CVE-2023-44398: Exiv2 v.28. Out-of-Bounds Write Vulnerability in BmffImage::brotliUncompress Function

Exiv2 is a widely used C++ library and command-line utility for managing Exif, IPTC, XMP and ICC image metadata. An out-of-bounds write vulnerability was discovered in Exiv2 version v.28., which could potentially lead to code execution. The vulnerability is located in the BmffImage::brotliUncompress function, introduced in v.28.; therefore, earlier versions of Exiv2 are not affected by this issue. The vulnerability is triggered when the library is used to read the metadata of a maliciously crafted image file. To protect against this vulnerability, users are advised to upgrade to Exiv2 v.28.1 as soon as possible. This post will describe the details of the vulnerability, including code snippets and links to original references.

Vulnerability Details

The BmffImage::brotliUncompress function in Exiv2 v.28. contains an out-of-bounds write vulnerability. The issue occurs when the function attempts to uncompress the metadata of a crafted image file, leading to a buffer overflow. The following is a code snippet from the vulnerable function:

int BmffImage::brotliUncompress(const DataBuf& data, DataBuf& out)
{
    uint32_t uncompSize = getU32(data.pData, bigEndian);
    uint8_t* compressed = data.pData + 4;
    uint32_t compSize = data.size_ - 4;
    out.alloc(uncompSize); // allocate memory for uncompressed data

    // ... (Brotli library calls to uncompress the data)

    return ;
}

An attacker can exploit this vulnerability by crafting an image file with malicious metadata that triggers the out-of-bounds write when processed with Exiv2. This could potentially lead to code execution, if the attacker can trick the user into running Exiv2 on the crafted image file.

The security advisory detailing this vulnerability can be found at the Exiv2 GitHub repository

- Exiv2 Security Advisory

Additionally, the following resources provide further information on this issue

- CVE-2023-44398 NVD Entry
- Exiv2 v.28.1 Release Notes

Exploit Details

While no known exploits are publicly available at the time of this writing, the exploitation of this vulnerability would require the attacker to craft a malicious image file and convince a user to process the file with Exiv2. The attacker could potentially use social engineering techniques, such as disguising the crafted image as a legitimate file from a trusted source, to trick the victim into executing the malicious payload.

Mitigation

Users of Exiv2 version v.28. are strongly encouraged to upgrade to the patched version v.28.1. The latest version addresses the out-of-bounds write vulnerability in the BmffImage::brotliUncompress function. There are no known workarounds for this vulnerability.

In conclusion, CVE-2023-44398 is a critical out-of-bounds write vulnerability affecting Exiv2 v.28.. Users are advised to upgrade to the patched version v.28.1 to mitigate this issue. Keeping software updated and being cautious with the files that are processed using Exiv2 can help minimize the risk of exploitation.

Timeline

Published on: 11/06/2023 18:15:08 UTC
Last modified on: 11/14/2023 17:10:42 UTC