CVE-2022-29776

Suggested description

A stack buffer overflow vulnerability was discovered in ONLYOFFICE DocumentServer 6.0.0 and earlier versions.

An attacker who sends a specially crafted request and file to the server can overflow a fixed-size buffer on the stack. This results in a denial of service and/or remote code execution.


Vulnerability Type

Buffer Overflow


Vendor of the product

ONLYOFFICE - https://www.onlyoffice.com/


Affected products

Affected versions: 4.0.0-9 - 6.0.0

Fixed version: 6.0.1

Affected versions: 4.2.0.236 - 6.1.0.26

Fixed version: 6.1.0.27


Affected components

Affected module: https://github.com/ONLYOFFICE/core/tree/v6.1.0.26

Affected function: https://github.com/ONLYOFFICE/core/blob/3e7628741616716cce009017fc990c13399fc3bb/DesktopEditor/cximage/CxImage/ximaico.cpp#L15


Attack type

  • Remote

Impact

  • Code execution
  • Denial of Service

Attack vector

To exploit the vulnerability, an attacker must send a specially crafted request and file to the server, which overflows the contents of a fixed-size buffer on the stack. This corrupts the program's execution: it can cause a crash, a denial of service, or remote code execution.

bool CxImageICO::Decode(CxFile *hFile)
{
    /* ... */

    BITMAPINFOHEADER bih;

    /* ... */

    hFile->Read(&bih, sizeof(BITMAPINFOHEADER), 1);

    /* ... */

    // read the palette
    RGBQUAD pal[256];                       // fixed-size stack buffer: 256 * sizeof(RGBQUAD) bytes
    if (bih.biClrUsed)
        // biClrUsed comes straight from the file and is never checked against 256
        hFile->Read(pal, bih.biClrUsed*sizeof(RGBQUAD), 1);
    else
        hFile->Read(pal, head.biClrUsed*sizeof(RGBQUAD), 1);

    SetPalette(pal, head.biClrUsed);        // palette assign

    /* ... */
}

The BITMAPINFOHEADER structure is read from the file into the bih variable. Its uint32_t biClrUsed field gives the number of RGBQUAD structures to read from the file into the RGBQUAD pal[256] array. Because that value is taken from the file without a bounds check, it may exceed 256, and the read then overflows the RGBQUAD pal[256] array on the stack.
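The following C program is an added illustration and is not code from ONLYOFFICE or CxImage. It models the palette read described above with minimal stand-ins for BITMAPINFOHEADER, RGBQUAD and the file reader (names BitmapInfoHeader, RgbQuad, MemFile and read_palette_checked are this example's own), and shows the check the decoder is missing: the file-supplied biClrUsed is validated against the 256-entry buffer, and the read is rejected if the count is too large or the file is shorter than the count claims. The fallback to the image's own head.biClrUsed when the file value is zero is omitted here; a zero count is simply treated as "no palette". The sample inputs are constructed inline.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for BITMAPINFOHEADER (40 bytes, same field order). */
typedef struct {
    uint32_t biSize;
    int32_t  biWidth;
    int32_t  biHeight;
    uint16_t biPlanes;
    uint16_t biBitCount;
    uint32_t biCompression;
    uint32_t biSizeImage;
    int32_t  biXPelsPerMeter;
    int32_t  biYPelsPerMeter;
    uint32_t biClrUsed;      /* untrusted: number of palette entries claimed by the file */
    uint32_t biClrImportant;
} BitmapInfoHeader;

/* Stand-in for RGBQUAD. */
typedef struct { uint8_t rgbBlue, rgbGreen, rgbRed, rgbReserved; } RgbQuad;

#define MAX_PALETTE_ENTRIES 256   /* size of the fixed stack array in the decoder */

/* In-memory stand-in for CxFile: a byte buffer with a read cursor. */
typedef struct { const uint8_t *data; size_t len; size_t pos; } MemFile;

/* Bounded read: fails instead of reading past the end of the buffer. */
static bool mem_read(MemFile *f, void *dst, size_t n) {
    if (n > f->len - f->pos) return false;
    memcpy(dst, f->data + f->pos, n);
    f->pos += n;
    return true;
}

/* Hardened palette read. Returns the number of entries loaded into pal,
 * or -1 if the header is truncated, claims more than 256 entries, or the
 * file does not actually contain the entries it claims. */
int read_palette_checked(MemFile *f, RgbQuad pal[MAX_PALETTE_ENTRIES]) {
    BitmapInfoHeader bih;
    if (!mem_read(f, &bih, sizeof bih)) return -1;
    /* The missing check: a file-controlled count must never exceed the buffer. */
    if (bih.biClrUsed > MAX_PALETTE_ENTRIES) return -1;
    /* biClrUsed <= 256 here, so this multiplication cannot wrap. */
    size_t bytes = (size_t)bih.biClrUsed * sizeof(RgbQuad);
    if (bytes != 0 && !mem_read(f, pal, bytes)) return -1;
    return (int)bih.biClrUsed;
}

/* Builds a constructed header + palette blob. clr_used is what the header
 * claims; entries_present is how many RgbQuad entries actually follow it. */
static size_t build_sample(uint8_t *out, size_t cap, uint32_t clr_used, uint32_t entries_present) {
    BitmapInfoHeader bih;
    memset(&bih, 0, sizeof bih);
    bih.biSize = sizeof bih;
    bih.biWidth = 16; bih.biHeight = 32; bih.biPlanes = 1; bih.biBitCount = 4;
    bih.biClrUsed = clr_used;
    size_t need = sizeof bih + (size_t)entries_present * sizeof(RgbQuad);
    if (need > cap) return 0;
    memcpy(out, &bih, sizeof bih);
    for (uint32_t i = 0; i < entries_present; i++) {
        RgbQuad q = { (uint8_t)i, (uint8_t)(i * 2), (uint8_t)(i * 3), 0 };
        memcpy(out + sizeof bih + (size_t)i * sizeof q, &q, sizeof q);
    }
    return need;
}

/* Runs the hardened decoder over one constructed input and returns its verdict
 * (entries loaded, -1 rejected, -2 if the sample could not be built). */
int decode_sample(uint32_t clr_used, uint32_t entries_present) {
    uint8_t blob[sizeof(BitmapInfoHeader) + MAX_PALETTE_ENTRIES * sizeof(RgbQuad)];
    size_t n = build_sample(blob, sizeof blob, clr_used, entries_present);
    if (n == 0) return -2;
    MemFile f = { blob, n, 0 };
    RgbQuad pal[MAX_PALETTE_ENTRIES];
    return read_palette_checked(&f, pal);
}

int main(void) {
    printf("16 entries claimed, 16 present:    %d\n", decode_sample(16, 16));     /* 16 */
    printf("256 entries claimed, 256 present:  %d\n", decode_sample(256, 256));   /* 256 */
    printf("1000 entries claimed (overflow):   %d\n", decode_sample(1000, 256));  /* -1 */
    printf("64 claimed but only 8 present:     %d\n", decode_sample(64, 8));      /* -1 */
    return 0;
}
```

The third case is the shape of the input this advisory describes: the header claims more entries than the 256-slot array can hold, and the unchecked original would copy biClrUsed * sizeof(RGBQUAD) bytes onto the stack. The fourth case shows the other half of a safe read, checking that the file really contains what the count promises rather than trusting the count at all.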


References