Headline
CVE-2021-45342: Remote Code Execution vulnerability in LibreCAD 2.2.0-rc3 (JWW CDataList) · Issue #1464 · LibreCAD/LibreCAD
A buffer overflow vulnerability in CDataList of the jwwlib component of LibreCAD 2.2.0-rc3 and older allows an attacker to achieve Remote Code Execution using a crafted JWW document.
Vulnerable Products
- LibreCAD 2.2.0-rc3 and older
Steps to reproduce or sample file
Start LibreCAD 2.2.0 in a debugger
File/Open…
Unzip and open the attached proof-of-concept file
Observe ACCESS_VIOLATION crash, with eip=0x41414141 (AAAA)
Screenshot:
Cause
The CDataList entity deserialization in LibreCAD/libraries/jwwlib/src/jwwdoc.h is vulnerable to a stack buffer overflow. char buf[512] declared in CDataList::Serialize() on line 784 is of fixed size 512. One variety of CDataList provides its own size field, as seen on line 795 and no bounds checking is performed. This allows an attacker to overflow buf and overwrite other stack variables, including the return address.
The attached PoC file is tuned to trigger this behavior in the latest windows release of LibreCAD, but the same bug is also present
in older versions and on other platforms.
Note: This is similar to, but distinct from issue #1462
Impact
An attacker can craft a JW-CAD input file and thereby gain control over execution flow (EIP controlled directly).
This allows an attacker to run arbitrary code on the system running LibreCAD, with the privileges of the current user.
Proposed Mitigation
- Perform bounds checking in CDataList::Serialize(), and refuse to load more data to buf than actually supported.
- Enable stack smashing protection in the windows build of LibreCAD.
Operating System and LibreCAD version info
Version: 2.2.0-rc3
Compiler: GNU GCC 7.3.0
Compiled on: Nov 29 2021
Qt Version: 5.12.4
Boost Version: 1.65.1
System: Windows 10 (10.0)
Related news
Gentoo Linux Security Advisory 202305-26 - Multiple vulnerabilities have been discovered in LibreCAD, the worst of which could result in denial of service. Versions greater than or equal to 2.1.3-r7 are affected.
Ubuntu Security Notice 5957-1 - Cody Sixteen discovered that LibreCAD incorrectly handled memory when parsing DXF files. An attacker could use this issue to cause LibreCAD to crash, leading to a denial of service. This issue only affected Ubuntu 16.04 ESM and Ubuntu 18.04 ESM. Lilith of Cisco Talos discovered that LibreCAD incorrectly handled memory when parsing DWG files. An attacker could use this issue to cause LibreCAD to crash, leading to a denial of service, or possibly execute arbitrary code.