization in LibreCAD/libraries/jwwlib/src/jwwdoc.h is vulnerable to a stack buffer overflow. char buf[512] declared in CDataList::Serialize() on line 784 is of fixed size 512. One variety of CDataList provides its own size field, as seen on line 795 and no bounds checking is performed. This allows an attacker to overflow buf and overwrite other stack variables, including the return address.
The attached PoC file is tuned to trigger this behavior in the latest windows release of LibreCAD, but the same bug is also present
in older versions and on other platforms.
Note: This is similar to, but distinct from issue #1462
Impact
An attacker can craft a JW-CAD input file and thereby gain control over execution flow (EIP controlled directly).
This allows an attacker to run arbitrary code on the system running LibreCAD, with the privileges of the current user.
Proposed Mitigation
- Perform bounds checking in
CDataList::Serialize(), and refuse to load more data tobufthan actually supported. - Enable stack smashing protection in the windows build of LibreCAD.
Operating System and LibreCAD version info
Version: 2.2.0-rc3
Compiler: GNU GCC 7.3.0
Compiled on: Nov 29 2021
Qt Version: 5.12.4
Boost Version: 1.65.1
System: Windows 10 (10.0)
