83 lines
No EOL
3.7 KiB
Text
83 lines
No EOL
3.7 KiB
Text
>> Heap overflow and integer overflow in ICU library (v52 to v54)
|
|
>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security
|
|
=================================================================================
|
|
Disclosure: 04/05/2015 / Last updated: 07/05/2015
|
|
|
|
>> Background on the affected products:
|
|
ICU is a mature, widely used set of C/C++ and Java libraries providing Unicode and Globalization support for software applications. ICU is widely portable and gives applications the same results on all platforms and between C/C++ and Java software.
|
|
|
|
|
|
>> Summary:
|
|
While fuzzing LibreOffice an integer overflow and a heap overflow were found in the ICU library. This library is used by LibreOffice and hundreds of other software packages.
|
|
Proof of concept files can be downloaded from [1]. These files have been tested with LibreOffice 4.3.3.2 and LibreOffice 4.4.0-beta2 and ICU 52.
|
|
Note that at this point in time it is unknown whether these vulnerabilities are exploitable.
|
|
Thanks to CERT [2] for helping disclose these vulnerabilities.
|
|
|
|
|
|
>> Technical details:
|
|
#1
|
|
Vulnerability: Heap overflow
|
|
CVE-2014-8146
|
|
|
|
The code to blame is the following (from ubidi.c:2148 in ICU 52):
|
|
dirProp=dirProps[limit-1];
|
|
if((dirProp==LRI || dirProp==RLI) && limit<pBiDi->length) {
|
|
pBiDi->isolateCount++;
|
|
pBiDi->isolates[pBiDi->isolateCount].stateImp=stateImp;
|
|
pBiDi->isolates[pBiDi->isolateCount].state=levState.state;
|
|
pBiDi->isolates[pBiDi->isolateCount].start1=start1;
|
|
}
|
|
else
|
|
processPropertySeq(pBiDi, &levState, eor, limit, limit);
|
|
|
|
Under certain conditions isolateCount is incremented too many times, which results in several out of bounds writes. See [1] for a more detailed analysis.
|
|
|
|
|
|
#2
|
|
Vulnerability: Integer overflow
|
|
CVE-2014-8147
|
|
|
|
The overflow is on the resolveImplicitLevels function (ubidi.c:2248):
|
|
pBiDi->isolates[pBiDi->isolateCount].state=levState.state;
|
|
|
|
pBiDi->isolates[].state is a int16, while levState.state is a int32.
|
|
The overflow causes an error when performing a malloc on pBiDi->insertPoints->points because insertPoints is adjacent in memory to isolates[].
|
|
|
|
The Isolate struct is defined in ubidiimp.h:184
|
|
typedef struct Isolate {
|
|
int32_t startON;
|
|
int32_t start1;
|
|
int16_t stateImp;
|
|
int16_t state;
|
|
} Isolate;
|
|
|
|
LevState is defined in ubidi.c:1748
|
|
typedef struct {
|
|
const ImpTab * pImpTab; /* level table pointer */
|
|
const ImpAct * pImpAct; /* action map array */
|
|
int32_t startON; /* start of ON sequence */
|
|
int32_t startL2EN; /* start of level 2 sequence */
|
|
int32_t lastStrongRTL; /* index of last found R or AL */
|
|
int32_t state; /* current state */
|
|
int32_t runStart; /* start position of the run */
|
|
UBiDiLevel runLevel; /* run level before implicit solving */
|
|
} LevState;
|
|
|
|
|
|
>> Fix:
|
|
All ICU releases between 52 and 54 are affected. Upgrade to ICU 55.1 to fix these vulnerabilities.
|
|
There are many other software packages which embed the ICU code and will need to be updated.
|
|
Patches that fix these vulnerabilities can be obtained from the ICU project in [3] and [4].
|
|
|
|
|
|
>> References:
|
|
[1] https://github.com/pedrib/PoC/raw/master/generic/i-c-u-fail.7z (EDB Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/43887.zip)
|
|
[2] https://www.kb.cert.org/vuls/id/602540
|
|
[3] http://bugs.icu-project.org/trac/changeset/37080
|
|
[4] http://bugs.icu-project.org/trac/changeset/37162
|
|
|
|
|
|
================
|
|
Agile Information Security Limited
|
|
http://www.agileinfosec.co.uk/
|
|
>> Enabling secure digital business >> |