Buffer overflow vulnerability in PS_options() - gnuplot 5.2.5
Loginsoft-2018-17974
November 2, 2018
CWE
CWE-120: Classic Buffer Overflow
Product Details
Gnuplot is a portable command-line driven graphing utility.
URL: https://sourceforge.net/projects/gnuplot/
Vulnerable Versions
5.2.5 branch
Vulnerability Details
During our research on gnuplot, we found a buffer overflow vulnerability. It can be triggered by sending a crafted file to gnuplot. This allows an attacker to cause a Denial of Service (segmentation fault and memory corruption) or possibly have unspecified other impacts when a victim opens a specially crafted file.
SYNOPSIS
In our research we found that the function PS_options() in post.trm contains the condition if (ps_params->oldstyle). When the value of ps_params->oldstyle is zero, the program enters the else branch, which calls sprintf(). The basic shape of this sprintf() call in the program is sprintf(buffer, char, int), i.e. a destination buffer, a string argument and an integer argument. The destination, PS_default_font, is a buffer of 51 bytes. When a crafted input file is sent to the binary, we observed that ps_params->font had a size of 51 and ps_fontsize a size of 14. The combined size of ps_params->font and ps_fontsize is larger than the buffer allocated for PS_default_font, which triggers the buffer overflow.
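The following is an added illustration of the overflow arithmetic described above and of the bounded alternative to an unchecked sprintf(); it is not gnuplot's code. It assumes the "%s,%d" layout (font name, comma, size) and reuses the sizes the advisory reports (a 51-byte destination, a 51-character font name, a font size of 14).

```c
#include <stdio.h>
#include <string.h>

/* Illustrative constant, not taken from gnuplot's headers: the advisory
 * reports a 51-byte PS_default_font buffer. */
#define DEFAULT_FONT_LEN 51

/* Bounded replacement for the unchecked sprintf() described in the advisory:
 * writes "<font>,<size>" into dst, never past dstlen bytes, and reports
 * whether the result had to be truncated. Returns 0 on success, -1 if the
 * formatted string did not fit (dst then holds a NUL-terminated prefix).
 * The "%s,%d" layout is an assumption made for this example. */
static int format_default_font(char *dst, size_t dstlen, const char *font, int fontsize)
{
    if (dst == NULL || dstlen == 0)
        return -1;
    int n = snprintf(dst, dstlen, "%s,%d", font, fontsize);
    if (n < 0)
        return -1;
    /* n is the length the full string would have had; >= dstlen means truncation */
    return ((size_t)n < dstlen) ? 0 : -1;
}

/* Bytes required (including the NUL) for the same layout; shows why the
 * advisory's input cannot fit a 51-byte buffer before any copy happens. */
static size_t default_font_needed(const char *font, int fontsize)
{
    return (size_t)snprintf(NULL, 0, "%s,%d", font, fontsize) + 1;
}

int main(void)
{
    char buf[DEFAULT_FONT_LEN];
    char font[52];                 /* constructed 51-character font name */
    memset(font, 'A', 51);
    font[51] = '\0';

    size_t need = default_font_needed(font, 14);   /* 51 + "," + "14" + NUL = 55 */
    printf("needs %zu bytes, buffer holds %d\n", need, DEFAULT_FONT_LEN);

    if (format_default_font(buf, sizeof buf, font, 14) != 0)
        printf("truncated to \"%s\" (%zu chars)\n", buf, strlen(buf));

    /* A font name that fits is formatted normally. */
    if (format_default_font(buf, sizeof buf, "Helvetica", 14) == 0)
        printf("ok: \"%s\"\n", buf);
    return 0;
}
```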
Analysis
ASAN Output
Proof of Concept
gnuplot -d -c $POC
Timeline
Vendor Disclosure: 2018-11-02
Public Disclosure: 2018-11-03
Credit
Discovered by ACE Team - Loginsoft