Vulnerabilities > CVE-2017-2923 - Out-of-bounds Write vulnerability in multiple products
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
An exploitable heap based buffer overflow vulnerability exists in the 'read_biff_next_record function' of FreeXL 1.0.3. A specially crafted XLS file can cause a memory corruption resulting in remote code execution. An attacker can send malicious XLS file to trigger this vulnerability.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 1 | |
OS | 2 |
Common Weakness Enumeration (CWE)
Nessus
NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_555CD806B03111E7A36914DAE9D59F67.NASL description Cisco TALOS reports : An exploitable heap based buffer overflow vulnerability exists in the read_biff_next_record function of FreeXL 1.0.3. A specially crafted XLS file can cause a memory corruption resulting in remote code execution. An attacker can send malicious XLS file to trigger this vulnerability. An exploitable heap-based buffer overflow vulnerability exists in the read_legacy_biff function of FreeXL 1.0.3. A specially crafted XLS file can cause a memory corruption resulting in remote code execution. An attacker can send malicious XLS file to trigger this vulnerability. last seen 2020-06-01 modified 2020-06-02 plugin id 103840 published 2017-10-16 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/103840 title FreeBSD : Multiple exploitable heap-based buffer overflow vulnerabilities exists in FreeXL 1.0.3 (555cd806-b031-11e7-a369-14dae9d59f67) NASL family Debian Local Security Checks NASL id DEBIAN_DLA-1098.NASL description The Cisco Talos team reported two sensitive security issues affecting FreeXL-1.0.3 and any previous version. CVE-2017-2923 An exploitable heap based buffer overflow vulnerability exists in the read_biff_next_record function of FreeXL 1.0.3. A specially crafted XLS file can cause a memory corruption resulting in remote code execution. An attacker can send malicious XLS file to trigger this vulnerability. CVE-2017-2924 An exploitable heap-based buffer overflow vulnerability exists in the read_legacy_biff function of FreeXL 1.0.3. A specially crafted XLS file can cause a memory corruption resulting in remote code execution. An attacker can send malicious XLS file to trigger this vulnerability. For Debian 7 last seen 2020-03-17 modified 2017-09-18 plugin id 103258 published 2017-09-18 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/103258 title Debian DLA-1098-1 : freexl security update NASL family SuSE Local Security Checks NASL id OPENSUSE-2017-1082.NASL description This update for freexl to version 1.0.4 fixes several issues. These security issues were fixed : - CVE-2017-2924: Prevent heap-based buffer overflow in the read_legacy_biff function (bsc#1058433). - CVE-2017-2923: Prevent heap-based buffer overflow in the read_biff_next_record function (bsc#1058431). last seen 2020-06-05 modified 2017-09-22 plugin id 103398 published 2017-09-22 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/103398 title openSUSE Security Update : freexl (openSUSE-2017-1082) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-3976.NASL description Marcin last seen 2020-06-01 modified 2020-06-02 plugin id 103261 published 2017-09-18 reporter This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/103261 title Debian DSA-3976-1 : freexl - security update
Seebug
bulletinFamily | exploit |
description | ### Summary An exploitable heap based buffer overflow vulnerability exists in the read_biff_next_record function of FreeXL 1.0.3. A specially crafted XLS file can cause a memory corruption resulting in remote code execution. An attacker can send malicious XLS file to trigger this vulnerability. ### Tested Versions freexl 1.0.3 ### Product URLs https://www.gaia-gis.it/fossil/freexl/index ### CVSSv3 Score 8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H ### CWE CWE-122: Heap-based Buffer Overflow ### Details FreeXL is a C library which can read Microsoft Excel File Format ( XLS ) files. The library is used by the SpatiaLite open source library. A heap-based buffer overflow appears in the `read_biff_next_record` function. The vulnerability appears in a situation when a BIFF record size is bigger than `workbook->record` field. The following code contains the vulnerability: ``` freexl_internals.h Line 278 unsigned char record[8224]; /* current record */ freexl.c Line 3723 static int Line 3724 read_biff_next_record (biff_workbook * workbook, int swap, int *errcode) Line 3725 { (...) Line 3772 /* fetching record-type and record-size */ Line 3773 memcpy (record_type.bytes, workbook->p_in, 2); Line 3774 workbook->p_in += 2; Line 3775 memcpy (record_size.bytes, workbook->p_in, 2); Line 3776 workbook->p_in += 2; (...) Line 3808 while (already_done < workbook->record_size) Line 3809 { Line 3810 /* reading a further sector */ Line 3811 ret = read_cfbf_next_sector (workbook, errcode); Line 3812 if (ret == -1) Line 3813 return -1; /* EOF found */ Line 3814 if (ret == 0) Line 3815 return 0; Line 3816 chunk = workbook->record_size - already_done; Line 3817 if (chunk <= workbook->fat->sector_size) Line 3818 { Line 3819 /* ok, finished: whole record reassembled */ Line 3820 memcpy (workbook->record + already_done, workbook->p_in, Line 3821 chunk); Line 3822 workbook->p_in += chunk; Line 3823 goto record_done; Line 3824 } Line 3825 /* record still spanning on the following sector */ Line 3826 memcpy (workbook->record + already_done, workbook->p_in, Line 3827 workbook->fat->sector_size); Line 3828 workbook->p_in += workbook->fat->sector_size; Line 3829 already_done += workbook->fat->sector_size; Line 3830 } ``` At line 3775 the `record_size` is read directly from the file, which is used to control the loop at line 3808. Then at lines 3820 and 3826 data will be copied into the record which has a fixed size of 8224. Since there are no checks to ensure that the record_size is smaller than this declared value, this will result in a heap-based buffer overflow. ### Crash Information ``` icewall@ubuntu:~/bugs/freexl-1.0.3/bin$ valgrind ./test_xl ./crashes/ef69e246113c046810b7ef908cc7a09f ==99598== Memcheck, a memory error detector ==99598== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al. ==99598== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info ==99598== Command: ./test_xl ./crashes/ef69e246113c046810b7ef908cc7a09f ==99598== ==99598== Invalid write of size 2 ==99598== at 0x4C32723: memcpy@@GLIBC_2.14 (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==99598== by 0x4E43F66: read_biff_next_record (freexl.c:3826) ==99598== by 0x4E448A7: common_open (freexl.c:4102) ==99598== by 0x4E44B39: freexl_open (freexl.c:4202) ==99598== by 0x400C3B: main (test_xl.c:84) ==99598== Address 0x572b128 is 0 bytes after a block of size 65,768 alloc'd ==99598== at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==99598== by 0x4E3D4E8: alloc_workbook (freexl.c:1193) ==99598== by 0x4E44720: common_open (freexl.c:4037) ==99598== by 0x4E44B39: freexl_open (freexl.c:4202) ==99598== by 0x400C3B: main (test_xl.c:84) ==99598== ==99598== Invalid read of size 8 ==99598== at 0x50BDF20: fseek (fseek.c:35) ==99598== by 0x4E4394A: read_cfbf_sector (freexl.c:3666) ==99598== by 0x4E43AC5: read_cfbf_next_sector (freexl.c:3701) ==99598== by 0x4E43E9E: read_biff_next_record (freexl.c:3811) ==99598== by 0x4E448A7: common_open (freexl.c:4102) ==99598== by 0x4E44B39: freexl_open (freexl.c:4202) ==99598== by 0x400C3B: main (test_xl.c:84) ==99598== Address 0x8670017086708 is not stack'd, malloc'd or (recently) free'd ==99598== ==99598== ==99598== Process terminating with default action of signal 11 (SIGSEGV) ==99598== General Protection Fault ==99598== at 0x50BDF20: fseek (fseek.c:35) ==99598== by 0x4E4394A: read_cfbf_sector (freexl.c:3666) ==99598== by 0x4E43AC5: read_cfbf_next_sector (freexl.c:3701) ==99598== by 0x4E43E9E: read_biff_next_record (freexl.c:3811) ==99598== by 0x4E448A7: common_open (freexl.c:4102) ==99598== by 0x4E44B39: freexl_open (freexl.c:4202) ==99598== by 0x400C3B: main (test_xl.c:84) ==99598== Invalid read of size 8 ==99598== at 0x50C4193: _IO_flush_all_lockp (genops.c:786) ==99598== by 0x50C4329: _IO_cleanup (genops.c:951) ==99598== by 0x51BC338: __libc_freeres (in /lib/x86_64-linux-gnu/libc-2.23.so) ==99598== by 0x4A2868C: _vgnU_freeres (in /usr/lib/valgrind/vgpreload_core-amd64-linux.so) ==99598== Address 0x2000f0064001a is not stack'd, malloc'd or (recently) free'd ==99598== ==99598== ==99598== Process terminating with default action of signal 11 (SIGSEGV) ==99598== General Protection Fault ==99598== at 0x50C4193: _IO_flush_all_lockp (genops.c:786) ==99598== by 0x50C4329: _IO_cleanup (genops.c:951) ==99598== by 0x51BC338: __libc_freeres (in /lib/x86_64-linux-gnu/libc-2.23.so) ==99598== by 0x4A2868C: _vgnU_freeres (in /usr/lib/valgrind/vgpreload_core-amd64-linux.so) ==99598== ==99598== HEAP SUMMARY: ==99598== in use at exit: 114,272 bytes in 401 blocks ==99598== total heap usage: 403 allocs, 2 frees, 114,432 bytes allocated ==99598== ==99598== LEAK SUMMARY: ==99598== definitely lost: 4,096 bytes in 1 blocks ==99598== indirectly lost: 0 bytes in 0 blocks ==99598== possibly lost: 0 bytes in 0 blocks ==99598== still reachable: 110,176 bytes in 400 blocks ==99598== suppressed: 0 bytes in 0 blocks ==99598== Rerun with --leak-check=full to see details of leaked memory ==99598== ==99598== For counts of detected and suppressed errors, rerun with: -v ==99598== ERROR SUMMARY: 74 errors from 3 contexts (suppressed: 0 from 0) Segmentation fault (core dumped) ``` ### Timeline * 2017-09-06 - Vendor Disclosure * 2017-09-11 - Public Release ### CREDIT * Discovered by Marcin 'Icewall' Noga of Cisco Talos. |
id | SSV:96441 |
last seen | 2017-11-19 |
modified | 2017-09-12 |
published | 2017-09-12 |
reporter | Root |
title | FreeXL read_biff_next_record Code Execution Vulnerability(CVE-2017-2923) |
Talos
id | TALOS-2017-0430 |
last seen | 2019-05-29 |
published | 2017-09-11 |
reporter | Talos Intelligence |
source | http://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0430 |
title | FreeXL read_biff_next_record Code Execution Vulnerability |
References
- http://www.securityfocus.com/bid/100807
- http://www.securityfocus.com/bid/100807
- https://www.debian.org/security/2017/dsa-3976
- https://www.debian.org/security/2017/dsa-3976
- https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0430
- https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0430