what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

ICU Heap / Integer Overflows

ICU Heap / Integer Overflows
Posted May 5, 2015
Authored by Pedro Ribeiro

The ICU library suffers from heap and integer overflows. Confirmed vulnerable are versions 52 through 54.

tags | advisory, overflow
advisories | CVE-2014-8146, CVE-2014-8147
SHA-256 | 7838891b3655e544c63b5e770a89434ff480af212dde30baf5d45c12b9933665

ICU Heap / Integer Overflows

Change Mirror Download
tl;dr heap and integer overflows in ICU, many packages affected,
unknown if these can be exploited or not - everyone names vulns
nowadays, so I name these I-C-U-FAIL.

Hi,

I have found two vulnerabilities in the ICU library while fuzzing
LibreOffice, full details in the advisory below.
Disclosure of these was done initially to LibreOffice and then to
distro-security. I then reported it to Chromium, Android and finally
CERT, so I ended up breaking the rules of distro-security which
requires that any vulnerability reported to the list is made public in
14 days. I apologise for this to oss-security, distro-security and
Solar Designer, and will not do it again.

A full copy of the advisory below can be found in my repo at
https://raw.githubusercontent.com/pedrib/PoC/master/generic/i-c-u-fail.txt.

Regards,
Pedro


>> Heap overflow and integer overflow in ICU library
>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security
=================================================================================
Disclosure: 04/05/2015 / Last updated: 04/05/2015

>> Background on the affected products:
ICU is a mature, widely used set of C/C++ and Java libraries providing
Unicode and Globalization support for software applications. ICU is
widely portable and gives applications the same results on all
platforms and between C/C++ and Java software.


>> Summary:
While fuzzing LibreOffice an integer overflow and a heap overflow
where found in the ICU library. This library is used by LibreOffice
and hundreds of other software packages.
Proof of concept files can be downloaded from [1]. These files have
been tested with LibreOffice 4.3.3.2 and LibreOffice 4.4.0-beta2 and
ICU 52.
Note that at this point in time it is unknown whether these
vulnerabilities are exploitable.
Thanks to CERT [2] for helping disclose these vulnerabilities.


>> Technical details:
#1
Vulnerability: Heap overflow
CVE-2014-8146

The code to blame is the following (from ubidi.c:2148 in ICU 52):
dirProp=dirProps[limit-1];
if((dirProp==LRI || dirProp==RLI) && limit<pBiDi->length) {
pBiDi->isolateCount++;
pBiDi->isolates[pBiDi->isolateCount].stateImp=stateImp;
pBiDi->isolates[pBiDi->isolateCount].state=levState.state;
pBiDi->isolates[pBiDi->isolateCount].start1=start1;
}
else
processPropertySeq(pBiDi, &levState, eor, limit, limit);

Under certain conditions, isolateCount is incremented too many times,
which results in several out of bounds writes. See [1] for a more
detailed analysis.


#2
Vulnerability: Integer overflow
CVE-2014-8147

The overflow is on the resolveImplicitLevels function (ubidi.c:2248):
pBiDi->isolates[pBiDi->isolateCount].state=levState.state;

pBiDi->isolates[].state is a int16, while levState.state is a int32.
The overflow causes an error when performing a malloc on
pBiDi->insertPoints->points because insertPoints is adjacent in memory
to isolates[].

The Isolate struct is defined in ubidiimp.h:184
typedef struct Isolate {
int32_t startON;
int32_t start1;
int16_t stateImp;
int16_t state;
} Isolate;

LevState is defined in ubidi.c:1748
typedef struct {
const ImpTab * pImpTab; /* level table pointer */
const ImpAct * pImpAct; /* action map array */
int32_t startON; /* start of ON sequence */
int32_t startL2EN; /* start of level 2 sequence */
int32_t lastStrongRTL; /* index of last found R or AL */
int32_t state; /* current state */
int32_t runStart; /* start position of the run */
UBiDiLevel runLevel; /* run level before implicit solving */
} LevState;


>> Fix:
The ICU versions that are confirmed to be affected are 52 to 54, but
earlier versions might also be affected. Upgrade to ICU 55.1 to fix
these vulnerabilities.
Note that there are probably many other software packages that embed
the ICU code and will probably also need to be updated.


>> References:
[1] https://github.com/pedrib/PoC/raw/master/generic/i-c-u-fail.7z
[2] https://www.kb.cert.org/vuls/id/602540
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close