CVE-2022-29776
Suggested description
A stack buffer overflow vulnerability was discovered in ONLYOFFICE DocumentServer 6.0.0 and earlier versions.
An attacker who sends a specially crafted request and file to the server can overflow a fixed-size buffer on the stack. This results in a denial of service and potentially remote code execution.
Vulnerability Type
Buffer Overflow
Vendor of the product
ONLYOFFICE - https://www.onlyoffice.com/
Affected products
- DocumentServer - https://github.com/ONLYOFFICE/DocumentServer/
Affected versions: 4.0.0-9 - 6.0.0
Fixed version: 6.0.1
Affected versions: 4.2.0.236 - 6.1.0.26
Fixed version: 6.1.0.27
Affected components
Affected module: https://github.com/ONLYOFFICE/core/tree/v6.1.0.26
Affected function: https://github.com/ONLYOFFICE/core/blob/3e7628741616716cce009017fc990c13399fc3bb/DesktopEditor/cximage/CxImage/ximaico.cpp#L15
Attack type
- Remote
Impact
- Code execution
- Denial of Service
Attack vector
To exploit the vulnerability, an attacker sends a specially crafted request and file to the server. The file overflows a fixed-size buffer on the stack, which corrupts the program's execution: it can crash the process (denial of service) or lead to remote code execution. The overflow is in the ICO decoder of the bundled CxImage library:
```cpp
bool CxImageICO::Decode(CxFile *hFile)
{
    /* ... */
    BITMAPINFOHEADER bih;
    /* ... */
    hFile->Read(&bih, sizeof(BITMAPINFOHEADER), 1);   // header, including biClrUsed, comes straight from the file
    /* ... */
    // read the palette
    RGBQUAD pal[256];                                 // fixed-size stack array: 256 entries
    if (bih.biClrUsed)
        hFile->Read(pal, bih.biClrUsed*sizeof(RGBQUAD), 1);   // no check that biClrUsed <= 256
    else
        hFile->Read(pal, head.biClrUsed*sizeof(RGBQUAD), 1);
    SetPalette(pal, head.biClrUsed); //palette assign
    /* ... */
}
```

The BITMAPINFOHEADER structure is read from the file into the bih variable. Its uint32_t biClrUsed field gives the number of RGBQUAD entries to read from the file into the RGBQUAD pal[256] array. The value is taken from the file without any validation, so it may exceed 256; in that case the Read call writes past the end of pal and overflows the array of RGBQUAD structures on the stack.
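The following is an added example, not code from ONLYOFFICE or CxImage. It reproduces the vulnerable pattern in plain C against a constructed in-memory ICO/DIB header, shows the byte count the decoder would hand to Read() against the capacity of the 256-entry palette array, and places a hardened version of the palette read beside it. The names MemFile, mem_read, build_ico_dib, vulnerable_palette_read_size, decode_palette_safe and PAL_CAPACITY are assumptions of this example; the header bytes are constructed inline, and a little-endian host is assumed. The vulnerable function deliberately stops short of performing the out-of-bounds copy so the example runs safely.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* On-disk Win32 layouts (little-endian), as read by the ICO decoder. */
#pragma pack(push, 1)
typedef struct {
    uint32_t biSize;
    int32_t  biWidth;
    int32_t  biHeight;
    uint16_t biPlanes;
    uint16_t biBitCount;
    uint32_t biCompression;
    uint32_t biSizeImage;
    int32_t  biXPelsPerMeter;
    int32_t  biYPelsPerMeter;
    uint32_t biClrUsed;        /* attacker-controlled palette entry count */
    uint32_t biClrImportant;
} BITMAPINFOHEADER;

typedef struct { uint8_t rgbBlue, rgbGreen, rgbRed, rgbReserved; } RGBQUAD;
#pragma pack(pop)

/* Assumed stand-in for CxFile: a read cursor over an in-memory buffer. */
typedef struct { const uint8_t *data; size_t len, pos; } MemFile;

/* fread-style Read(): copies up to size*count bytes, returns whole items read. */
static size_t mem_read(MemFile *f, void *dst, size_t size, size_t count) {
    size_t want = size * count, avail = f->len - f->pos;
    size_t got = want < avail ? want : avail;
    memcpy(dst, f->data + f->pos, got);
    f->pos += got;
    return size ? got / size : 0;
}

/* Constructs a 40-byte BITMAPINFOHEADER claiming clr_used colours, followed by
   palette_entries RGBQUAD records. Returns bytes written, 0 if cap is too small. */
static size_t build_ico_dib(uint8_t *out, size_t cap, uint32_t clr_used, size_t palette_entries) {
    BITMAPINFOHEADER bih = {0};
    bih.biSize = sizeof bih; bih.biWidth = 16; bih.biHeight = 32;
    bih.biPlanes = 1; bih.biBitCount = 8; bih.biClrUsed = clr_used;
    size_t need = sizeof bih + palette_entries * sizeof(RGBQUAD);
    if (need > cap) return 0;
    memcpy(out, &bih, sizeof bih);
    for (size_t i = 0; i < palette_entries; i++) {
        RGBQUAD q = { (uint8_t)i, (uint8_t)(i >> 8), 0x41, 0 };
        memcpy(out + sizeof bih + i * sizeof q, &q, sizeof q);
    }
    return need;
}

#define PAL_CAPACITY (256 * sizeof(RGBQUAD))   /* sizeof(RGBQUAD pal[256]) */

/* The unsafe pattern from ximaico.cpp reduced to its size computation: the byte
   count that Read(pal, bih.biClrUsed*sizeof(RGBQUAD), 1) would copy into the
   256-entry stack array, with no comparison against PAL_CAPACITY. The copy
   itself is intentionally not performed here. */
static size_t vulnerable_palette_read_size(const uint8_t *buf, size_t len) {
    BITMAPINFOHEADER bih;
    MemFile f = { buf, len, 0 };
    if (mem_read(&f, &bih, sizeof bih, 1) != 1) return 0;
    return (size_t)bih.biClrUsed * sizeof(RGBQUAD);
}

/* Hardened equivalent: resolves biClrUsed == 0 per the BMP convention (2^bpp
   entries for paletted images), bounds the count by the array, and rejects a
   file that ends before the palette it claims. Returns entries loaded or -1. */
static int decode_palette_safe(const uint8_t *buf, size_t len, RGBQUAD pal[256]) {
    BITMAPINFOHEADER bih;
    MemFile f = { buf, len, 0 };
    if (mem_read(&f, &bih, sizeof bih, 1) != 1) return -1;
    if (bih.biSize != sizeof bih) return -1;
    uint32_t n = bih.biClrUsed;
    if (n == 0 && bih.biBitCount <= 8) n = 1u << bih.biBitCount;
    if (n > 256) return -1;                                      /* the missing check */
    if (mem_read(&f, pal, sizeof(RGBQUAD), n) != n) return -1;   /* truncated palette */
    return (int)n;
}

int main(void) {
    uint8_t buf[4096];
    RGBQUAD pal[256];
    size_t n = build_ico_dib(buf, sizeof buf, 1000, 1000);   /* 1000 > 256 */
    printf("vulnerable read size: %zu bytes into a %zu-byte array\n",
           vulnerable_palette_read_size(buf, n), PAL_CAPACITY);
    printf("hardened decoder: %d\n", decode_palette_safe(buf, n, pal));
    return 0;
}
```

The check belongs before the Read, not after: by the time SetPalette sees the count, the stack frame has already been overwritten. Bounding n by the array also covers the biClrUsed == 0 branch, which the original resolves from a second header and is equally attacker-influenced.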