CVE-2016-4333 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Hdfgroup Hdf5 1.8.16
Metric | Value |
---|---|
Attack vector | LOCAL |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | HIGH |
Integrity impact | HIGH |
Availability impact | HIGH |
Summary
The HDF5 1.8.16 library allocates space for an array using a value read from the file, and the loop that initializes that array also takes its terminator from a value in the file, so a crafted file can change the loop bound independently of the allocated size. As a result, an attacker can cause the loop index to point outside the bounds of the array while it is being initialized.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 1 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables: This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Overflow Buffers: Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
- Client-side Injection-induced Buffer Overflow: This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
- Filter Failure through Buffer Overflow: In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
- MIME Conversion: An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
Nessus
NASL family: Gentoo Local Security Checks
NASL id: GENTOO_GLSA-201701-13.NASL
description: The remote host is affected by the vulnerability described in GLSA-201701-13 (HDF5: Multiple vulnerabilities). Multiple arbitrary code execution vulnerabilities have been discovered in HDF5. Please review the CVE identifiers referenced below for details. Impact: An attacker could execute arbitrary code with the privileges of the process via a maliciously crafted database file. Workaround: There is no known workaround at this time.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 96244
published: 2017-01-03
reporter: This script is Copyright (C) 2017 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/96244
title: GLSA-201701-13 : HDF5: Multiple vulnerabilities
code:

```nasl
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Gentoo Linux Security Advisory GLSA 201701-13.
#
# The advisory text is Copyright (C) 2001-2017 Gentoo Foundation, Inc.
# and licensed under the Creative Commons - Attribution / Share Alike
# license. See http://creativecommons.org/licenses/by-sa/3.0/
#

include("compat.inc");

if (description)
{
  script_id(96244);
  script_version("$Revision: 3.1 $");
  script_cvs_date("$Date: 2017/01/03 14:55:09 $");

  script_cve_id("CVE-2016-4330", "CVE-2016-4331", "CVE-2016-4332", "CVE-2016-4333");
  script_xref(name:"GLSA", value:"201701-13");

  script_name(english:"GLSA-201701-13 : HDF5: Multiple vulnerabilities");
  script_summary(english:"Checks for updated package(s) in /var/db/pkg");

  script_set_attribute(attribute:"synopsis", value:"The remote Gentoo host is missing one or more security-related patches.");
  script_set_attribute(attribute:"description", value:"The remote host is affected by the vulnerability described in GLSA-201701-13 (HDF5: Multiple vulnerabilities) Multiple arbitrary code execution vulnerabilities have been discovered in HDF5. Please review the CVE identifiers referenced below for details. Impact : An attacker could execute arbitrary code with the privileges of the process via a maliciously crafted database file. Workaround : There is no known workaround at this time.");
  script_set_attribute(attribute:"see_also", value:"https://security.gentoo.org/glsa/201701-13");
  script_set_attribute(attribute:"solution", value:"All HDF5 users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=sci-libs/hdf5-1.8.18'");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:hdf5");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2017/01/02");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/01/03");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2017 Tenable Network Security, Inc.");
  script_family(english:"Gentoo Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("qpkg.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;

if (qpkg_check(package:"sci-libs/hdf5", unaffected:make_list("ge 1.8.18"), vulnerable:make_list("lt 1.8.18"))) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = qpkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "HDF5");
}
```
NASL family: SuSE Local Security Checks
NASL id: OPENSUSE-2018-392.NASL
description: This update for hdf5 fixes the following issues: fix security issues (arbitrary code execution):
- CVE-2016-4330: H5T_ARRAY Code Execution (boo#1011201)
- CVE-2016-4331: H5Z_NBIT Code Execution (boo#1011204)
- CVE-2016-4332: Shareable Message Type Code Execution (boo#1011205)
- CVE-2016-4333: Array index bounds issue (boo#1011198)
last seen: 2020-06-05
modified: 2018-04-24
plugin id: 109296
published: 2018-04-24
reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/109296
title: openSUSE Security Update : hdf5 (openSUSE-2018-392)
code:

```nasl
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update openSUSE-2018-392.
#
# The text description of this plugin is (C) SUSE LLC.
#

include("compat.inc");

if (description)
{
  script_id(109296);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");

  script_cve_id("CVE-2016-4330", "CVE-2016-4331", "CVE-2016-4332", "CVE-2016-4333");

  script_name(english:"openSUSE Security Update : hdf5 (openSUSE-2018-392)");
  script_summary(english:"Check for the openSUSE-2018-392 patch");

  script_set_attribute(attribute:"synopsis", value:"The remote openSUSE host is missing a security update.");
  script_set_attribute(attribute:"description", value:"This update for hdf5 fixes the following issues : - fix security issues (arbitary code execution): CVE-2016-4330: H5T_ARRAY Code Execution (boo#1011201) CVE-2016-4331: H5Z_NBIT Code Execution (boo#1011204) CVE-2016-4332: Shareable Message Type Code Execution (boo#1011205) CVE-2016-4333: Array index bounds issue (boo#1011198)");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1011198");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1011201");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1011204");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1011205");
  script_set_attribute(attribute:"solution", value:"Update the affected hdf5 packages.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:hdf5");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:hdf5-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:hdf5-debugsource");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:hdf5-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:hdf5-devel-data");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:hdf5-devel-static");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:hdf5-examples");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:hdf5-openmpi");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:hdf5-openmpi-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:hdf5-openmpi-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:hdf5-openmpi-devel-static");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libhdf5-10");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libhdf5-10-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libhdf5-10-openmpi");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libhdf5-10-openmpi-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libhdf5_hl10");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libhdf5_hl10-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libhdf5_hl10-openmpi");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libhdf5_hl10-openmpi-debuginfo");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.3");

  script_set_attribute(attribute:"patch_publication_date", value:"2018/04/23");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/04/24");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE42\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.3", release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

ourarch = get_kb_item("Host/cpu");
if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
if (ourarch !~ "^(x86_64)$") audit(AUDIT_ARCH_NOT, "x86_64", ourarch);

flag = 0;

if ( rpm_check(release:"SUSE42.3", reference:"hdf5-1.8.15-7.3.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"hdf5-debuginfo-1.8.15-7.3.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"hdf5-debugsource-1.8.15-7.3.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"hdf5-devel-1.8.15-7.3.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"hdf5-devel-data-1.8.15-7.3.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"hdf5-devel-static-1.8.15-7.3.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"hdf5-examples-1.8.15-7.3.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"hdf5-openmpi-1.8.15-7.3.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"hdf5-openmpi-debuginfo-1.8.15-7.3.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"hdf5-openmpi-devel-1.8.15-7.3.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"hdf5-openmpi-devel-static-1.8.15-7.3.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"libhdf5-10-1.8.15-7.3.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"libhdf5-10-debuginfo-1.8.15-7.3.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"libhdf5-10-openmpi-1.8.15-7.3.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"libhdf5-10-openmpi-debuginfo-1.8.15-7.3.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"libhdf5_hl10-1.8.15-7.3.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"libhdf5_hl10-debuginfo-1.8.15-7.3.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"libhdf5_hl10-openmpi-1.8.15-7.3.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"libhdf5_hl10-openmpi-debuginfo-1.8.15-7.3.1") ) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "hdf5 / hdf5-debuginfo / hdf5-debugsource / hdf5-devel / etc");
}
```
NASL family: Debian Local Security Checks
NASL id: DEBIAN_DLA-771.NASL
description: Cisco Talos discovered that hdf5, a file format and library for storing scientific data, contained several vulnerabilities that could lead to arbitrary code execution when handling untrusted data. For Debian 7 'Wheezy', these problems have been fixed in version 1.8.8-9+deb7u1. We recommend that you upgrade your hdf5 packages.
last seen: 2020-03-17
modified: 2017-01-03
plugin id: 96187
published: 2017-01-03
reporter: This script is Copyright (C) 2017-2020 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/96187
title: Debian DLA-771-1 : hdf5 security update
code:

```nasl
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DLA-771-1. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(96187);
  script_version("3.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");

  script_cve_id("CVE-2016-4330", "CVE-2016-4331", "CVE-2016-4332", "CVE-2016-4333");

  script_name(english:"Debian DLA-771-1 : hdf5 security update");
  script_summary(english:"Checks dpkg output for the updated packages.");

  script_set_attribute(attribute:"synopsis", value:"The remote Debian host is missing a security update.");
  script_set_attribute(attribute:"description", value:"Cisco Talos discovered that hdf5, a file format and library for storing scientific data, contained several vulnerabilities that could lead to arbitrary code execution when handling untrusted data. For Debian 7 'Wheezy', these problems have been fixed in version 1.8.8-9+deb7u1. We recommend that you upgrade your hdf5 packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.");
  script_set_attribute(attribute:"see_also", value:"https://lists.debian.org/debian-lts-announce/2016/12/msg00048.html");
  script_set_attribute(attribute:"see_also", value:"https://packages.debian.org/source/wheezy/hdf5");
  script_set_attribute(attribute:"solution", value:"Upgrade the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:hdf5-helpers");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:hdf5-tools");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libhdf5-7");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libhdf5-7-dbg");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libhdf5-dev");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libhdf5-doc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libhdf5-mpi-dev");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libhdf5-mpich2-7");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libhdf5-mpich2-7-dbg");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libhdf5-mpich2-dev");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libhdf5-openmpi-7");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libhdf5-openmpi-7-dbg");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libhdf5-openmpi-dev");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libhdf5-serial-dev");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2016/12/31");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/01/03");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2017-2020 Tenable Network Security, Inc.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include("audit.inc");
include("debian_package.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;
if (deb_check(release:"7.0", prefix:"hdf5-helpers", reference:"1.8.8-9+deb7u1")) flag++;
if (deb_check(release:"7.0", prefix:"hdf5-tools", reference:"1.8.8-9+deb7u1")) flag++;
if (deb_check(release:"7.0", prefix:"libhdf5-7", reference:"1.8.8-9+deb7u1")) flag++;
if (deb_check(release:"7.0", prefix:"libhdf5-7-dbg", reference:"1.8.8-9+deb7u1")) flag++;
if (deb_check(release:"7.0", prefix:"libhdf5-dev", reference:"1.8.8-9+deb7u1")) flag++;
if (deb_check(release:"7.0", prefix:"libhdf5-doc", reference:"1.8.8-9+deb7u1")) flag++;
if (deb_check(release:"7.0", prefix:"libhdf5-mpi-dev", reference:"1.8.8-9+deb7u1")) flag++;
if (deb_check(release:"7.0", prefix:"libhdf5-mpich2-7", reference:"1.8.8-9+deb7u1")) flag++;
if (deb_check(release:"7.0", prefix:"libhdf5-mpich2-7-dbg", reference:"1.8.8-9+deb7u1")) flag++;
if (deb_check(release:"7.0", prefix:"libhdf5-mpich2-dev", reference:"1.8.8-9+deb7u1")) flag++;
if (deb_check(release:"7.0", prefix:"libhdf5-openmpi-7", reference:"1.8.8-9+deb7u1")) flag++;
if (deb_check(release:"7.0", prefix:"libhdf5-openmpi-7-dbg", reference:"1.8.8-9+deb7u1")) flag++;
if (deb_check(release:"7.0", prefix:"libhdf5-openmpi-dev", reference:"1.8.8-9+deb7u1")) flag++;
if (deb_check(release:"7.0", prefix:"libhdf5-serial-dev", reference:"1.8.8-9+deb7u1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```
NASL family: FreeBSD Local Security Checks
NASL id: FREEBSD_PKG_91E039EDD68911E6917114DAE9D210B8.NASL
description: Talos Security reports:
- CVE-2016-4330 (TALOS-2016-0176) - HDF5 Group libhdf5 H5T_ARRAY Code Execution Vulnerability
- CVE-2016-4331 (TALOS-2016-0177) - HDF5 Group libhdf5 H5Z_NBIT Code Execution Vulnerability
- CVE-2016-4332 (TALOS-2016-0178) - HDF5 Group libhdf5 Shareable Message Type Code Execution Vulnerability
- CVE-2016-4333 (TALOS-2016-0179) - HDF5 Group libhdf5 H5T_COMPOUND Code Execution Vulnerability
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 96369
published: 2017-01-10
reporter: This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/96369
title: FreeBSD : hdf5 -- multiple vulnerabilities (91e039ed-d689-11e6-9171-14dae9d210b8)
code:

```nasl
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from the FreeBSD VuXML database :
#
# Copyright 2003-2018 Jacques Vidrine and contributors
#
# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
# HTML, PDF, PostScript, RTF and so forth) with or without modification,
# are permitted provided that the following conditions are met:
# 1. Redistributions of source code (VuXML) must retain the above
#    copyright notice, this list of conditions and the following
#    disclaimer as the first lines of this file unmodified.
# 2. Redistributions in compiled form (transformed to other DTDs,
#    published online in any format, converted to PDF, PostScript,
#    RTF and other formats) must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer
#    in the documentation and/or other materials provided with the
#    distribution.
#
# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#

include("compat.inc");

if (description)
{
  script_id(96369);
  script_version("3.3");
  script_cvs_date("Date: 2018/12/19 13:21:18");

  script_cve_id("CVE-2016-4330", "CVE-2016-4331", "CVE-2016-4332", "CVE-2016-4333");

  script_name(english:"FreeBSD : hdf5 -- multiple vulnerabilities (91e039ed-d689-11e6-9171-14dae9d210b8)");
  script_summary(english:"Checks for updated packages in pkg_info output");

  script_set_attribute(attribute:"synopsis", value:"The remote FreeBSD host is missing one or more security-related updates.");
  script_set_attribute(attribute:"description", value:"Talos Security reports : - CVE-2016-4330 (TALOS-2016-0176) - HDF5 Group libhdf5 H5T_ARRAY Code Execution Vulnerability - CVE-2016-4331 (TALOS-2016-0177) - HDF5 Group libhdf5 H5Z_NBIT Code Execution Vulnerability - CVE-2016-4332 (TALOS-2016-0178) - HDF5 Group libhdf5 Shareable Message Type Code Execution Vulnerability - CVE-2016-4333 (TALOS-2016-0179) - HDF5 Group libhdf5 H5T_COMPOUND Code Execution Vulnerability");
  # http://blog.talosintel.com/2016/11/hdf5-vulns.html
  script_set_attribute(attribute:"see_also", value:"http://blog.talosintelligence.com/2016/11/hdf5-vulns.html");
  # https://vuxml.freebsd.org/freebsd/91e039ed-d689-11e6-9171-14dae9d210b8.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?3c2d67c1");
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:hdf5");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:hdf5-18");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/11/17");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/01/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/01/10");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"FreeBSD Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");

  exit(0);
}

include("audit.inc");
include("freebsd_package.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;

if (pkg_test(save_report:TRUE, pkg:"hdf5<1.10.0")) flag++;
if (pkg_test(save_report:TRUE, pkg:"hdf5-18<1.8.18")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```
NASL family: Debian Local Security Checks
NASL id: DEBIAN_DSA-3727.NASL
description: Cisco Talos discovered that hdf5, a file format and library for storing scientific data, contained several vulnerabilities that could lead to arbitrary code execution when handling untrusted data.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 95414
published: 2016-12-01
reporter: This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/95414
title: Debian DSA-3727-1 : hdf5 - security update
code:

```nasl
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DSA-3727. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(95414);
  script_version("3.4");
  script_cvs_date("Date: 2018/11/10 11:49:38");

  script_cve_id("CVE-2016-4330", "CVE-2016-4331", "CVE-2016-4332", "CVE-2016-4333");
  script_xref(name:"DSA", value:"3727");

  script_name(english:"Debian DSA-3727-1 : hdf5 - security update");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(attribute:"synopsis", value:"The remote Debian host is missing a security-related update.");
  script_set_attribute(attribute:"description", value:"Cisco Talos discovered that hdf5, a file format and library for storing scientific data, contained several vulnerabilities that could lead to arbitrary code execution when handling untrusted data.");
  script_set_attribute(attribute:"see_also", value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=845301");
  script_set_attribute(attribute:"see_also", value:"https://packages.debian.org/source/jessie/hdf5");
  script_set_attribute(attribute:"see_also", value:"https://www.debian.org/security/2016/dsa-3727");
  script_set_attribute(attribute:"solution", value:"Upgrade the hdf5 packages. For the stable distribution (jessie), these problems have been fixed in version 1.8.13+docs-15+deb8u1.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:hdf5");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2016/11/30");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/12/01");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include("audit.inc");
include("debian_package.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;
if (deb_check(release:"8.0", prefix:"hdf5-helpers", reference:"1.8.13+docs-15+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"hdf5-tools", reference:"1.8.13+docs-15+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"libhdf5-8", reference:"1.8.13+docs-15+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"libhdf5-8-dbg", reference:"1.8.13+docs-15+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"libhdf5-cpp-8", reference:"1.8.13+docs-15+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"libhdf5-cpp-8-dbg", reference:"1.8.13+docs-15+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"libhdf5-dev", reference:"1.8.13+docs-15+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"libhdf5-doc", reference:"1.8.13+docs-15+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"libhdf5-mpi-dev", reference:"1.8.13+docs-15+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"libhdf5-mpich-8", reference:"1.8.13+docs-15+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"libhdf5-mpich-8-dbg", reference:"1.8.13+docs-15+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"libhdf5-mpich-dev", reference:"1.8.13+docs-15+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"libhdf5-mpich2-dev", reference:"1.8.13+docs-15+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"libhdf5-openmpi-8", reference:"1.8.13+docs-15+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"libhdf5-openmpi-8-dbg", reference:"1.8.13+docs-15+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"libhdf5-openmpi-dev", reference:"1.8.13+docs-15+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"libhdf5-serial-dev", reference:"1.8.13+docs-15+deb8u1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```
NASL family | Fedora Local Security Checks |
NASL id | FEDORA_2016-3477B592E3.NASL |
description | Security fix for CVE-2016-4330, CVE-2016-4331, CVE-2016-4332, CVE-2016-4333. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. |
last seen | 2020-06-05 |
modified | 2016-12-28 |
plugin id | 96157 |
published | 2016-12-28 |
reporter | This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/96157 |
title | Fedora 25 : hdf5 (2016-3477b592e3) |
code |

```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Fedora Security Advisory FEDORA-2016-3477b592e3.
#

include("compat.inc");

if (description)
{
  script_id(96157);
  script_version("3.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");

  script_cve_id("CVE-2016-4330", "CVE-2016-4331", "CVE-2016-4332", "CVE-2016-4333");
  script_xref(name:"FEDORA", value:"2016-3477b592e3");

  script_name(english:"Fedora 25 : hdf5 (2016-3477b592e3)");
  script_summary(english:"Checks rpm output for the updated package.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Fedora host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Security fix for CVE-2016-4330, CVE-2016-4331, CVE-2016-4332,
CVE-2016-4333

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as
possible without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bodhi.fedoraproject.org/updates/FEDORA-2016-3477b592e3"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected hdf5 package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:hdf5");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:25");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/11/18");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/12/27");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/12/28");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Fedora Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! preg(pattern:"^25([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 25", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

flag = 0;
if (rpm_check(release:"FC25", reference:"hdf5-1.8.17-2.fc25")) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "hdf5");
}
```
Seebug
bulletinFamily | exploit |
description |

### Description

HDF5 is a file format maintained by a non-profit organization, The HDF Group. It is designed for the storage and organization of large amounts of scientific data and is used to exchange data structures between applications, for example in the GIS industry via libraries such as GDAL and OGR, or as part of software like ArcGIS.

The vulnerability exists because the library allocates space for an array using a value from the file and then, within the loop that initializes that array, lets another value from the file modify the loop's terminator. An attacker can therefore make the loop index point outside the bounds of the array while it is being initialized. This is a heap-based buffer overflow and can lead to code execution in the context of the application using the library.

### Tested Versions

* hdf5-1.8.16.tar.bz2
* tools/h5ls: Version 1.8.16
* tools/h5stat: Version 1.8.16
* tools/h5dump: Version 1.8.16

### Product URLs

* http://www.hdfgroup.org/HDF5/
* http://www.hdfgroup.org/HDF5/release/obtainsrc.html
* http://www.hdfgroup.org/ftp/HDF5/current/src/hdf5-1.8.16.tar.bz2

### CVSSv3 Score

8.6 -- CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

### Details

The HDF file format is intended to be a general, self-describing file format for the various data structures used in the scientific community [1]. These data structures are stored in two types of objects, Datasets and Groups. Comparing the file format to a file system, a Dataset corresponds to a file and a Group to a directory that can contain other Datasets or Groups. Associated with each entry is metadata containing user-defined named attributes that describe the dataset. Within the file, paths are given in '/'-separated POSIX form.

When reading a dataset, the library opens the object in H5D__open_oid. Inside this function the library reads the dataset's type and its location, then passes H5O_DTYPE_ID along with that location to H5O_msg_read.

```
src/H5Dint.c:1221
static herr_t
H5D__open_oid(H5D_t *dataset, hid_t dapl_id, hid_t dxpl_id)
{
    ...
    /* Open the dataset object */
    if(H5O_open(&(dataset->oloc)) < 0)
        HGOTO_ERROR(H5E_DATASET, H5E_CANTOPENOBJ, FAIL, "unable to open")

    /* Get the type and space */
    if(NULL == (dataset->shared->type = (H5T_t *)H5O_msg_read(&(dataset->oloc), H5O_DTYPE_ID, NULL, dxpl_id)))   // XXX
        HGOTO_ERROR(H5E_DATASET, H5E_CANTINIT, FAIL, "unable to load type info from dataset header")

src/H5Omessage.c:463
void *
H5O_msg_read(const H5O_loc_t *loc, unsigned type_id, void *mesg, hid_t dxpl_id)
{
    H5O_t *oh = NULL;                   /* Object header to use */
    void *ret_value;                    /* Return value */
    ...
    /* Get the object header */
    if(NULL == (oh = H5O_protect(loc, dxpl_id, H5AC_READ)))
        HGOTO_ERROR(H5E_OHDR, H5E_CANTPROTECT, NULL, "unable to protect object header")

    /* Call the "real" read routine */
    if(NULL == (ret_value = H5O_msg_read_oh(loc->file, dxpl_id, oh, type_id, mesg)))   // XXX: read the message from the object header
        HGOTO_ERROR(H5E_OHDR, H5E_READERROR, NULL, "unable to read object header message")
```

Inside H5O_msg_read_oh, the library uses the type_id argument to look up the message class, which in turn selects the callback that handles the message. This happens in the macro H5O_LOAD_NATIVE at H5Omessage.c:545.

```
src/H5Omessage.c:517
void *
H5O_msg_read_oh(H5F_t *f, hid_t dxpl_id, H5O_t *oh, unsigned type_id, void *mesg)
{
    const H5O_msg_class_t *type;        /* Actual H5O class type for the ID */
    unsigned idx;                       /* Message's index in object header */
    void *ret_value = NULL;
    ...
    for(idx = 0; idx < oh->nmesgs; idx++)
        if(type == oh->mesg[idx].type)
            break;
    ...
    H5O_LOAD_NATIVE(f, dxpl_id, 0, oh, &(oh->mesg[idx]), NULL)
```

Inside the H5O_LOAD_NATIVE macro, the library selects a structure of function pointers from the msg->type field; these functions decode the message. When decoding a message of type H5O_DTYPE_ID, the library dispatches into H5O_dtype_shared_decode, which eventually calls H5O_dtype_decode. H5O_dtype_decode in turn calls H5O_dtype_decode_helper, which is responsible for decoding the datatypes.

```
src/H5Oshared.h:50
static H5_INLINE void *
H5O_SHARED_DECODE(H5F_t *f, hid_t dxpl_id, H5O_t *open_oh, unsigned mesg_flags, unsigned *ioflags, const uint8_t *p)
{
    ...
        /* Decode native message directly */
        if(NULL == (ret_value = H5O_SHARED_DECODE_REAL(f, dxpl_id, open_oh, mesg_flags, ioflags, p)))   // XXX
            HGOTO_ERROR(H5E_OHDR, H5E_CANTDECODE, NULL, "unable to decode native message")
    } /* end else */

src/H5Odtype.c:1091
static void *
H5O_dtype_decode(H5F_t *f, hid_t H5_ATTR_UNUSED dxpl_id, H5O_t H5_ATTR_UNUSED *open_oh,
    unsigned H5_ATTR_UNUSED mesg_flags, unsigned *ioflags/*in,out*/, const uint8_t *p)
{
    ...
    /* Allocate datatype message */
    if(NULL == (dt = H5T__alloc()))
        HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, "memory allocation failed")

    /* Perform actual decode of message */
    if(H5O_dtype_decode_helper(f, ioflags, &p, dt) < 0)
        HGOTO_ERROR(H5E_DATATYPE, H5E_CANTDECODE, NULL, "can't decode type")
```

Inside the decode helper, the library reads a dword from the file and uses its low 4 bits as the datatype class. If the class is H5T_COMPOUND (6), execution enters the case at src/H5Odtype.c:260. At the start of this case, the number of members is taken from a bitmask of the class flags and used to size the allocation for the member array.

```
src/H5Odtype.c:133
static htri_t
H5O_dtype_decode_helper(H5F_t *f, unsigned *ioflags/*in,out*/, const uint8_t **pp, H5T_t *dt)
{
    ...
        case H5T_COMPOUND:
            {
                ...
                dt->shared->u.compnd.nmembs = flags & 0xffff;
                if(dt->shared->u.compnd.nmembs == 0)
                    HGOTO_ERROR(H5E_DATATYPE, H5E_BADVALUE, FAIL, "invalid number of members: %u", dt->shared->u.compnd.nmembs)
                dt->shared->u.compnd.nalloc = dt->shared->u.compnd.nmembs;   // XXX: proof-of-concept sets this to 3
                dt->shared->u.compnd.memb = (H5T_cmemb_t *)H5MM_calloc(dt->shared->u.compnd.nalloc * sizeof(H5T_cmemb_t));   // XXX: buffer that's later written to
                dt->shared->u.compnd.memb_size = 0;
```

Immediately afterwards the library enters a loop terminated by the member count from the previous snippet. In each iteration it reads a number of dimensions from the file and passes it to H5T__array_create. The library does check that this number is bounded by 4, but only via an assertion: when the library is built in production mode[3], HDassert is compiled out and the check disappears.

```
src/H5Odtype.c:282
                for(i = 0; i < dt->shared->u.compnd.nmembs; i++) {   // XXX: u.array.ndims
                    unsigned ndims = 0;                 /* Number of dimensions of the array field */
                    htri_t can_upgrade;                 /* Whether we can upgrade this type's version */
                    hsize_t dim[H5O_LAYOUT_NDIMS];      /* Dimensions of the array */
                    H5T_t *array_dt;                    /* Temporary pointer to the array datatype */
                    H5T_t *temp_type;                   /* Temporary pointer to the field's datatype */
                    ...
                    if(version == H5O_DTYPE_VERSION_1) {
                        /* Decode the number of dimensions */
                        ndims = *(*pp)++;        // XXX: ndims can be changed within the loop
                        HDassert(ndims <= 4);    // XXX: assertion, if ndims > 4 then H5T__array_create will read oob
                        *pp += 3;                /*reserved bytes */
                        ...
                    } /* end if */
                    ...
                    if(version == H5O_DTYPE_VERSION_1) {
                        ...
                        if((array_dt = H5T__array_create(temp_type, ndims, dim)) == NULL) {   // XXX: ndims is passed here
                        ...
                    } /* end if */
```

Inside H5T__array_create, the ndims value terminates the loop that computes the size of the array. Because the index runs past the 4 dimensions that were actually read from the file, the loop can assign arbitrary values to u.array.ndims and u.array.nelem. Those fields are part of a union inside the structure being written to, so the write can change the length of the member loop after the member array has already been allocated.

```
src/H5Tarray.c:179
H5T_t *
H5T__array_create(H5T_t *base, unsigned ndims, const hsize_t dim[/* ndims */])
{
    H5T_t *ret_value;       /* new array data type */
    unsigned u;             /* local index variable */
    ...
    /* Build new type */
    if(NULL == (ret_value = H5T__alloc()))
        HGOTO_ERROR(H5E_RESOURCE, H5E_NOSPACE, NULL, "memory allocation failed")
    ret_value->shared->type = H5T_ARRAY;
    ...
    /* Set the array parameters */
    ret_value->shared->u.array.ndims = ndims;   // XXX: writes to u.compnd.nmembs

    /* Copy the array dimensions & compute the # of elements in the array */
    for(u = 0, ret_value->shared->u.array.nelem = 1; u < ndims; u++) {
        H5_CHECKED_ASSIGN(ret_value->shared->u.array.dim[u], size_t, dim[u], hsize_t);
        ret_value->shared->u.array.nelem *= (size_t)dim[u];   // XXX: multiply using uninitialized values. writes to u.compnd.nalloc
    } /* end for */

    /* Set the array's size (number of elements * element datatype's size) */
    ret_value->shared->size = ret_value->shared->parent->shared->size * ret_value->shared->u.array.nelem;   // XXX
    ...
    FUNC_LEAVE_NOAPI(ret_value)
} /* end H5T__array_create */
```

The overlapping structures are located in the H5T_shared_t definition at src/H5Tpkg.h:288. In this structure the "u" field is a union of, among others, an H5T_array_t and an H5T_compnd_t, both of which are used within the loop explained in the previous snippet.

```
src/H5Tpkg.h:288
typedef struct H5T_shared_t {
    hsize_t             fo_count;   /* number of references to this file object */
    ...
    struct H5T_t        *parent;    /*parent type for derived datatypes */
    union {
        H5T_atomic_t    atomic;     /* an atomic datatype */
        H5T_compnd_t    compnd;     /* a compound datatype (struct) */
        H5T_enum_t      enumer;     /* an enumeration type (enum) */
        H5T_vlen_t      vlen;       /* a variable-length datatype */
        H5T_opaque_t    opaque;     /* an opaque datatype */
        H5T_array_t     array;      /* an array datatype */
    } u;
} H5T_shared_t;
```

In these structures H5T_array_t.nelem overlaps H5T_compnd_t.nalloc and H5T_array_t.ndims overlaps H5T_compnd_t.nmembs (on the 32-bit build used in the crash analysis below, where size_t and unsigned are both 4 bytes; on a 64-bit build the 8-byte nelem spans both nalloc and nmembs instead). They are defined below; the fields that control the allocation and the loop are marked.

```
src/H5Tpkg.h:273
typedef struct H5T_array_t {
    size_t      nelem;              /* total number of elements in array */   // XXX: modified using elements outside of the dims variable
    unsigned    ndims;              /* member dimensionality */               // XXX: modified inside H5T__array_create
    size_t      dim[H5S_MAX_RANK];  /* size in each dimension */
} H5T_array_t;

src/H5Tpkg.h:217
typedef struct H5T_compnd_t {
    unsigned    nalloc;     /*num entries allocated in MEMB array*/   // XXX: used to control the allocation
    unsigned    nmembs;     /*number of members defined in struct*/   // XXX: used to terminate the loop
    H5T_sort_t  sorted;     /*how are members sorted? */
    hbool_t     packed;     /*are members packed together? */
    H5T_cmemb_t *memb;      /*array of struct members */
    size_t      memb_size;  /*total of all member sizes */
} H5T_compnd_t;
```

Referring back to the loop, these two fields control when it terminates. Since u.array.ndims lets the library modify the value of u.compnd.nmembs, the code at line 391 writes outside the bounds of the allocation. This is a heap-based buffer overflow and can lead to code execution in the context of the application using the library.

```
src/H5Odtype.c:282
                for(i = 0; i < dt->shared->u.compnd.nmembs; i++) {   // XXX: u.array.ndims
                    ...
src/H5Odtype.c:391
                    ...
                    /* Member size */
                    dt->shared->u.compnd.memb[i].size = temp_type->shared->size;   // XXX: writes outside of bounds of loop.
                    dt->shared->u.compnd.memb_size += temp_type->shared->size;

                    /* Set the field datatype (finally :-) */
                    dt->shared->u.compnd.memb[i].type = temp_type;
```

### Crash Analysis

```
$ gdb -q --args bin/h5stat poc.hdf
1542    ../../../tools/h5stat/h5stat.c: No such file or directory.
(gdb) bp src/H5Odtype.c:278
Breakpoint 4 at 0xb6b04b3f: file ../../src/H5Odtype.c, line 278.
(gdb) bp src/H5Odtype.c:312
Breakpoint 5 at 0xb6b07356: file ../../src/H5Odtype.c, line 312.
(gdb) bp src/H5Odtype.c:352
Breakpoint 6 at 0xb6b091f7: file ../../src/H5Odtype.c, line 352.
(gdb) bp src/H5Odtype.c:392
Breakpoint 7 at 0xb6b0a852: file ../../src/H5Odtype.c, line 392.
(gdb) r
Starting program: $HOME/hdf5-1.8.16/release/bin/h5stat poc.hdf
Filename: poc.hdf

Breakpoint 3, H5O_dtype_decode_helper (f=f@entry=0x83f0e48, ioflags=ioflags@entry=0xbfffed6c, pp=pp@entry=0xbfffed1c, dt=dt@entry=0x83df358) at ../../src/H5Odtype.c:278
278             dt->shared->u.compnd.memb = (H5T_cmemb_t *)H5MM_calloc(dt->shared->u.compnd.nalloc * sizeof(H5T_cmemb_t));
(gdb) p dt->shared->u.compnd.nalloc * sizeof(H5T_cmemb_t)
$1 = 0x30
(gdb) n
279             dt->shared->u.compnd.memb_size = 0;
(gdb) p dt->shared->u.compnd.memb
$2 = (H5T_cmemb_t *) 0x83f4070
(gdb) ba dt->shared->u.compnd.memb + dt->shared->u.compnd.nalloc * sizeof(H5T_cmemb_t)
Hardware watchpoint 7: *(dt->shared->u.compnd.memb + dt->shared->u.compnd.nalloc * sizeof(H5T_cmemb_t))
(gdb) c
Continuing.

Hardware watchpoint 7: *(dt->shared->u.compnd.memb + dt->shared->u.compnd.nalloc * sizeof(H5T_cmemb_t))

Old value = 0x0
New value = <unreadable>
H5T__array_create (base=base@entry=0x83df448, ndims=ndims@entry=0x80, dim=dim@entry=0xbfffebc8) at ../../src/H5Tarray.c:206
206             ret_value->shared->u.array.nelem *= (size_t)dim[u];
(gdb) c
Continuing.

Breakpoint 6, H5O_dtype_decode_helper (f=f@entry=0x83f0e48, ioflags=ioflags@entry=0xbfffed6c, pp=pp@entry=0xbfffed1c, dt=dt@entry=0x83df358) at ../../src/H5Odtype.c:392
392             dt->shared->u.compnd.memb[i].size = temp_type->shared->size;
(gdb) n

Catchpoint 2 (signal SIGSEGV), 0x08148372 in H5O_dtype_decode_helper (f=f@entry=0x83f0e48, ioflags=ioflags@entry=0xbfffed6c, pp=pp@entry=0xbfffed1c, dt=dt@entry=0x83df358) at ../../src/H5Odtype.c:392
392             dt->shared->u.compnd.memb[i].size = temp_type->shared->size;

Program terminated with signal SIGSEGV, Segmentation fault.
The program no longer exists.
(gdb)

==2061==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb2b20758 at pc 0xb699e18c bp 0xbfa0e618 sp 0xbfa0e610
WRITE of size 4 at 0xb2b20758 thread T0
    #0 0xb699e18b in H5T__array_create $HOME/hdf5-1.8.16/memcheck/src/../../src/H5Tarray.c:205
    #1 0xb629b2e4 in H5O_dtype_decode_helper $HOME/hdf5-1.8.16/memcheck/src/../../src/H5Odtype.c:352
    #2 0xb628d881 in H5O_dtype_decode $HOME/hdf5-1.8.16/memcheck/src/../../src/H5Odtype.c:1108
    #3 0xb6259fd8 in H5O_dtype_shared_decode $HOME/hdf5-1.8.16/memcheck/src/../../src/H5Oshared.h:84
    #4 0xb6335a5c in H5O_msg_read_oh $HOME/hdf5-1.8.16/memcheck/src/../../src/H5Omessage.c:554
    #5 0xb63338a6 in H5O_msg_read $HOME/hdf5-1.8.16/memcheck/src/../../src/H5Omessage.c:483
    #6 0xb57d3b96 in H5D__open_oid $HOME/hdf5-1.8.16/memcheck/src/../../src/H5Dint.c:1245
    #7 0xb57d0df7 in H5D_open $HOME/hdf5-1.8.16/memcheck/src/../../src/H5Dint.c:1153
    #8 0xb56763f9 in H5Dopen2 $HOME/hdf5-1.8.16/memcheck/src/../../src/H5D.c:368
    #9 0x80e0ecd in dataset_stats $HOME/hdf5-1.8.16/memcheck/tools/h5stat/../../../tools/h5stat/h5stat.c:473
    #10 0x80d1d39 in obj_stats $HOME/hdf5-1.8.16/memcheck/tools/h5stat/../../../tools/h5stat/h5stat.c:685
    #11 0x81d307d in traverse_cb $HOME/hdf5-1.8.16/memcheck/tools/lib/../../../tools/lib/h5trav.c:237
    #12 0xb5c6a66a in H5G_visit_cb $HOME/hdf5-1.8.16/memcheck/src/../../src/H5Gint.c:939
    #13 0xb5cbea72 in H5G__node_iterate $HOME/hdf5-1.8.16/memcheck/src/../../src/H5Gnode.c:1026
    #14 0xb54b2c85 in H5B_iterate_helper $HOME/hdf5-1.8.16/memcheck/src/../../src/H5B.c:1175
    #15 0xb54b06db in H5B_iterate $HOME/hdf5-1.8.16/memcheck/src/../../src/H5B.c:1220
    #16 0xb5d17773 in H5G__stab_iterate $HOME/hdf5-1.8.16/memcheck/src/../../src/H5Gstab.c:565
    #17 0xb5ce2af2 in H5G__obj_iterate $HOME/hdf5-1.8.16/memcheck/src/../../src/H5Gobj.c:707
    #18 0xb5c67be2 in H5G_visit $HOME/hdf5-1.8.16/memcheck/src/../../src/H5Gint.c:1174
    #19 0xb6022f7d in H5Lvisit_by_name $HOME/hdf5-1.8.16/memcheck/src/../../src/H5L.c:1378
    #20 0x81bed2e in traverse $HOME/hdf5-1.8.16/memcheck/tools/lib/../../../tools/lib/h5trav.c:310
    #21 0x81c9df5 in h5trav_visit $HOME/hdf5-1.8.16/memcheck/tools/lib/../../../tools/lib/h5trav.c:1164
    #22 0x80cf9e3 in main $HOME/hdf5-1.8.16/memcheck/tools/h5stat/../../../tools/h5stat/h5stat.c:1623
    #23 0xb506ea82 (/lib/i386-linux-gnu/libc.so.6+0x19a82)
    #24 0x80cde74 in _start ($HOME/hdf5-1.8.16/memcheck/bin/h5stat+0x80cde74)

0xb2b20758 is located 0 bytes to the right of 168-byte region [0xb2b206b0,0xb2b20758)
allocated by thread T0 here:
    #0 0x80b6b8e in calloc ($HOME/hdf5-1.8.16/memcheck/bin/h5stat+0x80b6b8e)
    #1 0xb6093d5b in H5MM_calloc $HOME/hdf5-1.8.16/memcheck/src/../../src/H5MM.c:107
    #2 0xb6982712 in H5T__alloc $HOME/hdf5-1.8.16/memcheck/src/../../src/H5T.c:3462
    #3 0xb699d08c in H5T__array_create $HOME/hdf5-1.8.16/memcheck/src/../../src/H5Tarray.c:192
    #4 0xb629b2e4 in H5O_dtype_decode_helper $HOME/hdf5-1.8.16/memcheck/src/../../src/H5Odtype.c:352
    #5 0xb628d881 in H5O_dtype_decode $HOME/hdf5-1.8.16/memcheck/src/../../src/H5Odtype.c:1108
    #6 0xb6259fd8 in H5O_dtype_shared_decode $HOME/hdf5-1.8.16/memcheck/src/../../src/H5Oshared.h:84
    #7 0xb6335a5c in H5O_msg_read_oh $HOME/hdf5-1.8.16/memcheck/src/../../src/H5Omessage.c:554
    #8 0xb63338a6 in H5O_msg_read $HOME/hdf5-1.8.16/memcheck/src/../../src/H5Omessage.c:483
    #9 0xb57d3b96 in H5D__open_oid $HOME/hdf5-1.8.16/memcheck/src/../../src/H5Dint.c:1245
    #10 0xb57d0df7 in H5D_open $HOME/hdf5-1.8.16/memcheck/src/../../src/H5Dint.c:1153
    #11 0xb56763f9 in H5Dopen2 $HOME/hdf5-1.8.16/memcheck/src/../../src/H5D.c:368
    #12 0x80e0ecd in dataset_stats $HOME/hdf5-1.8.16/memcheck/tools/h5stat/../../../tools/h5stat/h5stat.c:473
    #13 0x80d1d39 in obj_stats $HOME/hdf5-1.8.16/memcheck/tools/h5stat/../../../tools/h5stat/h5stat.c:685
    #14 0x81d307d in traverse_cb $HOME/hdf5-1.8.16/memcheck/tools/lib/../../../tools/lib/h5trav.c:237
    #15 0xb5c6a66a in H5G_visit_cb $HOME/hdf5-1.8.16/memcheck/src/../../src/H5Gint.c:939
    #16 0xb5cbea72 in H5G__node_iterate $HOME/hdf5-1.8.16/memcheck/src/../../src/H5Gnode.c:1026
    #17 0xb54b2c85 in H5B_iterate_helper $HOME/hdf5-1.8.16/memcheck/src/../../src/H5B.c:1175
    #18 0xb54b06db in H5B_iterate $HOME/hdf5-1.8.16/memcheck/src/../../src/H5B.c:1220
    #19 0xb5d17773 in H5G__stab_iterate $HOME/hdf5-1.8.16/memcheck/src/../../src/H5Gstab.c:565
    #20 0xb5ce2af2 in H5G__obj_iterate $HOME/hdf5-1.8.16/memcheck/src/../../src/H5Gobj.c:707
    #21 0xb5c67be2 in H5G_visit $HOME/hdf5-1.8.16/memcheck/src/../../src/H5Gint.c:1174
    #22 0xb6022f7d in H5Lvisit_by_name $HOME/hdf5-1.8.16/memcheck/src/../../src/H5L.c:1378
    #23 0x81bed2e in traverse $HOME/hdf5-1.8.16/memcheck/tools/lib/../../../tools/lib/h5trav.c:310
    #24 0x81c9df5 in h5trav_visit $HOME/hdf5-1.8.16/memcheck/tools/lib/../../../tools/lib/h5trav.c:1164
    #25 0x80cf9e3 in main $HOME/hdf5-1.8.16/memcheck/tools/h5stat/../../../tools/h5stat/h5stat.c:1623
    #26 0xb506ea82 (/lib/i386-linux-gnu/libc.so.6+0x19a82)

SUMMARY: AddressSanitizer: heap-buffer-overflow $HOME/hdf5-1.8.16/memcheck/src/../../src/H5Tarray.c:205 H5T__array_create
```

### Timeline

* 2016-05-08 - Discovery
* 2016-05-17 - Vendor Notification
* 2016-11-15 - Public Disclosure

### References

* [1] https://en.wikipedia.org/wiki/Hierarchical_Data_Format
* [2] http://www.hdfgroup.org/HDF5/
id | SSV:96651 |
last seen | 2017-11-19 |
modified | 2017-10-11 |
published | 2017-10-11 |
reporter | Root |
title | HDF5 Group libhdf5 H5T_COMPOUND Code Execution Vulnerability (CVE-2016-4333) |
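To make the two mechanisms in the advisory above concrete, here is a small stand-alone C model of the pattern. It is an added example, not code from libhdf5 or from the Talos report: the `array_t` / `compnd_t` / `shared_t` structs follow the field order of the H5Tpkg.h excerpts but omit everything else, the byte layout of the constructed member records (`[ndims][3 reserved][4 x uint32 LE dims]`) is a simplification of the real version-1 member encoding, and the function names are this example's own. It shows (1) that `array.ndims` only aliases `compnd.nmembs` when `size_t` is 4 bytes, which is the case on the i386 build the crash analysis comes from, and (2) hardened replacements for the two spots the advisory marks, where the untrusted dimension count is rejected with an error before it can bound a loop or size an allocation instead of being `HDassert`ed away in production builds.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-ins for H5T_array_t / H5T_compnd_t, field order as in the advisory's H5Tpkg.h excerpts. */
#define MAX_RANK     32   /* H5S_MAX_RANK */
#define V1_MAX_NDIMS  4   /* a version-1 compound member stores 4 dim slots */

typedef struct {
    size_t   nelem;          /* total number of elements in array */
    unsigned ndims;          /* member dimensionality */
    size_t   dim[MAX_RANK];  /* size in each dimension */
} array_t;

typedef struct {
    unsigned nalloc;         /* entries allocated in memb[] */
    unsigned nmembs;         /* terminator of the member-decoding loop */
    void    *memb;
    size_t   memb_size;
} compnd_t;

typedef struct {
    size_t size;
    union { compnd_t compnd; array_t array; } u;   /* the aliasing union */
} shared_t;

/* 1 when array.ndims and compnd.nmembs share bytes: ILP32 yes (ndims at offset 4), LP64 no. */
int ndims_aliases_nmembs(void)
{
    return offsetof(array_t, ndims) == offsetof(compnd_t, nmembs);
}

/* Write ndims via the array view, as H5T__array_create does, and return what compnd.nmembs reads back as. */
unsigned nmembs_after_ndims_write(unsigned nmembs, unsigned ndims)
{
    shared_t s;
    memset(&s, 0, sizeof s);
    s.u.compnd.nmembs = nmembs;
    s.u.array.ndims = ndims;
    return s.u.compnd.nmembs;
}

static uint32_t rd_u32(const uint8_t *p)   /* HDF5 files are little-endian */
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Hardened replacement for the H5Odtype.c excerpt, where ndims is read from the file and
 * only HDassert()ed (absent in production builds): reject it before it bounds any loop.
 * Constructed record layout (assumption, simplified): [ndims][3 reserved][4 x uint32 LE dims]. */
int decode_member_dims_checked(const uint8_t **pp, size_t dim[V1_MAX_NDIMS], unsigned *ndims_out)
{
    unsigned ndims = *(*pp)++;
    if (ndims > V1_MAX_NDIMS)
        return -1;                   /* corrupt or hostile file: fail closed */
    *pp += 3;                        /* reserved bytes */
    for (int j = 0; j < V1_MAX_NDIMS; j++, *pp += 4)
        dim[j] = rd_u32(*pp);
    *ndims_out = ndims;
    return 0;
}

/* Hardened counterpart of the H5T__array_create size loop: ndims is bounded by
 * dim[]'s capacity and both multiplies are overflow-checked. */
int array_create_checked(size_t elem_size, unsigned ndims, const size_t dim[], shared_t *out)
{
    if (ndims == 0 || ndims > MAX_RANK)
        return -1;
    memset(out, 0, sizeof *out);
    out->u.array.ndims = ndims;
    out->u.array.nelem = 1;
    for (unsigned u = 0; u < ndims; u++) {
        if (dim[u] != 0 && out->u.array.nelem > SIZE_MAX / dim[u])
            return -1;               /* nelem * dim[u] would wrap */
        out->u.array.dim[u] = dim[u];
        out->u.array.nelem *= dim[u];
    }
    if (elem_size != 0 && out->u.array.nelem > SIZE_MAX / elem_size)
        return -1;
    out->size = elem_size * out->u.array.nelem;
    return 0;
}

/* Constructed member records, not taken from any real file. */
static const uint8_t GOOD_RECORD[20] = { 2,    0,0,0, 3,0,0,0, 4,0,0,0, 0,0,0,0, 0,0,0,0 };
static const uint8_t BAD_RECORD[20]  = { 0x80, 0,0,0, 3,0,0,0, 4,0,0,0, 0,0,0,0, 0,0,0,0 };

/* Decode one record with the checked parser and build its array type; 0 means rejected. */
size_t parse_member_record(const uint8_t *rec, size_t elem_size)
{
    const uint8_t *p = rec;
    size_t dim[V1_MAX_NDIMS];
    unsigned ndims;
    shared_t arr;
    if (decode_member_dims_checked(&p, dim, &ndims) < 0 ||
        array_create_checked(elem_size, ndims, dim, &arr) < 0)
        return 0;
    return arr.u.array.nelem;
}
```

`BAD_RECORD` carries the same `ndims = 0x80` that appears in the advisory's gdb session; the checked decoder refuses it, whereas the original code only asserted on it. The aliasing helpers are there because the advisory's "nelem is nalloc, ndims is nmembs" statement is a property of the 32-bit ABI, and a reader reproducing this on a 64-bit host will otherwise be surprised that the union overlaps differently.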
Talos
id | TALOS-2016-0179 |
last seen | 2019-05-29 |
published | 2016-11-17 |
reporter | Talos Intelligence |
source | http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0179 |
title | HDF5 Group libhdf5 H5T_COMPOUND Code Execution Vulnerability |
References
- http://www.debian.org/security/2016/dsa-3727
- http://www.securityfocus.com/bid/94416
- http://www.talosintelligence.com/reports/TALOS-2016-0179/
- https://security.gentoo.org/glsa/201701-13