Bug 1167756 (CVE-2014-9273) - CVE-2014-9273 hivex: missing checks for small-sized files
Summary: CVE-2014-9273 hivex: missing checks for small-sized files
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-9273
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20141029,repor...
Depends On: 1158992 1158993 1167795
Blocks: 1167758 1193283
TreeView+ depends on / blocked
 
Reported: 2014-11-25 11:07 UTC by Martin Prpič
Modified: 2019-06-08 20:17 UTC (History)
20 users (show)

Fixed In Version: hivex 1.3.11
Doc Type: Bug Fix
Doc Text:
It was found that hivex attempted to read, and possibly write, beyond its allocated buffer when reading a hive file with a very small size or with a truncated or improperly formatted content. An attacker able to supply a specially crafted hive file to an application using the hivex library could possibly use this flaw to execute arbitrary code with the privileges of the user running that application.
Clone Of:
Environment:
Last Closed: 2015-07-22 08:45:49 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:0301 normal SHIPPED_LIVE Moderate: hivex security, bug fix, and enhancement update 2015-03-05 17:34:28 UTC
Red Hat Product Errata RHSA-2015:1378 normal SHIPPED_LIVE Moderate: hivex security and bug fix update 2015-07-20 17:58:31 UTC

Description Martin Prpič 2014-11-25 11:07:00 UTC
It was reported that hivex [1], a library that can read and write hive files (undocumented binary files that Windows uses to store the Windows Registry on disk), did not properly handle small-sized hive files. An attacker able to supply a hive file of a small size to an application using the hivex library could use this flaw to read, and possibly write, up to 4095 bytes beyond the end of the allocated buffer, potentially resulting in arbitrary code execution with the with the privileges of the user running that application.

This issue has been fixed in upstream version 3.11 of hivex. Upstream patches are available at:

https://github.com/libguestfs/hivex/commit/357f26fa64fd1d9ccac2331fe174a8ee9c607adb
https://github.com/libguestfs/hivex/commit/4bbdf555f88baeae0fa804a369a81a83908bd705

Reproducer: https://bugzilla.redhat.com/show_bug.cgi?id=1158992#c0

[1] https://www.redhat.com/archives/libguestfs/2014-October/msg00235.html

Acknowledgements:

Red Hat would like to thank Mahmoud Al-Qudsi of NeoSmart Technologies for reporting this issue.

Comment 1 Richard W.M. Jones 2014-11-25 11:10:03 UTC
(In reply to Martin Prpic from comment #0)
> It was reported that hivex [1], a library that can read and write hive files
> (undocumented binary files that Windows uses to store the Windows Registry
> on disk), did not properly handle small-sized hive files. An attacker able
> to supply a hive file of a small size to an application using the hivex
> library could use this flaw to read, and possibly write, up to 4095 bytes
> beyond the end of the allocated buffer, potentially resulting in arbitrary
> code execution with the with the privileges of the user running that
> application.
> 
> This issue has been fixed in upstream version 3.11 of hivex.

^^ 1.3.11

Comment 3 Martin Prpič 2014-11-25 12:28:03 UTC
CVE request: http://seclists.org/oss-sec/2014/q4/787

Comment 4 Martin Prpič 2014-11-25 12:39:48 UTC
Created hivex tracking bugs for this issue:

Affects: epel-5 [bug 1167795]

Comment 6 Richard W.M. Jones 2014-11-25 13:27:10 UTC
Debian maintainer was notified (a while back) and is going to
submit an update for Jessie.

Comment 7 Vincent Danen 2014-11-25 18:15:02 UTC
Statement:

(none)

Comment 8 Richard W.M. Jones 2014-11-25 18:18:11 UTC
I think we need a RHEL 6 bug ...

Comment 9 Vincent Danen 2014-11-25 18:23:13 UTC
(In reply to Richard W.M. Jones from comment #8)
> I think we need a RHEL 6 bug ...

Is the impact more severe than a local (potential) elevation of privileges on a Windows registry file that you are copying to a Linux platform?  If looking at it from a libguestfs perspective, the user (presumably an administrator with access to a Windows guest) would need to load the registry for that VM (something that probably requires privilege to begin with).  This is a fairly unlikely scenario with a simple mitigation: don't open an untrusted hive file.  I don't believe we need to provide an ASYNC erratum for this and can defer this fix to a later update.

Am I missing anything that makes it more severe than that?

Comment 10 Richard W.M. Jones 2014-11-25 18:35:07 UTC
(In reply to Vincent Danen from comment #9)
> (In reply to Richard W.M. Jones from comment #8)
> > I think we need a RHEL 6 bug ...
> 
> Is the impact more severe than a local (potential) elevation of privileges
> on a Windows registry file that you are copying to a Linux platform?  If
> looking at it from a libguestfs perspective, the user (presumably an
> administrator with access to a Windows guest) would need to load the
> registry for that VM (something that probably requires privilege to begin
> with).  This is a fairly unlikely scenario with a simple mitigation: don't
> open an untrusted hive file.  I don't believe we need to provide an ASYNC
> erratum for this and can defer this fix to a later update.
> 
> Am I missing anything that makes it more severe than that?

No you're about right there.  However I was thinking it'd
be good to have it fixed for RHEL 6.7, but I'll leave it
up to you to decide.

Comment 12 Martin Prpič 2014-12-05 13:22:24 UTC
MITRE assigned CVE-2014-9273 to this issue:

http://seclists.org/oss-sec/2014/q4/903

Comment 13 Fedora Update System 2014-12-11 06:27:38 UTC
hivex-1.3.5-6.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 errata-xmlrpc 2015-03-05 13:42:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:0301 https://rhn.redhat.com/errata/RHSA-2015-0301.html

Comment 15 errata-xmlrpc 2015-07-22 07:17:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:1378 https://rhn.redhat.com/errata/RHSA-2015-1378.html


Note You need to log in before you can comment on or make changes to this bug.