CVE-2022-29776

Suggested description

A stack buffer overflow vulnerability was discovered in ONLYOFFICE DocumentServer 6.0.0 and earlier versions.

An attacker who submits a specially crafted request and file to the server can overflow a fixed-size buffer on the stack. This results in a denial of service and/or remote code execution.


Vulnerability Type

Buffer Overflow


Vendor of the product

ONLYOFFICE - https://www.onlyoffice.com/


Affected products

ONLYOFFICE DocumentServer (the product that embeds the library)

Affected versions: 4.0.0-9 - 6.0.0

Fixed version: 6.0.1

ONLYOFFICE core (the library that contains the vulnerable decoder; see the affected module below)

Affected versions: 4.2.0.236 - 6.1.0.26

Fixed version: 6.1.0.27


Affected components

Affected module: https://github.com/ONLYOFFICE/core/tree/v6.1.0.26

Affected function: https://github.com/ONLYOFFICE/core/blob/3e7628741616716cce009017fc990c13399fc3bb/DesktopEditor/cximage/CxImage/ximaico.cpp#L15


Attack type

  • Remote

Impact

  • Code execution
  • Denial of Service

Attack vector

To exploit the vulnerability, an attacker sends a specially crafted request and file to the server. When the file is decoded, its contents overflow a fixed-size buffer on the stack. Depending on what is overwritten, this crashes the program (denial of service) or, with a suitably constructed payload, yields remote code execution.

bool CxImageICO::Decode(CxFile *hFile)
{
    /* ... */

    BITMAPINFOHEADER bih;   // header read straight from the attacker-supplied file

    /* ... */

    hFile->Read(&bih, sizeof(BITMAPINFOHEADER), 1);

    /* ... */

    // read the palette
    RGBQUAD pal[256];       // fixed-size stack buffer: 256 * 4 = 1024 bytes
    if (bih.biClrUsed)
        hFile->Read(pal, bih.biClrUsed*sizeof(RGBQUAD), 1);   // size taken from the file, never bounded
    else
        hFile->Read(pal, head.biClrUsed*sizeof(RGBQUAD), 1);  // head: the CxImage member BITMAPINFOHEADER (not shown)

    SetPalette(pal, head.biClrUsed);	//palette assign

    /* ... */
}

The BITMAPINFOHEADER structure is read from the file into the local variable bih. Its uint32_t field biClrUsed gives the number of RGBQUAD entries to read from the file into the stack array RGBQUAD pal[256], and nothing checks that this value is at most 256 before the read. A file that sets biClrUsed above 256 makes Read() copy biClrUsed*sizeof(RGBQUAD) bytes into a 1024-byte array, overflowing pal[] on the stack; the same happens through the else branch when the file's biClrUsed is zero and the value comes from head.biClrUsed instead. Because both the count and the bytes that follow the header come from the file, the attacker controls the length and the contents of the out-of-bounds write, limited only by the amount of data remaining in the file. The missing check is a bound on the palette entry count against the array size (and, for images of 8 bits per pixel or less, against the 1 << biBitCount entries such a palette can actually hold).
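The following is an added example, written for this page and not code from ONLYOFFICE or CxImage. It reproduces the size arithmetic of the palette read above against a constructed ICO header, so the overflow condition can be checked without performing the out-of-bounds write, and shows a bounded replacement for the palette read. The MemFile type, its mem_read() function, and the names vulnerable_palette_read_overflows(), read_palette_checked(), decode_ico_palette() and build_ico_blob() are assumptions for the example; the hardening is the editor's, not the fix that ONLYOFFICE shipped.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* On-disk Windows bitmap structures, packed exactly as the ICO format stores them. */
#pragma pack(push, 1)
typedef struct {
    uint32_t biSize;
    int32_t  biWidth;
    int32_t  biHeight;
    uint16_t biPlanes;
    uint16_t biBitCount;
    uint32_t biCompression;
    uint32_t biSizeImage;
    int32_t  biXPelsPerMeter;
    int32_t  biYPelsPerMeter;
    uint32_t biClrUsed;      /* attacker-controlled palette entry count */
    uint32_t biClrImportant;
} BITMAPINFOHEADER;

typedef struct { uint8_t rgbBlue, rgbGreen, rgbRed, rgbReserved; } RGBQUAD;
#pragma pack(pop)

#define PAL_ENTRIES 256u   /* size of the fixed stack array RGBQUAD pal[256] */

/* Hypothetical in-memory stand-in for CxFile; only Read() is modelled. */
typedef struct { const uint8_t *data; size_t len; size_t pos; } MemFile;

/* Mirrors CxFile::Read(buf, size, count): copies up to size*count bytes,
 * stopping at end of data, and returns the number of whole items read. */
static size_t mem_read(MemFile *f, void *buf, size_t size, size_t count) {
    size_t want = size * count, avail = f->len - f->pos;
    size_t n = want < avail ? want : avail;
    memcpy(buf, f->data + f->pos, n);
    f->pos += n;
    return size ? n / size : 0;
}

/* Reproduces the byte count the unpatched Decode() hands to Read() for the palette
 * and compares it with the 1024 bytes that pal[256] holds. No write is performed;
 * this only evaluates the overflow condition for a given header. */
static bool vulnerable_palette_read_overflows(const BITMAPINFOHEADER *bih, uint32_t head_clr_used) {
    uint32_t count = bih->biClrUsed ? bih->biClrUsed : head_clr_used;
    size_t requested = (size_t)count * sizeof(RGBQUAD);   /* bih.biClrUsed*sizeof(RGBQUAD) */
    return requested > PAL_ENTRIES * sizeof(RGBQUAD);
}

/* Bounded palette read (editor's hardening, not ONLYOFFICE's patch): the entry count
 * is checked against the array before any bytes are copied, and a short file is an
 * error instead of leaving part of pal[] uninitialised. */
static bool read_palette_checked(MemFile *f, const BITMAPINFOHEADER *bih,
                                 uint32_t head_clr_used, RGBQUAD pal[PAL_ENTRIES],
                                 uint32_t *out_count) {
    uint32_t count = bih->biClrUsed ? bih->biClrUsed : head_clr_used;
    if (count > PAL_ENTRIES)                       /* the missing bound check */
        return false;
    memset(pal, 0, PAL_ENTRIES * sizeof(RGBQUAD));
    if (count && mem_read(f, pal, sizeof(RGBQUAD), count) != count)
        return false;                              /* truncated palette */
    *out_count = count;
    return true;
}

/* Reads a BITMAPINFOHEADER followed by its palette from buf, as the start of
 * CxImageICO::Decode() does, but through the checked palette reader. */
static bool decode_ico_palette(const uint8_t *buf, size_t len, uint32_t head_clr_used,
                               RGBQUAD pal[PAL_ENTRIES], uint32_t *out_count) {
    MemFile f = { buf, len, 0 };
    BITMAPINFOHEADER bih;
    if (mem_read(&f, &bih, sizeof bih, 1) != 1)
        return false;
    return read_palette_checked(&f, &bih, head_clr_used, pal, out_count);
}

/* Builds a constructed (not captured) header + palette blob with the given biClrUsed
 * and palette_bytes bytes of "ABCD" filler; returns the total length, 0 if cap is too small. */
static size_t build_ico_blob(uint32_t clr_used, uint16_t bpp, size_t palette_bytes,
                             uint8_t *out, size_t cap) {
    BITMAPINFOHEADER bih = {0};
    bih.biSize = (uint32_t)sizeof bih; bih.biWidth = 16; bih.biHeight = 32;
    bih.biPlanes = 1; bih.biBitCount = bpp; bih.biClrUsed = clr_used;
    if (sizeof bih + palette_bytes > cap) return 0;
    memcpy(out, &bih, sizeof bih);
    for (size_t i = 0; i < palette_bytes; i++)
        out[sizeof bih + i] = (uint8_t)(0x41 + (i % 4));
    return sizeof bih + palette_bytes;
}
```

A header with biClrUsed = 1024 makes the original code request 4096 bytes for a 1024-byte array; the checked reader rejects it before touching the stack. Note that the product bih.biClrUsed*sizeof(RGBQUAD) is computed in size_t, so on a 64-bit build a 32-bit biClrUsed cannot wrap it, but on a 32-bit build values of 0x40000000 and above wrap the requested size; a bound on the count, as above, covers both cases, whereas a bound on the byte total would not.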


References