CVE-2020-18652 is a buffer overflow vulnerability discovered in exempi 2.5. and earlier versions, affecting the WEBP_Support.cpp file. This vulnerability allows remote attackers to cause a denial of service (DoS) by opening a specially crafted webp file. This post will discuss the vulnerability in detail, provide a code snippet illustrating the issue, links to original references, and more information about the exploit.

What is exempi?

Exempi is a C++ library that makes it easy for developers to work with metadata in Adobe's Extensible Metadata Platform (XMP) format. It provides an API for reading, modifying, and writing metadata in images, documents, and other file formats. However, exempi 2.5. and earlier versions were reported to contain a security vulnerability that a remote attacker could exploit.

Buffer Overflow Vulnerability Details

The vulnerability lies in the file WEBP_Support.cpp, which handles the metadata of webp files. The issue is caused by insufficient boundary checks when parsing metadata chunks from a webp file. An attacker who controls the metadata can therefore overflow the buffer and cause a denial of service (DoS) or, in certain circumstances, execute arbitrary code on the victim's system.

Here is a simplified code snippet illustrating the buffer overflow vulnerability:

void ExempiPrivate::parseWebPChunk(WebPChunk* chunk) {
  ...
  // Sizes and the payload pointer are taken directly from the chunk header,
  // i.e. from attacker-controlled file contents.
  const uint32_t chunk_size = chunk->payload_size;
  const uint8_t* source = chunk->payload;
  uint32_t size = chunk_size;
  ...
  // Each sub-chunk is parsed and its declared total_size subtracted from the
  // remaining size; nothing verifies that total_size fits in what is left.
  while (parseChunk(chunk, size, &source)) {
    size -= chunk->total_size;
    chunk->free(chunk);
  }
  ...
}

The above code snippet shows how the function parseWebPChunk processes the webp file's metadata chunk by chunk. It copies chunk_size into the size variable and decrements size by each parsed chunk's total_size, but there is no explicit boundary check within this function to ensure that a chunk's declared size stays within the buffer's allocated memory (and, since size is unsigned, the subtraction can wrap around rather than fail). This makes a buffer overflow possible when processing a specially crafted webp file.
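The following is an added example, not exempi's own code, of how a WebP (RIFF) chunk walker can enforce the missing check: every declared chunk size is compared against the bytes actually remaining before it is consumed. The function names, the sample container and the forged size field are constructed for this illustration.

```cpp
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>

static uint32_t readLE32(const uint8_t* p) {
    return uint32_t(p[0]) | (uint32_t(p[1]) << 8) | (uint32_t(p[2]) << 16) | (uint32_t(p[3]) << 24);
}

static void writeLE32(uint8_t* p, uint32_t v) {
    p[0] = uint8_t(v); p[1] = uint8_t(v >> 8); p[2] = uint8_t(v >> 16); p[3] = uint8_t(v >> 24);
}

// Walks the RIFF chunk list of a WebP buffer. Each declared chunk size is
// checked against the remaining bytes before the chunk is consumed, which is
// the check the vulnerable loop lacks. Returns the number of chunks walked,
// or -1 if the container is malformed or any chunk would overrun the buffer.
int walkWebPChunks(const std::vector<uint8_t>& buf, std::vector<std::string>* fourccs) {
    if (buf.size() < 12 || std::memcmp(buf.data(), "RIFF", 4) != 0 ||
        std::memcmp(buf.data() + 8, "WEBP", 4) != 0)
        return -1;
    // The RIFF size field counts everything after the 8-byte RIFF header.
    uint64_t riffSize = readLE32(buf.data() + 4);
    if (riffSize < 4 || riffSize > buf.size() - 8) return -1;
    const uint8_t* p = buf.data() + 12;
    uint64_t remaining = riffSize - 4;              // bytes left after "WEBP"
    int count = 0;
    while (remaining > 0) {
        if (remaining < 8) return -1;               // no room for fourcc + size
        uint64_t payload = readLE32(p + 4);         // 64-bit so padding cannot wrap
        uint64_t padded = payload + (payload & 1);  // payloads are padded to even length
        if (padded > remaining - 8) return -1;      // declared size exceeds what is left
        if (fourccs) fourccs->emplace_back(reinterpret_cast<const char*>(p), 4);
        p += 8 + padded;
        remaining -= 8 + padded;
        ++count;
    }
    return count;
}

// Constructed sample: a minimal container holding one 3-byte "XMP " chunk
// (padded to 4 bytes). declaredSize lets a caller forge the chunk's size field.
std::vector<uint8_t> makeSample(uint32_t declaredSize) {
    std::vector<uint8_t> v = {'R','I','F','F', 0,0,0,0, 'W','E','B','P',
                              'X','M','P',' ', 0,0,0,0, 'a','b','c', 0};
    writeLE32(&v[4], uint32_t(v.size() - 8));
    writeLE32(&v[16], declaredSize);
    return v;
}
```

With the honest size (3) the walker returns 1 chunk; with a forged size such as 0xFFFFFFFF it returns -1 instead of reading past the buffer.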

Exploit Details

An attacker could exploit this vulnerability by sending a specially crafted webp file to a victim. The file would carry manipulated metadata whose declared payload size causes a buffer overflow when it is parsed by parseWebPChunk(). The attacker could then potentially gain control over the victim's system or cause a denial of service.

References and Patch

1. The official CVE entry for this vulnerability: CVE-2020-18652
2. The National Vulnerability Database (NVD) entry, which also discusses the vulnerability: NVD - CVE-2020-18652
3. The patch for this vulnerability is available in exempi 2.5.1 and later versions. Details can be found in the official exempi repository.

In conclusion, CVE-2020-18652 is a critical vulnerability that could allow remote attackers to cause a denial of service or potentially arbitrary code execution by manipulating metadata in a webp file. It is essential to ensure that your software is updated to the latest version of exempi to protect against this vulnerability.

Timeline

Published on: 08/22/2023 19:15:00 UTC
Last modified on: 09/26/2023 01:15:00 UTC