Vulnerabilities > CVE-2016-4332 - Improper Input Validation vulnerability in Hdfgroup Hdf5 1.8.16
Attack vector
LOCAL Attack complexity
MEDIUM Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
The library's failure to check if certain message types support a particular flag, the HDF5 1.8.16 library will cast the structure to an alternative structure and then assign to fields that aren't supported by the message type and the library will write outside the bounds of the heap buffer. This can lead to code execution under the context of the library.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 1 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Server Side Include (SSI) Injection An attacker can use Server Side Include (SSI) Injection to send code to a web application that then gets executed by the web server. Doing so enables the attacker to achieve similar results to Cross Site Scripting, viz., arbitrary code execution and information disclosure, albeit on a more limited scale, since the SSI directives are nowhere near as powerful as a full-fledged scripting language. Nonetheless, the attacker can conveniently gain access to sensitive files, such as password files, and execute shell commands.
- Cross Zone Scripting An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security. In a zone-based model, pages belong to one of a set of zones corresponding to the level of privilege assigned to that page. Pages in an untrusted zone would have a lesser level of access to the system and/or be restricted in the types of executable content it was allowed to invoke. In a cross-zone scripting attack, a page that should be assigned to a less privileged zone is granted the privileges of a more trusted zone. This can be accomplished by exploiting bugs in the browser, exploiting incorrect configuration in the zone controls, through a cross-site scripting attack that causes the attackers' content to be treated as coming from a more trusted page, or by leveraging some piece of system functionality that is accessible from both the trusted and less trusted zone. This attack differs from "Restful Privilege Escalation" in that the latter correlates to the inadequate securing of RESTful access methods (such as HTTP DELETE) on the server, while cross-zone scripting attacks the concept of security zones as implemented by a browser.
- Cross Site Scripting through Log Files An attacker may leverage a system weakness where logs are susceptible to log injection to insert scripts into the system's logs. If these logs are later viewed by an administrator through a thin administrative interface and the log data is not properly HTML encoded before being written to the page, the attackers' scripts stored in the log will be executed in the administrative interface with potentially serious consequences. This attack pattern is really a combination of two other attack patterns: log injection and stored cross site scripting.
- Command Line Execution through SQL Injection An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host.
Nessus
NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201701-13.NASL description The remote host is affected by the vulnerability described in GLSA-201701-13 (HDF5: Multiple vulnerabilities) Multiple arbitrary code execution vulnerabilities have been discovered in HDF5. Please review the CVE identifiers referenced below for details. Impact : An attacker could execute arbitrary code with the privileges of the process via a maliciously crafted database file. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 96244 published 2017-01-03 reporter This script is Copyright (C) 2017 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/96244 title GLSA-201701-13 : HDF5: Multiple vulnerabilities code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Gentoo Linux Security Advisory GLSA 201701-13. # # The advisory text is Copyright (C) 2001-2017 Gentoo Foundation, Inc. # and licensed under the Creative Commons - Attribution / Share Alike # license. See http://creativecommons.org/licenses/by-sa/3.0/ # include("compat.inc"); if (description) { script_id(96244); script_version("$Revision: 3.1 $"); script_cvs_date("$Date: 2017/01/03 14:55:09 $"); script_cve_id("CVE-2016-4330", "CVE-2016-4331", "CVE-2016-4332", "CVE-2016-4333"); script_xref(name:"GLSA", value:"201701-13"); script_name(english:"GLSA-201701-13 : HDF5: Multiple vulnerabilities"); script_summary(english:"Checks for updated package(s) in /var/db/pkg"); script_set_attribute( attribute:"synopsis", value: "The remote Gentoo host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "The remote host is affected by the vulnerability described in GLSA-201701-13 (HDF5: Multiple vulnerabilities) Multiple arbitrary code execution vulnerabilities have been discovered in HDF5. Please review the CVE identifiers referenced below for details. Impact : An attacker could execute arbitrary code with the privileges of the process via a maliciously crafted database file. Workaround : There is no known workaround at this time." ); script_set_attribute( attribute:"see_also", value:"https://security.gentoo.org/glsa/201701-13" ); script_set_attribute( attribute:"solution", value: "All HDF5 users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=sci-libs/hdf5-1.8.18'" ); script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:hdf5"); script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux"); script_set_attribute(attribute:"patch_publication_date", value:"2017/01/02"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/01/03"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2017 Tenable Network Security, Inc."); script_family(english:"Gentoo Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("qpkg.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo"); if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (qpkg_check(package:"sci-libs/hdf5", unaffected:make_list("ge 1.8.18"), vulnerable:make_list("lt 1.8.18"))) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get()); else security_warning(0); exit(0); } else { tested = qpkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "HDF5"); }NASL family SuSE Local Security Checks NASL id OPENSUSE-2018-392.NASL description This update for hdf5 fixes the following issues : - fix security issues (arbitary code execution): CVE-2016-4330: H5T_ARRAY Code Execution (boo#1011201) CVE-2016-4331: H5Z_NBIT Code Execution (boo#1011204) CVE-2016-4332: Shareable Message Type Code Execution (boo#1011205) CVE-2016-4333: Array index bounds issue (boo#1011198) last seen 2020-06-05 modified 2018-04-24 plugin id 109296 published 2018-04-24 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109296 title openSUSE Security Update : hdf5 (openSUSE-2018-392) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update openSUSE-2018-392. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(109296); script_version("1.2"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2016-4330", "CVE-2016-4331", "CVE-2016-4332", "CVE-2016-4333"); script_name(english:"openSUSE Security Update : hdf5 (openSUSE-2018-392)"); script_summary(english:"Check for the openSUSE-2018-392 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "This update for hdf5 fixes the following issues : - fix security issues (arbitary code execution): CVE-2016-4330: H5T_ARRAY Code Execution (boo#1011201) CVE-2016-4331: H5Z_NBIT Code Execution (boo#1011204) CVE-2016-4332: Shareable Message Type Code Execution (boo#1011205) CVE-2016-4333: Array index bounds issue (boo#1011198)" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1011198" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1011201" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1011204" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1011205" ); script_set_attribute(attribute:"solution", value:"Update the affected hdf5 packages."); script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:hdf5"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:hdf5-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:hdf5-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:hdf5-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:hdf5-devel-data"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:hdf5-devel-static"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:hdf5-examples"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:hdf5-openmpi"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:hdf5-openmpi-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:hdf5-openmpi-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:hdf5-openmpi-devel-static"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libhdf5-10"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libhdf5-10-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libhdf5-10-openmpi"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libhdf5-10-openmpi-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libhdf5_hl10"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libhdf5_hl10-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libhdf5_hl10-openmpi"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libhdf5_hl10-openmpi-debuginfo"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.3"); script_set_attribute(attribute:"patch_publication_date", value:"2018/04/23"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/04/24"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE42\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.3", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(x86_64)$") audit(AUDIT_ARCH_NOT, "x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE42.3", reference:"hdf5-1.8.15-7.3.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"hdf5-debuginfo-1.8.15-7.3.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"hdf5-debugsource-1.8.15-7.3.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"hdf5-devel-1.8.15-7.3.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"hdf5-devel-data-1.8.15-7.3.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"hdf5-devel-static-1.8.15-7.3.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"hdf5-examples-1.8.15-7.3.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"hdf5-openmpi-1.8.15-7.3.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"hdf5-openmpi-debuginfo-1.8.15-7.3.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"hdf5-openmpi-devel-1.8.15-7.3.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"hdf5-openmpi-devel-static-1.8.15-7.3.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"libhdf5-10-1.8.15-7.3.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"libhdf5-10-debuginfo-1.8.15-7.3.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"libhdf5-10-openmpi-1.8.15-7.3.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"libhdf5-10-openmpi-debuginfo-1.8.15-7.3.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"libhdf5_hl10-1.8.15-7.3.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"libhdf5_hl10-debuginfo-1.8.15-7.3.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"libhdf5_hl10-openmpi-1.8.15-7.3.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"libhdf5_hl10-openmpi-debuginfo-1.8.15-7.3.1") ) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "hdf5 / hdf5-debuginfo / hdf5-debugsource / hdf5-devel / etc"); }NASL family Debian Local Security Checks NASL id DEBIAN_DLA-771.NASL description Cisco Talos discovered that hdf5, a file format and library for storing scientific data, contained several vulnerabilities that could lead to arbitrary code execution when handling untrusted data. For Debian 7 last seen 2020-03-17 modified 2017-01-03 plugin id 96187 published 2017-01-03 reporter This script is Copyright (C) 2017-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/96187 title Debian DLA-771-1 : hdf5 security update code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DLA-771-1. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(96187); script_version("3.3"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12"); script_cve_id("CVE-2016-4330", "CVE-2016-4331", "CVE-2016-4332", "CVE-2016-4333"); script_name(english:"Debian DLA-771-1 : hdf5 security update"); script_summary(english:"Checks dpkg output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security update." ); script_set_attribute( attribute:"description", value: "Cisco Talos discovered that hdf5, a file format and library for storing scientific data, contained several vulnerabilities that could lead to arbitrary code execution when handling untrusted data. For Debian 7 'Wheezy', these problems have been fixed in version 1.8.8-9+deb7u1. We recommend that you upgrade your hdf5 packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://lists.debian.org/debian-lts-announce/2016/12/msg00048.html" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/wheezy/hdf5" ); script_set_attribute(attribute:"solution", value:"Upgrade the affected packages."); script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:hdf5-helpers"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:hdf5-tools"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libhdf5-7"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libhdf5-7-dbg"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libhdf5-dev"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libhdf5-doc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libhdf5-mpi-dev"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libhdf5-mpich2-7"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libhdf5-mpich2-7-dbg"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libhdf5-mpich2-dev"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libhdf5-openmpi-7"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libhdf5-openmpi-7-dbg"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libhdf5-openmpi-dev"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libhdf5-serial-dev"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0"); script_set_attribute(attribute:"patch_publication_date", value:"2016/12/31"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/01/03"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2017-2020 Tenable Network Security, Inc."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"7.0", prefix:"hdf5-helpers", reference:"1.8.8-9+deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"hdf5-tools", reference:"1.8.8-9+deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"libhdf5-7", reference:"1.8.8-9+deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"libhdf5-7-dbg", reference:"1.8.8-9+deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"libhdf5-dev", reference:"1.8.8-9+deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"libhdf5-doc", reference:"1.8.8-9+deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"libhdf5-mpi-dev", reference:"1.8.8-9+deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"libhdf5-mpich2-7", reference:"1.8.8-9+deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"libhdf5-mpich2-7-dbg", reference:"1.8.8-9+deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"libhdf5-mpich2-dev", reference:"1.8.8-9+deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"libhdf5-openmpi-7", reference:"1.8.8-9+deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"libhdf5-openmpi-7-dbg", reference:"1.8.8-9+deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"libhdf5-openmpi-dev", reference:"1.8.8-9+deb7u1")) flag++; if (deb_check(release:"7.0", prefix:"libhdf5-serial-dev", reference:"1.8.8-9+deb7u1")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_91E039EDD68911E6917114DAE9D210B8.NASL description Talos Security reports : - CVE-2016-4330 (TALOS-2016-0176) - HDF5 Group libhdf5 H5T_ARRAY Code Execution Vulnerability - CVE-2016-4331 (TALOS-2016-0177) - HDF5 Group libhdf5 H5Z_NBIT Code Execution Vulnerability - CVE-2016-4332 (TALOS-2016-0178) - HDF5 Group libhdf5 Shareable Message Type Code Execution Vulnerability - CVE-2016-4333 (TALOS-2016-0179) - HDF5 Group libhdf5 H5T_COMPOUND Code Execution Vulnerability last seen 2020-06-01 modified 2020-06-02 plugin id 96369 published 2017-01-10 reporter This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/96369 title FreeBSD : hdf5 -- multiple vulnerabilities (91e039ed-d689-11e6-9171-14dae9d210b8) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from the FreeBSD VuXML database : # # Copyright 2003-2018 Jacques Vidrine and contributors # # Redistribution and use in source (VuXML) and 'compiled' forms (SGML, # HTML, PDF, PostScript, RTF and so forth) with or without modification, # are permitted provided that the following conditions are met: # 1. Redistributions of source code (VuXML) must retain the above # copyright notice, this list of conditions and the following # disclaimer as the first lines of this file unmodified. # 2. Redistributions in compiled form (transformed to other DTDs, # published online in any format, converted to PDF, PostScript, # RTF and other formats) must reproduce the above copyright # notice, this list of conditions and the following disclaimer # in the documentation and/or other materials provided with the # distribution. # # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS" # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION, # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # include("compat.inc"); if (description) { script_id(96369); script_version("3.3"); script_cvs_date("Date: 2018/12/19 13:21:18"); script_cve_id("CVE-2016-4330", "CVE-2016-4331", "CVE-2016-4332", "CVE-2016-4333"); script_name(english:"FreeBSD : hdf5 -- multiple vulnerabilities (91e039ed-d689-11e6-9171-14dae9d210b8)"); script_summary(english:"Checks for updated packages in pkg_info output"); script_set_attribute( attribute:"synopsis", value: "The remote FreeBSD host is missing one or more security-related updates." ); script_set_attribute( attribute:"description", value: "Talos Security reports : - CVE-2016-4330 (TALOS-2016-0176) - HDF5 Group libhdf5 H5T_ARRAY Code Execution Vulnerability - CVE-2016-4331 (TALOS-2016-0177) - HDF5 Group libhdf5 H5Z_NBIT Code Execution Vulnerability - CVE-2016-4332 (TALOS-2016-0178) - HDF5 Group libhdf5 Shareable Message Type Code Execution Vulnerability - CVE-2016-4333 (TALOS-2016-0179) - HDF5 Group libhdf5 H5T_COMPOUND Code Execution Vulnerability" ); # http://blog.talosintel.com/2016/11/hdf5-vulns.html script_set_attribute( attribute:"see_also", value:"http://blog.talosintelligence.com/2016/11/hdf5-vulns.html" ); # https://vuxml.freebsd.org/freebsd/91e039ed-d689-11e6-9171-14dae9d210b8.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?3c2d67c1" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:hdf5"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:hdf5-18"); script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd"); script_set_attribute(attribute:"vuln_publication_date", value:"2016/11/17"); script_set_attribute(attribute:"patch_publication_date", value:"2017/01/09"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/01/10"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"FreeBSD Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info"); exit(0); } include("audit.inc"); include("freebsd_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD"); if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (pkg_test(save_report:TRUE, pkg:"hdf5<1.10.0")) flag++; if (pkg_test(save_report:TRUE, pkg:"hdf5-18<1.8.18")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Debian Local Security Checks NASL id DEBIAN_DSA-3727.NASL description Cisco Talos discovered that hdf5, a file format and library for storing scientific data, contained several vulnerabilities that could lead to arbitrary code execution when handling untrusted data. last seen 2020-06-01 modified 2020-06-02 plugin id 95414 published 2016-12-01 reporter This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/95414 title Debian DSA-3727-1 : hdf5 - security update code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-3727. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(95414); script_version("3.4"); script_cvs_date("Date: 2018/11/10 11:49:38"); script_cve_id("CVE-2016-4330", "CVE-2016-4331", "CVE-2016-4332", "CVE-2016-4333"); script_xref(name:"DSA", value:"3727"); script_name(english:"Debian DSA-3727-1 : hdf5 - security update"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "Cisco Talos discovered that hdf5, a file format and library for storing scientific data, contained several vulnerabilities that could lead to arbitrary code execution when handling untrusted data." ); script_set_attribute( attribute:"see_also", value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=845301" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/jessie/hdf5" ); script_set_attribute( attribute:"see_also", value:"https://www.debian.org/security/2016/dsa-3727" ); script_set_attribute( attribute:"solution", value: "Upgrade the hdf5 packages. For the stable distribution (jessie), these problems have been fixed in version 1.8.13+docs-15+deb8u1." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:hdf5"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0"); script_set_attribute(attribute:"patch_publication_date", value:"2016/11/30"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/12/01"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"8.0", prefix:"hdf5-helpers", reference:"1.8.13+docs-15+deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"hdf5-tools", reference:"1.8.13+docs-15+deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"libhdf5-8", reference:"1.8.13+docs-15+deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"libhdf5-8-dbg", reference:"1.8.13+docs-15+deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"libhdf5-cpp-8", reference:"1.8.13+docs-15+deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"libhdf5-cpp-8-dbg", reference:"1.8.13+docs-15+deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"libhdf5-dev", reference:"1.8.13+docs-15+deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"libhdf5-doc", reference:"1.8.13+docs-15+deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"libhdf5-mpi-dev", reference:"1.8.13+docs-15+deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"libhdf5-mpich-8", reference:"1.8.13+docs-15+deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"libhdf5-mpich-8-dbg", reference:"1.8.13+docs-15+deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"libhdf5-mpich-dev", reference:"1.8.13+docs-15+deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"libhdf5-mpich2-dev", reference:"1.8.13+docs-15+deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"libhdf5-openmpi-8", reference:"1.8.13+docs-15+deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"libhdf5-openmpi-8-dbg", reference:"1.8.13+docs-15+deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"libhdf5-openmpi-dev", reference:"1.8.13+docs-15+deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"libhdf5-serial-dev", reference:"1.8.13+docs-15+deb8u1")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Fedora Local Security Checks NASL id FEDORA_2016-3477B592E3.NASL description Security fix for CVE-2016-4330, CVE-2016-4331, CVE-2016-4332, CVE-2016-4333 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2016-12-28 plugin id 96157 published 2016-12-28 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/96157 title Fedora 25 : hdf5 (2016-3477b592e3) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory FEDORA-2016-3477b592e3. # include("compat.inc"); if (description) { script_id(96157); script_version("3.3"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2016-4330", "CVE-2016-4331", "CVE-2016-4332", "CVE-2016-4333"); script_xref(name:"FEDORA", value:"2016-3477b592e3"); script_name(english:"Fedora 25 : hdf5 (2016-3477b592e3)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: "Security fix for CVE-2016-4330, CVE-2016-4331, CVE-2016-4332, CVE-2016-4333 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bodhi.fedoraproject.org/updates/FEDORA-2016-3477b592e3" ); script_set_attribute(attribute:"solution", value:"Update the affected hdf5 package."); script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:hdf5"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:25"); script_set_attribute(attribute:"vuln_publication_date", value:"2016/11/18"); script_set_attribute(attribute:"patch_publication_date", value:"2016/12/27"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/12/28"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! preg(pattern:"^25([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 25", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC25", reference:"hdf5-1.8.17-2.fc25")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "hdf5"); }
Seebug
| bulletinFamily | exploit |
| description | ### Description HDF5 is a file format that is maintained by a non-profit organization, The HDF Group. HDF5 is designed to be used for storage and organization of large amounts of scientific data and is used to exchange data structures between applications in industries such as the GIS industry via libraries such as GDAL, OGR, or as part of software like ArcGIS. The vulnerability exists due to the library's failure to check if certain message types support a particular flag. When this flag is set, the library will cast the structure to an alternative structure and then assign to fields that aren't supported by the message type. Due to the message type not being able to support this flag, the library will write outside the bounds of the heap buffer. This can lead to code execution under the context of the library. ### Tested Versions * hdf5-1.8.16.tar.bz2 * tools/h5ls: Version 1.8.16<br> * tools/h5stat: Version 1.8.16<br> * tools/h5dump: Version 1.8.16<br> ### Product Urls http://www.hdfgroup.org/HDF5/ http://www.hdfgroup.org/HDF5/release/obtainsrc.html http://www.hdfgroup.org/ftp/HDF5/current/src/hdf5-1.8.16.tar.bz2 ### CVSSv3 Score 8.6 - CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H ### Details The HDF file format is intended to be a general file format that is self-describing for various types of data structures used in the scientific community [1]. These data structures are intended to be stored in two types of objects, Datasets and Groups. Paralleling the file-format to a file system, a Dataset can be interpreted as a file, and a Group can be interpreted as a directory that's able to contain other Datasets or Groups. Associated with each entry, is metadata containing user-defined named attributes that can be used to describe the dataset. Within the HDF file format, paths can be specified as the '/'-separated posix format. When iterating through the contents of a group, for each object the library will first populate an H5Gloct structure with information about the object's location. Immediately afterwards, the library will fetch the metadata for the object using H5Ogetinfo. This is done by the following code located within src/H5O.c ``` src/H5O.c:3280 /* Find the object's location */ if(H5G_loc_find(&loc, obj_name, &obj_loc/*out*/, lapl_id, dxpl_id) < 0) // XXX: assign location info about the object HGOTO_ERROR(H5E_OHDR, H5E_NOTFOUND, FAIL, "object not found") loc_found = TRUE; /* Get the object's info */ if(H5O_get_info(&obj_oloc, dxpl_id, TRUE, &oinfo) < 0) // XXX: get metadata information about the object HGOTO_ERROR(H5E_OHDR, H5E_CANTGET, FAIL, "unable to get object info") ``` After reading the header of the object's information into the "oh" variable, the library will use this information to store the object class. A little bit later, the library will use the version to determine how to process some of the attributes associated with the object. If the object's version is H5OVERSION1, the library will then call H5Omsgreadoh. This function will iterate through each of the message types in order to determine how to process them. The type that's specified is H5OMTIMEID which gets passed to H5Omsgreadoh. ``` src/H5O.c:2776 herr_t H5O_get_info(const H5O_loc_t *loc, hid_t dxpl_id, hbool_t want_ih_info, H5O_info_t *oinfo) { ... /* Get the object header */ if(NULL == (oh = H5O_protect(loc, dxpl_id, H5AC_READ))) // XXX: read object header from file HGOTO_ERROR(H5E_OHDR, H5E_CANTPROTECT, FAIL, "unable to load object header") ... if(NULL == (obj_class = H5O_obj_class_real(oh))) HGOTO_ERROR(H5E_OHDR, H5E_CANTGET, FAIL, "unable to determine object class") ... if(oh->version > H5O_VERSION_1) { ... } /* end if */ else { ... if((exists = H5O_msg_exists_oh(oh, H5O_MTIME_ID)) < 0) HGOTO_ERROR(H5E_OHDR, H5E_NOTFOUND, FAIL, "unable to check for MTIME message") if(exists > 0) { /* Get "old style" modification time info */ if(NULL == H5O_msg_read_oh(loc->file, dxpl_id, oh, H5O_MTIME_ID, &oinfo->ctime)) // XXX: call message decode HGOTO_ERROR(H5E_OHDR, H5E_CANTGET, FAIL, "can't read MTIME message") ``` Inside H5Omsgreadoh, the application will use the typeid argument to determine which message type is being used for a message. This message type is used to determine which callback to use in order to handle the message. This process occurs within the macro H5OLOADNATIVE at H5Omessage.c:545 ``` src/H5Omessage.c:517 void * H5O_msg_read_oh(H5F_t *f, hid_t dxpl_id, H5O_t *oh, unsigned type_id, void *mesg) { const H5O_msg_class_t *type; /* Actual H5O class type for the ID */ unsigned idx; /* Message's index in object header */ void *ret_value = NULL; ... for(idx = 0; idx < oh->nmesgs; idx++) if(type == oh->mesg[idx].type) break; ... H5O_LOAD_NATIVE(f, dxpl_id, 0, oh, &(oh->mesg[idx]), NULL) ``` Inside the H5OLOADNATIVE macro, the application will select a structure containing function pointers out of the msg->type field. This structure contains various functions that are used to decode the message. After calling the decode method, the library will check to see if the H5OMSGFLAGSHAREABLE flag is set. If this flag is set then the macro H5OUPDATE_SHARED is used to write into the pointer returned by the decode function. ``` src/H5Opkg.h:184 /* Load native information for a message, if it's not already present */ /* (Only works for messages with decode callback) */ #define H5O_LOAD_NATIVE(F, DXPL, IOF, OH, MSG, ERR) \ if(NULL == (MSG)->native) { \ const H5O_msg_class_t *msg_type = (MSG)->type; \ unsigned ioflags = (IOF); \ \ /* Decode the message */ \ HDassert(msg_type->decode); \ if(NULL == ((MSG)->native = (msg_type->decode)((F), (DXPL), (OH), (MSG)- >flags, &ioflags, (MSG)->raw))) \ HGOTO_ERROR(H5E_OHDR, H5E_CANTDECODE, ERR, "unable to decode message") \ \ ... \ if((MSG)->flags & H5O_MSG_FLAG_SHAREABLE) { \ H5O_UPDATE_SHARED((H5O_shared_t *)(MSG)->native, H5O_SHARE_TYPE_HERE, (F), msg_type->id, (MSG)->crt_idx, (OH)->chunk[0].addr) \ } /* end if */ \ ``` Inside the decode function for the H5OMTIMEID structure, the application will make an allocation that is the size of a time_t field. This is located within src/H5Omtime.c:174. ``` src/H5Omtime.c:174 static void * H5O_mtime_decode(H5F_t H5_ATTR_UNUSED *f, hid_t H5_ATTR_UNUSED dxpl_id, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UNUSED mesg_flags, unsigned H5_ATTR_UNUSED *ioflags, const uint8_t *p) { time_t *mesg, the_time; int i; struct tm tm; void *ret_value = NULL; /* Return value */ ... if(NULL == (mesg = H5FL_MALLOC(time_t))) HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, "memory allocation failed") *mesg = the_time; /* Set return value */ ret_value = mesg; done: FUNC_LEAVE_NOAPI(ret_value) } /* end H5O_mtime_decode() */ ``` After allocating space for the timet structure, the application will return back to the H5OLOADNATIVE macro. Once this is returned, the application will check to see if the flags have the H5OMSGFLAGSHAREABLE bit set. If so, the application will mis-cast the pointer to the timet structure to an H5Osharedt, and then try to write to it using the H5OUPDATE_SHARED macro. ``` src/H5Opkg.h:203 if((MSG)->flags & H5O_MSG_FLAG_SHAREABLE) { \ H5O_UPDATE_SHARED((H5O_shared_t *)(MSG)->native, H5O_SHARE_TYPE_HERE, (F), msg_type->id, (MSG)->crt_idx, (OH)->chunk[0].addr) \ } /* end if */ \ \ src/H5Oprivate.h:114 #define H5O_UPDATE_SHARED(SH_MESG, SH_TYPE, F, MSG_TYPE, CRT_IDX, OH_ADDR) \ { \ (SH_MESG)->type = (SH_TYPE); \ (SH_MESG)->file = (F); \ (SH_MESG)->msg_type_id = (MSG_TYPE); \ (SH_MESG)->u.loc.index = (CRT_IDX); \ (SH_MESG)->u.loc.oh_addr = (OH_ADDR); \ } /* end block */ ``` Due to the H5Osharedt being larger than the size of a timet, the H5OUPDATESHARED macro will write outside the bounds of the timet structure that was allocated by H5Omtimedecode. This will corrupt adjacent metadata in the heap, and can be used to corrupt more of the state of the application which can lead to code execution under the context of the application using the library. This H5Osharedt structure is listed below. ``` src/H5Oprivate.h:230 typedef struct H5O_shared_t { unsigned type; /* Type describing how message is shared */ H5F_t *file; /* File that message is located within */ unsigned msg_type_id; /* Message's type ID */ union { H5O_mesg_loc_t loc; /* Object location info */ H5O_fheap_id_t heap_id; /* ID within the SOHM heap */ } u; } H5O_shared_t; ``` This vulnerable pattern also occurs while decoding two other messages. These two messages are the H5OMTIMENEWID which calls H5Omtimenewdecode, and H5OSTABID which calls H5Ostabdecode. H5Omtimenewdecode, in the following snippet, is also used to allocate a timet structure that is smaller than an H5Osharedt which can be used to trigger a similar style of overwrite. ``` src/H5Omtime.c:121 static void * H5O_mtime_new_decode(H5F_t H5_ATTR_UNUSED *f, hid_t H5_ATTR_UNUSED dxpl_id, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UNUSED mesg_flags, unsigned H5_ATTR_UNUSED *ioflags, const uint8_t *p) { ... /* The return value */ if (NULL==(mesg = H5FL_MALLOC(time_t))) HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, "memory allocation failed"); *mesg = (time_t)tmp_time; /* Set return value */ ret_value=mesg; done: FUNC_LEAVE_NOAPI(ret_value) } /* end H5O_mtime_new_decode() */ ``` The other message, H5OSTABID, which uses H5Ostabdecode uses the following H5Ostabt structure. Due to the library mis-casting this structure to an H5Osharedt, the library will write outside the bounds of the allocation of the H5Ostabt. ``` src/H5Oprivate.h:531 typedef struct H5O_stab_t { haddr_t btree_addr; /*address of B-tree */ haddr_t heap_addr; /*address of name heap */ } H5O_stab_t; ``` Similarly, the library will use H5FLCALLOC(H5Ostab_t) to allocate space for the structure that gets overwritten. ``` src/H5Ostab.c:99 static void * H5O_stab_decode(H5F_t *f, hid_t H5_ATTR_UNUSED dxpl_id, H5O_t H5_ATTR_UNUSED *open_oh, unsigned H5_ATTR_UNUSED mesg_flags, unsigned H5_ATTR_UNUSED *ioflags, const uint8_t *p) { ... /* decode */ if(NULL == (stab = H5FL_CALLOC(H5O_stab_t))) HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, "memory allocation failed") H5F_addr_decode(f, &p, &(stab->btree_addr)); H5F_addr_decode(f, &p, &(stab->heap_addr)); /* Set return value */ ret_value = stab; ``` These message IDs are located within src/H5Oprivate.h. H5OMSGFLAG_SHAREABLE is located ``` src/H5Oprivate.h:185 #define H5O_MTIME_ID 0x000e /* Modification time message. (Old) */ ... #define H5O_STAB_ID 0x0011 /* Symbol table message. */ #define H5O_MTIME_NEW_ID 0x0012 /* Modification time message. (New) */ src/H5Oprivate.h:70 /* Flags needed when encoding messages */ #define H5O_MSG_FLAG_CONSTANT 0x01u #define H5O_MSG_FLAG_SHARED 0x02u #define H5O_MSG_FLAG_DONTSHARE 0x04u #define H5O_MSG_FLAG_FAIL_IF_UNKNOWN_AND_OPEN_FOR_WRITE 0x08u #define H5O_MSG_FLAG_MARK_IF_UNKNOWN 0x10u #define H5O_MSG_FLAG_WAS_UNKNOWN 0x20u #define H5O_MSG_FLAG_SHAREABLE 0x40u ``` ### Crash Analysis ``` $ gdb -q --args bin/h5ls poc.hdf (gdb) r Starting program: bin/h5ls poc.hdf Breakpoint 3, main (argc=0x2, argv=0x192f5376) at ../../../tools/h5ls/h5ls.c:2568 2568 { (gdb) bp H5O_mtime_decode Breakpoint 4 at 0x8175ebf: file ../../src/H5Omtime.c, line 177. (gdb) c Continuing. cmpnd Type *ERROR* Breakpoint 4, H5O_mtime_decode (f=0x8478498, dxpl_id=0xa000008, open_oh=0x847adb8, mesg_flags=0x40, ioflags=0xbfffe168, p=0x847aeb0 "20110414214255") at ../../src/H5Omtime.c:177 177 { (gdb) bp :246 Breakpoint 5 at 0x817615b: file ../../src/H5Omtime.c, line 246. (gdb) c Continuing. Breakpoint 5, H5O_mtime_decode (f=0x8478498, dxpl_id=0xa000008, open_oh=0x847adb8, mesg_flags=0x40, ioflags=0xbfffe168, p=0x847aeb0 "20110414214255") at ../../src/H5Omtime.c:246 246 if(NULL == (mesg = H5FL_MALLOC(time_t))) (gdb) p sizeof(time_t) $1 = 0x4 (gdb) n 248 *mesg = the_time; (gdb) p mesg $10 = (time_t *) 0x847bf88 (gdb) ba 0x847bf88+sizeof(time_t) Hardware watchpoint 11: *(0x847bf88+sizeof(time_t)) (gdb) c Continuing. Hardware watchpoint 11: *(0x847bf88+sizeof(time_t)) Old value = 0x844ebf0 New value = 0x8478498 0x08172df0 in H5O_msg_read_oh (f=0x8478498, dxpl_id=0xa000008, oh=0x847adb8, type_id=0xe, mesg=0xbfffe9a0) at ../../src/H5Omessage.c:545 545 H5O_LOAD_NATIVE(f, dxpl_id, 0, oh, &(oh->mesg[idx]), NULL) (gdb) ub $pc L4 0x8172de7 <H5O_msg_read_oh+659>: mov 0x18(%eax),%eax 0x8172dea <H5O_msg_read_oh+662>: mov 0x8(%ebp),%edx 0x8172ded <H5O_msg_read_oh+665>: mov %edx,0x4(%eax) # XXX: writes past the size of a time_t => 0x8172df0 <H5O_msg_read_oh+668>: mov 0x10(%ebp),%eax (gdb) i r eax ebp eax 0x847bf88 0x847bf88 ebp 0xbfffe198 0xbfffe198 (gdb) c Continuing. *** Error in `/home/vrt/build/hdf5-1.8.16-release/release/bin/h5ls': malloc(): memory corruption: 0x0847bf98 *** Catchpoint 2 (signal SIGABRT), 0xb7ffecb0 in ?? () $ bin/h5ls poc.hdf ================================================================= ==30927==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb3d08b14 at pc 0xb6361e5b bp 0xbfda4258 sp 0xbfda4250 WRITE of size 4 at 0xb3d08b14 thread T0 #0 0xb6361e5a in H5O_msg_read_oh /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5Omessage.c:545 #1 0xb60e96ee in H5O_get_info /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5O.c:2837 #2 0xb5cb2252 in H5G_loc_info_cb /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5Gloc.c:701 #3 0xb5d79bc4 in H5G_traverse_real /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5Gtraverse.c:640 #4 0xb5d74f1a in H5G_traverse /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5Gtraverse.c:860 #5 0xb5cb10de in H5G_loc_info /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5Gloc.c:746 #6 0xb60e336a in H5Oget_info_by_name /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5O.c:656 #7 0x81ec049 in traverse_cb /home/vrt/build/hdf5-1.8.16/asan/tools/lib/../../../tools/lib/h5trav.c:222 #8 0xb5c8e87a in H5G_iterate_cb /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5Gint.c:782 #9 0xb5ce9cd2 in H5G__node_iterate /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5Gnode.c:1026 #10 0xb54dcfe5 in H5B_iterate_helper /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5B.c:1175 #11 0xb54daa3b in H5B_iterate /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5B.c:1220 #12 0xb5d42a23 in H5G__stab_iterate /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5Gstab.c:565 #13 0xb5d0dd52 in H5G__obj_iterate /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5Gobj.c:707 #14 0xb5c8cd89 in H5G_iterate /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5Gint.c:843 #15 0xb60491f8 in H5Literate_by_name /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5L.c:1254 #16 0x81d87fc in traverse /home/vrt/build/hdf5-1.8.16/asan/tools/lib/../../../tools/lib/h5trav.c:315 #17 0x81e3735 in h5trav_visit /home/vrt/build/hdf5-1.8.16/asan/tools/lib/../../../tools/lib/h5trav.c:1164 #18 0x80de12b in visit_obj /home/vrt/build/hdf5-1.8.16/asan/tools/h5ls/../../../tools/h5ls/h5ls.c:2390 #19 0x80d4e1f in main /home/vrt/build/hdf5-1.8.16/asan/tools/h5ls/../../../tools/h5ls/h5ls.c:2880 #20 0xb5096a82 (/lib/i386-linux-gnu/libc.so.6+0x19a82) #21 0x80ce814 in _start (/home/vrt/build/hdf5-1.8.16/asan/tools/h5ls/.libs/lt-h5ls+0x80ce814) 0xb3d08b14 is located 0 bytes to the right of 4-byte region [0xb3d08b10,0xb3d08b14) allocated by thread T0 here: #0 0x80b7441 in malloc (/home/vrt/build/hdf5-1.8.16/asan/tools/h5ls/.libs/lt-h5ls+0x80b7441) #1 0xb60beeca in H5MM_malloc /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5MM.c:66 #2 0xb5b3744c in H5FL_malloc /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5FL.c:199 #3 0xb5b361c2 in H5FL_reg_malloc /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5FL.c:399 #4 0xb638d7c2 in H5O_mtime_decode /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5Omtime.c:246 #5 0xb63610ec in H5O_msg_read_oh /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5Omessage.c:545 #6 0xb60e96ee in H5O_get_info /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5O.c:2837 #7 0xb5cb2252 in H5G_loc_info_cb /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5Gloc.c:701 #8 0xb5d79bc4 in H5G_traverse_real /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5Gtraverse.c:640 #9 0xb5d74f1a in H5G_traverse /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5Gtraverse.c:860 #10 0xb5cb10de in H5G_loc_info /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5Gloc.c:746 #11 0xb60e336a in H5Oget_info_by_name /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5O.c:656 #12 0x81ec049 in traverse_cb /home/vrt/build/hdf5-1.8.16/asan/tools/lib/../../../tools/lib/h5trav.c:222 #13 0xb5c8e87a in H5G_iterate_cb /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5Gint.c:782 #14 0xb5ce9cd2 in H5G__node_iterate /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5Gnode.c:1026 #15 0xb54dcfe5 in H5B_iterate_helper /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5B.c:1175 #16 0xb54daa3b in H5B_iterate /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5B.c:1220 #17 0xb5d42a23 in H5G__stab_iterate /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5Gstab.c:565 #18 0xb5d0dd52 in H5G__obj_iterate /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5Gobj.c:707 #19 0xb5c8cd89 in H5G_iterate /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5Gint.c:843 #20 0xb60491f8 in H5Literate_by_name /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5L.c:1254 #21 0x81d87fc in traverse /home/vrt/build/hdf5-1.8.16/asan/tools/lib/../../../tools/lib/h5trav.c:315 #22 0x81e3735 in h5trav_visit /home/vrt/build/hdf5-1.8.16/asan/tools/lib/../../../tools/lib/h5trav.c:1164 #23 0x80de12b in visit_obj /home/vrt/build/hdf5-1.8.16/asan/tools/h5ls/../../../tools/h5ls/h5ls.c:2390 #24 0x80d4e1f in main /home/vrt/build/hdf5-1.8.16/asan/tools/h5ls/../../../tools/h5ls/h5ls.c:2880 #25 0xb5096a82 (/lib/i386-linux-gnu/libc.so.6+0x19a82) SUMMARY: AddressSanitizer: heap-buffer-overflow /home/vrt/build/hdf5-1.8.16/asan/src/../../src/H5Omessage.c:545 H5O_msg_read_oh Shadow bytes around the buggy address: 0x367a1110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x367a1120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x367a1130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x367a1140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x367a1150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa =>0x367a1160: fa fa[04]fa fa fa 00 fa fa fa 00 07 fa fa 00 04 0x367a1170: fa fa 00 04 fa fa 00 04 fa fa 00 04 fa fa 00 04 0x367a1180: fa fa fd fd fa fa 00 00 fa fa 00 00 fa fa 00 fa 0x367a1190: fa fa 00 01 fa fa 00 fa fa fa fd fd fa fa fd fa 0x367a11a0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd 0x367a11b0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 ASan internal: fe ==30927==ABORTING ``` ### Timeline * 2016-05-08 - Discovery * 2016-05-17 - Vendor Notification * 2016-11-15 - Public Disclosure ### References * [1] https://en.wikipedia.org/wiki/HierarchicalDataFormat * [2] http://www.hdfgroup.org/HDF5/ |
| id | SSV:96652 |
| last seen | 2017-11-19 |
| modified | 2017-10-11 |
| published | 2017-10-11 |
| reporter | Root |
| title | HDF5 Group libhdf5 Shareable Message Type Code Execution Vulnerability(CVE-2016-4332) |
Talos
| id | TALOS-2016-0178 |
| last seen | 2019-05-29 |
| published | 2016-11-17 |
| reporter | Talos Intelligence |
| source | http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0178 |
| title | HDF5 Group libhdf5 Shareable Message Type Code Execution Vulnerability |