
CVE-2021-45341: Remote Code Execution vulnerability in LibreCAD 2.2.0-rc3 (JWW CDataMoji) · Issue #1462 · LibreCAD/LibreCAD

A buffer overflow vulnerability in CDataMoji of the jwwlib component of LibreCAD 2.2.0-rc3 and older allows an attacker to achieve Remote Code Execution using a crafted JWW document.


Vulnerable Products

  • LibreCAD 2.2.0-rc3 and older
  • Jw_cad 8.24a and older

Steps to reproduce or sample file

  1. Start LibreCAD 2.2.0-rc3 in a debugger
  2. File/Open…
  3. Unzip and open the attached proof of concept file
  4. Observe ACCESS_VIOLATION crash, with eip=0x41414141 (AAAA)


Cause

The CDataMoji entity deserialization in LibreCAD/libraries/jwwlib/src/jwwdoc.h is vulnerable to a stack buffer overflow. char buf[512], declared in CDataMoji::Serialize() on line 512, is of fixed size 512. Some varieties of CDataMoji provide their own size, e.g. MojiData2 on line 523, and no bounds checking is performed. This allows an attacker to overflow buf and overwrite other stack variables, including the return address.

The attached PoC file is tuned to trigger this behavior in the latest Windows release of LibreCAD, but the same bug is also present in older versions and on other platforms.

Impact

An attacker can craft a JW-CAD input file and thereby gain control over execution flow (EIP controlled directly).

This allows an attacker to run arbitrary code on the system running LibreCAD, with the privileges of the current user.

Proposed Mitigation

  1. Perform bounds checking in CDataMoji::Serialize(), and refuse to load the file if it would overflow buf.
  2. Enable stack smashing protection in the Windows build of LibreCAD.
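The following is an added illustration of mitigation 1, not code from LibreCAD or jwwlib. It models the pattern the report describes (a length taken from the file copied into a fixed 512-byte stack buffer) and shows the bounds-checked form that refuses the record instead of overflowing. ByteStream, load_moji_unchecked, load_moji_checked, make_record and check_record are hypothetical names; the record layout (a 32-bit little-endian length followed by the text bytes) is a constructed stand-in for the real JWW encoding.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>

// Constructed stand-in for the byte stream a JWW reader pulls from.
// (Hypothetical; the real jwwlib reader API is not reproduced here.)
struct ByteStream {
    const std::vector<uint8_t>& data;
    size_t pos = 0;
    explicit ByteStream(const std::vector<uint8_t>& d) : data(d) {}

    bool read_u32(uint32_t& out) {
        if (data.size() - pos < 4) return false;
        out = (uint32_t)data[pos] | ((uint32_t)data[pos + 1] << 8) |
              ((uint32_t)data[pos + 2] << 16) | ((uint32_t)data[pos + 3] << 24);
        pos += 4;
        return true;
    }
    bool read_bytes(char* dst, size_t n) {
        if (data.size() - pos < n) return false;  // never read past the file
        std::memcpy(dst, data.data() + pos, n);
        pos += n;
        return true;
    }
};

enum class LoadResult { Ok, Truncated, TooLong };

// The pattern the report describes: the length field is trusted and copied
// straight into a fixed-size stack buffer. Shown for contrast only; it is
// never exercised with an over-long record here.
LoadResult load_moji_unchecked(ByteStream& in, std::string& text) {
    char buf[512];
    uint32_t len;
    if (!in.read_u32(len)) return LoadResult::Truncated;
    if (!in.read_bytes(buf, len)) return LoadResult::Truncated;  // len > 512 overflows buf
    text.assign(buf, len);
    return LoadResult::Ok;
}

// Hardened form: compare the declared length against sizeof(buf) before any
// copy, and reject the file if it does not fit.
LoadResult load_moji_checked(ByteStream& in, std::string& text) {
    char buf[512];
    uint32_t len;
    if (!in.read_u32(len)) return LoadResult::Truncated;
    if (len > sizeof(buf)) return LoadResult::TooLong;  // refuse to load
    if (!in.read_bytes(buf, len)) return LoadResult::Truncated;
    text.assign(buf, len);
    return LoadResult::Ok;
}

// Builds a constructed record: a declared length followed by payload_len
// bytes of 'A' (0x41). declared_len and payload_len may disagree, which is
// how a truncated file is modelled.
std::vector<uint8_t> make_record(uint32_t declared_len, size_t payload_len) {
    std::vector<uint8_t> rec = {
        (uint8_t)(declared_len), (uint8_t)(declared_len >> 8),
        (uint8_t)(declared_len >> 16), (uint8_t)(declared_len >> 24)};
    rec.insert(rec.end(), payload_len, 0x41);
    return rec;
}

// Runs the checked loader over a constructed record and reports the outcome.
LoadResult check_record(uint32_t declared_len, size_t payload_len,
                        std::string* text_out = nullptr) {
    std::vector<uint8_t> rec = make_record(declared_len, payload_len);
    ByteStream in(rec);
    std::string text;
    LoadResult r = load_moji_checked(in, text);
    if (text_out) *text_out = text;
    return r;
}

int main() {
    // A 5-byte record loads; a 600-byte record is refused; a record whose
    // declared length exceeds the bytes actually present is reported truncated.
    return check_record(5, 5) == LoadResult::Ok &&
           check_record(600, 600) == LoadResult::TooLong &&
           check_record(100, 20) == LoadResult::Truncated ? 0 : 1;
}
```

The check compares the declared length against sizeof(buf) rather than a repeated literal, so the two cannot drift apart if the buffer is ever resized. Mitigation 2 is complementary rather than a substitute: with GCC, -fstack-protector-strong places a canary before the saved return address so an overflow that does get through aborts the process instead of redirecting execution, but only the length check keeps the file from being parsed at all.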

Operating System and LibreCAD version info

Version: 2.2.0-rc3
Compiler: GNU GCC 7.3.0
Compiled on: Nov 29 2021
Qt Version: 5.12.4
Boost Version: 1.65.1
System: Windows 10 (10.0)

Related news

Gentoo Linux Security Advisory 202305-26

Gentoo Linux Security Advisory 202305-26 - Multiple vulnerabilities have been discovered in LibreCAD, the worst of which could result in denial of service. Versions greater than or equal to 2.1.3-r7 are affected.

Ubuntu Security Notice USN-5957-1

Ubuntu Security Notice 5957-1 - Cody Sixteen discovered that LibreCAD incorrectly handled memory when parsing DXF files. An attacker could use this issue to cause LibreCAD to crash, leading to a denial of service. This issue only affected Ubuntu 16.04 ESM and Ubuntu 18.04 ESM. Lilith of Cisco Talos discovered that LibreCAD incorrectly handled memory when parsing DWG files. An attacker could use this issue to cause LibreCAD to crash, leading to a denial of service, or possibly execute arbitrary code.
