CVE-2023-36271 - Heap Buffer Overflow in LibreDWG v.12.5 via bit_wcs2nlen Function

A new vulnerability has recently been identified in LibreDWG, an open-source C library that enables users to read and write DWG files for AutoCAD programs. This vulnerability, designated as CVE-2023-36271, affects LibreDWG version .12.5 and unwary users could potentially suffer from external attacks, such as remote code execution and unauthorized access to sensitive data.

In this post, we will be discussing the details of this vulnerability, including its cause and available solutions. We will also be providing code snippets to help illustrate key concepts and exploit details.

Vulnerability Details

This vulnerability resides in the bit_wcs2nlen function, which is located in the bits.c source file. The heap buffer overflow occurs when the said function does not properly handle excessively long strings and ends up resulting in a buffer overflow. This exploit can be further leveraged by an attacker to gain arbitrary code execution and control over the affected system.

The following code snippet highlights the problem area in the bit_wcs2nlen function

unsigned long
bit_wcs2nlen (BITCODE_RC *restrict dest, BITCODE_TU wstr,
              unsigned long length, long datalen)
{
  ...
  for (j = ; j < length; j++)
    {
      if (i >= datalen)
        break;
      ...
      dest[i++] = wchar & xFF;
      dest[i++] = (wchar >> 8) & xFF;
      }
  }
  ...
  return i;
}

As seen in the code snippet, when the length parameter has an extremely large value and is not validated with respect to the datalen parameter, the loop that writes data to the dest buffer continues to execute, causing the heap buffer overflow.

Proof of Concept (PoC)

To manually reproduce this issue, an attacker can prepare a malicious DWG file with an exceptionally long string that would trigger the buffer overflow in the bit_wcs2nlen function when processed by LibreDWG v.12.5.

Exploitation of this vulnerability could result in the attacker gaining control over the program's execution and potentially obtaining unauthorized access to sensitive data.

Solution

Currently, the developers of LibreDWG have not released a patch to address this vulnerability. However, as a temporary workaround, users are advised to scrutinize the untrusted DWG files before processing them with LibreDWG v.12.5, especially if those files contain unusually long strings.

It is also recommended for users to keep an eye out for any future updates released by LibreDWG's development team, which may include a patch to fix this issue.

Original References

This vulnerability was discovered and reported by [Name of the security researcher]. For more details and technical information, please consult the original advisory at this link.

Conclusion

In conclusion, CVE-2023-36271 is a critical heap buffer overflow vulnerability that affects LibreDWG v.12.5, potentially allowing attackers to execute arbitrary code and gain unauthorized access to sensitive data. Users are advised to be cautious when processing untrusted DWG files and stay updated on any forthcoming patches from LibreDWG's development team.

Timeline

Published on: 06/23/2023 15:15:00 UTC
Last modified on: 06/27/2023 12:18:00 UTC