CVE-2019-9904: Stack buffer overflow in function agclose() – graphviz


16 March, 2019

CVE Number

CVE-2019-9904

CWE

CWE-121: Stack-based Buffer Overflow

Product Details

Graphviz is open source graph visualization software. It has several main layout programs. See the gallery for sample layouts. It also has web and interactive graphical interfaces, and auxiliary tools, libraries, and language bindings. We’re not able to put a lot of work into GUI editors but there are quite a few external projects and even commercial tools that incorporate Graphviz.
URL: https://gitlab.com/graphviz/graphviz

Vulnerability Details

During our research we discovered a stack buffer overflow in agclose(), located in graph.c and reachable from the bcomps binary. It can be triggered by passing a crafted input file to the bcomps binary. It allows an attacker to cause a denial of service (segmentation fault) or possibly have unspecified other impact.

SYNOPSIS

We observed that main() calls agclose(g), defined in graph.c, which closes a graph or subgraph and frees its storage.
In agclose(), control reaches a for loop that calls agclose() recursively on each subgraph; with deeply nested subgraphs this unbounded recursion causes stack exhaustion.

Vulnerable source code

for (subg = agfstsubg(g); subg; subg = next_subg) {
    next_subg = agnxtsubg(subg);
    agclose(subg);
}

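To show why the recursion above is the problem and how a non-recursive teardown avoids it, here is an added example that is not part of the advisory or of the Graphviz code base. It uses a toy Graph struct with first_subg/next_subg pointers as an assumed stand-in for the cgraph subgraph list (agfstsubg()/agnxtsubg()), reproduces the recursive close pattern from the page, and places beside it an iterative version driven by a heap-allocated worklist, so that nesting depth costs heap memory rather than native stack:

```c
#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>

/* Toy stand-in (assumption, not cgraph's real Agraph_t): each graph owns a
 * singly linked list of subgraphs, mirroring agfstsubg()/agnxtsubg(). */
typedef struct Graph {
    struct Graph *first_subg;
    struct Graph *next_subg;
} Graph;

/* Build a chain of `depth` nested subgraphs (constructed test input:
 * every graph has exactly one child, so nesting depth == `depth`). */
Graph *build_nested(size_t depth) {
    Graph *root = calloc(1, sizeof *root);
    Graph *cur = root;
    for (size_t i = 0; i < depth && cur; i++) {
        Graph *child = calloc(1, sizeof *child);
        cur->first_subg = child;
        cur = child;
    }
    return root;
}

/* The recursive pattern from the advisory: each nesting level adds a native
 * stack frame, so a deeply nested input exhausts the stack. Returns the
 * number of graphs freed. */
size_t close_recursive(Graph *g) {
    size_t freed = 0;
    Graph *subg, *next_subg;
    for (subg = g->first_subg; subg; subg = next_subg) {
        next_subg = subg->next_subg;
        freed += close_recursive(subg);
    }
    free(g);
    return freed + 1;
}

/* Iterative equivalent: an explicit worklist replaces recursion, so the
 * native stack depth stays constant regardless of nesting. Children of a
 * graph are pushed before the graph itself is freed. */
size_t close_iterative(Graph *root) {
    size_t cap = 64, top = 0, freed = 0;
    Graph **work = malloc(cap * sizeof *work);
    if (!work) return 0;
    work[top++] = root;
    while (top) {
        Graph *g = work[--top];
        for (Graph *subg = g->first_subg; subg; subg = subg->next_subg) {
            if (top == cap) {
                Graph **bigger = realloc(work, 2 * cap * sizeof *work);
                if (!bigger) { free(work); return freed; } /* leak on OOM, but no crash */
                work = bigger;
                cap *= 2;
            }
            work[top++] = subg;
        }
        free(g);
        freed++;
    }
    free(work);
    return freed;
}

int main(void) {
    /* Depth chosen to be far beyond what a default 1 MB Windows stack
     * survives with the recursive version; the iterative one is unaffected. */
    size_t freed = close_iterative(build_nested(1000000));
    printf("iterative close freed %zu graphs\n", freed);
    return 0;
}
```

The iterative version is the shape a fix would take in any tree-shaped teardown: the only per-level cost is one pointer in a resizable buffer, so a crafted input can at most make the process allocate proportionally more heap, which fails gracefully, instead of faulting on a guard page.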
Analysis

Debug:
WinDbg:

 0:000> kb 
# ChildEBP RetAddr  Args to Child               
00 00c0316c 69e24c98 0125c1e0 00000000 00000080 cdt!dttree+0x9 [graphviz\lib\cdt\dttree.c @ 12]  
01 00c0324c 69e19d8d 0125be58 00c034bc 00cffbb8 cgraph!agfstsubg+0x38 [graphviz\lib\cgraph\subg.c @ 74]  
02 00c03384 69e19db9 0125be58 00c035f4 00cffbb8 cgraph!agclose+0x9d [graphviz\lib\cgraph\graph.c @ 107]  
03 00c034bc 69e19db9 0125b680 00c0372c 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109]  
04 00c035f4 69e19db9 0125aea8 00c03864 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109]  
05 00c0372c 69e19db9 0125a6d0 00c0399c 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109]  
06 00c03864 69e19db9 01259ef8 00c03ad4 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109]  
07 00c0399c 69e19db9 01259720 00c03c0c 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109]  
08 00c03ad4 69e19db9 01258f48 00c03d44 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109]  
09 00c03c0c 69e19db9 01258770 00c03e7c 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109]  
0a 00c03d44 69e19db9 01257f98 00c03fb4 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109]  
0b 00c03e7c 69e19db9 012577c0 00c040ec 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109]  
0c 00c03fb4 69e19db9 01256fe8 00c04224 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109]  
0d 00c040ec 69e19db9 01256810 00c0435c 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109]  
0e 00c04224 69e19db9 01256038 00c04494 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109]  
0f 00c0435c 69e19db9 01255860 00c045cc 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109]  
10 00c04494 69e19db9 01255088 00c04704 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109]  
11 00c045cc 69e19db9 012548b0 00c0483c 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109]  
12 00c04704 69e19db9 012540d8 00c04974 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109]  
13 00c0483c 69e19db9 01253900 00c04aac 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109]  
14 00c04974 69e19db9 01253128 00c04be4 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109]  
15 00c04aac 69e19db9 01252950 00c04d1c 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109]  
16 00c04be4 69e19db9 01252178 00c04e54 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109]  
17 00c04d1c 69e19db9 012519a0 00c04f8c 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109]  
18 00c04e54 69e19db9 012511c8 00c050c4 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109]  
19 00c04f8c 69e19db9 012509e8 00c051fc 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109]  
1a 00c050c4 69e19db9 01250210 00c05334 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109]  
1b 00c051fc 69e19db9 0124fa38 00c0546c 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109]  
1c 00c05334 69e19db9 0124f260 00c055a4 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109]  
1d 00c0546c 69e19db9 0124ea88 00c056dc 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109]  
1e 00c055a4 69e19db9 0124e2b0 00c05814 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109]  
1f 00c056dc 69e19db9 0124dad8 00c0594c 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109]  
20 00c05814 69e19db9 0124d300 00c05a84 00cffbb8 cgraph!agclose+0xc9 [graphviz\lib\cgraph\graph.c @ 109]  
0:000> u 
cdt!dttree+0x9 [graphviz\lib\cdt\dttree.c @ 12]: 
69df5589 53              push    ebx 
69df558a 56              push    esi 
69df558b 57              push    edi 
69df558c 8dbde4fdffff    lea     edi,[ebp-21Ch] 
69df5592 b987000000      mov     ecx,87h 
69df5597 b8cccccccc      mov     eax,0CCCCCCCCh 
69df559c f3ab            rep stos dword ptr es:[edi] 
69df559e a1a0f0df69      mov     eax,dword ptr [cdt!__security_cookie (69dff0a0)] 
0:000> .exr -1 
ExceptionAddress: 69df5589 (cdt!dttree+0x00000009) 
   ExceptionCode: c00000fd (Stack overflow) 
  ExceptionFlags: 00000000 
NumberParameters: 2 
   Parameter[0]: 00000001 
   Parameter[1]: 00c02f4c 
FAULTING_SOURCE_FILE:  graphviz\cmd\tools\bcomps.c 
FAILURE_SYMBOL_NAME:  bcomps.exe!main 
FAILURE_BUCKET_ID:  STACK_OVERFLOW_c00000fd_bcomps.exe!main 
0:000> g 
(834.1350): Stack overflow - code c00000fd (!!! second chance !!!) 
Registers: 
eax=0125c1e0 ebx=00a69000 ecx=69df5580 edx=0125be58 esi=00c03180 edi=00c0324c 
eip=69df5589 esp=00c02f50 ebp=00c0316c iopl=0         nv up ei pl nz na pe nc 
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206 
cdt!dttree+0x9: 
69df5589 53              push    ebx 

Proof of Concept

bcomps.exe -s -t -v -x -o test.ps $POC

Tested Environment: Windows 7/10 (32-bit)
Vendor Disclosure: 2019-03-16
Public Disclosure: 2019-03-21

Credit

Discovered by ACE Team – Loginsoft