CVE-2022-43280: Critical Vulnerability in wasm-interp v1..29 affecting OnReturnCallExpr->GetReturnCallDropKeepCount component

A new critical vulnerability, CVE-2022-43280, has been discovered in wasm-interp v1..29. This vulnerability potentially allows remote attacks to access sensitive information through an out-of-bounds read vulnerability. The affected component is OnReturnCallExpr->GetReturnCallDropKeepCount.

This post will discuss the details of this vulnerability, a code snippet demonstrating the issue, and links to original references. We will also delve into potential exploitation details to understand better the risks posed by this vulnerability.

Vulnerability Details

The wasm-interp v1..29 is a popular interpreter for WebAssembly (Wasm) applications. The vulnerability exists in the OnReturnCallExpr->GetReturnCallDropKeepCount component that manages the return call expressions for Wasm functions.

An out-of-bounds read error occurs when the GetReturnCallDropKeepCount function reads data outside the allocated memory boundary. This could result in unintended exposure of sensitive information, leading to potential attacks that compromise the confidentiality of the system.

Code Snippet

The code snippet below showcases the vulnerable function GetReturnCallDropKeepCount within the wasm-interp codebase:

intptr_t OnReturnCallExpr::GetReturnCallDropKeepCount() const {
  if (keep_count_ >= ) {
      return keep_count_;
  }
  // Here lies the potential for an out-of-bounds read
  return base::checked_cast<uint32_t>(-keep_count_) - 1;
}

Note that the out-of-bounds read can occur if the value of keep_count_ is less than or equal to the minimum valid negative index, causing the function to return an invalid index beyond the array's boundaries.

References

More details about this vulnerability, its discovery, and its impact can be found in various public sources, including:

1. The official CVE entry: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43280
2. The National Vulnerability Database (NVD): https://nvd.nist.gov/vuln/detail/CVE-2022-43280
3. The wasm-interp project GitHub repository: https://github.com/wasm-interp/wasm-interp

Exploit Details

Exploiting this vulnerability would require an attacker to craft a malicious WebAssembly module that contains a specific return call expression structure designed to trigger the out-of-bounds error. Once the vulnerable interpreter loads and executes the module, it could expose sensitive data stored in the memory of the target application.

Here's an overview of the steps an attacker might take to exploit this vulnerability

1. Analyze the target application and identify the critical locations where wasm-interp v1..29 is in use.
2. Craft a malicious WebAssembly module that triggers the out-of-bounds read in OnReturnCallExpr->GetReturnCallDropKeepCount.
3. Either inject the malicious WebAssembly module into the target application or trick users into visiting a site hosting the module.
4. Upon successful execution of the module, the attacker gains access to sensitive information from the target application's memory.

Conclusion

CVE-2022-43280 is a critical vulnerability in wasm-interp v1..29 that affects the OnReturnCallExpr->GetReturnCallDropKeepCount component, potentially resulting in out-of-bounds reads and exposing sensitive information. Developers using wasm-interp v1..29 should take immediate action to patch or update their interpreter to prevent potential attacks through this vulnerability. Organizations should also be cautious about using untrusted WebAssembly modules that could exploit this vulnerability.

Timeline

Published on: 10/28/2022 21:15:00 UTC
Last modified on: 11/01/2022 16:35:00 UTC