what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

HylaFAX 6.0.6 / 5.6.0 Uninitialized Pointer / Out Of Bounds Write

HylaFAX 6.0.6 / 5.6.0 Uninitialized Pointer / Out Of Bounds Write
Posted Sep 20, 2018
Authored by Markus Vervier, Eric Sesterhenn, Luis Merino

Multiple bugs were found in the code handling fax page reception in JPEG format that allow arbitrary writes to an uninitialized pointer by remote parties dialing in. When processing an specially crafted input, the issue could lead to remote code execution. HylaFAX versions 6.0.6 and 5.6.0 are affected.

tags | advisory, remote, arbitrary, code execution
advisories | CVE-2018-17141
SHA-256 | a6ae5d3d4dedcc85875a8b486ef5cb3f062250e0ddef95b52ca59a9b77f9c066

HylaFAX 6.0.6 / 5.6.0 Uninitialized Pointer / Out Of Bounds Write

Change Mirror Download
X41 D-SEC GmbH Security Advisory: X41-2018-008

Multiple Vulnerabilities in HylaFAX
===================================


Overview
--------
Confirmed Affected Versions: HylaFAX 6.0.6, HylaFAX+ 5.6.0
Confirmed Patched Versions: HylaFAX 6.0.7, HylaFAX+ 5.6.1
Vendor: Hylafax, Hylafax+
Vendor URL: https://www.hylafax.org/, http://hylafax.sourceforge.net/
Credit: X41 D-SEC GmbH, Luis Merino, Eric Sesterhenn, Markus Vervier
Status: Public
Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2018-008-Hylafax/


Summary and Impact
------------------
Severity Rating: Critical
Vector: Incoming fax call
CVE: CVE-2018-17141
CWE: 122, 457
CVSS Score: 9.0
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Multiple bugs were found in the code handling fax page reception in JPEG
format that allow arbitrary writes to an uninitialized pointer by remote
parties dialing in. When processing an specially crafted input, the issue
could lead to remote code execution.
Although JPEG reception is not announced as an available capability
by HylaFAX and is explicitly disabled during capabilities announcement,
there is code for JPEG support in HylaFAX that can be reached by a remote
party when setting certain flags during session negotiation.
X41 did not perform a full test or audit on the software.


Product Description
-------------------
HylaFAX is an open-source system for sending and receiving faxes using
one or multiple fax modems.

Analysis
========
X41 discovered several vulnerabilities in HylaFAX that are exploitable
by local or remote attackers.


Uninitialized pointer write in FaxModem::writeECMData()
-------------------------------------------------------
In CopyQuality.c++:990 recvRow is initialized only when params.jp is
exactly JP_GREY or JP_COLOR and also params.df is exactly zero.

{% highlight c %}
uint dataform = params.df + (params.jp ? params.jp + 4 : 0);
//...
switch (dataform) {
//...
case JPGREY+4:
case JPCOLOR+4:
recvEOLCount = 0;
recvRow = (uchar) malloc(10241000); // 1M should do it?
{% endhighlight %}
However, later in the same function recvRow is used as a target for
memcpy() when params.jp is JP_GREY or JP_COLOR, irrespective of
params.df. Consequently, if a sender crafts a DCS signal that leads to
params.df being non-zero while params.jp is JP_GREY or JP_COLOR, then
recvRow will be uninitialized when it is used as a target for memcpy().
{% highlight c %}
if (params.jp != JPGREY && params.jp != JPCOLOR) {
flushRawData(tif, 0, (const u_char) buf, cc);
} else {
memcpy(recvRow, (const char) buf, cc);
recvRow += cc;
}
{% endhighlight %}


Out of bounds write in FaxModem::writeECMData()
-----------------------------------------------
The same piece of code for memcpy at CopyQuality.c++:1045 can be
abused to perform an out of bounds write to recvRow, as there is no
bounds check before writing to and incrementing recvRow. This can
lead to remote code execution when an attacker sends an specially
crafted input.


Out of bounds write in FaxModem::recvPageDLEData()
--------------------------------------------------
CopyQuality:c++:446 presents another unbounded memcpy that can be
abused to perform an out of bounds write to recvRow.

{% highlight c %}
if (n >= RCVBUFSIZ)
flushRawData(tif, 0, (const u_char) raw, n);
else {
memcpy(recvRow, (const char) raw, n);
recvRow += n;
}
{% endhighlight %}

The code doesn't seem to be reachable, as JPEG flag forces ECM
reception.


Workaround
----------
None.

Timeline
========
2018-06-07 Issues found
2018-08-24 Issue reported to vendor
2018-09-02 Vendor sends patches
2018-09-17 CVE ID assigned
2018-09-18 Patches released
2018-09-19 Advisory released

External links
==============
See https://www.x41-dsec.de/lab/blog/fax/ for a blog post related to this
advisory.

About X41 D-SEC GmbH
====================
X41 is an expert provider for application security services.
Having extensive industry experience and expertise in the area of
information security, a strong core security team of world class
security experts enables X41 to perform premium security services.
Fields of expertise in the area of application security are security
centered code reviews, binary reverse engineering and vulnerability
discovery.
Custom research and a IT security consulting and support services are
core competencies of X41.

- --
X41 D-SEC GmbH, Dennewartstr. 25-27, D-52068 Aachen
T: +49 241 9809418-0, Fax: -9
Unternehmenssitz: Aachen, Amtsgericht Aachen: HRB19989
GeschA$?ftsfA1/4hrer: Markus Vervier


Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close