A new vulnerability (CVE-2024-42328) has been discovered in a popular Browser's webdriver, which may lead to a crash in the application when it attempts to download an empty document from an HTTP server. The vulnerability stems from improper handling of a data pointer in the source code, which results in a null pointer dereference and consequently a crash. In this post, we will discuss the details of this vulnerability, examine the code snippet that causes the crash, and explore potential exploit scenarios. We will also provide links to the original references and patches that fix the issue.

Background

The browser's webdriver contains a utility that is responsible for downloading data from HTTP servers. To manage this process, the webdriver uses a data pointer, which is initialized to NULL. The data pointer is allocated and initialized only inside curl_write_cb, and only when that callback receives data of non-zero size. If the server response is an empty document, the callback is never given any data, the pointer remains NULL, and the subsequent attempt to read from it results in a crash.

The problematic code snippet responsible for the crash is shown below:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <curl/curl.h>

struct webdriver_data {
  char* data;   /* NULL until the first non-empty chunk arrives */
  size_t size;  /* bytes stored so far, not counting the terminator */
};

size_t curl_write_cb(char* ptr, size_t count, size_t size, void* userdata) {
  size_t realsize = count * size;
  struct webdriver_data* wd = (struct webdriver_data*)userdata;

  if (wd->data == NULL) {
    /* first chunk: allocate room for the data plus a NUL terminator */
    wd->data = malloc(realsize + 1);
    if (wd->data == NULL) {
      perror("malloc");
      return 0; /* returning fewer bytes than realsize makes libcurl abort the transfer */
    }
  } else {
    /* later chunks: grow the buffer so the copy below stays in bounds */
    char* grown = realloc(wd->data, wd->size + realsize + 1);
    if (grown == NULL) {
      perror("realloc");
      return 0;
    }
    wd->data = grown;
  }

  memcpy(&(wd->data[wd->size]), ptr, realsize);
  wd->size += realsize;
  wd->data[wd->size] = '\0';

  return realsize;
}

int main() {
  ...
  struct webdriver_data wd;
  wd.data = NULL;  /* stays NULL if the server returns an empty document */
  wd.size = 0;
  curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, curl_write_cb);
  curl_easy_setopt(curl, CURLOPT_WRITEDATA, &wd);
  ...
}

Exploit Details

An attacker can exploit this vulnerability by creating a malicious HTTP server that serves empty documents to the vulnerable browser's webdriver. When the webdriver attempts to download data from the server, it will crash due to the NULL pointer dereference, potentially causing a Denial-of-Service (DoS) attack. Additionally, the entire browser process may be affected as a result, causing further disruption for the end user.

Original References

1. CVE-2024-42328 Vulnerability Details
2. Original Bug Report
3. Vendor Patch and Discussion

Fixing the Issue

To fix this vulnerability, the code should be updated to handle the case where no data is received from the server and the data pointer therefore remains NULL. This can be done by checking wd->data immediately before any attempt to read through it. Here's an example patch that fixes the problem:

size_t curl_write_cb(char* ptr, size_t count, size_t size, void* userdata) {
  size_t realsize = count * size;
  struct webdriver_data* wd = (struct webdriver_data*)userdata;

  if (wd->data == NULL) {
    wd->data = malloc(realsize + 1);
    if (wd->data == NULL) {
      perror("malloc");
      return 0;
    }
  } else {
    /* grow the buffer for later chunks so the copy stays in bounds */
    char* grown = realloc(wd->data, wd->size + realsize + 1);
    if (grown == NULL) {
      perror("realloc");
      return 0;
    }
    wd->data = grown;
  }

  /* only read or write the buffer through a non-NULL pointer */
  if (wd->data) {
    memcpy(&(wd->data[wd->size]), ptr, realsize);
    wd->size += realsize;
    wd->data[wd->size] = '\0';
  }

  return realsize;
}
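The following is an added, stand-alone example (not the page's or the vendor's code) that reproduces the empty-document condition from the Background section and the guarded read the fix calls for, without needing libcurl. deliver_body() is a constructed stand-in for libcurl that, like libcurl, never invokes the write callback for a zero-length body, so the data pointer is never set; body_length_unchecked() is the read that crashes in that case, and body_length_checked() and body_is_readable() are the NULL-aware replacements. The callback grows its buffer with realloc so that bodies delivered in several chunks are also handled; all sample bodies are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same shape as the page's webdriver_data: data is NULL until the first
 * non-empty chunk arrives. */
struct webdriver_data {
  char* data;
  size_t size;
};

/* Write callback with the CURLOPT_WRITEFUNCTION contract: returns the
 * number of bytes consumed, or 0 so the transfer is aborted on failure. */
size_t curl_write_cb(char* ptr, size_t count, size_t size, void* userdata) {
  size_t realsize = count * size;
  struct webdriver_data* wd = (struct webdriver_data*)userdata;
  /* realloc(NULL, n) behaves like malloc(n), so the first chunk is covered too */
  char* grown = realloc(wd->data, wd->size + realsize + 1);
  if (grown == NULL) {
    perror("realloc");
    return 0;
  }
  wd->data = grown;
  memcpy(wd->data + wd->size, ptr, realsize);
  wd->size += realsize;
  wd->data[wd->size] = '\0';
  return realsize;
}

/* Constructed stand-in for libcurl (assumption for this example): delivers
 * the body in chunks of at most `chunk` bytes and, like libcurl, never calls
 * the callback for a zero-length body. Returns the number of callback
 * invocations, or -1 if the callback refused data. */
int deliver_body(const char* body, size_t body_len, size_t chunk,
                 struct webdriver_data* wd) {
  int calls = 0;
  size_t off = 0;
  while (off < body_len) {
    size_t n = body_len - off < chunk ? body_len - off : chunk;
    if (curl_write_cb((char*)body + off, 1, n, wd) != n) return -1;
    off += n;
    calls++;
  }
  return calls;
}

/* Vulnerable consumer: dereferences wd->data unconditionally. After an empty
 * document wd->data is still NULL, and this is where the crash happens. */
size_t body_length_unchecked(const struct webdriver_data* wd) {
  return strlen(wd->data);
}

/* Hardened consumer: "no chunk ever arrived" is an empty document, not a crash. */
size_t body_length_checked(const struct webdriver_data* wd) {
  return wd->data == NULL ? 0 : strlen(wd->data);
}

/* 1 if the buffer may be read, 0 if the pointer was never set. */
int body_is_readable(const struct webdriver_data* wd) {
  return wd->data != NULL;
}

void webdriver_data_free(struct webdriver_data* wd) {
  free(wd->data);
  wd->data = NULL;
  wd->size = 0;
}

int main(void) {
  struct webdriver_data wd = { NULL, 0 };

  /* Constructed sample: a 9-byte body delivered in 4-byte chunks (3 calls). */
  int calls = deliver_body("<html/>\r\n", 9, 4, &wd);
  printf("non-empty body: %d chunks, %zu bytes\n", calls, body_length_checked(&wd));
  webdriver_data_free(&wd);

  /* Constructed sample: an empty document, so the callback is never invoked. */
  calls = deliver_body("", 0, 4, &wd);
  printf("empty body: %d chunks, readable=%d, checked length=%zu\n",
         calls, body_is_readable(&wd), body_length_checked(&wd));
  /* body_length_unchecked(&wd) would dereference NULL at this point. */
  webdriver_data_free(&wd);
  return 0;
}
```

Compile with a plain `cc` invocation; no libcurl is required. The guard belongs wherever the downloaded document is consumed, since a callback that is never called cannot initialize the pointer for the code that reads it.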

Users are encouraged to apply patches for this vulnerability as soon as possible, and always keep their software up-to-date.

Conclusion

CVE-2024-42328 highlights the importance of proper pointer management and thorough testing of the potential edge cases in code development. By gaining a deeper understanding of the issue and applying the necessary fixes, developers and users can mitigate the risks associated with this vulnerability and ensure a safer browsing experience.

Timeline

Published on: 11/27/2024 12:15:20 UTC