In June 2023, security researchers disclosed a serious vulnerability in LibreDWG, an open source C library for handling DWG files, a popular file format for CAD drawings. The vulnerability, tracked as CVE-2023-36272, is a heap buffer overflow in the function bit_utf8_to_TU in bits.c. If left unpatched, the flaw may allow an attacker to execute arbitrary code by tricking an application into processing a specially crafted DWG file.

This post breaks down the vulnerability, provides a code snippet illustrating the problem, walks through a potential exploit path in plain terms, and points developers and users toward safer DWG file handling.

What is LibreDWG?

LibreDWG is a C library for reading and writing DWG files (the default file format of AutoCAD). It's widely used in open source tools and viewers like FreeCAD and LibreCAD.

Vulnerability Details

CVE-ID: CVE-2023-36272
Affected Version: LibreDWG v.12.5 (and possibly prior)
Vulnerable Function: bit_utf8_to_TU in bits.c
Vulnerability Class: Heap Buffer Overflow

Here's a simplified snippet modelled on bits.c (illustrative only: the real function is more involved, but this captures the missing check)

// bits.c - simplified excerpt (illustrative, not the exact upstream code)
int bit_utf8_to_TU(Bit_Chain *chain, char *buffer, int buflen) {
    int i = 0;
    // buflen is accepted but never consulted below
    while (chain->pos < chain->len) {
        unsigned char c = chain->data[chain->pos++];
        // ... decoding logic ...
        buffer[i++] = c; // <-- Risk of writing past buffer: i is never compared with buflen
    }
    buffer[i] = '\0'; // <-- the terminator can land out of bounds too
    return i;
}

The function reads bytes from a bitchain, decodes UTF-8, and writes the result to buffer. The bug: buflen is passed in but never enforced, so there is no check that i stays below it. If an attacker controls the source data (chain->data) and supplies a long enough field, the code happily writes far beyond the end of buffer, corrupting the heap.

Upstream fix:
See the patch for the actual fix.

How an Attack Works

1. Attacker crafts a malicious DWG file: The file contains long or oddly encoded strings destined for bit_utf8_to_TU.
2. User opens the file in a vulnerable app: The app (like FreeCAD using an old LibreDWG) calls this function on the attacker-controlled string.
3. The conversion overruns the destination buffer. Two outcomes are possible:

- Denial of Service (crash): The heap corruption crashes the process.
- Code Execution: With careful arrangement of the heap, the attacker may overwrite function pointers or vtables, leading to arbitrary code execution.

Let’s say the caller allocates a 16-byte buffer on the heap:

char *buffer = malloc(16);
bit_utf8_to_TU(&chain, buffer, 16);

If the decoded chain contents are 16 bytes or longer, the terminating write alone lands past the end of the allocation, and longer input overwrites whatever follows it on the heap, including allocator metadata, which is what can let an attacker hijack the process.

Proof of Concept DWG

A minimal “malicious” DWG would need to encode an overly long string wherever bit_utf8_to_TU is used (e.g., in field names or text entities). Because DWG is a binary format, real-world PoCs look like this (hex-encoded):

41 01 7F 43 .... <long stream of UTF-8 data>

*(See public reference PoC at Exploit Database or this GitHub issue).*

How to Fix

Patch or update immediately:
Upgrade to LibreDWG v.12.6 or newer, where this overflow is fixed by enforcing buffer bounds checking.

Relevant commit:
github.com/LibreDWG/libredwg/commit/73db60e752c3ec462e700273d4b7a64a1876187
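To make the missing check concrete, here is an added example written for this post; it is not LibreDWG's code and not the upstream patch. It shows a simplified UTF-8 to UTF-16 ("TU") converter in the unchecked form described in the Vulnerability Details section, next to a bounds-checked form of the kind the upgrade note refers to. The function names, the TU_OVERFLOW return value, the 16-unit target buffer and the 40-byte ATTACKER_STRING are all assumptions constructed for the illustration.

```c
// Added example, not LibreDWG code. Simplified UTF-8 -> UTF-16 ("TU") conversion,
// once without and once with a destination bound. Names, TU_OVERFLOW, TARGET_UNITS
// and ATTACKER_STRING are constructed for this illustration.
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TU_OVERFLOW ((size_t)-1)   /* returned by the checked variant when dst is too small */
#define TARGET_UNITS 16            /* the small destination buffer used in the demo */

/* Constructed attacker input: 40 ASCII bytes, more than a 16-unit buffer can hold. */
const char ATTACKER_STRING[] =
    "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA";

/* Decode one UTF-8 sequence at s (len bytes available). Returns bytes consumed,
   0 on a malformed sequence; the code point is stored in *cp. */
static size_t utf8_decode(const unsigned char *s, size_t len, uint32_t *cp) {
    size_t n = 0;
    if (len == 0) return 0;
    unsigned char c = s[0];
    if (c < 0x80) { *cp = c; return 1; }
    else if ((c & 0xE0) == 0xC0) { n = 2; *cp = c & 0x1F; }
    else if ((c & 0xF0) == 0xE0) { n = 3; *cp = c & 0x0F; }
    else if ((c & 0xF8) == 0xF0) { n = 4; *cp = c & 0x07; }
    else return 0;
    if (len < n) return 0;
    for (size_t i = 1; i < n; i++) {
        if ((s[i] & 0xC0) != 0x80) return 0;
        *cp = (*cp << 6) | (s[i] & 0x3F);
    }
    return n;
}

/* Encode cp as UTF-16. Returns the units needed (1 or 2); writes only if dst != NULL. */
static size_t utf16_encode(uint32_t cp, uint16_t *dst) {
    if (cp >= 0x10000) {
        if (dst) {
            cp -= 0x10000;
            dst[0] = (uint16_t)(0xD800 | (cp >> 10));
            dst[1] = (uint16_t)(0xDC00 | (cp & 0x3FF));
        }
        return 2;
    }
    if (dst) dst[0] = (uint16_t)cp;
    return 1;
}

/* Vulnerable pattern: dst capacity is never consulted, so output length is
   whatever the input dictates. Returns units written (excluding terminator). */
size_t utf8_to_tu_unchecked(const char *src, uint16_t *dst) {
    const unsigned char *s = (const unsigned char *)src;
    size_t len = strlen(src), i = 0, out = 0;
    while (i < len) {
        uint32_t cp;
        size_t n = utf8_decode(s + i, len - i, &cp);
        if (n == 0) { cp = 0xFFFD; n = 1; }   /* replacement char for a malformed byte */
        out += utf16_encode(cp, dst + out);    /* no comparison against any capacity */
        i += n;
    }
    dst[out] = 0;
    return out;
}

/* Hardened pattern: every write, including the terminator, is checked
   against dst_units. Returns units written or TU_OVERFLOW. */
size_t utf8_to_tu_checked(const char *src, uint16_t *dst, size_t dst_units) {
    const unsigned char *s = (const unsigned char *)src;
    size_t len = strlen(src), i = 0, out = 0;
    if (dst_units == 0) return TU_OVERFLOW;
    while (i < len) {
        uint32_t cp;
        size_t n = utf8_decode(s + i, len - i, &cp);
        if (n == 0) { cp = 0xFFFD; n = 1; }
        size_t need = utf16_encode(cp, NULL);   /* measure first */
        if (out + need >= dst_units) return TU_OVERFLOW; /* keep room for the terminator */
        utf16_encode(cp, dst + out);
        out += need;
        i += n;
    }
    dst[out] = 0;
    return out;
}

/* Demo helpers: run both variants against the same input. The unchecked
   variant is given an oversized scratch buffer so the demo itself cannot
   corrupt memory; its return value shows how far past 16 units it would go. */
size_t demo_unchecked_units(const char *src) {
    static uint16_t scratch[4096];
    return utf8_to_tu_unchecked(src, scratch);
}

size_t demo_checked_units(const char *src) {
    uint16_t target[TARGET_UNITS];
    return utf8_to_tu_checked(src, target, TARGET_UNITS);
}

int main(void) {
    size_t u = demo_unchecked_units(ATTACKER_STRING);
    size_t c = demo_checked_units(ATTACKER_STRING);
    printf("unchecked: wrote %zu units into a %d-unit target\n", u, TARGET_UNITS);
    printf("checked:   %s\n", c == TU_OVERFLOW ? "rejected (would overflow)" : "ok");
    return 0;
}
```

The checked variant measures each code point before writing it, which matters for 4-byte UTF-8 sequences that expand to two UTF-16 units: checking only "one unit left" would still overflow there.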

References and Further Reading

- NVD Entry: CVE-2023-36272
- LibreDWG security advisory
- Exploit Database #51432
- LibreDWG GitHub Issue #444
- Binary diff of fix (github)

Conclusion

CVE-2023-36272 is a critical bug in LibreDWG v.12.5 that lets attackers trigger a heap buffer overflow through crafted DWG files, leading to crashes or possible code execution. If you’re a developer or user working with DWG files, check your LibreDWG version and update as soon as possible.

Takeaway:
Never trust input files — and always keep libraries up to date.
Buffer overflows are still here, and file parsing is a rich attack surface.

Timeline

Published on: 06/23/2023 15:15:00 UTC
Last modified on: 06/27/2023 12:18:00 UTC