CVE-2019-11023: Null pointer dereference in function agroot() – Graphviz-2.39.20160612.1140

Null pointer dereference in function agroot() : graphviz 2.39.20160612.1140

Loginsoft-2019-1111

8 April, 2019

CVE Number

CVE-2019-11023

CWE

CWE-476: NULL Pointer Dereference

Product Details

Graph visualization is a way of representing structural information as diagrams of abstract graphs and networks. It has important applications in networking, bioinformatics, software engineering, database and web design, machine learning, and in visual interfaces for other technical domains.
URL: https://gitlab.com/graphviz/graphviz

Vulnerable Versions

2.39.20160612.1140

Vulnerability Details

During our research we observed a null pointer dereference in function agroot() of the graphml2gv binary.

SYNOPSIS

During our research on Graphviz we found that bind_node() in graphml2gv.c calls agnode() in node.c with the argument G (the current graph), received there as Agraph_t * g. To find the root, agnode() in turn calls agroot() in obj.c with that Agraph_t * g.
In agroot(), the switch statement evaluates AGTYPE(obj), where AGTYPE is #defined as (AGTAG(obj).objtype) and AGTAG is #defined as (((Agobj_t*)(obj))->tag). Here obj is NULL, so evaluating the macro dereferences a null pointer.
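As an added illustration (not Graphviz's own code), the following C model reproduces the macro chain described above and places the unchecked agroot() next to a null-checked variant and a caller-side guard; the struct layouts, the objtype values and the names agroot_unchecked, agroot_checked and bind_node_safe are assumptions for this demo.

```c
#include <stdio.h>

/* Illustrative model of the cgraph object header. AGTAG/AGTYPE are the macros
   quoted in the advisory; struct layouts and objtype values are assumed here. */
enum { OBJ_GRAPH = 0, OBJ_NODE = 1, OBJ_OUTEDGE = 2, OBJ_INEDGE = 3 };
typedef struct { unsigned objtype : 2; } Agtag_t;
typedef struct { Agtag_t tag; } Agobj_t;
typedef struct Agraph_s { Agobj_t base; struct Agraph_s *root; } Agraph_t;
typedef struct { Agobj_t base; Agraph_t *graph; } Agnode_t;
#define AGTAG(obj)  (((Agobj_t *)(obj))->tag)
#define AGTYPE(obj) (AGTAG(obj).objtype)

/* Mirrors the crashing path: the switch reads AGTYPE(obj) before anything
   checks obj, so the NULL graph handed down from agnode() faults here. */
Agraph_t *agroot_unchecked(void *obj)
{
    switch (AGTYPE(obj)) {               /* dereferences obj->tag */
    case OBJ_GRAPH: return ((Agraph_t *)obj)->root;
    case OBJ_NODE:  return ((Agnode_t *)obj)->graph->root;
    default:        return NULL;         /* edges omitted in this model */
    }
}

/* Hardened form: reject a NULL object before its tag is touched. */
Agraph_t *agroot_checked(void *obj)
{
    return obj == NULL ? NULL : agroot_unchecked(obj);
}

/* Caller-side check, the shape a fix in bind_node()/agnode() could take:
   refuse to bind a node while no current graph exists. */
int bind_node_safe(Agraph_t *g, const char *name)
{
    if (g == NULL) {
        fprintf(stderr, "node '%s' seen with no current graph\n", name);
        return -1;
    }
    return agroot_checked(g) != NULL ? 0 : -1;
}

/* Constructed sample: one root graph and one node that belongs to it. */
Agraph_t sample_graph; Agnode_t sample_node;
int demo_root_lookup(void)
{
    sample_graph.base.tag.objtype = OBJ_GRAPH;
    sample_graph.root = &sample_graph;
    sample_node.base.tag.objtype = OBJ_NODE;
    sample_node.graph = &sample_graph;
    return agroot_checked(&sample_node) == &sample_graph;
}
```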

Analysis

DEBUG:

0:000> kp
# ChildEBP RetAddr  
00 00b8a1f8 6e1ecce7 cgraph!agroot(void * obj = 0x00000000)+0x21 [graphviz\lib\cgraph\obj.c @ 171]
01 00b8a2f8 01151973 cgraph!agnode(struct Agraph_s * g = 0x00000000, char * name = 0x00c31775 "n2", int cflag = 0n1)+0x27 [graphviz\lib\cgraph\node.c @ 148] 
02 00b8a3d8 011542a1 graphml2gv!bind_node(char * name = 0x00c31775 "n2")+0x33 [graphviz\cmd\tools\graphml2gv.c @ 240] 
03 00b8a5b4 6e1b3eeb graphml2gv!startElementHandler(void * userData = 0x00c251a0, char * name = 0x00c31770 "node", char ** atts = 0x00c2fe18)+0x2a1 [graphviz\cmd\tools\graphml2gv.c @ 472] 
04 00b8a5f8 6e1c84af expat!XML_SetXmlDeclHandler+0x2bf3
05 00b8a60c 6e1b340e expat!XML_SetXmlDeclHandler+0x171b7
06 00b8a6a0 6e1b9b2e expat!XML_SetXmlDeclHandler+0x2116
07 00b8a6b8 6e1b2035 expat!XML_SetXmlDeclHandler+0x8836
08 00b8a6d8 6e1b1f4a expat!XML_SetXmlDeclHandler+0xd3d
09 00b8a6fc 01152870 expat!XML_SetXmlDeclHandler+0xc52
0a 00b8a714 0115122b graphml2gv!graphml_to_gv(char * gname = 0x008ca000 "", struct _iobuf * graphmlFile = 0x00000001, int * rv = 0xcccccccc)+0x160 [graphviz\cmd\tools\graphml2gv.c @ 623] 
0:000> u
cgraph!agroot+0x21 [graphviz\lib\cgraph\obj.c @ 171]:
6e1ee5b1 8b08            mov     ecx,dword ptr [eax]
6e1ee5b3 83e103          and     ecx,3
6e1ee5b6 898d3cffffff    mov     dword ptr [ebp-0C4h],ecx
6e1ee5bc 83bd3cffffff03  cmp     dword ptr [ebp-0C4h],3
6e1ee5c3 7728            ja      cgraph!agroot+0x5d (6e1ee5ed)
6e1ee5c5 8b953cffffff    mov     edx,dword ptr [ebp-0C4h]
6e1ee5cb ff249514e61e6e  jmp     dword ptr cgraph!agroot+0x84 (6e1ee614)[edx*4]
6e1ee5d2 8b4508          mov     eax,dword ptr [ebp+8]
0:000> g
(23a8.6cc): Access violation - code c0000005 (!!! second chance !!!)
Registers: 
eax=00000000 ebx=00c2fd01 ecx=00000000 edx=00c31775 esi=00b8a30c edi=00b8a1f8

Proof of Concept

graphml2gv.exe -g cooldude -o test.gv $POC

Vendor Disclosure: 2019-4-2
Public Disclosure: 2019-4-9

Credit

Discovered by ACE Team – Loginsoft