Headline
CVE-2020-13495: TALOS-2020-1104 || Cisco Talos Intelligence Group
An exploitable vulnerability exists in the way Pixar OpenUSD 20.05 handles file offsets in binary USD files. A specially crafted malformed file can trigger an arbitrary out-of-bounds memory access that could lead to the disclosure of sensitive information. This vulnerability could be used to bypass mitigations and aid additional exploitation. To trigger this vulnerability, the victim needs to access an attacker-provided file.
Summary
An exploitable vulnerability exists in the way Pixar OpenUSD 20.05 handles file offsets in binary USD files. A specially crafted malformed file can trigger an arbitrary out-of-bounds memory access that could lead to the disclosure of sensitive information. This vulnerability could be used to bypass mitigations and aid additional exploitation. To trigger this vulnerability, the victim needs to access an attacker-provided file.
Tested Versions
Pixar OpenUSD 20.05
Apple macOS Catalina 10.15.3
Product URLs
https://openusd.org
CVSSv3 Score
4.3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
CWE
CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer
Details
OpenUSD stands for “Open Universal Scene Descriptor” and is a software suite by Pixar that facilitates, among other things, interchange of arbitrary 3-D scenes that may be composed of many elemental assets.
Most notably, USD and its backing file format usd are used on Apple iOS and macOS as part of ModelIO framework in support of SceneKit and ARKit for sharing and displaying 3D scenes in, for example, augmented reality applications. On macOS, these files are automatically rendered to generate thumbnails, while on iOS they can be shared via iMessage and opened with user interaction.
USD binary file format consists of a header pointing to a table of contents that in turn points to individual sections that comprise the whole file. Pointer to a table of contents, as well as back to individual sections from the table of contents, is represented as a 64 bit integer specifying a file offset where the table of contents, or specific section, can be found.
For example, table of contents is read using the following code:
template <class Reader>
CrateFile::_TableOfContents
CrateFile::_ReadTOC(Reader reader, _BootStrap const &b) const
{
reader.Seek(b.tocOffset); [1]
return reader.template Read<_TableOfContents>(); [2]
}
At [1] , table of contents offset read from the file header is used to seek into the file and then the parser proceeds to parse the table of contents at [2]. When dealing with regular files, seek operations usually just shift the current file pointer to the specified offset, however in most practical uses of OpenUSD (including macOS and iOS utilities and applications) USD file will first be memory mapped. When seek is executed, no check is performed to ensure the offset still falls inside the currently memory mapped file. Since the b.tocOffset is a 64 bit integer that is read directly from the mapped file, this can be used to access and read any address in process’ address space.
Similarly to above example, same issue can be triggered when trying to parse individual sections of the file. Following code that parses FIELDS section illustrates this:
template <class Reader>
void
CrateFile::_ReadFieldSets(Reader reader)
{
TfAutoMallocTag tag("_ReadFieldSets");
if (auto fieldSetsSection = _toc.GetSection(_FieldSetsSectionName)) { [3]
reader.Seek(fieldSetsSection->start); [4]
if (Version(_boot) < Version(0,4,0)) { [5]
_fieldSets = reader.template Read<decltype(_fieldSets)>();
} else {
// Compressed fieldSets in 0.4.0.
auto numFieldSets = reader.template Read<uint64_t>();
_fieldSets.resize(numFieldSets);
When parsing the FIELDS section, an offset from table of contents is retrieved at [3] and used in a call to Seek at 4. Then at [5] the parsing continues. Again, no check is performed to ensure that the offset falls inside the file, enabling arbitrary memory read. While only FIELDS section example is given here, other section offsets are vulnerable, too.
USD files are usually distributed as usdz archives which can contains multiple distinct usd files each referencing each other, with careful file layout , this sort of vulnerability could be abused to probe the memory layout and influence which files are successfully loaded. This could be abused to achieve information leak and defeat exploitation mitigations such as ASLR.
Crash Information
This vulnerability has been tested on latest version of macOS Catalina 10.15.3.
Current executable set to 'qlmanage' (x86_64).
(lldbinit) settings set -- target.run-args "-t" "poc_toc_offset.usdc" "-o" "./"
(lldbinit) r
Process 59980 launched: '/usr/bin/qlmanage' (x86_64)
Testing Quick Look thumbnails with files:
poc_toc_offset.usdc
2020-06-23 18:59:28.405728-0500 qlmanage[59980:11301935] [General] Disabling connection to window server
2020-06-23 18:59:28.406581-0500 qlmanage[59980:11301935] [General] Number of mach ports: 42
2020-06-23 18:59:28.408263-0500 qlmanage[59980:11301959] [General] Cache is disabled (real server: NO - cache enabled: NO)
2020-06-23 18:59:28.832447-0500 qlmanage[59980:11301959] MessageTracer: Falling back to default whitelist
-----------------------------------------------------------------------------------------------------------------------[regs]
RAX: 0xF041414241603141 RBX: 0x00007000060A1350 RBP: 0x00007000060A1250 RSP: 0x00007000060A1210 o d I t s Z a P c
RDI: 0x00007000060A1290 RSI: 0x00007000060A12B8 RDX: 0x0000000000000000 RCX: 0x0000000000000000 RIP: 0x00007FFF379A6F00
R8: 0x0000000000000000 R9: 0x0000000000000000 R10: 0x0000000100000000 R11: 0x00006FFF05EB22B8 R12: 0x0000000105822A00
R13: 0x00007000060A12B8 R14: 0x00007000060A1290 R15: 0x00007FFF8DFD9890
CS: 002B FS: 0000 GS: 0000
-----------------------------------------------------------------------------------------------------------------------[code]
@ /System/Library/Frameworks/ModelIO.framework/Versions/A/ModelIO:
-> 0x7fff379a6f00 (0x8d5f00): 4c 8b 38 mov r15, qword ptr [rax]
0x7fff379a6f03 (0x8d5f03): 48 83 c0 08 add rax, 0x8
0x7fff379a6f07 (0x8d5f07): 49 89 45 08 mov qword ptr [r13 + 0x8], rax
0x7fff379a6f0b (0x8d5f0b): 4c 89 f7 mov rdi, r14
0x7fff379a6f0e (0x8d5f0e): 4c 89 fe mov rsi, r15
0x7fff379a6f11 (0x8d5f11): e8 72 01 00 00 call 0x7fff379a7088 ; ___lldb_unnamed_symbol87486$$ModelIO
0x7fff379a6f16 (0x8d5f16): 4d 8b 26 mov r12, qword ptr [r14]
0x7fff379a6f19 (0x8d5f19): 49 c1 e7 05 shl r15, 0x5
-----------------------------------------------------------------------------------------------------------------------------
Process 59980 stopped
* thread #7, queue = 'quicklookd.serialgenerator', stop reason = EXC_BAD_ACCESS (code=EXC_I386_GPFLT)
frame #0: 0x00007fff379a6f00 ModelIO`___lldb_unnamed_symbol87485$$ModelIO + 122
Target 0: (qlmanage) stopped.
(lldbinit) bt
* thread #7, queue = 'quicklookd.serialgenerator', stop reason = EXC_BAD_ACCESS (code=EXC_I386_GPFLT)
* frame #0: 0x00007fff379a6f00 ModelIO`___lldb_unnamed_symbol87485$$ModelIO + 122
frame #1: 0x00007fff379944ed ModelIO`___lldb_unnamed_symbol87000$$ModelIO + 273
frame #2: 0x00007fff379941c3 ModelIO`___lldb_unnamed_symbol86998$$ModelIO + 555
frame #3: 0x00007fff37993e06 ModelIO`___lldb_unnamed_symbol86997$$ModelIO + 392
frame #4: 0x00007fff37992ec9 ModelIO`___lldb_unnamed_symbol86984$$ModelIO + 447
frame #5: 0x00007fff37a8bbf6 ModelIO`___lldb_unnamed_symbol91742$$ModelIO + 242
frame #6: 0x00007fff37a8bac8 ModelIO`___lldb_unnamed_symbol91741$$ModelIO + 54
frame #7: 0x00007fff37a39d2f ModelIO`___lldb_unnamed_symbol90729$$ModelIO + 287
Timeline
2020-07-01 - Vendor Disclosure (notified Pixar and Apple individually)
2020-07-01 - Vendor (Pixar) acknowledged report
2020-07-02 - Vendor (Apple) acknowledged report
2020-07-14 - Talos tested latest beta of macOS Catalina 10.15.6
2020-08-04 - Talos follow up with Pixar; no response
2020-09-16 - 2nd follow up with Pixar
2020-11-12 - Public Release
Discovered by Aleksandar Nikolic of Cisco Talos.
Related news
An update is now available for Red Hat Enterprise Linux 8.4 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-4083: kernel: fget: check that the fd still exists after getting a ref to it * CVE-2022-0492: kernel: cgroups v1 release_agent feature may allow privilege escalation * CVE-2022-25636: kernel: heap out of bounds write in nf_dup_netdev.c
An update for kernel is now available for Red Hat Enterprise Linux 6 Extended Lifecycle Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-0466: kernel: use after free in eventpoll.c may lead to escalation of privilege * CVE-2021-0920: kernel: Use After Free in unix_gc() which could result in a local privilege escalation * CVE-2021-4155: kernel: xfs: raw block device data leak in XFS_IOC_ALLOCSP IOCTL * CVE-2022-0492: kernel: cgroups v1 release_agent feature may ...
An update for the container-tools:2.0 module is now available for Red Hat Enterprise Linux 8.4 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-27649: podman: Default inheritable capabilities for linux container should be empty * CVE-2022-27651: buildah: Default inheritable capabilities for linux container should be empty
An update for the 389-ds:1.4 module is now available for Red Hat Enterprise Linux 8.4 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-4091: 389-ds-base: double free of the virtual attribute context in persistent search
Invicti Acunetix before 14 allows CSV injection via the Description field on the Add Targets page, if the Export CSV feature is used.
An update for kernel-rt is now available for Red Hat Enterprise Linux 8.4 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-4083: kernel: fget: check that the fd still exists after getting a ref to it * CVE-2022-0492: kernel: cgroups v1 release_agent feature may allow privilege escalation * CVE-2022-25636: kernel: heap out of bounds write in nf_dup_netdev.c
Red Hat OpenShift Virtualization release 2.6.10 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-33195: golang: net: lookup functions may return invalid host names * CVE-2021-33197: golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty * CVE-2021-33198: golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs...
An Access Control vulnerability exists in Desire2Learn/D2L Learning Management System (LMS) 20.21.7 via the quizzing feature, which allows a remote malicious user to disable the Disable right click control.
A SQL injection vulnerability exists in Microfinance Management System 1.0 when MySQL is being used as the application database. An attacker can issue SQL commands to the MySQL database through the vulnerable course_code and/or customer_number parameter.
An update is now available for Red Hat Ceph Storage 3. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-20288: ceph: Unauthorized global_id reuse in cephx
The Migration Toolkit for Containers (MTC) 1.5.4 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-36221: golang: net/http/httputil: panic due to racy read of persistConn after handler panic
Swimlane’s Asia-Pacific presence grows 173%, highlighting rising demand for low-code security automation.
Certain WSO2 products allow unrestricted file upload with resultant remote code execution. This affects WSO2 API Manager 2.2.0 and above through 4.0.0; WSO2 Identity Server 5.2.0 and above through 5.11.0; WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0, and 5.6.0; WSO2 Identity Server as Key Manager 5.3.0 and above through 5.10.0; and WSO2 Enterprise Integrator 6.2.0 and above through 6.6.0.
Google and other firms are adding security configuration to software so cloud applications and services have well-defined security settings — a key component of DevSecOps.
Zoho ManageEngine ADSelfService Plus before 6121, ADAuditPlus 7060, Exchange Reporter Plus 5701, and ADManagerPlus 7131 allow NTLM Hash disclosure during certain storage-path configuration steps.
IT departments must account for the business impact and security risks such applications introduce.
There is an integer overflow vulnerability in dcraw. When the victim runs dcraw with a maliciously crafted X3F input image, arbitrary code may be executed in the victim's system.
A flaw was found in WildFly Elytron. A variation to the use of a session fixation exploit when using Undertow was found despite Undertow switching the session ID after authentication.
An exploitable code execution vulnerability exists in the file format parsing functionality of Graphisoft BIMx Desktop Viewer 2019.2.2328. A specially crafted file can cause a heap buffer overflow resulting in a code execution. An attacker can provide a malicious file to trigger this vulnerability.
A flaw was found in Ansible Galaxy Collections. When collections are built manually, any files in the repository directory that are not explicitly excluded via the ``build_ignore`` list in "galaxy.yml" include files in the ``.tar.gz`` file. This contains sensitive info, such as the user's Ansible Galaxy API key and any secrets in ``ansible`` or ``ansible-playbook`` verbose output without the``no_log`` redaction. Currently, there is no way to deprecate a Collection Or delete a Collection Version. Once published, anyone who downloads or installs the collection can view the secrets.
A heap double free issue was found in Opensc before version 0.22.0 in sc_pkcs15_free_tokeninfo.
Multiple SQL injection vulnerabilities exist in phpGACL 3.3.7. A specially crafted HTTP request can lead to a SQL injection. An attacker can send an HTTP request to trigger this vulnerability.
Heap buffer overflow issues were found in Opensc before version 0.22.0 in pkcs15-oberthur.c that could potentially crash programs using the library.
The ongoing war in Ukraine means that defenses are only as good and as strong as those with whom we partner.