CVE-2022-29777
Suggested description
Heap buffer overflow (underflow) vulnerability was discovered in ONLYOFFICE DocumentServer 6.0.0 and earlier versions.
An attacker using a specially crafted request and file to the server can write a pointer with controlled data into the heap chunk located at a lower address. This results in Remote Code Execution, and can also lead to program crash and/or Denial of Service.
Vulnerability Type
Buffer Overflow
Vendor of the product
ONLYOFFICE - https://www.onlyoffice.com/
Affected products
- DocumentServer - https://github.com/ONLYOFFICE/DocumentServer/
Affected versions: 4.0.0-9 - 6.0.0
Fixed version: 6.0.1
Affected versions: 4.2.0.236 - 6.0.1.15
Fixed version: 6.0.1.21
Affected components
Affected module: https://github.com/ONLYOFFICE/core/tree/v6.0.1.15
Affected function: https://github.com/ONLYOFFICE/core/blob/9a9d60031ecea59ffad3d80cdb141e1bf29d25e7/DesktopEditor/fontengine/fontconverter/FontFileType1.cpp#L310
Attack type
- Remote
Impact
- Code execution
- Denial of Service
Attack vector
To exploit the vulnerability, an attacker must use a specially crafted request and a file to the server, which allows going beyond the lower bound of the heap buffer and writing a pointer to controlled data there.
This is a strong primitive when writing exploits that lead to Remote Code Execution, and can also lead to program crash and/or Denial of Service.
void CFontFileType1::Parse()
{
/* ... */
m_arrEncoding = (char **)MemUtilsMallocArray(256, sizeof(char *));
/* ... */
int nCode = atoi( pCur );
/* ... */
if ( nCode < 256 )
{
for ( pCur = pTemp; *pCur == ' ' || *pCur == '\t'; ++pCur ) ;
if ( *pCur == '/')
{
++pCur;
for ( pTemp = pCur; *pTemp && *pTemp != ' ' && *pTemp != '\t'; ++pTemp ) ;
*pTemp = '\0';
m_arrEncoding[ nCode ] = CopyString( pCur );
}
}
/* ... */
}The atoi function can return a negative value, which will be written to the sign integer variable nCode. This value is less than the upper buffer limit (256) because it is negative, causing the following condition to pass. After that, the value is applied as an offset of the array m_arrEncoding, which means referring to previous, smaller addresses relative to the m_arrEncoding pointer.
The vulnerability allows writing the pointer of a heap-chunk with a specific string from a file controlled by the attacker, into a neighboring (located at a lower address) heap-chunk.