In this post we look at a vulnerability in libexpat, the widely used C library for parsing XML. It has been assigned the identifier CVE-2024-50602 and affects libexpat versions before 2.6.4. The problem is a crash inside the XML_ResumeParser function: XML_StopParser could stop or suspend a parser that had not yet started parsing, and resuming such a parser crashes the process.

Background

libexpat is a fast, streaming XML parser library that is written in C and is used by numerous open-source and proprietary applications. It comes with a simple-to-use programming interface and provides event-based parsing, which allows applications to process XML data efficiently and with minimal resource usage.

The vulnerability was reported to the libexpat project, which acknowledged it and shipped a fix in libexpat 2.6.4. The fix makes XML_StopParser reject an unstarted parser and adds a new error code, XML_ERROR_NOT_STARTED, to report that situation. The original references are:

- libexpat changelog
- libexpat commit fixing the issue

Exploit details

The crash is reached through XML_ResumeParser, which resumes a parser that was suspended by XML_StopParser. Before 2.6.4, XML_StopParser only refused to act on a parser that was already suspended or already finished; a freshly created parser, which has never been given any data through XML_Parse or XML_ParseBuffer, was accepted and marked suspended exactly like a running one. XML_ResumeParser then continues parsing from buffer state that only the first parse call sets up, and the process crashes.

Here is a minimal program that triggers the issue when built against a vulnerable libexpat (cc demo.c -lexpat). Note that it is the call sequence from the CVE description, not attacker-controlled input:

#include <stdio.h>
#include "expat.h"

int main(void) {
    XML_Parser parser = XML_ParserCreate(NULL);
    if (parser == NULL)
        return 1;

    /* No XML_Parse / XML_ParseBuffer call has been made, so the parser is still in
       its initial state. Before 2.6.4 this call nevertheless succeeds and marks the
       parser as suspended; 2.6.4+ returns XML_STATUS_ERROR (XML_ERROR_NOT_STARTED). */
    XML_StopParser(parser, XML_TRUE);

    /* Resuming a parser that never started runs it on state the first parse call
       would have set up: crash on vulnerable versions, XML_STATUS_ERROR on 2.6.4+. */
    XML_ResumeParser(parser);

    XML_ParserFree(parser);
    return 0;
}

In this example a parser is created and XML_StopParser is called with resumable set to XML_TRUE before any XML has been fed to it. On a vulnerable version the call succeeds and leaves the parser marked as suspended; the following XML_ResumeParser call then runs the parser on state that was never initialised and crashes. On 2.6.4 and later, XML_StopParser returns XML_STATUS_ERROR with XML_GetErrorCode(parser) == XML_ERROR_NOT_STARTED, and XML_ResumeParser returns XML_STATUS_ERROR with XML_ERROR_NOT_SUSPENDED because the parser was never suspended.
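The same sequence as a runnable model, added for this page and not taken from libexpat: it reimplements only the parsing-status bookkeeping (initialized, parsing, suspended, finished) that XML_StopParser and XML_ResumeParser check, using model_ and scenario_ names invented here, a stand-in byte handler in place of expat's callbacks, and plain bytes instead of XML. The stop function appears twice: in the pre-2.6.4 shape, where the default arm also accepts a parser in its initial state, and in the 2.6.4 shape, which rejects that state with the equivalent of XML_ERROR_NOT_STARTED. Where the real library would run on the never-initialised buffer and crash, the model records a sentinel error instead, so the vulnerable and fixed paths can be compared side by side with a legitimate suspend and resume.

```c
/* Added example for this page, not libexpat's code: a model of the parsing-status check
 * behind XML_StopParser / XML_ResumeParser, written from the public API semantics in
 * expat.h. The model_/scenario_ names are invented; the real state is opaque to callers. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum parsing { P_INITIALIZED, P_PARSING, P_FINISHED, P_SUSPENDED }; /* cf. XML_Parsing */
enum status  { STATUS_ERROR, STATUS_OK, STATUS_SUSPENDED };          /* cf. XML_Status */
enum error   { ERR_NONE, ERR_NOT_SUSPENDED, ERR_SUSPENDED, ERR_FINISHED,
               ERR_NOT_STARTED,        /* cf. XML_ERROR_NOT_STARTED, added in 2.6.4 */
               ERR_MODEL_NULL_DEREF }; /* model only: where the real library crashes */

typedef struct model_parser model_parser;
typedef void (*byte_handler)(model_parser *p, char c); /* stands in for an expat handler */
struct model_parser {
    enum parsing parsing;
    enum error   error_code;
    const char  *buffer_ptr, *parse_end_ptr; /* NULL until the first parse call */
    byte_handler handler;
    int          handled;                    /* bytes delivered to the handler so far */
};

static void model_create(model_parser *p, byte_handler h) {
    memset(p, 0, sizeof *p); /* parsing = P_INITIALIZED, both buffer pointers NULL */
    p->handler = h;
}

/* The processor: feeds each buffered byte to the handler, which may stop the parser. An
 * unstarted parser has no buffer; the real library crashes there, the model records it. */
static enum status model_run(model_parser *p) {
    if (p->buffer_ptr == NULL) { p->error_code = ERR_MODEL_NULL_DEREF; return STATUS_ERROR; }
    while (p->buffer_ptr < p->parse_end_ptr) {
        char c = *p->buffer_ptr++;
        p->handled++;
        if (p->handler) p->handler(p, c);
        if (p->parsing == P_SUSPENDED) return STATUS_SUSPENDED;
        if (p->parsing == P_FINISHED)  return STATUS_OK;
    }
    return STATUS_OK;
}

/* XML_Parse-like entry point: installs the buffer and moves INITIALIZED -> PARSING. */
static enum status model_parse(model_parser *p, const char *buf, size_t len) {
    p->buffer_ptr = buf; p->parse_end_ptr = buf + len; p->parsing = P_PARSING;
    return model_run(p);
}

/* Pre-2.6.4 shape of the check: the default arm covers PARSING *and* INITIALIZED, so a
 * parser that never received any data can be marked suspended. */
static enum status model_stop_vulnerable(model_parser *p, int resumable) {
    switch (p->parsing) {
    case P_SUSPENDED:
        if (resumable) { p->error_code = ERR_SUSPENDED; return STATUS_ERROR; }
        p->parsing = P_FINISHED; break;
    case P_FINISHED:
        p->error_code = ERR_FINISHED; return STATUS_ERROR;
    default: /* meant for PARSING, but a fresh parser lands here too */
        p->parsing = resumable ? P_SUSPENDED : P_FINISHED; break;
    }
    return STATUS_OK;
}

/* 2.6.4 shape: the initial state gets its own arm and is rejected up front. */
static enum status model_stop_fixed(model_parser *p, int resumable) {
    if (p->parsing == P_INITIALIZED) { p->error_code = ERR_NOT_STARTED; return STATUS_ERROR; }
    return model_stop_vulnerable(p, resumable); /* the remaining arms are unchanged */
}

/* XML_ResumeParser-like: only a suspended parser may resume; then the processor runs. */
static enum status model_resume(model_parser *p) {
    if (p->parsing != P_SUSPENDED) { p->error_code = ERR_NOT_SUSPENDED; return STATUS_ERROR; }
    p->parsing = P_PARSING;
    return model_run(p);
}

/* The CVE sequence: stop, then resume, on a parser that never parsed. Returns its error. */
static enum error scenario_unstarted(int use_fix) {
    model_parser p;
    model_create(&p, NULL);
    if ((use_fix ? model_stop_fixed(&p, 1) : model_stop_vulnerable(&p, 1)) == STATUS_ERROR)
        return p.error_code; /* fixed: ERR_NOT_STARTED, and there is nothing to resume */
    model_resume(&p);        /* vulnerable: the processor runs on the NULL buffer */
    return p.error_code;
}

/* Legitimate use for comparison: a handler suspends at '|', the caller resumes. Returns
 * the number of bytes handled, or a negative code on an unexpected status. */
static void stop_at_bar(model_parser *p, char c) { if (c == '|') model_stop_fixed(p, 1); }
static int scenario_suspend_resume(void) {
    model_parser p;
    model_create(&p, stop_at_bar);
    if (model_parse(&p, "ab|cd", 5) != STATUS_SUSPENDED) return -1; /* constructed input */
    if (model_resume(&p) != STATUS_OK) return -2;
    return p.handled;
}

int main(void) { /* prints "5 4 5" */
    printf("%d %d %d\n", scenario_unstarted(0), scenario_unstarted(1), scenario_suspend_resume());
    return 0;
}
```

Build with cc model.c (no expat needed) and run it. The three numbers are the model's NULL-dereference sentinel on the vulnerable path, ERR_NOT_STARTED on the fixed path, and the five bytes that all reach the handler once a legitimately suspended parser is resumed; the point of the comparison is that the only difference between the crashing and the rejected case is the single extra arm for the initial state.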

Note what it takes to reach this crash: the application itself has to call XML_StopParser before its first XML_Parse or XML_ParseBuffer call, and then call XML_ResumeParser. No XML document, however crafted, can trigger it on its own, because the parser has not looked at any input when the crash happens. The exposure is therefore in applications whose control flow can stop or suspend a parser before feeding it, for example a cancellation or error path that runs before the first chunk arrives, or code that treats every parser it holds as stoppable. Where an attacker can drive such a path (an aborted upload, an early disconnect), the result is a crash of the process hosting libexpat, that is a denial of service, not code execution.

Mitigation

To mitigate this vulnerability, update libexpat to version 2.6.4 or later. In that release XML_StopParser refuses to act on a parser that has not started: it returns XML_STATUS_ERROR and XML_GetErrorCode reports the new XML_ERROR_NOT_STARTED, so the parser never enters the suspended state and XML_ResumeParser has nothing to crash on.

You can download the latest version of libexpat here: libexpat GitHub Releases

Input validation does not help here, because the bug is in the order of API calls rather than in the data. Developers using libexpat should instead check the return value of every XML_StopParser and XML_ResumeParser call rather than assuming success, and should not stop or suspend a parser before it has been given data. Code that cannot upgrade yet can keep a per-parser "started" flag, set just before the first XML_Parse or XML_ParseBuffer call, and skip the XML_StopParser call while the flag is unset.

Conclusion

CVE-2024-50602 is a denial-of-service vulnerability in libexpat: an application that stops or suspends a parser before feeding it and then resumes it crashes on versions before 2.6.4. Users and developers should update to libexpat 2.6.4 or later, check the return values of XML_StopParser and XML_ResumeParser, and avoid stopping a parser that has not started.

Stay informed about the latest security vulnerabilities and ensure that your applications and systems are kept up-to-date to protect against possible attacks.

Timeline

Published on: 10/27/2024 05:15:04 UTC
Last modified on: 10/30/2024 18:35:16 UTC