Releases: wolkykim/qdecoder

qDecoder 12.1.0 Release

02 Jun 04:57
2083ed4

Hello qDecoder users!!!

I'm pleased to announce qDecoder 12.1.0 release.

This is a maintenance release that includes important security updates fixing a possible vulnerability in URL decoding (see the report attached below). All qDecoder users are recommended to upgrade to this version as soon as possible.

Best,
Seungyoung Kim

What's Changed

  • Security update: add check on improperly encoded input by @wolkykim in #29
  • Fix crash when multipart boundary is missing. by @MelanieRed in #26
  • Add unit test framework and tests by @wolkykim in #29
  • Other minor updates and improvements
    • Build compatibility updates for Mac
    • Relocate Windows MinGW build codes under src/compat folder
    • Document updates

Full Changelog: v12.0.8...v12.1.0

qDecoder Vulnerability Report Details

Software: qDecoder

Software URL: https://github.com/wolkykim/qdecoder

Version Reviewed: Latest git revision as of 30/05/2022, commit e43f6cc

Bug Type: Heap Overflow

Vector: Protocol, network request parsing

Impact: Remote Code Execution

Discovery Date: 17/05/2022

Discovered By: Giulio De Pasquale and Jesse Hertz of Apple Information Security

Summary:

It is possible to corrupt and control the heap chunks by sending a request ending with the "%" character. QDecoder does not perform a sanity check on the bytes appended after the "%" character, leading to a buffer overflow and possible remote code execution, dependent on the usage of the library.

Technical Details:

QDecoder parses potentially untrusted network requests passed through GET and POST requests or HTML Cookies. HTTP clients tend to send the requests encoded with the standard URL encoding, which QDecoder supports.

As part of the parsing process, QDecoder decodes a request's data from its URL-encoded form [1]. URL-encoded strings use the character "%" to mark the beginning of a special two-byte character sequence.
When QDecoder encounters the escape character, it attempts to decode the following two bytes, subsequently advancing the buffer pointer forward by two bytes [2]. When the data buffer is fully traversed, the parser places a null character at the end of the decoded request [3] to signify the end of the request string.

Unfortunately, the parser does not check the buffer's boundaries, causing a corruption if the request URL ends in a "%" character. When no data is present after the escaping character, the buffer pointer would be advanced by two bytes, effectively jumping over the expected boundary. At this point, the loop would keep reading past the request data until it encounters a null byte, leading to a heap overflow. Additionally, the overflow overwrites the original null byte, creating an overlong string that spans more than one heap chunk. The overflow corrupts the heap chunks when the buffer is reused subsequently by QDecoder [4], which would keep reading until the erroneously placed null byte.

Conclusion and impact:

An attacker can trigger the overflow by sending a request ending with the "%" character. The vulnerability allows controlling the heap chunks' previous size, bk, and fd pointers [5]. By carefully setting the bk and fd pointers, the chunks could be used to write anywhere in the process memory and, finally, lead to remote code execution.

Mitigations/Workarounds:

We propose to add a sanity check for the bytes following the "%" escape character in the _q_urldecode function in internal.c.
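A bounds-checked decoder in the spirit of the proposed fix, as an added example that is not qDecoder's own code: the read position never passes the string's terminator, and a "%" that is not followed by two hex digits is copied through literally instead of being skipped over. The function name `safe_urldecode` and the "+"-to-space rule are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Value of a hex digit, or -1 if c is not one. */
static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* In-place URL decode that never reads past the terminator.
 * A '%' is consumed as an escape only when two more bytes exist before
 * the end of the string AND both are hex digits; otherwise the '%' is
 * copied through literally and the read pointer advances by one byte.
 * Returns the decoded length. (Hypothetical name; not qDecoder's API.) */
size_t safe_urldecode(char *str) {
    size_t len = strlen(str);      /* upper bound for every read below */
    size_t r = 0, w = 0;           /* read and write positions */
    while (r < len) {
        if (str[r] == '+') {       /* form-encoding convention (assumed) */
            str[w++] = ' ';
            r++;
        } else if (str[r] == '%' && r + 2 < len
                   && hexval(str[r + 1]) >= 0 && hexval(str[r + 2]) >= 0) {
            str[w++] = (char)(hexval(str[r + 1]) * 16 + hexval(str[r + 2]));
            r += 3;                /* '%' plus the two hex digits */
        } else {
            str[w++] = str[r++];   /* includes a trailing or malformed '%' */
        }
    }
    str[w] = '\0';                 /* terminator lands inside the buffer */
    return w;
}

int main(void) {
    /* Constructed inputs; the last two end in the pattern from the report. */
    char ok[]   = "name=J%C3%B8rgen+Doe";
    char bad1[] = "name=Jorgen%";
    char bad2[] = "name=Jorgen%4";
    printf("%zu %s\n", safe_urldecode(ok), ok);
    printf("%zu %s\n", safe_urldecode(bad1), bad1);
    printf("%zu %s\n", safe_urldecode(bad2), bad2);
    return 0;
}
```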

References:

[1]: https://github.com/wolkykim/qdecoder/blob/8cef3e8040b73cdaff31469f2e6c1a97d0d7c9c7/src/internal.c#L131
[2]: https://github.com/wolkykim/qdecoder/blob/8cef3e8040b73cdaff31469f2e6c1a97d0d7c9c7/src/internal.c#L146
[3]: https://github.com/wolkykim/qdecoder/blob/8cef3e8040b73cdaff31469f2e6c1a97d0d7c9c7/src/internal.c#L155
[4]: https://github.com/wolkykim/qdecoder/blob/8cef3e8040b73cdaff31469f2e6c1a97d0d7c9c7/src/qcgireq.c#L818
[5]: https://sourceware.org/git/?p=glibc.git;a=blob;f=malloc/malloc.c;h=96149549758dd424f5c08bed3b7ed1259d5d5664;hb=bdc3009b8ff0effdbbfb05eb6b10966753cbf9b8#l1060

qDecoder 12.0.8 Release

27 Aug 19:39

This release includes:

  • Added support for Windows native MinGW toolchain (see the INSTALL.md)
  • Included API document updates

Big thanks to Eric Lequien Esposti for his great contribution to the project.

Thanks
Seungyoung "Steve" Kim

qDecoder 12.0.7 Release

04 Apr 09:14

This is a maintenance release. No major code/functionality changes.
Thanks a lot!!!

Steve Kim

qDecoder 12.0.6 Release

23 Jan 17:56

This is a maintenance release. No major code/functionality changes.
Thanks a lot!!!

Seungyoung "Steve" Kim

qDecoder 12.0.5 Release

22 Mar 08:20

Includes new documentations. No code change.

qDecoder 12.0.4 Release

22 Mar 07:41

Release 12.0.4

  • Fixes
    • Expire time did not take effect in the set-cookie function. Reported by Tianyapiaozi.
    • A memory leak in qentry_t->load(). Reported by Tianyapiaozi.
    • Eliminate a possible infinite loop in case a write call to a local file fails. Bug reported by Brian Simonian.
    • When multipart/form-data content comes with no contents, qdecoder gets stuck. Bug reported by Yaroslav.
    • Adjusted .so symlink to use a relative path. Bug reported by Josh.