CVE-2024-45490: Negative Length Vulnerability in libexpat before 2.6.3 Affecting XML_ParseBuffer
A critical vulnerability (CVE-2024-45490) has been discovered in the widely used XML parsing library, libexpat, affecting versions prior to 2.6.3. This vulnerability, present in the xmlparse.c file, allows an attacker to potentially execute arbitrary code or cause a denial of service (DoS) by providing a malicious XML input with a negative length value to the function XML_ParseBuffer. In this post, we will dive deeper into the technical details of the vulnerability, discuss potential attack scenarios, and provide you with necessary links to the original references and patches.
Vulnerability Details
The issue lies in the way the xmlparse.c file handles length values passed to the XML_ParseBuffer function. The library does not properly validate the input, allowing negative length values to pass unchecked. Processing an XML input with a negative length may lead to memory corruption or an out-of-bounds read, eventually enabling an attacker to execute arbitrary code or cause a denial of service (DoS).
Here's a code snippet highlighting the vulnerable part in libexpat's xmlparse.c:
// In xmlparse.c
int XML_Parse(XML_Parser parser, const char *s, int len, int isFinal) {
    /* ... */
    if (len < 0) {
        errorCode = XML_ERROR_BAD_ARGUMENTS;
        return 0;
    }
    /* ... */
}
As you can see, the function does not properly handle the case where len is a negative value. When a negative value is encountered, the function should return an error or handle the case appropriately. However, the absence of such checks within the library allows the vulnerability to be exploited.
Exploit Scenarios
An attacker can craft a malicious XML file that leverages this vulnerability. When passed to a vulnerable application using libexpat, the attacker may gain control of the execution flow, leading to arbitrary code execution or a denial of service (DoS). Exploiting this vulnerability may lead to the compromise of the affected system or application.
Mitigation and Patches
The libexpat developers have acknowledged this vulnerability and released a security patch in version 2.6.3 that effectively addresses the issue. It is highly recommended that users of the affected versions upgrade to the latest release as soon as possible. You can find the patched version here:
- Official libexpat GitHub repository: <https://github.com/libexpat/libexpat>
- libexpat 2.6.3 Release Notes: <https://github.com/libexpat/libexpat/releases/tag/R_2_6_3>
The patch adds a check for negative length values before parsing the XML input:
// In xmlparse.c (patched)
int XML_Parse(XML_Parser parser, const char *s, int len, int isFinal) {
    /* ... */
    /* Add proper check for negative len */
    if (len < 0) {
        errorCode = XML_ERROR_INVALID_ARGUMENT;
        return 0;
    }
    /* ... */
}
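A caller-side counterpart to the library check, as an added example that is not libexpat code and not from the original post: it validates a byte count before it is passed on as `len`, and compares a version triple against 2.6.3. The names `checked_parse_len` and `expat_has_fix`, the 4096-byte buffer size, and the sample values are assumptions made for illustration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Outcome of validating a byte count before it reaches a parser API that
 * takes a signed int length, as XML_ParseBuffer does. */
enum len_status { LEN_OK, LEN_NEGATIVE, LEN_TOO_LARGE, LEN_EXCEEDS_BUFFER };

/* n:   byte count from the I/O layer (read()/recv() return -1 on error)
 * cap: size requested for the parse buffer
 * out: receives the value that is safe to pass on as `len` */
enum len_status checked_parse_len(long long n, size_t cap, int *out)
{
    if (n < 0)
        return LEN_NEGATIVE;          /* the case CVE-2024-45490 is about */
    if (n > INT_MAX)
        return LEN_TOO_LARGE;         /* would truncate, possibly to < 0 */
    if ((unsigned long long)n > cap)
        return LEN_EXCEEDS_BUFFER;    /* more bytes claimed than buffered */
    *out = (int)n;
    return LEN_OK;
}

/* Returns 1 when major.minor.micro is 2.6.3 or later, the release the page
 * names as fixed. Feed it the fields reported by XML_ExpatVersionInfo(). */
int expat_has_fix(int major, int minor, int micro)
{
    if (major != 2)
        return major > 2;
    if (minor != 6)
        return minor > 6;
    return micro >= 3;
}

int main(void)
{
    /* Constructed sample values standing in for I/O return codes. */
    long long samples[] = { 512, 0, -1, (long long)INT_MAX + 1, 8192 };
    int len = 0;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("n=%lld -> status %d\n", samples[i],
               (int)checked_parse_len(samples[i], 4096, &len));
    printf("2.6.2 fixed? %d, 2.6.3 fixed? %d\n",
           expat_has_fix(2, 6, 2), expat_has_fix(2, 6, 3));
    return 0;
}
```

A version comparison is only a heuristic where a distribution backports fixes without changing the version number.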
Conclusion
In conclusion, the vulnerability CVE-2024-45490 present in libexpat before 2.6.3 is a critical issue that should be addressed immediately. Users and developers using this library must upgrade to the latest version to protect their systems and applications from potential attacks. Always keep your libraries up to date to minimize the risk of vulnerabilities and ensure optimal security.
Timeline
Published on: 08/30/2024 03:15:03 UTC
Last modified on: 09/04/2024 14:28:19 UTC