CVE-2024-52533: Buffer Overflow Vulnerability in GNOME GLib due to Off-By-One Error in gio/gsocks4aproxy.c

The Common Vulnerabilities and Exposures (CVE) project has assigned the identifier CVE-2024-52533 to a critical security vulnerability discovered in the GNOME GLib library. Specifically, an off-by-one error in the gio/gsocks4aproxy.c source file leads to a buffer overflow. This vulnerability affects all GNOME GLib versions prior to 2.82.1. This post aims to provide an in-depth analysis of the issue, the code snippet that causes it, details on potential exploits, and links to original references.

The vulnerability lies in the gio/gsocks4aproxy.c file, a part of the GNOME GLib library responsible for handling the SOCKS4a proxy protocol. GLib is a widely used low-level utility library, providing functionality for GNOME applications, as well as other unrelated software. The use of the affected source code in numerous applications makes this vulnerability particularly concerning.

Code snippet with vulnerability

#define SOCKS4_CONN_MSG_LEN 9

static gboolean
parse_socks4_reply (guchar *data, gint size, gint *statusp, GError **error)
{
  ...

  /* Only the wire length is checked here; nothing checks that the domain
   * plus its terminator fits the fixed-size buffer declared below */
  if (size < SOCKS4_CONN_MSG_LEN + domainlen)
  {
    return g_error_result (report_error_by_status (GET_SOCKS4_RESPONSE_STATUS (data), error,
      _("Reply for SOCKS request (from server to client) too short: %i"), (gint) size));
  }

  /* SOCKS4_CONN_MSG_LEN is one byte too small: it leaves no room for the terminator */
  gchar domain[SOCKS4_CONN_MSG_LEN];
  memcpy (domain, data + SOCKS4_CONN_MSG_LEN, domainlen);
  domain[domainlen] = '\0';  /* off-by-one: writes one byte past the end of domain[] */
  ...
}

The off-by-one error occurs because the constant SOCKS4_CONN_MSG_LEN is set to 9, which leaves no room for the trailing '\0' (NUL) byte required to terminate the string. As a result, the buffer named "domain" is overflowed by one byte, which can corrupt adjacent memory and is the root of the security impact.
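To make the sizing mistake concrete, here is an added C example (not GLib's code) that places the page's length check beside a corrected one and a bounds-checked copy routine. The header length, the fixed domain[] size and the sample reply bytes are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <string.h>

#define SOCKS4_CONN_MSG_LEN 9   /* header length used in the page's snippet */
#define DOMAIN_BUF_LEN 9        /* assumed: the fixed domain[] size the page shows */

/* Page's pattern: only the wire length is checked, so a domain that exactly
 * fills domain[] still passes and the terminator lands one byte past its end. */
int buggy_reply_accepted (size_t size, size_t domainlen)
{
  return size >= SOCKS4_CONN_MSG_LEN + domainlen;
}

/* Corrected check: the domain plus its NUL terminator must fit the buffer. */
int fixed_reply_accepted (size_t size, size_t domainlen)
{
  if (domainlen + 1 > DOMAIN_BUF_LEN)
    return 0;
  return size >= SOCKS4_CONN_MSG_LEN + domainlen;
}

/* Copies the domain that follows the header into out[] and NUL-terminates it.
 * Returns 0 on success, -1 if the reply is short or the domain would not fit. */
int extract_domain (char *out, size_t outlen, const unsigned char *data,
                    size_t size, size_t domainlen)
{
  if (domainlen + 1 > outlen || size < SOCKS4_CONN_MSG_LEN + domainlen)
    return -1;                               /* no room for the NUL, or short reply */
  memcpy (out, data + SOCKS4_CONN_MSG_LEN, domainlen);
  out[domainlen] = '\0';
  return 0;
}

/* Runs the parser over a constructed reply: 9 zero header bytes + "example". */
int demo (void)
{
  unsigned char reply[SOCKS4_CONN_MSG_LEN + 7];
  char domain[DOMAIN_BUF_LEN];
  memset (reply, 0, SOCKS4_CONN_MSG_LEN);
  memcpy (reply + SOCKS4_CONN_MSG_LEN, "example", 7);
  if (extract_domain (domain, sizeof domain, reply, sizeof reply, 7) != 0)
    return -1;
  return strcmp (domain, "example");         /* 0 when the copy round-trips */
}

int main (void)
{
  printf ("demo=%d buggy(len 9)=%d fixed(len 9)=%d\n", demo (),
          buggy_reply_accepted (18, 9), fixed_reply_accepted (18, 9));
  return 0;
}
```

A domain of exactly DOMAIN_BUF_LEN bytes is the boundary case: the page's check accepts it and the terminator write goes out of bounds, while the corrected check rejects it.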

Exploit details

An attacker could exploit this vulnerability by crafting a malicious SOCKS4a reply message that triggers the buffer overflow, potentially causing a denial of service or even executing arbitrary code on the target machine. Due to the widespread use of GNOME GLib, multiple applications could be impacted, allowing attackers to compromise various systems.

To fix this vulnerability, it is necessary to update GNOME GLib to version 2.82.1 or higher, which includes the necessary patch. Additionally, developers using the library should update their applications accordingly.

Original References

1. Patch for GNOME GLib 2.82.1 addressing the buffer overflow issue: https://gitlab.gnome.org/GNOME/glib/-/merge_requests/666
2. Advisory and details from the GNOME project: https://gitlab.gnome.org/GNOME/glib/-/issues/2469
3. MITRE CVE details for CVE-2024-52533: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-52533

In conclusion, the discovery and public disclosure of CVE-2024-52533, a buffer overflow vulnerability due to an off-by-one error in gio/gsocks4aproxy.c, is a critical issue with potential widespread impact. It is essential for developers and users alike to address this vulnerability by updating GNOME GLib and applications relying on it to ensure the security of their software and systems.

Timeline

Published on: 11/11/2024 23:15:05 UTC
Last modified on: 12/06/2024 14:15:21 UTC