CVE-2022-34913: Stack Based Buffer Overflow When Processing Markdown Files · Issue #4 · nereusx/md2roff

** DISPUTED ** md2roff 1.7 has a stack-based buffer overflow via a Markdown file containing a large number of consecutive characters to be processed. NOTE: the vendor’s position is that the product is not intended for untrusted input.

Source: CVE
Tags: #vulnerability #linux #dos #buffer_overflow

Hi!

I’m a big fan of md2roff. It’s been quite useful and has come in handy in so many situations!

Stack Based Buffer Overflow

I wanted to make you aware of a stack based buffer overflow vulnerability in the md2roff tool. A buffer overflow condition exists when a program attempts to put more data in a buffer than it can hold or when a program attempts to put data in a memory area past a buffer. At a minimum this will lead to a denial of service (if md2roff is run as a server/service) but can also lead to arbitrary code execution and privilege escalation as a result of the return pointer (on the stack) being overwritten.

Reproduction

To reproduce the vulnerability, execute the following commands in Linux once you have compiled the program (using the default Makefile).

Create a markdown file with a large number of integers:

Verify the markdown file contains our large buffer of '1's:

Execute md2roff using any preferred flags and confirm the segfault:

Using GDB we can see that we successfully redirected the execution of the program. We can see our '1's on the stack and the program attempting to return to 0x3131313131313131 (which is 1 repeated in hex).

Remediation

Replace all instances of strcpy with strncpy and ensure the content being read into the buffer is the same size or smaller than the available buffer space:

strcpy(pat, mdic[i].wrong);

strcpy(appname, docname);

Useful References

https://owasp.org/www-community/vulnerabilities/Buffer_Overflow
https://cwe.mitre.org/data/definitions/121.html
https://man7.org/linux/man-pages/man3/strcpy.3.html -> Check the warning in the description
https://linux.die.net/man/3/strncpy -> Safer way to copy a buffer

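The pattern the report describes, as an added example that is not md2roff's code and not part of the issue above: an unbounded strcpy into a fixed-size stack array, beside two bounded replacements, plus a length check that tells you whether an input would overflow without actually corrupting the stack, and a small demonstration of why the overwritten return address reads 0x3131313131313131 (eight ASCII '1' bytes, 0x31 each). The buffer size APPNAME_MAX, the function names and the '1'-filled input are constructed here for illustration. One caveat on the report's suggested fix: strncpy does not NUL-terminate when the source fills the buffer, so the terminator must be written explicitly, and the input is silently truncated rather than rejected.

```c
/* Added example, not code from md2roff or from the issue author: the
 * unbounded-strcpy pattern the report describes, bounded replacements, and
 * a check that says whether an input would overflow. Buffer size, function
 * names and the '1'-filled input are constructed for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define APPNAME_MAX 64  /* hypothetical fixed-size stack buffer */

/* Reproduction input from the report: a run of n ASCII '1' bytes (0x31).
 * Caller frees the result. */
char *make_ones(size_t n) {
    char *s = malloc(n + 1);
    if (!s) return NULL;
    memset(s, '1', n);
    s[n] = '\0';
    return s;
}

/* strcpy writes strlen(src)+1 bytes; anything beyond cap lands past the
 * buffer, over saved registers and the return address. */
int strcpy_would_overflow(const char *src, size_t cap) {
    return strlen(src) + 1 > cap;
}

/* Why gdb shows a return to 0x3131313131313131: eight overwritten bytes of
 * '1' read back as one 64-bit value (byte order does not matter because
 * every byte is identical). */
uint64_t ones_as_u64(void) {
    char ones[8];
    uint64_t v;
    memset(ones, '1', sizeof ones);
    memcpy(&v, ones, sizeof v);
    return v;
}

/* Vulnerable pattern from the report: no bound on the copy. Only call this
 * with input that passes strcpy_would_overflow; overflowing is undefined
 * behaviour, and the segfault in the report is that overflow. */
size_t copy_docname_unsafe(const char *docname) {
    char appname[APPNAME_MAX];
    strcpy(appname, docname);   /* unbounded: overflows on long input */
    return strlen(appname);
}

/* Hardened form 1: reject over-long input instead of writing it.
 * Returns 0 on success, -1 (with dst empty) if src does not fit. */
int copy_docname_checked(char *dst, size_t cap, const char *src) {
    size_t n = strlen(src);
    if (n + 1 > cap) {
        if (cap) dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Hardened form 2: the strncpy route the report suggests. strncpy leaves
 * dst unterminated when src fills it, so write the terminator explicitly;
 * the input is silently truncated to cap-1 bytes. */
void copy_docname_truncating(char *dst, size_t cap, const char *src) {
    if (cap == 0) return;
    strncpy(dst, src, cap - 1);
    dst[cap - 1] = '\0';
}

int main(void) {
    char appname[APPNAME_MAX];
    char *fits = make_ones(APPNAME_MAX - 1);  /* constructed: exactly fits */
    char *big  = make_ones(4096);             /* constructed: overflows   */
    if (!fits || !big) return 1;

    printf("%zu '1's overflow a %d-byte buffer: %s\n", strlen(big), APPNAME_MAX,
           strcpy_would_overflow(big, APPNAME_MAX) ? "yes" : "no");
    printf("eight '1' bytes as a pointer: 0x%016llx\n",
           (unsigned long long)ones_as_u64());
    printf("checked copy of big input returns: %d\n",
           copy_docname_checked(appname, sizeof appname, big));
    copy_docname_truncating(appname, sizeof appname, big);
    printf("truncating copy kept %zu bytes\n", strlen(appname));
    printf("unsafe copy of input that fits: %zu bytes\n",
           copy_docname_unsafe(fits));
    free(fits);
    free(big);
    return 0;
}
```

Between the two hardened forms, the checked one is usually the better fit for a converter that is fed file contents: a name that does not fit the buffer is an error worth reporting, not something to silently shorten.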