Vulnerabilities > CVE-2017-2923 - Out-of-bounds Write vulnerability in multiple products

047910
CVSS 6.8 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL

Summary

An exploitable heap based buffer overflow vulnerability exists in the 'read_biff_next_record function' of FreeXL 1.0.3. A specially crafted XLS file can cause a memory corruption resulting in remote code execution. An attacker can send malicious XLS file to trigger this vulnerability.

Vulnerable Configurations

Part Description Count
Application
Freexl_Project
1
OS
Debian
2

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_555CD806B03111E7A36914DAE9D59F67.NASL
    descriptionCisco TALOS reports : An exploitable heap based buffer overflow vulnerability exists in the read_biff_next_record function of FreeXL 1.0.3. A specially crafted XLS file can cause a memory corruption resulting in remote code execution. An attacker can send malicious XLS file to trigger this vulnerability. An exploitable heap-based buffer overflow vulnerability exists in the read_legacy_biff function of FreeXL 1.0.3. A specially crafted XLS file can cause a memory corruption resulting in remote code execution. An attacker can send malicious XLS file to trigger this vulnerability.
    last seen2020-06-01
    modified2020-06-02
    plugin id103840
    published2017-10-16
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/103840
    titleFreeBSD : Multiple exploitable heap-based buffer overflow vulnerabilities exists in FreeXL 1.0.3 (555cd806-b031-11e7-a369-14dae9d59f67)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-1098.NASL
    descriptionThe Cisco Talos team reported two sensitive security issues affecting FreeXL-1.0.3 and any previous version. CVE-2017-2923 An exploitable heap based buffer overflow vulnerability exists in the read_biff_next_record function of FreeXL 1.0.3. A specially crafted XLS file can cause a memory corruption resulting in remote code execution. An attacker can send malicious XLS file to trigger this vulnerability. CVE-2017-2924 An exploitable heap-based buffer overflow vulnerability exists in the read_legacy_biff function of FreeXL 1.0.3. A specially crafted XLS file can cause a memory corruption resulting in remote code execution. An attacker can send malicious XLS file to trigger this vulnerability. For Debian 7
    last seen2020-03-17
    modified2017-09-18
    plugin id103258
    published2017-09-18
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/103258
    titleDebian DLA-1098-1 : freexl security update
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2017-1082.NASL
    descriptionThis update for freexl to version 1.0.4 fixes several issues. These security issues were fixed : - CVE-2017-2924: Prevent heap-based buffer overflow in the read_legacy_biff function (bsc#1058433). - CVE-2017-2923: Prevent heap-based buffer overflow in the read_biff_next_record function (bsc#1058431).
    last seen2020-06-05
    modified2017-09-22
    plugin id103398
    published2017-09-22
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/103398
    titleopenSUSE Security Update : freexl (openSUSE-2017-1082)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-3976.NASL
    descriptionMarcin
    last seen2020-06-01
    modified2020-06-02
    plugin id103261
    published2017-09-18
    reporterThis script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/103261
    titleDebian DSA-3976-1 : freexl - security update

Seebug

bulletinFamilyexploit
description### Summary An exploitable heap based buffer overflow vulnerability exists in the read_biff_next_record function of FreeXL 1.0.3. A specially crafted XLS file can cause a memory corruption resulting in remote code execution. An attacker can send malicious XLS file to trigger this vulnerability. ### Tested Versions freexl 1.0.3 ### Product URLs https://www.gaia-gis.it/fossil/freexl/index ### CVSSv3 Score 8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H ### CWE CWE-122: Heap-based Buffer Overflow ### Details FreeXL is a C library which can read Microsoft Excel File Format ( XLS ) files. The library is used by the SpatiaLite open source library. A heap-based buffer overflow appears in the `read_biff_next_record` function. The vulnerability appears in a situation when a BIFF record size is bigger than `workbook->record` field. The following code contains the vulnerability: ``` freexl_internals.h Line 278 unsigned char record[8224]; /* current record */ freexl.c Line 3723 static int Line 3724 read_biff_next_record (biff_workbook * workbook, int swap, int *errcode) Line 3725 { (...) Line 3772 /* fetching record-type and record-size */ Line 3773 memcpy (record_type.bytes, workbook->p_in, 2); Line 3774 workbook->p_in += 2; Line 3775 memcpy (record_size.bytes, workbook->p_in, 2); Line 3776 workbook->p_in += 2; (...) Line 3808 while (already_done < workbook->record_size) Line 3809 { Line 3810 /* reading a further sector */ Line 3811 ret = read_cfbf_next_sector (workbook, errcode); Line 3812 if (ret == -1) Line 3813 return -1; /* EOF found */ Line 3814 if (ret == 0) Line 3815 return 0; Line 3816 chunk = workbook->record_size - already_done; Line 3817 if (chunk <= workbook->fat->sector_size) Line 3818 { Line 3819 /* ok, finished: whole record reassembled */ Line 3820 memcpy (workbook->record + already_done, workbook->p_in, Line 3821 chunk); Line 3822 workbook->p_in += chunk; Line 3823 goto record_done; Line 3824 } Line 3825 /* record still spanning on the following sector */ Line 3826 memcpy (workbook->record + already_done, workbook->p_in, Line 3827 workbook->fat->sector_size); Line 3828 workbook->p_in += workbook->fat->sector_size; Line 3829 already_done += workbook->fat->sector_size; Line 3830 } ``` At line 3775 the `record_size` is read directly from the file, which is used to control the loop at line 3808. Then at lines 3820 and 3826 data will be copied into the record which has a fixed size of 8224. Since there are no checks to ensure that the record_size is smaller than this declared value, this will result in a heap-based buffer overflow. ### Crash Information ``` icewall@ubuntu:~/bugs/freexl-1.0.3/bin$ valgrind ./test_xl ./crashes/ef69e246113c046810b7ef908cc7a09f ==99598== Memcheck, a memory error detector ==99598== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al. ==99598== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info ==99598== Command: ./test_xl ./crashes/ef69e246113c046810b7ef908cc7a09f ==99598== ==99598== Invalid write of size 2 ==99598== at 0x4C32723: memcpy@@GLIBC_2.14 (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==99598== by 0x4E43F66: read_biff_next_record (freexl.c:3826) ==99598== by 0x4E448A7: common_open (freexl.c:4102) ==99598== by 0x4E44B39: freexl_open (freexl.c:4202) ==99598== by 0x400C3B: main (test_xl.c:84) ==99598== Address 0x572b128 is 0 bytes after a block of size 65,768 alloc'd ==99598== at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==99598== by 0x4E3D4E8: alloc_workbook (freexl.c:1193) ==99598== by 0x4E44720: common_open (freexl.c:4037) ==99598== by 0x4E44B39: freexl_open (freexl.c:4202) ==99598== by 0x400C3B: main (test_xl.c:84) ==99598== ==99598== Invalid read of size 8 ==99598== at 0x50BDF20: fseek (fseek.c:35) ==99598== by 0x4E4394A: read_cfbf_sector (freexl.c:3666) ==99598== by 0x4E43AC5: read_cfbf_next_sector (freexl.c:3701) ==99598== by 0x4E43E9E: read_biff_next_record (freexl.c:3811) ==99598== by 0x4E448A7: common_open (freexl.c:4102) ==99598== by 0x4E44B39: freexl_open (freexl.c:4202) ==99598== by 0x400C3B: main (test_xl.c:84) ==99598== Address 0x8670017086708 is not stack'd, malloc'd or (recently) free'd ==99598== ==99598== ==99598== Process terminating with default action of signal 11 (SIGSEGV) ==99598== General Protection Fault ==99598== at 0x50BDF20: fseek (fseek.c:35) ==99598== by 0x4E4394A: read_cfbf_sector (freexl.c:3666) ==99598== by 0x4E43AC5: read_cfbf_next_sector (freexl.c:3701) ==99598== by 0x4E43E9E: read_biff_next_record (freexl.c:3811) ==99598== by 0x4E448A7: common_open (freexl.c:4102) ==99598== by 0x4E44B39: freexl_open (freexl.c:4202) ==99598== by 0x400C3B: main (test_xl.c:84) ==99598== Invalid read of size 8 ==99598== at 0x50C4193: _IO_flush_all_lockp (genops.c:786) ==99598== by 0x50C4329: _IO_cleanup (genops.c:951) ==99598== by 0x51BC338: __libc_freeres (in /lib/x86_64-linux-gnu/libc-2.23.so) ==99598== by 0x4A2868C: _vgnU_freeres (in /usr/lib/valgrind/vgpreload_core-amd64-linux.so) ==99598== Address 0x2000f0064001a is not stack'd, malloc'd or (recently) free'd ==99598== ==99598== ==99598== Process terminating with default action of signal 11 (SIGSEGV) ==99598== General Protection Fault ==99598== at 0x50C4193: _IO_flush_all_lockp (genops.c:786) ==99598== by 0x50C4329: _IO_cleanup (genops.c:951) ==99598== by 0x51BC338: __libc_freeres (in /lib/x86_64-linux-gnu/libc-2.23.so) ==99598== by 0x4A2868C: _vgnU_freeres (in /usr/lib/valgrind/vgpreload_core-amd64-linux.so) ==99598== ==99598== HEAP SUMMARY: ==99598== in use at exit: 114,272 bytes in 401 blocks ==99598== total heap usage: 403 allocs, 2 frees, 114,432 bytes allocated ==99598== ==99598== LEAK SUMMARY: ==99598== definitely lost: 4,096 bytes in 1 blocks ==99598== indirectly lost: 0 bytes in 0 blocks ==99598== possibly lost: 0 bytes in 0 blocks ==99598== still reachable: 110,176 bytes in 400 blocks ==99598== suppressed: 0 bytes in 0 blocks ==99598== Rerun with --leak-check=full to see details of leaked memory ==99598== ==99598== For counts of detected and suppressed errors, rerun with: -v ==99598== ERROR SUMMARY: 74 errors from 3 contexts (suppressed: 0 from 0) Segmentation fault (core dumped) ``` ### Timeline * 2017-09-06 - Vendor Disclosure * 2017-09-11 - Public Release ### CREDIT * Discovered by Marcin 'Icewall' Noga of Cisco Talos.
idSSV:96441
last seen2017-11-19
modified2017-09-12
published2017-09-12
reporterRoot
titleFreeXL read_biff_next_record Code Execution Vulnerability(CVE-2017-2923)

Talos

idTALOS-2017-0430
last seen2019-05-29
published2017-09-11
reporterTalos Intelligence
sourcehttp://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0430
titleFreeXL read_biff_next_record Code Execution Vulnerability