In 2022, a critical security flaw was discovered within Bentley View, a popular tool for viewing engineering and architectural models. This vulnerability, identified as CVE-2022-43656 (also known as ZDI-CAN-18492), affects the way Bentley View handles FBX files—a common 3D file format. In this post, we'll break down what this vulnerability is, how it works, and what risks it brings. We'll also give you example code snippets and references for further reading.
What is CVE-2022-43656?
CVE-2022-43656 is a vulnerability that allows attackers to perform out-of-bounds reads when Bentley View parses certain malicious FBX files. In simple words, if you open a specially crafted FBX file (maybe downloaded from the internet or sent via email), Bentley View could accidentally disclose sensitive data from its own memory. In some scenarios, this information leak could also be used with other bugs to run malicious code on your system.
User interaction required: Yes (have to open a file or click a link)
- ZDI Reference: ZDI-23-022
The FBX File Parsing Flaw
FBX is a complex format, used for storing 3D models and scenes. When Bentley View opens one, it allocates buffers in memory to read and store the file’s data. The flaw exists when the program reads more data than was initially allocated for a buffer—reading past the end, into memory it shouldn’t access.
Example of the Problem:
Suppose Bentley View expects to get a string of 64 characters from the file and allocates 64 bytes. But the FBX file actually contains 100 characters in that field. If the parsing routine doesn’t double-check the size, the program will read an extra 36 bytes. These bytes could include sensitive data: passwords, keys, or metadata from other running software.
Let's look at a simplified C-like pseudocode inspired by the bug report
// Pseudocode: How an out-of-bounds read could happen during FBX parsing
void ParseFBXStringField(FILE *fbx) {
char buffer[64];
unsigned int len = readLengthFromFBX(fbx);
// Bug: Not checking if 'len' is greater than the buffer allows OOB read
fread(buffer, 1, len, fbx);
// Possibly leak out-of-bounds bytes as 'buffer' is used unsafely later
processString(buffer, len);
}
Insecure behavior: len might be larger than buffer, so data from adjacent memory locations are read and possibly returned to the user or crashed out.
Convince the victim to open it in Bentley View (maybe via phishing, email, or web link).
3. Trigger the out-of-bounds read, causing the program to include sensitive memory data in an error, model output, or even crash report.
The data grabbed this way can sometimes include authentication tokens, paths, or even crash the software. In combination with other vulnerabilities (like memory corruption or buffer writing bugs), attackers could take over the machine.
Do not open FBX files from unknown sources.
- Keep Bentley View updated—check for security patches on Bentley’s advisories page.
References
- ZDI-23-022 | Zero Day Initiative Advisory
- NVD Entry for CVE-2022-43656
- Bentley Systems Security Advisories
- FBX File Format Specs (Autodesk)
Conclusion
CVE-2022-43656 reminds us how easily file parsing bugs can lead to serious security issues, especially in tools that handle complex formats like 3D models. Always keep critical software updated, be cautious about opening files from others, and follow your company's security guidance.
If you’re a developer, audit code that parses files—always check lengths before reading. For everyone else, be careful what you open!
*Got questions or want to learn more about software vulnerabilities? Leave a comment below!*
Timeline
Published on: 05/07/2024 23:15:15 UTC
Last modified on: 05/08/2024 13:15:00 UTC