CVE-2021-29457 - Heap-based Buffer Overflow

Severity

78%

Complexity

18%

Confidentiality

98%

Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. A heap buffer overflow was found in Exiv2 versions v0.27.3 and earlier. The heap overflow is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to gain code execution, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when _writing_ the metadata, which is a less frequently used Exiv2 operation than _reading_ the metadata. For example, to trigger the bug in the Exiv2 command-line application, you need to add an extra command-line argument such as `insert`. The bug is fixed in version v0.27.4.

CVSS 3.1 Base Score 7.8. CVSS Attack Vector: local. CVSS Attack Complexity: low. CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

CVSS 2.0 Base Score 6.8. CVSS Attack Vector: network. CVSS Attack Complexity: medium. CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P).

Demo Examples

Heap-based Buffer Overflow

CWE-122

While buffer overflow examples can be rather complex, it is possible to have very simple, yet still exploitable, heap-based buffer overflows:


               
}
strcpy(buf, argv[1]);

The buffer is allocated heap memory with a fixed size, but there is no guarantee the string in argv[1] will not exceed this size and cause an overflow.

Heap-based Buffer Overflow

CWE-122

This example applies an encoding procedure to an input string and stores it into a buffer.


               
}

                     
return dst_buf;
die("user string too long, die evil hacker!");

                           
else dst_buf[dst_index++] = user_supplied_string[i];
dst_buf[dst_index++] = ';';

                                 

                                       /* encode to < */

The programmer attempts to encode the ampersand character in the user-controlled string, however the length of the string is validated before the encoding procedure is applied. Furthermore, the programmer assumes encoding expansion will only expand a given character by a factor of 4, while the encoding of the ampersand expands by 5. As a result, when the encoding procedure expands the string it is possible to overflow the destination buffer if the attacker provides a string of many ampersands.

Overview

First reported 3 years ago

2021-04-19 19:15:00

Last updated 3 years ago

2021-09-21 18:13:00

Affected Software

Debian Linux 9.0

9.0

References

https://github.com/Exiv2/exiv2/issues/1529

https://github.com/Exiv2/exiv2/pull/1534

https://github.com/Exiv2/exiv2/security/advisories/GHSA-v74w-h496-cgqm

https://github.com/Exiv2/exiv2/issues/1529

Exploit, Patch, Third Party Advisory

https://github.com/Exiv2/exiv2/pull/1534

Patch, Third Party Advisory

https://github.com/Exiv2/exiv2/security/advisories/GHSA-v74w-h496-cgqm

Third Party Advisory

FEDORA-2021-10d7331a31

FEDORA-2021-be94728b95

FEDORA-2021-10d7331a31

Mailing List, Third Party Advisory

FEDORA-2021-be94728b95

Mailing List, Third Party Advisory

DSA-4958

[debian-lts-announce] 20210830 [SECURITY] [DLA 2750-1] exiv2 security update

DSA-4958

Third Party Advisory

[debian-lts-announce] 20210830 [SECURITY] [DLA 2750-1] exiv2 security update

Mailing List, Third Party Advisory

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.