Cap'n Proto, a popular data interchange format and remote procedure call (RPC) system, has been found to contain a serious security issue in C++ versions prior to 0.7.1, 0.8.1, 0.9.2, and 0.10.3, and in its Rust implementation (the capnp crate) in versions prior to 0.13.7, 0.14.11, and 0.15.2.

The vulnerability stems from an out-of-bounds read caused by a logic error in the handling of a list-of-list. The risk to users is that an attacker who can send a malicious message might remotely trigger a segmentation fault (segfault) in the receiving process. Additionally, if the victim's application interacts with a list-of-pointer type in a specific manner, memory exfiltration could occur.

This issue was identified and discussed in the following GitHub Security Advisory: GHSA-97vv-75vj-q6h9. It is crucial for developers and users of Cap'n Proto to update their applications to patch this vulnerability promptly.

Exploit Details

In order for an application to be vulnerable, it must perform a specific sequence of actions, which is described in detail in the GitHub Security Advisory. The bug itself is present in inlined code, meaning that fixing the problem requires rebuilding any application that depends on Cap'n Proto; updating the shared library alone is not enough.

Here is an illustrative snippet of the affected read path (hypothetical schema and field names, not a payload):

// Message from an untrusted peer, parsed with the Cap'n Proto C++ API
capnp::FlatArrayMessageReader reader(untrustedWords);
auto outer = reader.getRoot<MySchema>().getItems(); // field declared as List(List(T))
for (auto inner : outer)        // in unfixed versions the inner list bounds are mis-sized,
  for (auto elem : inner)       // so this read can run past the message buffer
    use(elem);

Fixes and Recommendations

Cap'n Proto has addressed this issue and released security updates to mitigate the vulnerability. The C++ fixes are available in versions 0.7.1, 0.8.1, 0.9.2, and 0.10.3. The capnp Rust crate has also been updated, and fixes are available in versions 0.13.7, 0.14.11, and 0.15.2.

If you are using Cap'n Proto, it is highly recommended that you update to one of these fixed versions as soon as possible to avoid potential security risks associated with this issue.

For C++ users, follow these steps to update Cap'n Proto:

1. Download the latest release from the official Cap'n Proto GitHub repository (Releases page).
2. Install the updated version according to the installation guide.

For Rust users, edit the Cargo.toml file of your project to update the capnp dependency to a fixed version, for example:

[dependencies]
capnp = "0.15.2"

Again, rebuilding every application that depends on Cap'n Proto is necessary: because the affected code is inlined, the fix only takes effect in binaries compiled against the updated version.
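The fixed releases listed above are per minor series, so a plain "newer than X" comparison is not enough to tell whether a given installation is patched. The following POSIX shell script is an added example, not part of this advisory or of the Cap'n Proto project; it takes an implementation name and a version string (for instance the version printed by the capnp tool, or the capnp crate version reported by cargo) and reports whether that version is at or beyond the fix for its series. It assumes, as the advisory's "prior to" wording implies, that any release newer than the newest listed fix is patched and any release older than the oldest listed series is not.

```shell
#!/bin/sh
# Added example (not from the advisory): check a Cap'n Proto version against the fixed releases.
# Usage: capnp_is_fixed cpp 0.9.1    -> exit 1 (vulnerable)
#        capnp_is_fixed rust 0.15.2  -> exit 0 (fixed)

# Fixed versions from the advisory, one per affected minor series.
cpp_fixed="0.7.1 0.8.1 0.9.2 0.10.3"
rust_fixed="0.13.7 0.14.11 0.15.2"

# version_ge A B: return 0 if dotted numeric version A >= B, else 1.
version_ge() {
  a="$1"; b="$2"; i=1
  while [ "$i" -le 3 ]; do
    x=$(echo "$a" | cut -d. -f"$i"); y=$(echo "$b" | cut -d. -f"$i")
    x=${x:-0}; y=${y:-0}               # missing fields count as 0 (e.g. "0.9" -> 0.9.0)
    [ "$x" -gt "$y" ] && return 0
    [ "$x" -lt "$y" ] && return 1
    i=$((i + 1))
  done
  return 0
}

# capnp_is_fixed <cpp|rust> <version>
# Exit 0 when the version carries the fix, 1 when it is vulnerable, 2 on bad input.
capnp_is_fixed() {
  impl="$1"; ver="$2"
  case "$impl" in
    cpp)  list="$cpp_fixed" ;;
    rust) list="$rust_fixed" ;;
    *)    echo "unknown implementation: $impl" >&2; return 2 ;;
  esac
  minor=$(echo "$ver" | cut -d. -f1-2)
  newest=""
  for f in $list; do
    newest="$f"
    # Same minor series as a listed fix: compare against that series' fixed release.
    if [ "$(echo "$f" | cut -d. -f1-2)" = "$minor" ]; then
      version_ge "$ver" "$f"
      return $?
    fi
  done
  # Not in a listed series (assumption): newer than the newest fix is patched,
  # older than the oldest listed series is not.
  version_ge "$ver" "$newest"
}

# Stand-alone usage: capnp_check.sh cpp 0.10.2
if [ "$#" -eq 2 ]; then
  if capnp_is_fixed "$1" "$2"; then echo "$1 $2: fixed"; else echo "$1 $2: vulnerable"; fi
fi
```

A passing check only says the library version on disk is patched; per the advisory, a binary that was compiled against an older version still contains the inlined bug until it is rebuilt, so pair this check with a rebuild of every dependent application.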

Conclusion

This recently disclosed vulnerability in Cap'n Proto has serious implications for users and developers. By sending a malicious message, an attacker could remotely segfault a target process or, in the specific circumstances described in the advisory, exfiltrate memory contents. It is essential to update your applications to a fixed version of Cap'n Proto (C++) or of the capnp Rust crate, and to rebuild them, to protect against attacks exploiting this issue.

Timeline

Published on: 11/30/2022 17:15:00 UTC
Last modified on: 02/10/2023 18:49:00 UTC