exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

NASA Common Data Format Remote Buffer Overflows

NASA Common Data Format Remote Buffer Overflows
Posted Jul 21, 2009
Authored by Leon Juranic | Site infigo.hr

Memory corruption vulnerabilities have been discovered in NASA's Common Data Format. Versions 3.2.4 and below are affected.

tags | advisory, vulnerability
SHA-256 | d3bfdae0226b04f7084476e78657351396b5f9598a25fc61dc3d13c191fa4f96

NASA Common Data Format Remote Buffer Overflows

Change Mirror Download

===================================================================
'Celebrating 40 years of Apollo and 20 years of buffer overflows'
===================================================================


INFIGO IS Security Advisory #ADV-2009-07-09
http://www.infigo.hr/en/


Title: NASA Common Data Format remote buffer overflow(s)
Advisory ID: INFIGO-2009-07-09
Date: 2009-07-20
Advisory URL: http://www.infigo.hr/en/in_focus/advisories/INFIGO-2009-07-09
Vendor: NASA GODDARD Space Flight Center
Vendor URL: http://cdf.gsfc.nasa.gov/
Impact: Remote code execution
Risk Level: High
Vulnerability Type: Remote



==[ Overview

CDF is the Common Data Format. It is a conceptual data abstraction for
storing, manipulating, and accessing multidimensional data sets.
The basic component of CDF is a software programming interface that is
a device-independent view of the CDF data model.
The CDF software package is used by hundreds of government agencies,
universities, and private and commercial organizations as well as
independent researchers on both national and international levels.
CDF has been adopted by the International Solar-Terrestrial Physics
(ISTP) project as well as the Central Data Handling Facilities (CDHF)
as their format of choice for storing and distributing key parameter
data. A list of some applications that use the CDF library can be found
at http://cdf.gsfc.nasa.gov/html/examples.html.


==[ Vulnerability

Various memory corruption vulnerabilities have been identified during a
security audit of the CDF library. The vulnerabilities exist in the code
processing CDF files. This advisory contains technical information about
one of the identified vulnerabilities, that can be exploited when a
malformed CDF file is parsed by a CDF reading program.
The vulnerability exists in the ReadAEDRList64() function. This function
is used to read a list of attribute entries from a CDF file.
The attribute entries are stored in a list indexed by the entry number.
The relevant source code is shown below:

./cdf32_1-dist/src/lib/cdfread64.c:
------------------------------------------------
STATICforIDL CDFstatus ReadAEDRList64 (vFILE *fp,
struct AEDRstructExt64 ***AEDRList,
OFF_T AEDRHead,
Int32 MaxEntry)
{
...
struct AEDRstructExt64 *TempAEDR;
Int32 LastAEDRNum = -1;
Int32 i;
OFF_T temp;
...
[1] *AEDRList = cdf_AllocateMemory((MaxEntry + 1) *
sizeof(struct AEDRstructExt64**), NULL);
....
while (NxtAEDR != 0 && LastAEDRNum != MaxEntry)
{
[2] TempAEDR = cdf_AllocateMemory(sizeof(struct AEDRstructExt64), NULL);
...
[3] if (!Read32_64(fp,&(TempAEDR->AEDR.Num))) return CRE;
...
[4] (*AEDRList)[TempAEDR->AEDR.Num] = TempAEDR;
}
return pStatus;
}
-------------------------------------------------------------------------

The code marked as [1] creates an array of AEDRstructExt64 structures,
allocated on the heap and assigned to the AEDRList variable. The TempAEDR
structure [2] is also allocated on the heap. It is further used in the
while() loop to read the attributes from the CDF file that is being
parsed.
The Read32_64() function [3] is used to read an integer from the
CDF file stream and store it in the TempAEDR->AEDR.Num. At [4] this value
is used as the index that specifies where in the AEDRList the address of
the TempAEDR structure is stored.
This is where the vulnerability exists as the code performs no sanity
checks on the TempAEDR->AEDR.Num value.
In other words, if the CDF file contains a value that is higher than the
number of allocated AEDRList entries, a malicious CDF file can overwrite
arbitrary heap data after the AEDRList array. The value that will be
written is the address of the TempAEDR structure. This can be further
exploited as the attacker can control the content of the TempAEDR
structure, in which malicious code can be embedded.

As the TempAEDR->AEDR.Num is used as the index, the attacker can write 4
bytes to an address higher than the AEDRList's address. Since this index
is added to the AEDRList address, an attacker can also specify a large
value which allows him to overflow the integer in the adding calculation,
effectively writing to any address mapped by the process.
Other protection mechanisms, such as ASLR, could make this exploitation
method less reliable.

Various other memory corruption vulnerabilities have been identified
in SearchForRecord_r_64(), LastRecord64(), CDFsel64() and other functions.
In cooperation with the vendor all identified vulnerable function have
been fixed, and a proper validation module was developed to verify CDF
files before processing them.


==[ Affected Version

The vulnerabilities has been identified in the latest available CDF
version 3.2.4. Previous versions are believed to be vulnerable as well.


==[ Fix

The vendor has addressed vulnerabilities on 20.7.2009. with CDF
library version 3.3. New CDF library 3.3 has 'cdfvalidate' module
that will validate CDF files for potential malformed values.
New version is available at http://cdf.gsfc.nasa.gov/.


==[ PoC Exploit

PoC will not be released.


==[ Vendor status

20.08.2008 - Initial contact
20.08.2008 - 20.07.2009: Cooperation with vendor
20.07.2009 - Coordinated public disclosure


==[ Credits

Vulnerability discovered by Leon Juranic <leon.juranic@infigo.hr>.
We would like to thank to whole NASA CDF team, and especially Michael Liu
for cooperation, and good work in dealing with reported vulnerabilities.


==[ INFIGO IS Security Contact

INFIGO IS,

WWW : http://www.infigo.hr/en/
E-mail: infocus@infigo.hr

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close