CVE-2022-29777

Suggested description

A heap buffer overflow (underflow) vulnerability was discovered in ONLYOFFICE DocumentServer 6.0.0 and earlier versions.

An attacker who sends a specially crafted request and file to the server can write a pointer to controlled data into the heap chunk located at a lower address than the target buffer. This results in Remote Code Execution, and can also lead to a program crash and/or Denial of Service.


Vulnerability Type

Buffer Overflow


Vendor of the product

ONLYOFFICE - https://www.onlyoffice.com/


Affected products

Affected versions: 4.0.0-9 - 6.0.0

Fixed version: 6.0.1

Affected versions: 4.2.0.236 - 6.0.1.15

Fixed version: 6.0.1.21


Affected components

Affected module: https://github.com/ONLYOFFICE/core/tree/v6.0.1.15

Affected function: https://github.com/ONLYOFFICE/core/blob/9a9d60031ecea59ffad3d80cdb141e1bf29d25e7/DesktopEditor/fontengine/fontconverter/FontFileType1.cpp#L310


Attack type

  • Remote

Impact

  • Code execution
  • Denial of Service

Attack vector

To exploit the vulnerability, an attacker must send a specially crafted request and file to the server. The crafted file makes the parser write beyond the lower bound of a heap buffer, placing a pointer to attacker-controlled data there.

Such a write is a strong primitive for exploits that lead to Remote Code Execution, and it can also lead to a program crash and/or Denial of Service.

```cpp
void CFontFileType1::Parse()
{
    /* ... */
    // 256-entry table of glyph-name pointers, one per encoding code.
    m_arrEncoding = (char **)MemUtilsMallocArray(256, sizeof(char *));

    /* ... */

    // atoi() accepts a leading '-' and returns a negative int for it.
    int nCode = atoi( pCur );

    /* ... */

    // Only the upper bound is checked; a negative nCode passes this test.
    if ( nCode < 256 )
    {
        for ( pCur = pTemp; *pCur == ' ' || *pCur == '\t'; ++pCur ) ;
        if ( *pCur == '/')
        {
            ++pCur;
            for ( pTemp = pCur; *pTemp && *pTemp != ' ' && *pTemp != '\t'; ++pTemp ) ;
            *pTemp = '\0';
            // With a negative nCode this stores the heap pointer returned by
            // CopyString() below the start of the m_arrEncoding allocation.
            m_arrEncoding[ nCode ] = CopyString( pCur );
        }
    }
    /* ... */
}
```

The atoi function can return a negative value, which is stored in the signed integer variable nCode. Because the value is negative it is below the upper limit of the buffer (256), so the check nCode < 256 passes; there is no lower-bound check. The negative value is then used as an index into the array m_arrEncoding, so the store m_arrEncoding[nCode] = ... lands at an address below the start of the m_arrEncoding allocation.

The vulnerability therefore allows writing a pointer to a heap chunk (the copy, made by CopyString, of a string chosen by the attacker in the font file) into a neighbouring heap chunk located at a lower address than m_arrEncoding.
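The fix pattern for this class of bug is a two-sided bound check on the parsed code before it is used as an index. The following C example is added here and is not ONLYOFFICE code; it is a hypothetical, stand-alone re-implementation of the encoding-entry handling that parses constructed Type 1 style lines of the form `dup <code> /<name> put`, uses strtol instead of atoi so that non-numeric and out-of-range input is reported, and refuses any code outside 0..255 instead of storing through it. The function and sample names (`parse_encoding_line`, `load_encoding`, `encoding_index_ok`, `SAMPLE`) are the example's own.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ENC_SIZE 256

/* Both bounds must be checked: the vulnerable code only tests nCode < 256,
 * so a negative code indexes below the start of the encoding table. */
int encoding_index_ok(long code)
{
    return code >= 0 && code < ENC_SIZE;
}

/* Small replacement for CopyString(): heap copy of a NUL-terminated string. */
static char *copy_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *out = malloc(n);
    if (out) memcpy(out, s, n);
    return out;
}

/* Parse one "dup <code> /<name> put" line (constructed syntax for this example).
 * Returns 0 on success and fills *code and name; negative values are errors.
 * strtol reports overflow (ERANGE) and "no digits" (end == p), which atoi cannot. */
int parse_encoding_line(const char *line, long *code, char *name, size_t name_sz)
{
    const char *p = line;
    char *end;

    while (*p == ' ' || *p == '\t') ++p;
    if (strncmp(p, "dup", 3) != 0) return -1;   /* not an encoding entry */
    p += 3;

    errno = 0;
    long v = strtol(p, &end, 10);
    if (end == p || errno == ERANGE) return -2; /* no number, or overflow */
    p = end;

    while (*p == ' ' || *p == '\t') ++p;
    if (*p != '/') return -3;                   /* glyph name must follow */
    ++p;

    size_t len = 0;
    while (p[len] && p[len] != ' ' && p[len] != '\t') ++len;
    if (len == 0 || len >= name_sz) return -4;  /* empty or oversized name */

    memcpy(name, p, len);
    name[len] = '\0';
    *code = v;
    return 0;
}

/* Load every encoding line of `text` into table[ENC_SIZE] (zero-initialised by
 * the caller). Entries whose code fails the two-sided check are counted and
 * skipped rather than written. Returns the number of rejected entries. */
int load_encoding(const char *text, char *table[ENC_SIZE])
{
    int rejected = 0;
    const char *line = text;

    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[128];
        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';

        long code;
        char name[64];
        if (parse_encoding_line(buf, &code, name, sizeof name) == 0) {
            if (encoding_index_ok(code)) {
                free(table[code]);              /* replace an earlier entry */
                table[code] = copy_string(name);
            } else {
                rejected++;                     /* would have been an OOB write */
            }
        }
        if (!nl) break;
        line = nl + 1;
    }
    return rejected;
}

void free_encoding(char *table[ENC_SIZE])
{
    for (int i = 0; i < ENC_SIZE; i++) { free(table[i]); table[i] = NULL; }
}

/* Constructed sample input: one valid entry, one negative code (the bug on this
 * page), one code past the end of the table. */
const char *SAMPLE =
    "dup 65 /A put\n"
    "dup -5 /evil put\n"
    "dup 300 /toobig put\n";

int main(void)
{
    char *table[ENC_SIZE] = {0};
    int rejected = load_encoding(SAMPLE, table);
    printf("rejected=%d table[65]=%s\n", rejected, table[65] ? table[65] : "(null)");
    free_encoding(table);
    return 0;
}
```

The negative and oversized codes are parsed successfully (the parser is not where the defect lies) and are then stopped by `encoding_index_ok`; in the vulnerable build only the `< 256` half of that check exists, which is exactly the gap the advisory describes.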


References