When parsing certain XML documents that contain large numbers of elements, an integer overflow can occur, causing a heap buffer underflow. An attacker can exploit this by sending a specially crafted XML document to an application that uses Expat, and can force an application to parse a large number of XML documents by sending a large number of outgoing network requests. When parsing such documents, the application's stack can overflow and eventually underrun, corrupting memory and potentially leading to remote code execution. This issue was addressed by updating Expat to version 2.4.4.

Note: libexpat before 2.4.3 is no longer supported. Software that uses or consumes libexpat should upgrade to a newer version.

Operation Scenarios

This vulnerability can be exploited to cause a remote code execution on the target system by sending a specially crafted XML document.
The vulnerability is triggered when parsing certain XML documents that contain large numbers of elements. By sending a large number of outgoing network requests, an attacker can force an application to parse a high volume of XML documents, resulting in memory corruption and ultimately remote code execution. However, the attacker first needs to know the target IP address for exploitation to succeed. Software that uses or consumes libexpat should upgrade to a newer version.
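The bug class described in the summary and in this scenario, per-element bookkeeping whose size arithmetic wraps when a document carries enough elements, as an added example that is not Expat's code (the record layout, function names and the 32-bit counter are hypothetical): the wrapping size computation beside the overflow-checked growth routine a parser should use instead.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical per-element bookkeeping record; not Expat's actual layout. */
typedef struct { uint32_t name_off, name_len; uint64_t attr_off; } elem_t;

/* WEAK: a 32-bit element counter times the record size wraps once the document
 * holds enough elements, so the parser allocates far less than it later writes. */
uint32_t unchecked_alloc_size(uint32_t count)
{
    return count * (uint32_t)sizeof(elem_t);   /* silently wraps modulo 2^32 */
}

/* HARDENED: produce the byte size only if it provably fits in size_t. */
bool checked_alloc_size(size_t count, size_t *bytes)
{
    if (count > SIZE_MAX / sizeof(elem_t))
        return false;                          /* would overflow: refuse */
    *bytes = count * sizeof(elem_t);
    return true;
}

/* Grow an element table by `add` records. The count addition and the byte
 * multiplication are both checked, so a hostile element count makes the parser
 * fail cleanly instead of corrupting the heap. Returns NULL on overflow or
 * allocation failure and leaves `table` untouched in that case. */
elem_t *grow_elements(elem_t *table, size_t count, size_t add, size_t *new_count)
{
    size_t total, bytes;
    if (add > SIZE_MAX - count)
        return NULL;                           /* count + add would wrap */
    total = count + add;
    if (!checked_alloc_size(total, &bytes))
        return NULL;                           /* total * sizeof would wrap */
    elem_t *grown = realloc(table, bytes);
    if (grown == NULL)
        return NULL;
    *new_count = total;
    return grown;
}

int main(void)
{
    size_t n = 0;
    printf("unchecked: 0x40000000 records -> %u bytes\n", unchecked_alloc_size(0x40000000u));
    printf("checked:   %s\n", grow_elements(NULL, 0, SIZE_MAX / sizeof(elem_t) + 1, &n) ? "ok" : "refused");
    return 0;
}
```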

What is Expat?

The Expat library is used by many applications for parsing XML documents. This may include content from web pages and HTTP request responses, or any other XML-based format.

Vulnerability Reporting

If you have found a vulnerability in Expat, please send an email to the following address.

expat-security@lists.sourceforge.net

Timeline

Published on: 01/10/2022 14:12:00 UTC
Last modified on: 06/14/2022 11:15:00 UTC
