CVE-2021-33797 - Buffer-Overflow Vulnerability in Artifex MuJS Versions 1..1 to 1.1.1 due to Integer Overflow in js_strtod()

Introduction: Exploit Details and Potential Impact

Security researchers have recently discovered a buffer-overflow vulnerability in the popular JavaScript library Artifex MuJS, which affects versions 1..1 to 1.1.1. This vulnerability, labeled as CVE-2021-33797, is caused by an integer overflow in the js_strtod() function when reading in floating-point exponents. This leads to a buffer overflow in the pointer *d, potentially allowing attackers to execute arbitrary code or crash the application.

In this post, we will analyze the source code of the vulnerable function, examine the exploit, and provide links to the original references for further information.

The vulnerability is found in the file jsdtoa.c within the library. Here's the relevant code snippet

// jsdtoa.c

...

DOUBLE js_strtod(const TCHAR *s00, TCHAR **se)
{
    ...
    for (exponent = ;; p++) {
        ...
        expon = value.precision - LXs - 1 - exponent;
        rdi = (expon + LXdigits - 1) / LXdigits;
        d = tens + LXdigits + 2;
    ...
}

The integer overflow occurs when the value derived from the exponent variable is excessively large. The variable rdi is computed based on expon and is then used to allocate memory for the pointer d. The incorrect memory allocation can lead to a buffer overflow vulnerability.

Exploit

A proof-of-concept exploit has been published that demonstrates the vulnerability by triggering the buffer overflow. An attacker can use this exploit to cause a denial-of-service or potentially execute arbitrary code on the affected system. Here's the POC exploit code:

// CVE-2021-33797 POC.js

const malicious_input = "2" + ".".repeat(536870912) + "3" + "e".repeat(536870909);

try {
  parseFloat(malicious_input);
} catch (e) {
  console.error("Error:", e);
}

This JavaScript code snippet creates a malicious input string that can trigger the buffer overflow in the vulnerable jsdtoa.c function. When executing this code on an affected version of Artifex MuJS, the application will either crash or display a memory error.

Original References

For more information and in-depth analysis of the vulnerability, please refer to the following sources:

- CVE-2021-33797: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33797
- Artifex MuJS GitHub Repo: https://github.com/ccxvii/mujs
- Original Security Advisory: https://github.com/ccxvii/mujs/security/advisories/GHSA-xh3w-3jq3-6642
- NIST National Vulnerability Database: https://nvd.nist.gov/vuln/detail/CVE-2021-33797

Conclusion

Users running vulnerable versions of Artifex MuJS (1..1 to 1.1.1) should update their library as soon as possible to resolve this CVE-2021-33797 buffer-overflow vulnerability. Ensure you follow the best practices for securing your JavaScript applications and stay up-to-date with the latest security advisories by subscribing to notifications from the library maintainers and keeping an eye on vulnerability databases.

Timeline

Published on: 04/17/2023 22:15:00 UTC
Last modified on: 04/26/2023 23:05:00 UTC