TECHNICAL BULLETIN
TECHNICAL BULLETIN
| PROBLEM: | The NASA common data format (CDF) library contains a buffer overflow vulnerability that may be used to execute arbitrary code. |
| PLATFORM: | NASA CDF Library < 3.3.0 |
| ABSTRACT: | The CDF ReadAEDRList64() function contains an overflow vulnerability that may be used to overwrite arbitrary heap memory areas with malicious code, via a specially crafted CDF data file. |
| LINKS: | |
| DOE-CIRC BULLETIN: | http://www.doecirc.energy.gov/bulletins/t-190.shtml |
| OTHER LINKS: |
NASA CDF Website http://cdf.gsfc.nasa.gov/ Infigo Website http://www.infigo.hr/en/in_focus/advisories/INFIGO-2009-07-09 Security Focus Website http://www.securityfocus.com/archive/1/505123/30/0/threaded |
| IMPACT ASSESSMENT: | This risk is high. If a publically exposed application, such as a webapp, is utilizing a vulnerable version of the CDF library it may represent a risk of remote system compromise. Additionally, crafted CDF files could be utilized in social engineering attacks against users expected to process CDF datafiles. CDF format data is reportedly used in many government research organizations, particularly those handling astronomical and meterological data. |
Discussion:
CDF is the Common Data Format. It is a conceptual data abstraction for storing, manipulating, and accessing multidimensional data sets.
The basic component of CDF is a software programming interface that is a device-independent view of the CDF data model.
The CDF software package is used by hundreds of government agencies, universities, and private and commercial organizations as well as independent researchers on both national and international levels.
CDF has been adopted by the International Solar-Terrestrial Physics
(ISTP) project as well as the Central Data Handling Facilities (CDHF) as their format of choice for storing and distributing key parameter data. A list of some applications that use the CDF library can be found at http://cdf.gsfc.nasa.gov/html/examples.html.
Various memory corruption vulnerabilities have been identified during a security audit of the CDF library. The vulnerabilities exist in the code processing CDF files. This advisory contains technical information about one of the identified vulnerabilities, that can be exploited when a malformed CDF file is parsed by a CDF reading program.
The vulnerability exists in the ReadAEDRList64() function. This function is used to read a list of attribute entries from a CDF file.
The attribute entries are stored in a list indexed by the entry number.
The relevant source code is shown below:
./cdf32_1-dist/src/lib/cdfread64.c:
------------------------------------------------
STATICforIDL CDFstatus ReadAEDRList64 (vFILE *fp, struct AEDRstructExt64 ***AEDRList, OFF_T AEDRHead,
Int32 MaxEntry)
{
...
struct AEDRstructExt64 *TempAEDR;
Int32 LastAEDRNum = -1;
Int32 i;
OFF_T temp;
...
[1] *AEDRList = cdf_AllocateMemory((MaxEntry + 1) * sizeof(struct AEDRstructExt64**), NULL); ....
while (NxtAEDR != 0 && LastAEDRNum != MaxEntry) { [2] TempAEDR = cdf_AllocateMemory(sizeof(struct AEDRstructExt64), NULL); ...
[3] if (!Read32_64(fp,&(TempAEDR->AEDR.Num))) return CRE; ...
[4] (*AEDRList)[TempAEDR->AEDR.Num] = TempAEDR; } return pStatus; }
------------------------------------------------------------------------
The code marked as [1] creates an array of AEDRstructExt64 structures, allocated on the heap and assigned to the AEDRList variable. The TempAEDR structure [2] is also allocated on the heap. It is further used in the
while() loop to read the attributes from the CDF file that is being parsed.
The Read32_64() function [3] is used to read an integer from the CDF file stream and store it in the TempAEDR->AEDR.Num. At [4] this value is used as the index that specifies where in the AEDRList the address of the TempAEDR structure is stored.
This is where the vulnerability exists as the code performs no sanity checks on the TempAEDR->AEDR.Num value.
In other words, if the CDF file contains a value that is higher than the number of allocated AEDRList entries, a malicious CDF file can overwrite arbitrary heap data after the AEDRList array. The value that will be written is the address of the TempAEDR structure. This can be further exploited as the attacker can control the content of the TempAEDR structure, in which malicious code can be embedded.
As the TempAEDR->AEDR.Num is used as the index, the attacker can write 4 bytes to an address higher than the AEDRList's address. Since this index is added to the AEDRList address, an attacker can also specify a large value which allows him to overflow the integer in the adding calculation, effectively writing to any address mapped by the process.
Other protection mechanisms, such as ASLR, could make this exploitation method less reliable.
Various other memory corruption vulnerabilities have been identified in SearchForRecord_r_64(), LastRecord64(), CDFsel64() and other functions.
In cooperation with the vendor all identified vulnerable function have been fixed, and a proper validation module was developed to verify CDF files before processing them.
Affected Versions:
The vulnerabilities has been identified in the latest available CDF version 3.2.4. Previous versions are believed to be vulnerable as well.
Solution:
The vendor has addressed vulnerabilities on 20.7.2009. with CDF library version 3.3. New CDF library 3.3 has 'cdfvalidate' module that will validate CDF files for potential malformed values.
New version is available at http://cdf.gsfc.nasa.gov/.
Voice: 866-941-2472
E-mail: doecirc@doecirc.energy.gov
World Wide Web: http://www.doecirc.energy.gov