Headline
CVE-2021-45960: [CVE-2021-45960] A large number of prefixed XML attributes on a single tag can crash libexpat (troublesome left shifts by >=29 bits in function storeAtts) · Issue #531 · libexpat/libexpat
In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in xmlparse.c can lead to realloc misbehavior (e.g., allocating too few bytes, or only freeing memory).
Back in 2015, Tyson Smith (@tysmith) reported invalid left shifts at 5 places in libexpat to Mozilla. 3 of these bad shifts had also been reported by Dingbao Xie (@xiedingbao), and been fixed in commit 2106ee4 and release 2.2.0 in 2016; this ticket is meant to explain my evaluation of those 2 remaining bad shifts, as a reference, for anyone interested, and to allow review and correction as needed.
For short, there is security issue in libexpat that affects even the oldest releases, >=1.95.7 at least (commit b288698). Probably not one to panic about.
The related code in function storeAtts in lib/xmlparse.c is this:
int nsAttsSize = (int)1 << parser->m_nsAttsPower; […] nsAttsSize = (int)1 << parser->m_nsAttsPower; […] temp = (NS_ATT *)REALLOC(parser, parser->m_nsAtts, nsAttsSize * sizeof(NS_ATT));
It should be noted that:
- The related code is triggered by XML documents that contain tags with prefixed attributes (e.g. <r xmlns:a="[…]" a:a123="[…]" […] />.
- The (int) cast doesn’t do anything, 1 is int by default.
- A left shift on signed int by >=31 bits is undefined behavior for sizeof(int)==4.
- For the multiplication in nsAttsSize * sizeof(NS_ATT):
- sizeof returns a size_t, unsigned and larger or equal to int in size, depending on machine architecture.
- signed nsAttsSize is promoted to unsigned(!) size_t in context of that multiplication.
- The value of m_nsAttsPower is derived from the number of prefixed attributes in the tag. If we include the namespace declaration attribute in that number, the math is atts_power := int(math.log2(atts_count - 1)) + 2 (thinking Python). So to see m_nsAttsPower value 29 in memory, we need 2^(29-2)+1 prefixed XML attributes.
From here on, behavior of the code depends on the machine architecture, in particular the sizes of types int and size_t; so we get different behavior on e.g. 32bit x86 than on 64bit amd64. In detail:
| x86 (32bit int and size_t) | amd64 (32bit int, 64bit size_t)
------------------+------------------------------------+---------------------------------
m_nsAttsPower 29 | (size_t)(1 << 29) * (4+4+4) | (size_t)(1 << 29) * (8+8+8)
| => 2_147_483_648, mult overflow | >= 12_884_901_888
| => allocating too few bytes | => mallocs okay or returns NULL
| |
m_nsAttsPower 30 | (size_t)(1 << 30) * (4+4+4) | (size_t)(1 << 30) * (8+8+8)
| => 0, mult overflow | => 25_769_803_776
| => realloc acts as free | => mallocs okay or returns NULL
| |
m_nsAttsPower 31 | (size_t)(1 << 31) * (4+4+4) | (size_t)(1 << 31) * (8+8+8)
| => undefined behavior | => undefined behavior
| |
To summarize the problem,
- m_nsAttsPower<=28 is fine on both platforms.
- m_nsAttsPower==29 will allocate too few bytes on 32bit, fine on 64bit.
- m_nsAttsPower==30 makes realloc act like free on 32bit, fine on 64bit.
- m_nsAttsPower>=31 is undefined behavior is denial of service (or more) on both platforms.
The fix will have these parts:
- First, detect and prevent left shifts by sizeof(int) * 8 - 1 or more bits.
- Second, detect and prevent integer overflow on nsAttsSize * sizeof(NS_ATT).
- (Third, turn int into unsigned int to make the code more clear, close the door to undefined behavior, and allow even 1u << 31.)
A pull request and likely a CVE are upcoming, and there will be a soon release 2.4.3.
Because thy payload to trigger the vulnerability is in the gigabytes, remote exploitability will hopefully be stopped by upload limits in most setups, before even getting to libexpat. Even when generating attribute names using the base58 scheme for short non-overlapping names, an XML file with e.g. 2^29+1 attributes on a single tag is ~6.5 GiB in size.
I have a Python >=3.6 script to create XML files like that online at https://gist.github.com/hartwork/ccad94d00c4193e05ab57de70021e6ee.
Best, Sebastian
Related news
Progress Chef Infra Server before 15.7 allows a local attacker to exploit a /var/opt/opscode/local-mode-cache/backup world-readable temporary backup path to access sensitive information, resulting in the disclosure of all indexed node data, because OpenSearch credentials are exposed. (The data typically includes credentials for additional systems.) The attacker must wait for an admin to run the "chef-server-ctl reconfigure" command.
Hello everyone! Great news for my open source Scanvus project! You can now perform vulnerability checks on Linux hosts and docker images not only using the Vulners.com API, but also with the Vulns.io VM API. It’s especially nice that all the code to support the new API was written and contributed by colleagues from Vulns.io. […]
Red Hat Security Advisory 2022-7143-01 - Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience. This release of Red Hat JBoss Core Services Apache HTTP Server 2.4.51 serves as a replacement for Red Hat JBoss Core Services Apache HTTP Server 2.4.37 Service Pack 10, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Issues addressed include code execution, integer overflow, null pointer, out of bounds read, out of bounds write, and server-side request forgery vulnerabilities.
Red Hat Security Advisory 2022-7144-01 - Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience. This release of Red Hat JBoss Core Services Apache HTTP Server 2.4.51 serves as a replacement for Red Hat JBoss Core Services Apache HTTP Server 2.4.37 Service Pack 10, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Issues addressed include code execution, integer overflow, null pointer, out of bounds read, out of bounds write, and server-side request forgery vulnerabilities.
An update is now available for Red Hat JBoss Core Services. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-33193: httpd: Request splitting via HTTP/2 method injection and mod_proxy * CVE-2021-36160: httpd: mod_proxy_uwsgi: out-of-bounds read via a crafted request uri-path * CVE-2021-39275: httpd: Out-of-bounds write in ap_escape_quotes() via malicious input * CVE-2021-41524: httpd: NULL pointer dereference via crafted request during HTTP/2 request processing * CVE-202...
An update is now available for Red Hat JBoss Core Services. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-33193: httpd: Request splitting via HTTP/2 method injection and mod_proxy * CVE-2021-36160: httpd: mod_proxy_uwsgi: out-of-bounds read via a crafted request uri-path * CVE-2021-39275: httpd: Out-of-bounds write in ap_escape_quotes() via malicious input * CVE-2021-41524: httpd: NULL pointer dereference via crafted request during HTTP/2 request processing * CVE-202...
Gentoo Linux Security Advisory 202209-24 - Multiple vulnerabilities have been discovered in Expat, the worst of which could result in arbitrary code execution. Versions less than 2.4.9 are affected.
Dell PowerScale OneFS, versions 9.0.0 up to and including 9.1.0.19, 9.2.1.12, 9.3.0.6, and 9.4.0.2, contain a process invoked with sensitive information vulnerability. A CLI user may potentially exploit this vulnerability, leading to information disclosure.
Dell PowerScale OneFS, versions 9.0.0 up to and including 9.1.0.19, 9.2.1.12, 9.3.0.6, and 9.4.0.2, contain an unprotected primary channel vulnerability. An unauthenticated network malicious attacker may potentially exploit this vulnerability, leading to a denial of filesystem services.
Pexip Infinity 27 before 28.0 allows remote attackers to trigger excessive resource consumption and termination because of registrar resource mishandling.
Pexip Infinity before 28.1 allows remote attackers to trigger a software abort via G.719.
Pexip Infinity before 27.3 allows remote attackers to trigger a software abort, and possibly enumerate usernames, via One Touch Join.
Pexip Infinity 27.x before 27.3 allows remote attackers to trigger a software abort via HTTP.
Pexip Infinity 27.x before 27.3 allows remote attackers to trigger a software abort via the Session Initiation Protocol.
Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via One Touch Join.
Pexip Infinity 27.x before 27.3 allows remote attackers to trigger a software abort via single-sign-on if a random Universally Unique Identifier is guessed.
Pexip Infinity 27.x before 27.3 has Improper Input Validation. The client API allows remote attackers to trigger a software abort via a gateway call into Teams.
Pexip Infinity before 27.3 allows remote attackers to force a software abort via HTTP.
Pexip Infinity 27.x before 27.2 has Improper Access Control. An attacker can sometimes join a conference (call join) if it has a lock but not a PIN.
Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via the Session Initiation Protocol.
Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via One Touch Join.
Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via One Touch Join.
Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via HTTP.
Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via Epic Telehealth.
Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via H.323.
Pexip Infinity before 27.3 allows remote attackers to trigger excessive resource consumption via H.264.
Dell PowerScale OneFS, 8.2.x through 9.3.0.x, contain an error message with sensitive information. An administrator could potentially exploit this vulnerability, leading to disclosure of sensitive information. This sensitive information can be used to access sensitive resources.
Dell PowerScale OneFS, versions 8.2.x-9.2.x, contain broken or risky cryptographic algorithm. A remote unprivileged malicious attacker could potentially exploit this vulnerability, leading to full system access.
Dell Unity, Dell UnityVSA, and Dell Unity XT versions prior to 5.2.0.0.5.173 contain a plain-text password storage vulnerability when certain off-array tools are run on the system. The credentials of a user with high privileges are stored in plain text. A local malicious user with high privileges may use the exposed password to gain access with the privileges of the compromised user.
Red Hat Security Advisory 2022-1747-01 - OpenShift Serverless version 1.22.0 contains a moderate security impact. The References section contains CVE links providing detailed severity ratings for each vulnerability.