CVE-2022-43656 - Bentley View FBX File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability: Exploit Details, Code Snippets, and References

A new vulnerability, identified as CVE-2022-43656, has been discovered that affects Bentley View, a popular software used for viewing and analyzing construction, architecture, and engineering models. This vulnerability allows remote attackers to disclose sensitive information from affected installations of Bentley View, provided that the target user visits a malicious page or opens a malicious file.

Exploit Details

The core issue lies in how Bentley View parses FBX files, a file format widely used in the 3D computer graphics industry. Carefully crafted data within an FBX file can cause an out-of-bounds read past the end of an allocated buffer. Malicious parties can exploit this vulnerability in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process.

This vulnerability was assigned a unique identifier, ZDI-CAN-18492, before being assigned the CVE-2022-43656 code.
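
The bug class described above, a parser trusting a length stored in the file, is shown here next to a bounds-checked form. This is an added example, not code from Bentley View or from the advisory. The 13-byte node-record header follows the publicly documented FBX binary layout for pre-7500 files, which is an assumption here because the page does not say which field is mishandled; the function names and the sample record are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { NODE_HDR = 13 }; /* assumed: end_offset, num_props, prop_len (u32 LE) + name_len (u8) */

static uint32_t rd_u32(const uint8_t *p) { /* alignment-safe little-endian read */
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Unchecked pattern: name_len comes from the file and is trusted, so a
   truncated record makes memcpy read past the end of buf. */
void read_node_name_unchecked(const uint8_t *buf, size_t off, char *name) {
    uint8_t name_len = buf[off + 12];
    memcpy(name, buf + off + NODE_HDR, name_len);
    name[name_len] = '\0';
}

/* Hardened form: every file-supplied length is checked against the bytes
   that remain. Returns 0 on success, -1 on a malformed record. */
int read_node_name(const uint8_t *buf, size_t size, size_t off, char *name, size_t cap) {
    if (off > size || size - off < NODE_HDR) return -1;      /* header must fit */
    uint32_t end_offset = rd_u32(buf + off);
    uint32_t prop_len = rd_u32(buf + off + 8);
    uint8_t name_len = buf[off + 12];
    size_t body = off + NODE_HDR;
    if (name_len > size - body) return -1;                   /* name must fit */
    if (prop_len > size - body - name_len) return -1;        /* properties must fit */
    if (end_offset > size || end_offset < body + name_len + prop_len) return -1;
    if ((size_t)name_len + 1 > cap) return -1;               /* caller's buffer must fit */
    memcpy(name, buf + body, name_len);
    name[name_len] = '\0';
    return 0;
}

/* Constructed sample: one record named "Mesh" with no properties (17 bytes). */
static const uint8_t SAMPLE[] = { 17,0,0,0, 0,0,0,0, 0,0,0,0, 4, 'M','e','s','h' };

int main(void) {
    char name[256];
    int ok = read_node_name(SAMPLE, sizeof SAMPLE, 0, name, sizeof name);
    printf("complete record:  %d (%s)\n", ok, ok == 0 ? name : "-");
    /* Same bytes cut to 15: name_len says 4, only 2 bytes remain. */
    printf("truncated record: %d\n", read_node_name(SAMPLE, 15, 0, name, sizeof name));
    return 0;
}
```

The unchecked function is included only for comparison and is never called; building a parser like this with AddressSanitizer and feeding it truncated files is a quick way to surface the same class of read in other code.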

Code Snippet

The following code snippet shows how an attacker could write crafted data to an FBX file to trigger the out-of-bounds read vulnerability:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main() {
    FILE* f = fopen("poc.fbx", "wb");
    if (!f) {
        printf("Could not create the file.\n");
        return 1;
    }

    // Crafting malicious FBX data. The bytes below are the ASCII text
    // "; FBX(malicious_data) v230 ...".
    char malicious_fbx_data[] = "\x3b\x20\x46\x42\x58\x28\x6d\x61\x6c\x69\x63\x69\x6f\x75\x73\x5f\x64\x61\x74\x61\x29\x20\x76\x32\x33\x30\x20\x2e\x2e\x2e";

    fwrite(malicious_fbx_data, 1, sizeof(malicious_fbx_data) - 1, f);
    fclose(f);

    printf("Malicious FBX file created successfully.\n");
    return 0;
}

When Bentley View opens the crafted FBX file, it would trigger the out-of-bounds read vulnerability, thereby potentially disclosing sensitive information.

Original References

The original disclosure of this vulnerability can be found at the Zero Day Initiative (ZDI) website, under the identifier ZDI-CAN-18492:

- Zero Day Initiative - ZDI-CAN-18492

A detailed analysis of this vulnerability can be found at the following resources:

- CVE-2022-43656 - Official CVE Details
- National Vulnerability Database - CVE-2022-43656

Recommendation

Bentley Systems, the developer of Bentley View, has not yet released a security patch to address this vulnerability. It is crucial for users of this software to monitor the official Bentley website and apply any security updates as soon as they become available.

In the meantime, users should exercise caution when opening FBX files from unknown or untrusted sources, as they might contain maliciously crafted data that could trigger the out-of-bounds read, leading to information disclosure. Additionally, it is advisable to utilize reputable security software solutions to protect against potential threats.

Timeline

Published on: 05/07/2024 23:15:15 UTC
Last modified on: 05/08/2024 13:15:00 UTC