CVE-2018-17436: Invalid write memory access vulnerability in HDF5 1.10.3

Loginsoft-2018-17436

September 24, 2018

CVE Number

CVE-2018-17436

CWE

CWE-787: Out-of-bounds Write

Product Details

HDF5 is a data model, library, and file format for storing and managing data. It supports an unlimited variety of data types and is designed for flexible and efficient I/O and for high volume and complex data. HDF5 is portable and is extensible, allowing applications to evolve in their use of HDF5. The HDF5 Technology suite includes tools and applications for managing, manipulating, viewing, and analyzing data in the HDF5 format.

URL: https://www.hdfgroup.org/downloads

Vulnerable Versions

HDF5 1.10.3

Vulnerability Details

ReadCode() in decompress.c in the HDF HDF5 through 1.10.3 library allows attackers to cause a denial of service (invalid write access) via a crafted HDF5 file. This issue was triggered while converting a GIF file to an HDF file.

Synopsis

```c
/* Decompress the Image */
gifImageDesc[ImageCount-1]->Image = Decompress(gifImageDesc[ImageCount-1],   /* [1] */
                                               gifHead);
free(gifImageDesc[ImageCount-1]->GIFImage);
```

```c
BYTE *
Decompress(GIFIMAGEDESC *GifImageDesc, GIFHEAD *GifHead)
{
    /* ... */
    Code = ReadCode();   /* [2] */
```

```c
static int
ReadCode(void)
{
    int RawCode, ByteOffset;

    ByteOffset = BitOffset / 8;
    RawCode = Raster[ByteOffset] + (0x100 * Raster[ByteOffset + 1]);   /* [3] */
```

Alongside the h52gif binary, HDF5 ships gif2h5, which converts a GIF file into an HDF5 file. It calls Gif2Mem(), which walks the GIF block by block (reading the GIF file header information, the image descriptors and so on) and displays the GIF header information. To decompress the GIF image data and convert it into an HDF image it calls Decompress() [1].

Inside Decompress(), the image separator is handled by reading the values from the image descriptor, allocating a chunk of memory for the image and then decompressing the raster data until a GIF EOF code is seen. Each code is fetched with ReadCode() [2], which reads the next LZW code from the raster data stream. The computation of RawCode at [3] indexes Raster with a ByteOffset derived from the crafted file without checking it against the raster length, so it picks up incorrect values; the code returned from that computation then leads to the invalid write memory access in Decompress().


Analysis

Source of 1.8.20

```c
84     ByteOffset = BitOffset / 8;
       // RawCode=0x0, ByteOffset=0x37e9
→ 85   RawCode = Raster[ByteOffset] + (0x100 * Raster[ByteOffset + 1]);
86
87     if (CodeSize >= 8)
88         RawCode += (0x10000 * Raster[ByteOffset + 2]);
89
90     RawCode >>= (BitOffset % 8);
```
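As an added example (not HDF5's own code and not the project's fix), the code extraction performed by ReadCode() rewritten with a bounds check: the raster length is passed in as a hypothetical parameter and the two- or three-byte read is refused when it would leave the buffer, which is the condition the unchecked lines 85 and 88 above never test. The final mask to code_size bits is the standard GIF LZW step and is assumed here; the page only shows the shift. The sample raster is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bounds-checked version of the RawCode computation in ReadCode().
 * raster_len is a hypothetical parameter: the real ReadCode() uses the
 * global Raster with no length information at all.
 * Returns 1 and stores the code in *code on success, 0 if the read would
 * go past the end of the raster or code_size is out of range. */
static int read_code_checked(const uint8_t *raster, size_t raster_len,
                             size_t bit_offset, int code_size, int *code)
{
    size_t byte_offset = bit_offset / 8;
    /* Bytes the unchecked computation touches: 2, or 3 when CodeSize >= 8. */
    size_t needed = (code_size >= 8) ? 3 : 2;
    int raw;

    if (code_size < 1 || code_size > 12)
        return 0;                       /* GIF LZW code sizes are 1..12 */
    if (byte_offset > raster_len || raster_len - byte_offset < needed)
        return 0;                       /* would read past the raster */

    raw = raster[byte_offset] + (0x100 * raster[byte_offset + 1]);
    if (code_size >= 8)
        raw += 0x10000 * raster[byte_offset + 2];
    raw >>= (bit_offset % 8);
    /* Assumed: keep only code_size bits, as a GIF LZW reader does. */
    *code = raw & ((1 << code_size) - 1);
    return 1;
}

/* Constructed 3-byte raster for the demonstration, not from any real GIF. */
static const uint8_t sample_raster[] = { 0x12, 0x34, 0x56 };
#define SAMPLE_RASTER_LEN (sizeof sample_raster)

/* Convenience wrapper: the code at a bit offset, or -1 when the read is
 * rejected. */
static int code_at(size_t bit_offset, int code_size)
{
    int code;
    if (!read_code_checked(sample_raster, SAMPLE_RASTER_LEN,
                           bit_offset, code_size, &code))
        return -1;
    return code;
}

int main(void)
{
    /* In-bounds reads succeed. */
    printf("bit 0,  size 8: %d\n", code_at(0, 8));    /* 0x12 */
    printf("bit 4,  size 8: %d\n", code_at(4, 8));    /* 0x41 */
    printf("bit 8,  size 4: %d\n", code_at(8, 4));    /* 0x4  */
    /* A 3-byte read starting at byte 1 of a 3-byte raster is rejected. */
    printf("bit 8,  size 8: %d\n", code_at(8, 8));    /* -1 */
    /* The ByteOffset seen in the crash (0x37e9) is far past this raster. */
    printf("byte 0x37e9:    %d\n", code_at(0x37e9 * 8, 8));   /* -1 */
    return 0;
}
```

The ASAN trace below places the actual write at decompress.c:290 in Decompress, so closing the read side as above is not the whole fix: the code value Decompress receives also has to be validated before it is used to index or write the decoded image. The example only shows the check that is missing at [3].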

Backtrace of 1.8.20

```
#0  0x000055555555a04e in ReadCode () at decompress.c:85
#1  0x000055555555a6e4 in Decompress (GifImageDesc=0x5555557c4090, GifHead=0x5555557c3d20) at decompress.c:309
#2  0x0000555555559969 in Gif2Mem (MemGif=0x5555557c3d17 ";1\003", GifMemoryStruct=0x7fffffffdd10) at gif2mem.c:184
#3  0x0000555555559386 in main (argv=0x3, argc=0x7fffffffe178) at gif2hdf.c:100
```

ASAN Output

```
./gif2h5 ~/output_gif2h5/crashes/POC011 ~/output/ex_image2.h5
ASAN:DEADLYSIGNAL
=================================================================
==2954==ERROR: AddressSanitizer: SEGV on unknown address 0x56405fe8e000 (pc 0x56405fc3172a bp 0x7ffc7e937070 sp 0x7ffc7e937050 T0)
==2954==The signal is caused by a WRITE memory access.
    #0 0x56405fc31729 in Decompress /home/ethan/hdf5-develop/hl/tools/gif2h5/decompress.c:290
    #1 0x56405fc2fded in Gif2Mem /home/ethan/hdf5-develop/hl/tools/gif2h5/gif2mem.c:184
    #2 0x56405fc2eda1 in main /home/ethan/hdf5-develop/hl/tools/gif2h5/gif2hdf.c:100
    #3 0x7f7124c571c0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x211c0)
    #4 0x56405fc2e7b9 in _start (/home/ethan/hdf5-develop/hdf5/bin/gif2h5+0x127b9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/ethan/hdf5-develop/hl/tools/gif2h5/decompress.c:290 in Decompress
==2954==ABORTING
```

Proof of concept

```
./gif2h5 $POC ~/output/ex_image2.h5
```

gif2h5 takes the GIF file as its first argument and the output HDF5 file as its second.


Timeline

Vendor Disclosure: 2018-09-24

Public Disclosure: 2018-09-26


Credit

Discovered by ACE Team – Loginsoft