Vulnerabilities > CVE-2016-4330 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Hdfgroup Hdf5 1.8.16

047910
CVSS 8.6 - HIGH
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
local
low complexity
hdfgroup
CWE-119
nessus

Summary

In the HDF5 1.8.16 library's failure to check if the number of dimensions for an array read from the file is within the bounds of the space allocated for it, a heap-based buffer overflow will occur, potentially leading to arbitrary code execution.

Vulnerable Configurations

Part Description Count
Application
Hdfgroup
1

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Nessus

  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201701-13.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201701-13 (HDF5: Multiple vulnerabilities) Multiple arbitrary code execution vulnerabilities have been discovered in HDF5. Please review the CVE identifiers referenced below for details. Impact : An attacker could execute arbitrary code with the privileges of the process via a maliciously crafted database file. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id96244
    published2017-01-03
    reporterThis script is Copyright (C) 2017 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/96244
    titleGLSA-201701-13 : HDF5: Multiple vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 201701-13.
    #
    # The advisory text is Copyright (C) 2001-2017 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(96244);
      script_version("$Revision: 3.1 $");
      script_cvs_date("$Date: 2017/01/03 14:55:09 $");
    
      script_cve_id("CVE-2016-4330", "CVE-2016-4331", "CVE-2016-4332", "CVE-2016-4333");
      script_xref(name:"GLSA", value:"201701-13");
    
      script_name(english:"GLSA-201701-13 : HDF5: Multiple vulnerabilities");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-201701-13
    (HDF5: Multiple vulnerabilities)
    
        Multiple arbitrary code execution vulnerabilities have been discovered
          in HDF5. Please review the CVE identifiers referenced below for details.
      
    Impact :
    
        An attacker could execute arbitrary code with the privileges of the
          process via a maliciously crafted database file.
      
    Workaround :
    
        There is no known workaround at this time."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/201701-13"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All HDF5 users should upgrade to the latest version:
          # emerge --sync
          # emerge --ask --oneshot --verbose '>=sci-libs/hdf5-1.8.18'"
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:hdf5");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2017/01/02");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/01/03");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017 Tenable Network Security, Inc.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (qpkg_check(package:"sci-libs/hdf5", unaffected:make_list("ge 1.8.18"), vulnerable:make_list("lt 1.8.18"))) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "HDF5");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2018-392.NASL
    descriptionThis update for hdf5 fixes the following issues : - fix security issues (arbitary code execution): CVE-2016-4330: H5T_ARRAY Code Execution (boo#1011201) CVE-2016-4331: H5Z_NBIT Code Execution (boo#1011204) CVE-2016-4332: Shareable Message Type Code Execution (boo#1011205) CVE-2016-4333: Array index bounds issue (boo#1011198)
    last seen2020-06-05
    modified2018-04-24
    plugin id109296
    published2018-04-24
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109296
    titleopenSUSE Security Update : hdf5 (openSUSE-2018-392)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update openSUSE-2018-392.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(109296);
      script_version("1.2");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2016-4330", "CVE-2016-4331", "CVE-2016-4332", "CVE-2016-4333");
    
      script_name(english:"openSUSE Security Update : hdf5 (openSUSE-2018-392)");
      script_summary(english:"Check for the openSUSE-2018-392 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for hdf5 fixes the following issues :
    
      - fix security issues (arbitary code execution):
        CVE-2016-4330: H5T_ARRAY Code Execution (boo#1011201)
        CVE-2016-4331: H5Z_NBIT Code Execution (boo#1011204)
        CVE-2016-4332: Shareable Message Type Code Execution
        (boo#1011205) CVE-2016-4333: Array index bounds issue
        (boo#1011198)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1011198"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1011201"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1011204"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1011205"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected hdf5 packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:hdf5");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:hdf5-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:hdf5-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:hdf5-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:hdf5-devel-data");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:hdf5-devel-static");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:hdf5-examples");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:hdf5-openmpi");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:hdf5-openmpi-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:hdf5-openmpi-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:hdf5-openmpi-devel-static");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libhdf5-10");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libhdf5-10-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libhdf5-10-openmpi");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libhdf5-10-openmpi-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libhdf5_hl10");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libhdf5_hl10-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libhdf5_hl10-openmpi");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libhdf5_hl10-openmpi-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.3");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2018/04/23");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/04/24");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE42\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.3", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(x86_64)$") audit(AUDIT_ARCH_NOT, "x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE42.3", reference:"hdf5-1.8.15-7.3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"hdf5-debuginfo-1.8.15-7.3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"hdf5-debugsource-1.8.15-7.3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"hdf5-devel-1.8.15-7.3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"hdf5-devel-data-1.8.15-7.3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"hdf5-devel-static-1.8.15-7.3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"hdf5-examples-1.8.15-7.3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"hdf5-openmpi-1.8.15-7.3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"hdf5-openmpi-debuginfo-1.8.15-7.3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"hdf5-openmpi-devel-1.8.15-7.3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"hdf5-openmpi-devel-static-1.8.15-7.3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"libhdf5-10-1.8.15-7.3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"libhdf5-10-debuginfo-1.8.15-7.3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"libhdf5-10-openmpi-1.8.15-7.3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"libhdf5-10-openmpi-debuginfo-1.8.15-7.3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"libhdf5_hl10-1.8.15-7.3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"libhdf5_hl10-debuginfo-1.8.15-7.3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"libhdf5_hl10-openmpi-1.8.15-7.3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"libhdf5_hl10-openmpi-debuginfo-1.8.15-7.3.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "hdf5 / hdf5-debuginfo / hdf5-debugsource / hdf5-devel / etc");
    }
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-771.NASL
    descriptionCisco Talos discovered that hdf5, a file format and library for storing scientific data, contained several vulnerabilities that could lead to arbitrary code execution when handling untrusted data. For Debian 7
    last seen2020-03-17
    modified2017-01-03
    plugin id96187
    published2017-01-03
    reporterThis script is Copyright (C) 2017-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/96187
    titleDebian DLA-771-1 : hdf5 security update
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Debian Security Advisory DLA-771-1. The text
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(96187);
      script_version("3.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");
    
      script_cve_id("CVE-2016-4330", "CVE-2016-4331", "CVE-2016-4332", "CVE-2016-4333");
    
      script_name(english:"Debian DLA-771-1 : hdf5 security update");
      script_summary(english:"Checks dpkg output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Cisco Talos discovered that hdf5, a file format and library for
    storing scientific data, contained several vulnerabilities that could
    lead to arbitrary code execution when handling untrusted data.
    
    For Debian 7 'Wheezy', these problems have been fixed in version
    1.8.8-9+deb7u1.
    
    We recommend that you upgrade your hdf5 packages.
    
    NOTE: Tenable Network Security has extracted the preceding description
    block directly from the DLA security advisory. Tenable has attempted
    to automatically clean and format it as much as possible without
    introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.debian.org/debian-lts-announce/2016/12/msg00048.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/wheezy/hdf5"
      );
      script_set_attribute(attribute:"solution", value:"Upgrade the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:hdf5-helpers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:hdf5-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libhdf5-7");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libhdf5-7-dbg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libhdf5-dev");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libhdf5-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libhdf5-mpi-dev");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libhdf5-mpich2-7");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libhdf5-mpich2-7-dbg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libhdf5-mpich2-dev");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libhdf5-openmpi-7");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libhdf5-openmpi-7-dbg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libhdf5-openmpi-dev");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libhdf5-serial-dev");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2016/12/31");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/01/03");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2020 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"7.0", prefix:"hdf5-helpers", reference:"1.8.8-9+deb7u1")) flag++;
    if (deb_check(release:"7.0", prefix:"hdf5-tools", reference:"1.8.8-9+deb7u1")) flag++;
    if (deb_check(release:"7.0", prefix:"libhdf5-7", reference:"1.8.8-9+deb7u1")) flag++;
    if (deb_check(release:"7.0", prefix:"libhdf5-7-dbg", reference:"1.8.8-9+deb7u1")) flag++;
    if (deb_check(release:"7.0", prefix:"libhdf5-dev", reference:"1.8.8-9+deb7u1")) flag++;
    if (deb_check(release:"7.0", prefix:"libhdf5-doc", reference:"1.8.8-9+deb7u1")) flag++;
    if (deb_check(release:"7.0", prefix:"libhdf5-mpi-dev", reference:"1.8.8-9+deb7u1")) flag++;
    if (deb_check(release:"7.0", prefix:"libhdf5-mpich2-7", reference:"1.8.8-9+deb7u1")) flag++;
    if (deb_check(release:"7.0", prefix:"libhdf5-mpich2-7-dbg", reference:"1.8.8-9+deb7u1")) flag++;
    if (deb_check(release:"7.0", prefix:"libhdf5-mpich2-dev", reference:"1.8.8-9+deb7u1")) flag++;
    if (deb_check(release:"7.0", prefix:"libhdf5-openmpi-7", reference:"1.8.8-9+deb7u1")) flag++;
    if (deb_check(release:"7.0", prefix:"libhdf5-openmpi-7-dbg", reference:"1.8.8-9+deb7u1")) flag++;
    if (deb_check(release:"7.0", prefix:"libhdf5-openmpi-dev", reference:"1.8.8-9+deb7u1")) flag++;
    if (deb_check(release:"7.0", prefix:"libhdf5-serial-dev", reference:"1.8.8-9+deb7u1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_91E039EDD68911E6917114DAE9D210B8.NASL
    descriptionTalos Security reports : - CVE-2016-4330 (TALOS-2016-0176) - HDF5 Group libhdf5 H5T_ARRAY Code Execution Vulnerability - CVE-2016-4331 (TALOS-2016-0177) - HDF5 Group libhdf5 H5Z_NBIT Code Execution Vulnerability - CVE-2016-4332 (TALOS-2016-0178) - HDF5 Group libhdf5 Shareable Message Type Code Execution Vulnerability - CVE-2016-4333 (TALOS-2016-0179) - HDF5 Group libhdf5 H5T_COMPOUND Code Execution Vulnerability
    last seen2020-06-01
    modified2020-06-02
    plugin id96369
    published2017-01-10
    reporterThis script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/96369
    titleFreeBSD : hdf5 -- multiple vulnerabilities (91e039ed-d689-11e6-9171-14dae9d210b8)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the FreeBSD VuXML database :
    #
    # Copyright 2003-2018 Jacques Vidrine and contributors
    #
    # Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
    # HTML, PDF, PostScript, RTF and so forth) with or without modification,
    # are permitted provided that the following conditions are met:
    # 1. Redistributions of source code (VuXML) must retain the above
    #    copyright notice, this list of conditions and the following
    #    disclaimer as the first lines of this file unmodified.
    # 2. Redistributions in compiled form (transformed to other DTDs,
    #    published online in any format, converted to PDF, PostScript,
    #    RTF and other formats) must reproduce the above copyright
    #    notice, this list of conditions and the following disclaimer
    #    in the documentation and/or other materials provided with the
    #    distribution.
    # 
    # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
    # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
    # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
    # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
    # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
    # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
    # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
    # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
    # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
    # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(96369);
      script_version("3.3");
      script_cvs_date("Date: 2018/12/19 13:21:18");
    
      script_cve_id("CVE-2016-4330", "CVE-2016-4331", "CVE-2016-4332", "CVE-2016-4333");
    
      script_name(english:"FreeBSD : hdf5 -- multiple vulnerabilities (91e039ed-d689-11e6-9171-14dae9d210b8)");
      script_summary(english:"Checks for updated packages in pkg_info output");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote FreeBSD host is missing one or more security-related
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Talos Security reports :
    
    - CVE-2016-4330 (TALOS-2016-0176) - HDF5 Group libhdf5 H5T_ARRAY Code
    Execution Vulnerability
    
    - CVE-2016-4331 (TALOS-2016-0177) - HDF5 Group libhdf5 H5Z_NBIT Code
    Execution Vulnerability
    
    - CVE-2016-4332 (TALOS-2016-0178) - HDF5 Group libhdf5 Shareable
    Message Type Code Execution Vulnerability
    
    - CVE-2016-4333 (TALOS-2016-0179) - HDF5 Group libhdf5 H5T_COMPOUND
    Code Execution Vulnerability"
      );
      # http://blog.talosintel.com/2016/11/hdf5-vulns.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://blog.talosintelligence.com/2016/11/hdf5-vulns.html"
      );
      # https://vuxml.freebsd.org/freebsd/91e039ed-d689-11e6-9171-14dae9d210b8.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?3c2d67c1"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:hdf5");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:hdf5-18");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/11/17");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/01/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/01/10");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"FreeBSD Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("freebsd_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
    if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (pkg_test(save_report:TRUE, pkg:"hdf5<1.10.0")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"hdf5-18<1.8.18")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-3727.NASL
    descriptionCisco Talos discovered that hdf5, a file format and library for storing scientific data, contained several vulnerabilities that could lead to arbitrary code execution when handling untrusted data.
    last seen2020-06-01
    modified2020-06-02
    plugin id95414
    published2016-12-01
    reporterThis script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/95414
    titleDebian DSA-3727-1 : hdf5 - security update
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-3727. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(95414);
      script_version("3.4");
      script_cvs_date("Date: 2018/11/10 11:49:38");
    
      script_cve_id("CVE-2016-4330", "CVE-2016-4331", "CVE-2016-4332", "CVE-2016-4333");
      script_xref(name:"DSA", value:"3727");
    
      script_name(english:"Debian DSA-3727-1 : hdf5 - security update");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Cisco Talos discovered that hdf5, a file format and library for
    storing scientific data, contained several vulnerabilities that could
    lead to arbitrary code execution when handling untrusted data."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=845301"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/jessie/hdf5"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.debian.org/security/2016/dsa-3727"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the hdf5 packages.
    
    For the stable distribution (jessie), these problems have been fixed
    in version 1.8.13+docs-15+deb8u1."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:hdf5");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2016/11/30");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/12/01");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"8.0", prefix:"hdf5-helpers", reference:"1.8.13+docs-15+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"hdf5-tools", reference:"1.8.13+docs-15+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"libhdf5-8", reference:"1.8.13+docs-15+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"libhdf5-8-dbg", reference:"1.8.13+docs-15+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"libhdf5-cpp-8", reference:"1.8.13+docs-15+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"libhdf5-cpp-8-dbg", reference:"1.8.13+docs-15+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"libhdf5-dev", reference:"1.8.13+docs-15+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"libhdf5-doc", reference:"1.8.13+docs-15+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"libhdf5-mpi-dev", reference:"1.8.13+docs-15+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"libhdf5-mpich-8", reference:"1.8.13+docs-15+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"libhdf5-mpich-8-dbg", reference:"1.8.13+docs-15+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"libhdf5-mpich-dev", reference:"1.8.13+docs-15+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"libhdf5-mpich2-dev", reference:"1.8.13+docs-15+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"libhdf5-openmpi-8", reference:"1.8.13+docs-15+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"libhdf5-openmpi-8-dbg", reference:"1.8.13+docs-15+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"libhdf5-openmpi-dev", reference:"1.8.13+docs-15+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"libhdf5-serial-dev", reference:"1.8.13+docs-15+deb8u1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2016-3477B592E3.NASL
    descriptionSecurity fix for CVE-2016-4330, CVE-2016-4331, CVE-2016-4332, CVE-2016-4333 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2016-12-28
    plugin id96157
    published2016-12-28
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/96157
    titleFedora 25 : hdf5 (2016-3477b592e3)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory FEDORA-2016-3477b592e3.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(96157);
      script_version("3.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2016-4330", "CVE-2016-4331", "CVE-2016-4332", "CVE-2016-4333");
      script_xref(name:"FEDORA", value:"2016-3477b592e3");
    
      script_name(english:"Fedora 25 : hdf5 (2016-3477b592e3)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Security fix for CVE-2016-4330, CVE-2016-4331, CVE-2016-4332,
    CVE-2016-4333
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora update system website.
    Tenable has attempted to automatically clean and format it as much as
    possible without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bodhi.fedoraproject.org/updates/FEDORA-2016-3477b592e3"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected hdf5 package.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:hdf5");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:25");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/11/18");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/12/27");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/12/28");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! preg(pattern:"^25([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 25", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"FC25", reference:"hdf5-1.8.17-2.fc25")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "hdf5");
    }
    

Seebug

bulletinFamilyexploit
description### Description HDF5 is a fileformat that is maintained by a non-profit organization, The HDF Group. HDF5 is designed to be used for storage and organization of large amounts of scientific data and is used to exchange data structures between applications in industries such as the GIS industry via libraries such as GDAL, OGR, or as part of software like ArcGIS. The vulnerability exists due to the library's failure to check if the number of dimensions for an array read from the file is within the bounds of the space allocated for it. When reading elements from the file into this array, a heap-based buffer overflow will occur, potentially leading to arbitrary code execution. ### Tested Versions * hdf5-1.8.16.tar.bz2 * tools/h5ls: Version 1.8.16 * tools/h5stat: Version 1.8.16 * tools/h5dump: Version 1.8.16 ### Product Urls * http://www.hdfgroup.org/HDF5/ * http://www.hdfgroup.org/HDF5/release/obtainsrc.html * http://www.hdfgroup.org/ftp/HDF5/current/src/hdf5-1.8.16.tar.bz2 ### CVSSv3 Score 8.6 -- CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H ### Details The HDF file format is intended to be a general file format that is self-describing for various types of data structures used in the scientific community [1]. These datastructures are intended to be stored in two types of objects, Datasets and Groups. Paralleling the file-format to a filesystem, a Dataset can be interpreted as a file, and a Group can be interpreted as a directory that's able to contain other Datasets or Groups. Associated with each entry, is metadata containing user-defined named attributes that can be used to describe the dataset. Within the HDF file format, paths can be specified as the '/'-separated posix format. When reading a dataset, the library will open the object using H5Dopenoid. Inside this function, the library will read the type and it's location. Once the type and it's location are read, then the library will pass the H5ODTYPEID value onto H5Omsg_read. ``` src/H5Dint.c:1221 static herr_t H5D__open_oid(H5D_t *dataset, hid_t dapl_id, hid_t dxpl_id) { /* Open the dataset object */ if(H5O_open(&(dataset->oloc)) < 0) HGOTO_ERROR(H5E_DATASET, H5E_CANTOPENOBJ, FAIL, "unable to open") /* Get the type and space */ if(NULL == (dataset->shared->type = (H5T_t *)H5O_msg_read(&(dataset->oloc), H5O_DTYPE_ID, NULL, dxpl_id))) // XXX: \ HGOTO_ERROR(H5E_DATASET, H5E_CANTINIT, FAIL, "unable to load type info from dataset header") \ src/H5Omessage.c:463 void * H5O_msg_read(const H5O_loc_t *loc, unsigned type_id, void *mesg, hid_t dxpl_id) { H5O_t *oh = NULL; /* Object header to use */ void *ret_value; /* Return value */ /* Get the object header */ if(NULL == (oh = H5O_protect(loc, dxpl_id, H5AC_READ))) HGOTO_ERROR(H5E_OHDR, H5E_CANTPROTECT, NULL, "unable to protect object header") /* Call the "real" read routine */ if(NULL == (ret_value = H5O_msg_read_oh(loc->file, dxpl_id, oh, type_id, mesg))) // XXX: read the message from the object header HGOTO_ERROR(H5E_OHDR, H5E_READERROR, NULL, "unable to read object header message") ``` Inside H5Omsgreadoh, the application will use the typeid argument to determine which message type is being used for a message. This message type is used to determine which callback to use in order to handle the message. This process occurs within the macro H5OLOADNATIVE at H5Omessage.c:545 ``` src/H5Omessage.c:517 void * H5O_msg_read_oh(H5F_t *f, hid_t dxpl_id, H5O_t *oh, unsigned type_id, void *mesg) { const H5O_msg_class_t *type; /* Actual H5O class type for the ID */ unsigned idx; /* Message's index in object header */ void *ret_value = NULL; for(idx = 0; idx < oh->nmesgs; idx++) if(type == oh->mesg[idx].type) break; H5O_LOAD_NATIVE(f, dxpl_id, 0, oh, &(oh->mesg[idx]), NULL) ``` Inside the H5OLOADNATIVE macro, the application will select a structure containing function pointers out of the msg->type field. This structure contains various functions that are used to decode the message. When decoding a msg of type H5ODTYPEID, the library will dispatch into the H5Odtypeshareddecode function. This function will eventually call H5Odtypedecode. Inside H5Odtypedecode, the library will first allocate space using the call `H5T__alloc`. Afterwards, execution will continue onto H5Odtypedecodehelper which is responsible for decoding the datatypes. ``` src/H5Oshared.h:50 static H5_INLINE void * H5O_SHARED_DECODE(H5F_t *f, hid_t dxpl_id, H5O_t *open_oh, unsigned mesg_flags, unsigned *ioflags, const uint8_t *p) { /* Decode native message directly */ if(NULL == (ret_value = H5O_SHARED_DECODE_REAL(f, dxpl_id, open_oh, mesg_flags, ioflags, p))) // XXX: \ HGOTO_ERROR(H5E_OHDR, H5E_CANTDECODE, NULL, "unable to decode native message") } /* end else */ \ src/H5Odtype.c:1091 static void * H5O_dtype_decode(H5F_t *f, hid_t H5_ATTR_UNUSED dxpl_id, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UNUSED mesg_flags, unsigned *ioflags/*in,out*/, const uint8_t *p) { /* Allocate datatype message */ if(NULL == (dt = H5T__alloc())) HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, "memory allocation failed") /* Perform actual decode of message */ if(H5O_dtype_decode_helper(f, ioflags, &p, dt) < 0) HGOTO_ERROR(H5E_DATATYPE, H5E_CANTDECODE, NULL, "can't decode type") Inside H5T__alloc, the library will allocate space for an H5T_shared_t object. This structure is defined within H5Tpkg.h at line 288. The vulnerability is due to the definition of the H5T_array_t field within the union u. The H5T_array_t structure defines an H5S_MAX_RANK element array of size_t fields. Defined in src/H5public.h:31, this length is 32. src/H5T.c:3446 H5T_t * H5T__alloc(void) { /* Allocate & initialize shared datatype structure */ if(NULL == (dt->shared = H5FL_CALLOC(H5T_shared_t))) // XXX: sizeof(H5T_shared_t) HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, "memory allocation failed") src/H5Spublic.h:31 #define H5S_MAX_RANK 32 src/H5Tpkg.h:288 typedef struct H5T_shared_t { union { H5T_array_t array; /* an array datatype */ } u; } H5T_shared_t; src/H5Tpkg.h:273 typedef struct H5T_array_t { size_t nelem; /* total number of elements in array */ unsigned ndims; /* member dimensionality */ size_t dim[H5S_MAX_RANK]; /* size in each dimension */ // XXX: maximum of 32 } H5T_array_t; ``` After allocating space for the H5Tarrayt, the library will return back to H5Odtypedecode which will then execute the function H5Odtypedecodehelper. When entering the case H5TARRAY, the library will read the number of dimensions from the file and then check that it's valid via an assertion. Due to an assertion being only enabled when the application is compiled in debug-mode, this check will get optimized out by the preprocessor. Immediately following, the library will enter a loop that reads DWORDs from the file into the H5Tarrayt.dim field. If the value of u.array.ndims is larger than 32, then this loop will read data outside the bounds of the H5Tarrayt that was allocated earlier. This will lead to heap corruption and can lead to code execution under the context of the application using the library. ``` src/H5Odtype.c:133 static htri_t H5O_dtype_decode_helper(H5F_t *f, unsigned *ioflags/*in,out*/, const uint8_t **pp, H5T_t *dt) { case H5T_ARRAY: /* Array datatypes */ /* Decode the number of dimensions */ dt->shared->u.array.ndims = *(*pp)++; /* Double-check the number of dimensions */ HDassert(dt->shared->u.array.ndims <= H5S_MAX_RANK); /* Decode array dimension sizes & compute number of elements */ for(i = 0, dt->shared->u.array.nelem = 1; i < (unsigned)dt->shared->u.array.ndims; i++) { UINT32DECODE(*pp, dt->shared->u.array.dim[i]); dt->shared->u.array.nelem *= dt->shared->u.array.dim[i]; } /* end for */ ``` ### Crash Analysis ``` $ gdb -q --args bin/h5stat poc.hdf No symbol table is loaded. Use the "file" command. Reading symbols from $HOME/hdf5-1.8.16/release/bin/h5stat...done. (gdb) bp H5Odtype.c:518 Breakpoint 3 at 0x8147cb0: file ../../src/H5Odtype.c, line 518. (gdb) bp H5Odtype.c:528 i < 0x1f Breakpoint 4 at 0x8147cc9: file ../../src/H5Odtype.c, line 528. (gdb) r Starting program: $HOME/hdf5-1.8.16/release/bin/h5stat poc.hdf Filename: poc.hdf Breakpoint 3, H5O_dtype_decode_helper (f=f@entry=0x83f0e48, ioflags=ioflags@entry=0xbfffed6c, pp=pp@entry=0xbfffed1c, dt=dt@entry=0x83df358) at ../../src/H5Odtype.c:518 518 dt->shared->u.array.ndims = *(*pp)++; (gdb) n 524 if(version < H5O_DTYPE_VERSION_3) (gdb) n 518 dt->shared->u.array.ndims = *(*pp)++; (gdb) n 524 if(version < H5O_DTYPE_VERSION_3) (gdb) p dt->shared->u.array.ndims $1 = 0x69 (gdb) c Continuing. *** Error in `$HOME/hdf5-1.8.16/release/bin/h5stat': free(): invalid pointer: 0x083f21e1 *** Catchpoint 2 (signal SIGABRT), 0xb7ffecb0 in ?? () (gdb) ### Crash Analysis (Address Sanitizer) ================================================================= ==2398==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb2b20938 at pc 0xb626a9fe bp 0xbfb6d5d8 sp 0xbfb6d5d0 WRITE of size 4 at 0xb2b20938 thread T0 #0 0xb626a9fd in H5O_dtype_decode_helper $HOME/hdf5-1.8.16/asan/src/../../src/H5Odtype.c:529 #1 0xb6252881 in H5O_dtype_decode $HOME/hdf5-1.8.16/asan/src/../../src/H5Odtype.c:1108 #2 0xb621efd8 in H5O_dtype_shared_decode $HOME/hdf5-1.8.16/asan/src/../../src/H5Oshared.h:84 #3 0xb62faa5c in H5O_msg_read_oh $HOME/hdf5-1.8.16/asan/src/../../src/H5Omessage.c:554 #4 0xb62f88a6 in H5O_msg_read $HOME/hdf5-1.8.16/asan/src/../../src/H5Omessage.c:483 #5 0xb5798b96 in H5D__open_oid $HOME/hdf5-1.8.16/asan/src/../../src/H5Dint.c:1245 #6 0xb5795df7 in H5D_open $HOME/hdf5-1.8.16/asan/src/../../src/H5Dint.c:1153 #7 0xb563b3f9 in H5Dopen2 $HOME/hdf5-1.8.16/asan/src/../../src/H5D.c:368 #8 0x825351d in find_objs_cb $HOME/hdf5-1.8.16/asan/tools/lib/../../../tools/lib/h5tools_utils.c:580 #9 0x8270c4d in traverse_cb $HOME/hdf5-1.8.16/asan/tools/lib/../../../tools/lib/h5trav.c:237 #10 0xb5c2f66a in H5G_visit_cb $HOME/hdf5-1.8.16/asan/src/../../src/H5Gint.c:939 #11 0xb5c83a72 in H5G__node_iterate $HOME/hdf5-1.8.16/asan/src/../../src/H5Gnode.c:1026 #12 0xb5477c85 in H5B_iterate_helper $HOME/hdf5-1.8.16/asan/src/../../src/H5B.c:1175 #13 0xb54756db in H5B_iterate $HOME/hdf5-1.8.16/asan/src/../../src/H5B.c:1220 #14 0xb5cdc773 in H5G__stab_iterate $HOME/hdf5-1.8.16/asan/src/../../src/H5Gstab.c:565 #15 0xb5ca7af2 in H5G__obj_iterate $HOME/hdf5-1.8.16/asan/src/../../src/H5Gobj.c:707 #16 0xb5c2cbe2 in H5G_visit $HOME/hdf5-1.8.16/asan/src/../../src/H5Gint.c:1174 #17 0xb5fe7f7d in H5Lvisit_by_name $HOME/hdf5-1.8.16/asan/src/../../src/H5L.c:1378 #18 0x825c8fe in traverse $HOME/hdf5-1.8.16/asan/tools/lib/../../../tools/lib/h5trav.c:310 #19 0x82679c5 in h5trav_visit $HOME/hdf5-1.8.16/asan/tools/lib/../../../tools/lib/h5trav.c:1164 #20 0x82522c4 in init_objs $HOME/hdf5-1.8.16/asan/tools/lib/../../../tools/lib/h5tools_utils.c:655 #21 0x80cf3b7 in table_list_add $HOME/hdf5-1.8.16/asan/tools/h5dump/../../../tools/h5dump/h5dump.c:408 #22 0x80d12c1 in main $HOME/hdf5-1.8.16/asan/tools/h5dump/../../../tools/h5dump/h5dump.c:1470 #23 0xb5033a82 (/lib/i386-linux-gnu/libc.so.6+0x19a82) #24 0x80cec04 in _start ($HOME/hdf5-1.8.16/asan/bin/h5dump+0x80cec04) 0xb2b20938 is located 0 bytes to the right of 168-byte region [0xb2b20890,0xb2b20938) allocated by thread T0 here: #0 0x80b791e in calloc ($HOME/hdf5-1.8.16/asan/bin/h5dump+0x80b791e) #1 0xb6058d5b in H5MM_calloc $HOME/hdf5-1.8.16/asan/src/../../src/H5MM.c:107 #2 0xb6947712 in H5T__alloc $HOME/hdf5-1.8.16/asan/src/../../src/H5T.c:3462 #3 0xb62523b8 in H5O_dtype_decode $HOME/hdf5-1.8.16/asan/src/../../src/H5Odtype.c:1104 #4 0xb621efd8 in H5O_dtype_shared_decode $HOME/hdf5-1.8.16/asan/src/../../src/H5Oshared.h:84 #5 0xb62faa5c in H5O_msg_read_oh $HOME/hdf5-1.8.16/asan/src/../../src/H5Omessage.c:554 #6 0xb62f88a6 in H5O_msg_read $HOME/hdf5-1.8.16/asan/src/../../src/H5Omessage.c:483 #7 0xb5798b96 in H5D__open_oid $HOME/hdf5-1.8.16/asan/src/../../src/H5Dint.c:1245 #8 0xb5795df7 in H5D_open $HOME/hdf5-1.8.16/asan/src/../../src/H5Dint.c:1153 #9 0xb563b3f9 in H5Dopen2 $HOME/hdf5-1.8.16/asan/src/../../src/H5D.c:368 #10 0x825351d in find_objs_cb $HOME/hdf5-1.8.16/asan/tools/lib/../../../tools/lib/h5tools_utils.c:580 #11 0x8270c4d in traverse_cb $HOME/hdf5-1.8.16/asan/tools/lib/../../../tools/lib/h5trav.c:237 #12 0xb5c2f66a in H5G_visit_cb $HOME/hdf5-1.8.16/asan/src/../../src/H5Gint.c:939 #13 0xb5c83a72 in H5G__node_iterate $HOME/hdf5-1.8.16/asan/src/../../src/H5Gnode.c:1026 #14 0xb5477c85 in H5B_iterate_helper $HOME/hdf5-1.8.16/asan/src/../../src/H5B.c:1175 #15 0xb54756db in H5B_iterate $HOME/hdf5-1.8.16/asan/src/../../src/H5B.c:1220 #16 0xb5cdc773 in H5G__stab_iterate $HOME/hdf5-1.8.16/asan/src/../../src/H5Gstab.c:565 #17 0xb5ca7af2 in H5G__obj_iterate $HOME/hdf5-1.8.16/asan/src/../../src/H5Gobj.c:707 #18 0xb5c2cbe2 in H5G_visit $HOME/hdf5-1.8.16/asan/src/../../src/H5Gint.c:1174 #19 0xb5fe7f7d in H5Lvisit_by_name $HOME/hdf5-1.8.16/asan/src/../../src/H5L.c:1378 #20 0x825c8fe in traverse $HOME/hdf5-1.8.16/asan/tools/lib/../../../tools/lib/h5trav.c:310 #21 0x82679c5 in h5trav_visit $HOME/hdf5-1.8.16/asan/tools/lib/../../../tools/lib/h5trav.c:1164 #22 0x82522c4 in init_objs $HOME/hdf5-1.8.16/asan/tools/lib/../../../tools/lib/h5tools_utils.c:655 #23 0x80cf3b7 in table_list_add $HOME/hdf5-1.8.16/asan/tools/h5dump/../../../tools/h5dump/h5dump.c:408 #24 0x80d12c1 in main $HOME/hdf5-1.8.16/asan/tools/h5dump/../../../tools/h5dump/h5dump.c:1470 #25 0xb5033a82 (/lib/i386-linux-gnu/libc.so.6+0x19a82) SUMMARY: AddressSanitizer: heap-buffer-overflow $HOME/hdf5-1.8.16/asan/src/../../src/H5Odtype.c:529 H5O_dtype_decode_helper ``` ### Timeline * 2016-05-08 - Discovery * 2016-05-17 - Vendor Notification * 2016-11-15 - Public Disclosure ### References * [1] https://en.wikipedia.org/wiki/HierarchicalDataFormat * [2] http://www.hdfgroup.org/HDF5/
idSSV:96654
last seen2017-11-19
modified2017-10-11
published2017-10-11
reporterRoot
titleHDF5 Group libhdf5 H5T_ARRAY Code Execution Vulnerability(CVE-2016-4330)

Talos

idTALOS-2016-0176
last seen2019-05-29
published2016-11-17
reporterTalos Intelligence
sourcehttp://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0176
titleHDF5 Group libhdf5 H5T_ARRAY Code Execution Vulnerability