Invalid write memory access vulnerability in HDF5 1.10.3
Loginsoft-2018-17436
September 24, 2018
CVE Number
CVE-2018-17436
CWE
CWE-787: Out-of-bounds Write
Product Details
HDF5 is a data model, library, and file format for storing and managing data. It supports an unlimited variety of data types and is designed for flexible and efficient I/O and for high volume and complex data. HDF5 is portable and is extensible, allowing applications to evolve in their use of HDF5. The HDF5 Technology suite includes tools and applications for managing, manipulating, viewing, and analyzing data in the HDF5 format.
URL: https://www.hdfgroup.org/downloads
Vulnerable Versions
HDF5 1.10.3
Vulnerability Details
ReadCode() in decompress.c in the HDF HDF5 through 1.10.3 library allows attackers to cause a denial of service (invalid write access) via a crafted HDF5 file. This issue was triggered while converting a GIF file to an HDF file.
SYNOPSIS
Like the h52gif binary, there is gif2h5, which converts a GIF file into an HDF5 file. It calls the function Gif2mem(), which displays the GIF header information by going through the different blocks, such as the GIF image file header. It then decompresses and converts the GIF image to an HDF image, for which it calls the Decompress() [1] function.
During decompression, it steps past the image separator by reading values from the image descriptor, allocates a chunk of memory for the image, and then attempts to decompress the file, continuing until a GIF EOF code is seen; for this it calls the ReadCode() [2] function. ReadCode() fetches the next code from the raster data stream. While computing the value of RawCode, it receives a few incorrect values, [3] creating an invalid write memory access issue.
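The check that this class of bug calls for, shown as an added example (this is not HDF5's code and not the upstream fix): a raster code reader that validates the byte offset against the buffer length before touching memory. The struct, the function names, the fixed code width and the sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical reader state; names are illustrative, not HDF5's. */
typedef struct {
    const uint8_t *raster;     /* raster data stream read from the GIF */
    size_t         raster_len; /* number of valid bytes in raster */
    size_t         bit_offset; /* position of the next code, in bits */
    unsigned       code_size;  /* code width in bits (3..12 for GIF) */
} code_reader;

/* Constructed sample: 3-bit codes 4, 1, 2, 5 packed LSB-first. */
static const uint8_t SAMPLE[] = { 0x8C, 0x0A };

/* Returns the next code, or -1 if reading it would leave the buffer. */
int read_code_checked(code_reader *r)
{
    if (r->code_size < 3 || r->code_size > 12)
        return -1;
    size_t   byte_off = r->bit_offset / 8;
    unsigned shift    = (unsigned)(r->bit_offset % 8);
    size_t   need     = (shift + r->code_size + 7) / 8; /* 1..3 bytes */
    if (byte_off >= r->raster_len || need > r->raster_len - byte_off)
        return -1;
    uint32_t raw = 0;
    for (size_t i = 0; i < need; i++)
        raw |= (uint32_t)r->raster[byte_off + i] << (8 * i);
    r->bit_offset += r->code_size;
    return (int)((raw >> shift) & ((1u << r->code_size) - 1u));
}

/* Counts codes before eof_code; -1 if the stream ends without one.
 * Fixed code width is a simplification: real LZW widens it as it goes. */
long count_codes(const uint8_t *buf, size_t len, unsigned width, int eof_code)
{
    code_reader r = { buf, len, 0, width };
    for (long n = 0;; n++) {
        int c = read_code_checked(&r);
        if (c < 0)
            return -1;
        if (c == eof_code)
            return n;
    }
}

int main(void)
{
    return count_codes(SAMPLE, sizeof SAMPLE, 3, 5) == 3 ? 0 : 1;
}
```

A stream that is truncated, or that never carries an EOF code, makes the reader return -1 instead of indexing past the end of the raster buffer.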
Analysis
Backtrace of 1.8.20
ASAN Output
Proof of concept
./gif2h5 $POC ~/output/ex_image2.h5
It takes the GIF file followed by the output HDF5 file.
Timeline
Vendor Disclosure: 2018-09-24
Public Disclosure: 2018-09-26
Credit
Discovered by ACE Team - Loginsoft