Skip to content

Remote Code Execution vulnerability in LibreCAD 2.2.0-rc3 (JWW CDataList) #1464

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
eldstal opened this issue Dec 18, 2021 · 2 comments
Closed

Remote Code Execution vulnerability in LibreCAD 2.2.0-rc3 (JWW CDataList) #1464

eldstal opened this issue Dec 18, 2021 · 2 comments
Labels
bug An error which causes unexpected or unintended results

Comments

@eldstal
Copy link
Contributor

eldstal commented Dec 18, 2021

Vulnerable Products

  • LibreCAD 2.2.0-rc3 and older

Steps to reproduce or sample file

  1. Start LibreCAD 2.2.0 in a debugger

  2. File/Open...

  3. Unzip and open the attached proof-of-concept file

  4. Observe ACCESS_VIOLATION crash, with eip=0x41414141 (AAAA)

Screenshot:

jww_cdatalist

Cause

The CDataList entity deserialization in LibreCAD/libraries/jwwlib/src/jwwdoc.h is vulnerable to a stack buffer overflow. char buf[512] declared in CDataList::Serialize() on line 784 is of fixed size 512. One variety of CDataList provides its own size field, as seen on line 795 and no bounds checking is performed. This allows an attacker to overflow buf and overwrite other stack variables, including the return address.

The attached PoC file is tuned to trigger this behavior in the latest windows release of LibreCAD, but the same bug is also present
in older versions and on other platforms.

Note: This is similar to, but distinct from issue #1462

Impact

An attacker can craft a JW-CAD input file and thereby gain control over execution flow (EIP controlled directly).

This allows an attacker to run arbitrary code on the system running LibreCAD, with the privileges of the current user.

Proposed Mitigation

  1. Perform bounds checking in CDataList::Serialize(), and refuse to load more data to buf than actually supported.
  2. Enable stack smashing protection in the windows build of LibreCAD.

Operating System and LibreCAD version info

Version: 2.2.0-rc3
Compiler: GNU GCC 7.3.0
Compiled on: Nov 29 2021
Qt Version: 5.12.4
Boost Version: 1.65.1
System: Windows 10 (10.0)
eldstal added a commit to eldstal/LibreCAD that referenced this issue Dec 18, 2021
@eldstal
Added bounds check to CDataList in JWW parser
4edcbe7 
This fixes issue LibreCAD#1464
@lordofbikes lordofbikes added the bug An error which causes unexpected or unintended results label Dec 19, 2021
lordofbikes added a commit that referenced this issue Jan 4, 2022
@lordofbikes
Merge pull request #1465 from eldstal/cdatalist [ci skip]
e6a8fff 
Added bounds check to CDataList in JWW parser (Issue #1464)
@lordofbikes
Copy link
Member

fixed with #1465

@eldstal eldstal mentioned this issue Jan 5, 2022
Open
@eldstal
Copy link
Contributor Author

eldstal commented Jan 25, 2022

This vulnerability has been assigned CVE-2021-45342.

LeSuisse added a commit to LeSuisse/nixpkgs that referenced this issue Jan 30, 2022
@LeSuisse
librecad: apply patch for CVE-2021-45342
6896348 
LibreCAD/LibreCAD#1464
@LeSuisse LeSuisse mentioned this issue Jan 30, 2022
Merged
13 tasks
github-actions bot pushed a commit to NixOS/nixpkgs that referenced this issue Feb 1, 2022
@LeSuisse @github-actions
librecad: apply patch for CVE-2021-45342
424aab5 
LibreCAD/LibreCAD#1464
(cherry picked from commit 6896348)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug An error which causes unexpected or unintended results
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@eldstal @lordofbikes