CVE-2022-44318 PicoC Version 3.2.2 had a buffer overflow in cstdlib/string.c when called from ExpressionParseFunctionCall.

An attacker could exploit this vulnerability by constructing a malicious expression that would cause PicoC to execute a specially crafted string. PicoC is distributed with the following default expressions: 1) expr.expr2() 2) DescriptiveString.desc3() 3) Calculate.Calc(expr) 4) expr2.expr2() 5) DescriptiveString.desc6() 6) Calculate.Calc(expr2) 7) DescriptiveString.desc7() 8) Calculate.Calc(desc) 9) DescriptiveString.desc9() 10) DescriptiveString.desc10() 11) DescriptiveString.desc11() 12) DescriptiveString.desc12() 13) DescriptiveString.desc13() 14) DescriptiveString.desc14() 15) DescriptiveString.desc15() 16) DescriptiveString.desc16() 17) DescriptiveString.desc17() 18) DescriptiveString.desc18() 19) DescriptiveString.desc19() 20) DescriptiveString.desc20() 21) DescriptiveString.desc21() 22) DescriptiveString.desc22() 23) DescriptiveString.desc23() 24) DescriptiveString.desc24() 25) DescriptiveString.desc25() 26) DescriptiveString.desc26() 27) DescriptiveString.desc27

Vulnerability details

This vulnerability could be exploited remotely.

Solution

To fix this vulnerability, the "expr" content type should be restricted to only allow expressions that do not contain any of the above expressions.

Vulnerability Symptoms and Signs

The vulnerability could potentially allow an attacker to execute code on the device and cause arbitrary memory corruption.
The following are common indicators of the vulnerability: 1) A program crashes or closes unexpectedly 2) The application hangs or becomes unresponsive 3) The application does not respond when expected 4) The device does not boot properly 5) Malicious data is sent to the host 6) Malicious data is received from the host 7) System Integrity Protection is disabled

Vulnerability Mitigation

An attacker could exploit this vulnerability by constructing a malicious expression that would cause PicoC to execute a specially crafted string. The following expressions are vulnerable: 1) expr.expr2() 2) DescriptiveString.desc3() 3) Calculate.Calc(expr) 4) expr2.expr2() 5) DescriptiveString.desc6() 6) Calculate.Calc(expr2) 7) DescriptiveString.desc7() 8) Calculate.Calc(desc) 9) DescriptiveString.desc9() 10) DescriptiveString.desc10() 11-27
PicoC is distributed with the following default expressions: 1-27

Timeline

Published on: 11/08/2022 15:15:00 UTC
Last modified on: 11/08/2022 21:56:00 UTC

References