Loginsoft-2018-1006
August 26, 2018
CWE
CWE-125: Out-of-bounds Read
Product Details
Xfig is a free and open-source vector graphics editor which runs under the X Window System on most UNIX-compatible platforms. fig2dev is a library used by the Xfig package to translate fig code into other graphical languages (tikz, shape, jpeg, png, etc.).
URL: https://sourceforge.net/projects/mcj/
Vulnerable Versions
fig2dev 3.2.7a (Xfig package)
Vulnerability Details
An out-of-bounds read vulnerability was discovered in fig2dev version 3.2.7a.
SYNOPSIS
Another interesting vulnerability discovered in fig2dev was a classic out-of-bounds read.
Ref: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882022
The fig2dev binary can be used to convert between various graphical formats. To do so, it parses the different objects & object attributes of a fig file.
Figure file format structure:
- The very first line is a comment line specifying the name and version: #FIG 3.2
- The next few lines give the specifications of the fig file document (orientation, justification, units, papersize, multiple-page, etc.).
- The later blocks define the various objects & their attributes, which were of interest to us as they looked like a proper point of manipulation.
Example
Ref: https://sourceforge.net/projects/mcj/
Jumping on to the color-related attributes: there are two color fields, `pen & fill`, where the pen color is used to draw the object (and is the only color used for text) & the fill color fills the region inside the object. [1] The total capacity of the color table is 544 (`color_table[544]`), of which 32 are standard colors and the remaining 512 are user colors (`user color[512]`). The object attribute values pass through various functions & are used for different purposes. Hence we went ahead & set the color value to a negative number, which turned out to be a direct hit!
The color value is passed on to the function put_colorname() in gentikz.c, which takes a color number as its argument and uses it to index the structure member `std_color[c+1]`, which holds the color name, its RGB values, etc. As we already know from [1], the capacity of the standard color table (std_color) is 32, hence any value above or below that range goes out of bounds. Later, the same issue was also detected by the fuzzer.
Suggested mitigation: A bound check was present to make sure the color value did not exceed the upper limit (NUM_STD_COLS), but the check for values below the lower limit was missing. Adding a lower-limit check looked like the proper fix.
According to the project owner, many checks were employed to detect invalid values passed to object attributes & either replace them with the attribute's default value or simply reject the file, but somehow this one went unchecked.
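The missing lower-bound check side by side with the hardened one, as an added example in C (not fig2dev's code): the 32-entry standard palette, NUM_STD_COLS and the `std_color[c+1]` indexing follow the advisory, while the extra "default" entry at index 0 (reached with c == -1), the entry contents and the function names are assumptions.

```c
#include <limits.h>
#include <stdio.h>
#define NUM_STD_COLS 32          /* standard colours, per the advisory */
#define REJECTED INT_MIN         /* sentinel: the check refused the value */
struct color_db { const char *name; int r, g, b; };

/* Assumed layout: entry 0 is the default colour (c == -1), hence std_color[c+1]. */
static const struct color_db std_color[NUM_STD_COLS + 1] = {
    { "default", 0, 0, 0 },      /* index 0, c == -1 */
    { "black",   0, 0, 0 },      /* index 1, c == 0  */
    { "blue",    0, 0, 255 },    /* index 2, c == 1  */
};  /* remaining entries stay zero-initialised; only the bounds matter here */

/* Mirrors the original check (upper limit only); returns the index std_color[c+1]
 * would touch, without dereferencing it. */
int vulnerable_index(int c)
{
    if (c >= NUM_STD_COLS)
        return REJECTED;
    return c + 1;                /* c = -5 gives -4: a read below the table */
}

/* Hardened check: adds the missing lower limit. */
int hardened_index(int c)
{
    if (c < -1 || c >= NUM_STD_COLS)
        return REJECTED;
    return c + 1;
}

/* Lookup as the converter would use it: a rejected value falls back to the
 * attribute's default instead of reading outside std_color[]. */
const char *put_colorname_hardened(int c)
{
    int idx = hardened_index(c);
    if (idx == REJECTED) idx = 0;
    return std_color[idx].name ? std_color[idx].name : "unnamed";
}

int main(void)
{
    int samples[] = { 0, 31, 32, -1, -5, -1000 };   /* constructed inputs */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int idx = vulnerable_index(samples[i]);
        if (idx == REJECTED) printf("color %5d: original check rejects it", samples[i]);
        else printf("color %5d: original check reads std_color[%d]", samples[i], idx);
        printf("; hardened lookup -> %s\n", put_colorname_hardened(samples[i]));
    }
    return 0;
}
```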
Analysis
Proof of Concept
fig2dev -L tikz $POC
The -L switch specifies the graphical language into which the figure file is to be converted, followed by the input figure file. The issue is exploitable when a crafted fig file is supplied via the above command.
Timeline
Vendor Disclosure: 2018-08-25
Patch Release: 2018-08-26
Public Disclosure: 2018-08-26
Credit
Discovered by ACE Team - Loginsoft