Vulnerabilities > CVE-2016-4331 - Out-of-bounds Write vulnerability in Hdfgroup Hdf5 1.8.16

047910
CVSS 8.6 - HIGH
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
local
low complexity
hdfgroup
CWE-787
nessus

Summary

When decoding data out of a dataset encoded with the H5Z_NBIT decoding, the HDF5 1.8.16 library will fail to ensure that the precision is within the bounds of the size leading to arbitrary code execution.

Vulnerable Configurations

Part Description Count
Application
Hdfgroup
1

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201701-13.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201701-13 (HDF5: Multiple vulnerabilities) Multiple arbitrary code execution vulnerabilities have been discovered in HDF5. Please review the CVE identifiers referenced below for details. Impact : An attacker could execute arbitrary code with the privileges of the process via a maliciously crafted database file. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id96244
    published2017-01-03
    reporterThis script is Copyright (C) 2017 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/96244
    titleGLSA-201701-13 : HDF5: Multiple vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 201701-13.
    #
    # The advisory text is Copyright (C) 2001-2017 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(96244);
      script_version("$Revision: 3.1 $");
      script_cvs_date("$Date: 2017/01/03 14:55:09 $");
    
      script_cve_id("CVE-2016-4330", "CVE-2016-4331", "CVE-2016-4332", "CVE-2016-4333");
      script_xref(name:"GLSA", value:"201701-13");
    
      script_name(english:"GLSA-201701-13 : HDF5: Multiple vulnerabilities");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-201701-13
    (HDF5: Multiple vulnerabilities)
    
        Multiple arbitrary code execution vulnerabilities have been discovered
          in HDF5. Please review the CVE identifiers referenced below for details.
      
    Impact :
    
        An attacker could execute arbitrary code with the privileges of the
          process via a maliciously crafted database file.
      
    Workaround :
    
        There is no known workaround at this time."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/201701-13"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All HDF5 users should upgrade to the latest version:
          # emerge --sync
          # emerge --ask --oneshot --verbose '>=sci-libs/hdf5-1.8.18'"
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:hdf5");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2017/01/02");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/01/03");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017 Tenable Network Security, Inc.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (qpkg_check(package:"sci-libs/hdf5", unaffected:make_list("ge 1.8.18"), vulnerable:make_list("lt 1.8.18"))) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "HDF5");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2018-392.NASL
    descriptionThis update for hdf5 fixes the following issues : - fix security issues (arbitary code execution): CVE-2016-4330: H5T_ARRAY Code Execution (boo#1011201) CVE-2016-4331: H5Z_NBIT Code Execution (boo#1011204) CVE-2016-4332: Shareable Message Type Code Execution (boo#1011205) CVE-2016-4333: Array index bounds issue (boo#1011198)
    last seen2020-06-05
    modified2018-04-24
    plugin id109296
    published2018-04-24
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109296
    titleopenSUSE Security Update : hdf5 (openSUSE-2018-392)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update openSUSE-2018-392.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(109296);
      script_version("1.2");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2016-4330", "CVE-2016-4331", "CVE-2016-4332", "CVE-2016-4333");
    
      script_name(english:"openSUSE Security Update : hdf5 (openSUSE-2018-392)");
      script_summary(english:"Check for the openSUSE-2018-392 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for hdf5 fixes the following issues :
    
      - fix security issues (arbitary code execution):
        CVE-2016-4330: H5T_ARRAY Code Execution (boo#1011201)
        CVE-2016-4331: H5Z_NBIT Code Execution (boo#1011204)
        CVE-2016-4332: Shareable Message Type Code Execution
        (boo#1011205) CVE-2016-4333: Array index bounds issue
        (boo#1011198)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1011198"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1011201"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1011204"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1011205"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected hdf5 packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:hdf5");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:hdf5-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:hdf5-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:hdf5-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:hdf5-devel-data");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:hdf5-devel-static");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:hdf5-examples");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:hdf5-openmpi");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:hdf5-openmpi-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:hdf5-openmpi-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:hdf5-openmpi-devel-static");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libhdf5-10");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libhdf5-10-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libhdf5-10-openmpi");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libhdf5-10-openmpi-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libhdf5_hl10");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libhdf5_hl10-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libhdf5_hl10-openmpi");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libhdf5_hl10-openmpi-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.3");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2018/04/23");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/04/24");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE42\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.3", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(x86_64)$") audit(AUDIT_ARCH_NOT, "x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE42.3", reference:"hdf5-1.8.15-7.3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"hdf5-debuginfo-1.8.15-7.3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"hdf5-debugsource-1.8.15-7.3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"hdf5-devel-1.8.15-7.3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"hdf5-devel-data-1.8.15-7.3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"hdf5-devel-static-1.8.15-7.3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"hdf5-examples-1.8.15-7.3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"hdf5-openmpi-1.8.15-7.3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"hdf5-openmpi-debuginfo-1.8.15-7.3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"hdf5-openmpi-devel-1.8.15-7.3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"hdf5-openmpi-devel-static-1.8.15-7.3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"libhdf5-10-1.8.15-7.3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"libhdf5-10-debuginfo-1.8.15-7.3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"libhdf5-10-openmpi-1.8.15-7.3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"libhdf5-10-openmpi-debuginfo-1.8.15-7.3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"libhdf5_hl10-1.8.15-7.3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"libhdf5_hl10-debuginfo-1.8.15-7.3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"libhdf5_hl10-openmpi-1.8.15-7.3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"libhdf5_hl10-openmpi-debuginfo-1.8.15-7.3.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "hdf5 / hdf5-debuginfo / hdf5-debugsource / hdf5-devel / etc");
    }
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-771.NASL
    descriptionCisco Talos discovered that hdf5, a file format and library for storing scientific data, contained several vulnerabilities that could lead to arbitrary code execution when handling untrusted data. For Debian 7
    last seen2020-03-17
    modified2017-01-03
    plugin id96187
    published2017-01-03
    reporterThis script is Copyright (C) 2017-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/96187
    titleDebian DLA-771-1 : hdf5 security update
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Debian Security Advisory DLA-771-1. The text
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(96187);
      script_version("3.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");
    
      script_cve_id("CVE-2016-4330", "CVE-2016-4331", "CVE-2016-4332", "CVE-2016-4333");
    
      script_name(english:"Debian DLA-771-1 : hdf5 security update");
      script_summary(english:"Checks dpkg output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Cisco Talos discovered that hdf5, a file format and library for
    storing scientific data, contained several vulnerabilities that could
    lead to arbitrary code execution when handling untrusted data.
    
    For Debian 7 'Wheezy', these problems have been fixed in version
    1.8.8-9+deb7u1.
    
    We recommend that you upgrade your hdf5 packages.
    
    NOTE: Tenable Network Security has extracted the preceding description
    block directly from the DLA security advisory. Tenable has attempted
    to automatically clean and format it as much as possible without
    introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.debian.org/debian-lts-announce/2016/12/msg00048.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/wheezy/hdf5"
      );
      script_set_attribute(attribute:"solution", value:"Upgrade the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:hdf5-helpers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:hdf5-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libhdf5-7");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libhdf5-7-dbg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libhdf5-dev");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libhdf5-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libhdf5-mpi-dev");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libhdf5-mpich2-7");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libhdf5-mpich2-7-dbg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libhdf5-mpich2-dev");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libhdf5-openmpi-7");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libhdf5-openmpi-7-dbg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libhdf5-openmpi-dev");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libhdf5-serial-dev");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2016/12/31");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/01/03");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2020 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"7.0", prefix:"hdf5-helpers", reference:"1.8.8-9+deb7u1")) flag++;
    if (deb_check(release:"7.0", prefix:"hdf5-tools", reference:"1.8.8-9+deb7u1")) flag++;
    if (deb_check(release:"7.0", prefix:"libhdf5-7", reference:"1.8.8-9+deb7u1")) flag++;
    if (deb_check(release:"7.0", prefix:"libhdf5-7-dbg", reference:"1.8.8-9+deb7u1")) flag++;
    if (deb_check(release:"7.0", prefix:"libhdf5-dev", reference:"1.8.8-9+deb7u1")) flag++;
    if (deb_check(release:"7.0", prefix:"libhdf5-doc", reference:"1.8.8-9+deb7u1")) flag++;
    if (deb_check(release:"7.0", prefix:"libhdf5-mpi-dev", reference:"1.8.8-9+deb7u1")) flag++;
    if (deb_check(release:"7.0", prefix:"libhdf5-mpich2-7", reference:"1.8.8-9+deb7u1")) flag++;
    if (deb_check(release:"7.0", prefix:"libhdf5-mpich2-7-dbg", reference:"1.8.8-9+deb7u1")) flag++;
    if (deb_check(release:"7.0", prefix:"libhdf5-mpich2-dev", reference:"1.8.8-9+deb7u1")) flag++;
    if (deb_check(release:"7.0", prefix:"libhdf5-openmpi-7", reference:"1.8.8-9+deb7u1")) flag++;
    if (deb_check(release:"7.0", prefix:"libhdf5-openmpi-7-dbg", reference:"1.8.8-9+deb7u1")) flag++;
    if (deb_check(release:"7.0", prefix:"libhdf5-openmpi-dev", reference:"1.8.8-9+deb7u1")) flag++;
    if (deb_check(release:"7.0", prefix:"libhdf5-serial-dev", reference:"1.8.8-9+deb7u1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_91E039EDD68911E6917114DAE9D210B8.NASL
    descriptionTalos Security reports : - CVE-2016-4330 (TALOS-2016-0176) - HDF5 Group libhdf5 H5T_ARRAY Code Execution Vulnerability - CVE-2016-4331 (TALOS-2016-0177) - HDF5 Group libhdf5 H5Z_NBIT Code Execution Vulnerability - CVE-2016-4332 (TALOS-2016-0178) - HDF5 Group libhdf5 Shareable Message Type Code Execution Vulnerability - CVE-2016-4333 (TALOS-2016-0179) - HDF5 Group libhdf5 H5T_COMPOUND Code Execution Vulnerability
    last seen2020-06-01
    modified2020-06-02
    plugin id96369
    published2017-01-10
    reporterThis script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/96369
    titleFreeBSD : hdf5 -- multiple vulnerabilities (91e039ed-d689-11e6-9171-14dae9d210b8)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the FreeBSD VuXML database :
    #
    # Copyright 2003-2018 Jacques Vidrine and contributors
    #
    # Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
    # HTML, PDF, PostScript, RTF and so forth) with or without modification,
    # are permitted provided that the following conditions are met:
    # 1. Redistributions of source code (VuXML) must retain the above
    #    copyright notice, this list of conditions and the following
    #    disclaimer as the first lines of this file unmodified.
    # 2. Redistributions in compiled form (transformed to other DTDs,
    #    published online in any format, converted to PDF, PostScript,
    #    RTF and other formats) must reproduce the above copyright
    #    notice, this list of conditions and the following disclaimer
    #    in the documentation and/or other materials provided with the
    #    distribution.
    # 
    # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
    # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
    # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
    # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
    # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
    # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
    # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
    # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
    # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
    # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(96369);
      script_version("3.3");
      script_cvs_date("Date: 2018/12/19 13:21:18");
    
      script_cve_id("CVE-2016-4330", "CVE-2016-4331", "CVE-2016-4332", "CVE-2016-4333");
    
      script_name(english:"FreeBSD : hdf5 -- multiple vulnerabilities (91e039ed-d689-11e6-9171-14dae9d210b8)");
      script_summary(english:"Checks for updated packages in pkg_info output");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote FreeBSD host is missing one or more security-related
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Talos Security reports :
    
    - CVE-2016-4330 (TALOS-2016-0176) - HDF5 Group libhdf5 H5T_ARRAY Code
    Execution Vulnerability
    
    - CVE-2016-4331 (TALOS-2016-0177) - HDF5 Group libhdf5 H5Z_NBIT Code
    Execution Vulnerability
    
    - CVE-2016-4332 (TALOS-2016-0178) - HDF5 Group libhdf5 Shareable
    Message Type Code Execution Vulnerability
    
    - CVE-2016-4333 (TALOS-2016-0179) - HDF5 Group libhdf5 H5T_COMPOUND
    Code Execution Vulnerability"
      );
      # http://blog.talosintel.com/2016/11/hdf5-vulns.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://blog.talosintelligence.com/2016/11/hdf5-vulns.html"
      );
      # https://vuxml.freebsd.org/freebsd/91e039ed-d689-11e6-9171-14dae9d210b8.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?3c2d67c1"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:hdf5");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:hdf5-18");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/11/17");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/01/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/01/10");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"FreeBSD Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("freebsd_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
    if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (pkg_test(save_report:TRUE, pkg:"hdf5<1.10.0")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"hdf5-18<1.8.18")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-3727.NASL
    descriptionCisco Talos discovered that hdf5, a file format and library for storing scientific data, contained several vulnerabilities that could lead to arbitrary code execution when handling untrusted data.
    last seen2020-06-01
    modified2020-06-02
    plugin id95414
    published2016-12-01
    reporterThis script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/95414
    titleDebian DSA-3727-1 : hdf5 - security update
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-3727. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(95414);
      script_version("3.4");
      script_cvs_date("Date: 2018/11/10 11:49:38");
    
      script_cve_id("CVE-2016-4330", "CVE-2016-4331", "CVE-2016-4332", "CVE-2016-4333");
      script_xref(name:"DSA", value:"3727");
    
      script_name(english:"Debian DSA-3727-1 : hdf5 - security update");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Cisco Talos discovered that hdf5, a file format and library for
    storing scientific data, contained several vulnerabilities that could
    lead to arbitrary code execution when handling untrusted data."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=845301"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/jessie/hdf5"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.debian.org/security/2016/dsa-3727"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the hdf5 packages.
    
    For the stable distribution (jessie), these problems have been fixed
    in version 1.8.13+docs-15+deb8u1."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:hdf5");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2016/11/30");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/12/01");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"8.0", prefix:"hdf5-helpers", reference:"1.8.13+docs-15+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"hdf5-tools", reference:"1.8.13+docs-15+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"libhdf5-8", reference:"1.8.13+docs-15+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"libhdf5-8-dbg", reference:"1.8.13+docs-15+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"libhdf5-cpp-8", reference:"1.8.13+docs-15+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"libhdf5-cpp-8-dbg", reference:"1.8.13+docs-15+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"libhdf5-dev", reference:"1.8.13+docs-15+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"libhdf5-doc", reference:"1.8.13+docs-15+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"libhdf5-mpi-dev", reference:"1.8.13+docs-15+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"libhdf5-mpich-8", reference:"1.8.13+docs-15+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"libhdf5-mpich-8-dbg", reference:"1.8.13+docs-15+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"libhdf5-mpich-dev", reference:"1.8.13+docs-15+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"libhdf5-mpich2-dev", reference:"1.8.13+docs-15+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"libhdf5-openmpi-8", reference:"1.8.13+docs-15+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"libhdf5-openmpi-8-dbg", reference:"1.8.13+docs-15+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"libhdf5-openmpi-dev", reference:"1.8.13+docs-15+deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"libhdf5-serial-dev", reference:"1.8.13+docs-15+deb8u1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2016-3477B592E3.NASL
    descriptionSecurity fix for CVE-2016-4330, CVE-2016-4331, CVE-2016-4332, CVE-2016-4333 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2016-12-28
    plugin id96157
    published2016-12-28
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/96157
    titleFedora 25 : hdf5 (2016-3477b592e3)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory FEDORA-2016-3477b592e3.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(96157);
      script_version("3.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2016-4330", "CVE-2016-4331", "CVE-2016-4332", "CVE-2016-4333");
      script_xref(name:"FEDORA", value:"2016-3477b592e3");
    
      script_name(english:"Fedora 25 : hdf5 (2016-3477b592e3)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Security fix for CVE-2016-4330, CVE-2016-4331, CVE-2016-4332,
    CVE-2016-4333
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora update system website.
    Tenable has attempted to automatically clean and format it as much as
    possible without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bodhi.fedoraproject.org/updates/FEDORA-2016-3477b592e3"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected hdf5 package.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:hdf5");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:25");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/11/18");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/12/27");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/12/28");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! preg(pattern:"^25([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 25", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"FC25", reference:"hdf5-1.8.17-2.fc25")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "hdf5");
    }
    

Seebug

bulletinFamilyexploit
description### Description HDF5 is a file format that is maintained by a non-profit organization, The HDF Group. HDF5 is designed to be used for storage and organization of large amounts of scientific data and is used to exchange data structures between applications in industries such as the GIS industry via libraries such as GDAL, OGR, or as part of software like ArcGIS. The vulnerability exists when the library is decoding data out of a dataset encoded with the H5Z_NBIT decoding. When calculating the precision that a BCD number is encoded as, the library will fail to ensure that the precision is within the bounds of the size. Due to this, the library will calculate an index outside the bounds of the space allocated for the BCD number. Whilst decoding this data, the library will then write outside the bounds of the buffer leading to a heap-based buffer overflow. This can lead to code execution under the context of the application using the library. ### Tested Versions * hdf5-1.8.16.tar.bz2 * tools/h5ls: Version 1.8.16 * tools/h5stat: Version 1.8.16 * tools/h5dump: Version 1.8.16 ### Product Urls * http://www.hdfgroup.org/HDF5/ * http://www.hdfgroup.org/HDF5/release/obtainsrc.html * http://www.hdfgroup.org/ftp/HDF5/current/src/hdf5-1.8.16.tar.bz2 ### CVSSv3 Score 8.6 - CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H ### Details The HDF file format is intended to be a general file format that is self-describing for various types of data structures used in the scientific community [1]. These data structures are intended to be stored in two types of objects, Datasets and Groups. Paralleling the file-format to a file system, a Dataset can be interpreted as a file, and a Group can be interpreted as a directory that's able to contain other Datasets or Groups. Associated with each entry, is metadata containing user-defined named attributes that can be used to describe the dataset. When reading a dataset out of the file, the HDF5 library will call the following function, H5Dread. After allocating space for the buffer, the library will call an internal function H5Dread which will eventually call into H5Dchunk_lock. This function is responsible for reading the contents of the dataset into a cache that the application will later be able to access. ``` src/H5Dio.c:125 herr_t H5Dread(hid_t dset_id, hid_t mem_type_id, hid_t mem_space_id, hid_t file_space_id, hid_t plist_id, void *buf/*out*/) { ... /* read raw data */ if(H5D__read(dset, mem_type_id, mem_space, file_space, plist_id, buf/*out*/) < 0) HGOTO_ERROR(H5E_DATASET, H5E_READERROR, FAIL, "can't read data") src/H5Dio.c:373 herr_t H5D__read(H5D_t *dataset, hid_t mem_type_id, const H5S_t *mem_space, const H5S_t *file_space, hid_t dxpl_id, void *buf/*out*/) { ... /* Invoke correct "high level" I/O routine */ if((*io_info.io_ops.multi_read)(&io_info, &type_info, nelmts, file_space, mem_space, &fm) < 0) // XXX: \ HGOTO_ERROR(H5E_DATASET, H5E_READERROR, FAIL, "can't read data") \ ... src/H5Dchunk.c:1873 /* Lock the chunk into the cache */ if(NULL == (chunk = H5D__chunk_lock(io_info, &udata, FALSE))) HGOTO_ERROR(H5E_IO, H5E_READERROR, FAIL, "unable to read raw data chunk") ``` Once chunklock is read, the library will call into it's pipeline to determine how it can decode the data. This happens by calling H5Zpipeline. Inside H5Z_pipeline, the library will determine what kind of filter to choose and then call the "filter" method from a data structure that contains methods or handlers that deal with the specific encoding type. ``` src/H5Dchunk.c:2808 void * H5D__chunk_lock(const H5D_io_info_t *io_info, H5D_chunk_ud_t *udata, hbool_t relax) { if(H5Z_pipeline(pline, H5Z_FLAG_REVERSE, &(udata->filter_mask), io_info->dxpl_cache- >err_detect, // XXX: \ io_info->dxpl_cache->filter_cb, &chunk_alloc, &chunk_alloc, &chunk) < 0) HGOTO_ERROR(H5E_PLINE, H5E_CANTFILTER, NULL, "data pipeline read failed") H5_CHECKED_ASSIGN(udata->nbytes, uint32_t, chunk_alloc, size_t); \ src/H5Z.c:1285 herr_t H5Z_pipeline(const H5O_pline_t *pline, unsigned flags, unsigned *filter_mask/*in,out*/, H5Z_EDC_t edc_read, H5Z_cb_t cb_struct, size_t *nbytes/*in,out*/, size_t *buf_size/*in,out*/, void **buf/*in,out*/) { tmp_flags=flags|(pline->filter[idx].flags); tmp_flags|=(edc_read== H5Z_DISABLE_EDC) ? H5Z_FLAG_SKIP_EDC : 0; new_nbytes = (fclass->filter)(tmp_flags, pline->filter[idx].cd_nelmts, // XXX: calls H5Z_filter_nbit pline->filter[idx].cd_values, *nbytes, buf_size, buf); ``` When handling data encoded with the nbit encoding type, the library will call H5Zfilternbit. This function will take inputs from the file and use it to calculate the amount of space required to decode the encoded data. This is done by taking the number of elements and multiplying it by the size of elements. With the provided proof of concept, the size is 4 and the number of elements is 12. This results in a buffer size of 48 bytes. ``` src/H5Znbit.c:865 static size_t H5Z_filter_nbit(unsigned flags, size_t cd_nelmts, const unsigned cd_values[], size_t nbytes, size_t *buf_size, void **buf) { /* copy a filter parameter to d_nelmts */ d_nelmts = cd_values[2]; // XXX: number of elements /* input; decompress */ if(flags & H5Z_FLAG_REVERSE) { size_out = d_nelmts * cd_values[4]; /* cd_values[4] stores datatype size */ // XXX: size of elements /* allocate memory space for decompressed buffer */ if(NULL == (outbuf = (unsigned char *)H5MM_malloc(size_out))) // XXX: seems to be 0x30 HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, 0, "memory allocation failed for nbit decompression") /* decompress the buffer */ H5Z_nbit_decompress(outbuf, d_nelmts, (unsigned char *)*buf, cd_values); // XXX: decompress data into outbuf ``` When entering the H5ZNBITATOMIC case, the library copy input from the file into a structure that gets passed to H5Znbitdecompressoneatomic. This loop will iterate for the number of elements that were stored in the dataset. The field that is used later to write outside the buffer allocated in the prior snippet is used to determine the precision of a binary-coded-decimal number. ``` src/H5Znbit.c:1140 static void H5Z_nbit_decompress(unsigned char *data, unsigned d_nelmts, unsigned char *buffer, const unsigned parms[]) { switch(parms[3]) { case H5Z_NBIT_ATOMIC: /* set the index before goto function call */ p.size = parms[4]; p.order = parms[5]; p.precision = parms[6]; // XXX: used later p.offset = parms[7]; for(i = 0; i < d_nelmts; i++) { H5Z_nbit_decompress_one_atomic(data, i*p.size, buffer, &j, &buf_len, p); } break; ``` Once inside H5Znbitdecompressoneatomic, the library will use the value of p.precision to calculate the index into the buffer that was allocated. Due to a lack of bounds-checking, this index will allow for a loop that is executed later to write outside the bounds of the buffer. If precision is larger than datatype_len, then the index can be made to overflow. ``` src/H5Znbit.c:1012 static void H5Z_nbit_decompress_one_atomic(unsigned char *data, size_t data_offset, unsigned char *buffer, size_t *j, int *buf_len, parms_atomic p) { /* begin_i: the index of byte having first significant bit end_i: the index of byte having last significant bit */ int k, begin_i, end_i, datatype_len; datatype_len = p.size * 8; if(p.order == H5Z_NBIT_ORDER_BE) { /* big endian */ /* calculate begin_i and end_i */ begin_i = (datatype_len - p.precision - p.offset) / 8; // XXX: p.precision is used here to calculate begin_i if(p.offset % 8 != 0) end_i = (datatype_len - p.offset) / 8; else end_i = (datatype_len - p.offset) / 8 - 1; for(k = begin_i; k <= end_i; k++) H5Z_nbit_decompress_one_byte(data, data_offset, k, begin_i, end_i, // XXX: k == begin_i buffer, j, buf_len, p, datatype_len); It is within H5Z_nbit_decompress_one_byte that the library will write outside it's bounds. Due to the value of begin_i pointing outside the buffer, this can be used to trigger a buffer overflow and overwrite adjacent data. This is a heap-based buffer overflow and can lead to code execution within the context of the library. src/H5Znbit.c:943 static void H5Z_nbit_decompress_one_byte(unsigned char *data, size_t data_offset, int k, int begin_i, int end_i, unsigned char *buffer, size_t *j, int *buf_len, parms_atomic p, int datatype_len) { data[data_offset + k] = // XXX: data_offset + k points outside of data ((val & ~(~0 << *buf_len)) << (dat_len - *buf_len)) << uchar_offset; ``` ### Crash Analysis ``` $ gdb --directory ~/build/hdf5-1.8.16/release/bin -q --args ~/build/hdf5-1.8.16/release/bin/h5dump 00015 8.hdf Reading symbols from /home/vrt/build/hdf5-1.8.16/release/bin/h5dump...done. (gdb) bp H5Znbit.c:896 Breakpoint 3 at 0x8269e94: file ../../src/H5Znbit.c, line 896. (gdb) bp H5Znbit.c:1162 Breakpoint 4 at 0x8269f09: file ../../src/H5Znbit.c, line 1162. (gdb) bp H5Znbit.c:1030 Breakpoint 5 at 0x8269549: file ../../src/H5Znbit.c, line 1030. (gdb) r Breakpoint 3, H5Z_filter_nbit (flags=0x101, cd_nelmts=0x8, cd_values=0x848db88, nbytes=0x1f, buf_size=0xbfffbc7c, buf=0xbfffbc38) at ../../src/H5Znbit.c:896 896 if(NULL == (outbuf = (unsigned char *)H5MM_malloc(size_out))) (gdb) p size_out $6 = 0x0 (gdb) c Continuing. Breakpoint 4, H5Z_nbit_decompress (parms=0x848db88, buffer=0x8498530 ":\252\263Ê«>", d_nelmts=0xc, data=0x8498558 "") at ../../src/H5Znbit.c:1162 1162 p.precision = parms[6]; (gdb) c Continuing. Breakpoint 5, H5Z_nbit_decompress_one_atomic (data=data@entry=0x8498558 "", data_offset=0x0, buffer=buffer@entry=0x8498530 ":\252\263Ê«>", j=j@entry=0xbfffbb08, buf_len=buf_len@entry=0xbfffbb0c, p=...) at ../../src/H5Znbit.c:1030 1030 for(k = begin_i; k >= end_i; k--) (gdb) p k $7 = 0x2003 (gdb) c Continuing. Catchpoint 2 (signal SIGSEGV), 0x082695ff in H5Z_nbit_decompress_one_byte (datatype_len=0x20, buf_len=0xbfffbb0c, j=0xbfffbb08, buffer=0x8498530 ":\252\263Ê«>", end_i=0x0, begin_i=0x2003, k=0x557, data_offset=<optimized out>, data=<optimized out>, p=...) at ../../src/H5Znbit.c:983 983 ((val >> (*buf_len - dat_len)) & ~(~0 << dat_len)) << uchar_offset; ###Crash Analysis (Address Sanitizer) ================================================================= ==2374==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb3519a53 at pc 0xb74003af bp 0xbfcd6c38 sp 0xbfcd6c30 WRITE of size 1 at 0xb3519a53 thread T0 #0 0xb74003ae in H5Z_nbit_decompress_one_byte /home/vrt/build/hdf5-1.8.16/memcheck/src/../../src/H5Znbit.c:975 #1 0xb73f7a71 in H5Z_nbit_decompress_one_atomic /home/vrt/build/hdf5-1.8.16/memcheck/src/../../src/H5Znbit.c:1031 #2 0xb73e96ac in H5Z_nbit_decompress /home/vrt/build/hdf5-1.8.16/memcheck/src/../../src/H5Znbit.c:1165 #3 0xb73e783f in H5Z_filter_nbit /home/vrt/build/hdf5-1.8.16/memcheck/src/../../src/H5Znbit.c:900 #4 0xb73ccfd6 in H5Z_pipeline /home/vrt/build/hdf5-1.8.16/memcheck/src/../../src/H5Z.c:1360 #5 0xb568fc12 in H5D__chunk_lock /home/vrt/build/hdf5-1.8.16/memcheck/src/../../src/H5Dchunk.c:2903 #6 0xb5673334 in H5D__chunk_read /home/vrt/build/hdf5-1.8.16/memcheck/src/../../src/H5Dchunk.c:1874 #7 0xb57bb68d in H5D__read /home/vrt/build/hdf5-1.8.16/memcheck/src/../../src/H5Dio.c:550 #8 0xb57b5813 in H5Dread /home/vrt/build/hdf5-1.8.16/memcheck/src/../../src/H5Dio.c:172 #9 0x81e9cf3 in h5tools_dump_simple_dset /home/vrt/build/hdf5-1.8.16/memcheck/tools/lib/../../../tools/lib/h5tools_dump.c:1619 #10 0x81e543d in h5tools_dump_dset /home/vrt/build/hdf5-1.8.16/memcheck/tools/lib/../../../tools/lib/h5tools_dump.c:1790 #11 0x821316a in h5tools_dump_data /home/vrt/build/hdf5-1.8.16/memcheck/tools/lib/../../../tools/lib/h5tools_dump.c:3859 #12 0x81045ca in dump_dataset /home/vrt/build/hdf5-1.8.16/memcheck/tools/h5dump/../../../tools/h5dump/h5dump_ddl.c:1053 #13 0x80f5da3 in dump_all_cb /home/vrt/build/hdf5-1.8.16/memcheck/tools/h5dump/../../../tools/h5dump/h5dump_ddl.c:358 #14 0xb5c1669a in H5G_iterate_cb /home/vrt/build/hdf5-1.8.16/memcheck/src/../../src/H5Gint.c:782 #15 0xb5c71a72 in H5G__node_iterate /home/vrt/build/hdf5-1.8.16/memcheck/src/../../src/H5Gnode.c:1026 #16 0xb5465c85 in H5B_iterate_helper /home/vrt/build/hdf5-1.8.16/memcheck/src/../../src/H5B.c:1175 #17 0xb54636db in H5B_iterate /home/vrt/build/hdf5-1.8.16/memcheck/src/../../src/H5B.c:1220 #18 0xb5cca773 in H5G__stab_iterate /home/vrt/build/hdf5-1.8.16/memcheck/src/../../src/H5Gstab.c:565 #19 0xb5c95af2 in H5G__obj_iterate /home/vrt/build/hdf5-1.8.16/memcheck/src/../../src/H5Gobj.c:707 #20 0xb5c14ba9 in H5G_iterate /home/vrt/build/hdf5-1.8.16/memcheck/src/../../src/H5Gint.c:843 #21 0xb5fcdb47 in H5Literate /home/vrt/build/hdf5-1.8.16/memcheck/src/../../src/H5L.c:1182 #22 0x80f1609 in link_iteration /home/vrt/build/hdf5-1.8.16/memcheck/tools/h5dump/../../../tools/h5dump/h5dump_ddl.c:608 #23 0x8100596 in dump_group /home/vrt/build/hdf5-1.8.16/memcheck/tools/h5dump/../../../tools/h5dump/h5dump_ddl.c:890 #24 0x80d3345 in main /home/vrt/build/hdf5-1.8.16/memcheck/tools/h5dump/../../../tools/h5dump/h5dump.c:1542 #25 0xb5021a82 (/lib/i386-linux-gnu/libc.so.6+0x19a82) #26 0x80cec04 in _start (/home/vrt/build/hdf5-1.8.16/memcheck/bin/h5dump+0x80cec04) AddressSanitizer can not describe address in more detail (wild memory access suspected). SUMMARY: AddressSanitizer: heap-buffer-overflow /home/vrt/build/hdf5-1.8.16/memcheck/src/../../src/H5Znbit.c:975 H5Z_nbit_decompress_one_byte ``` ### Timeline * 2016-05-17 - Vendor Notification * 2016-11-15 - Public Disclosure ### References * [1] https://en.wikipedia.org/wiki/HierarchicalDataFormat * [2] http://www.hdfgroup.org/HDF5/
idSSV:96653
last seen2017-11-19
modified2017-10-11
published2017-10-11
reporterRoot
titleHDF5 Group libhdf5 H5Z_NBIT Code Execution Vulnerability(CVE-2016-4331)

Talos

idTALOS-2016-0177
last seen2019-05-29
published2016-11-17
reporterTalos Intelligence
sourcehttp://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0177
titleHDF5 Group libhdf5 H5Z_NBIT Code Execution Vulnerability