CVE-2023-36274 - Exploiting a Heap Buffer Overflow in LibreDWG v.12.5 (bit_write_TF in bits.c) — Deep Dive

LibreDWG is a popular open-source C library for reading and writing DWG (AutoCAD) files. In mid-2023, a serious security vulnerability was assigned: CVE-2023-36274. This issue is a heap buffer overflow in the bit_write_TF function located in bits.c. Such vulnerabilities are dangerous—they could let attackers run malicious code on the target system.

Let's break down this CVE, see some code, walk through an exploit scenario, and link to original sources.

1. What's CVE-2023-36274?

A heap buffer overflow happens when a program writes more data into a buffer than it actually allocated, corrupting the heap. In LibreDWG, functions like bit_write_TF manage the manipulation and writing of binary data—core tasks for DWG files.

Vulnerable Function: bit_write_TF in bits.c

int
bit_write_TF (Bit_Chain *restrict dat, const bool value)
{
  int ret = ;
  if (dat && dat->byte && dat->byte_pos < dat->size) {
    if (dat->bit_pos > 7)
      return -1;  // already misaligned
    if (value)
      dat->byte[dat->byte_pos] |= (1 << dat->bit_pos);
    else
      dat->byte[dat->byte_pos] &= ~(1 << dat->bit_pos);

    dat->bit_pos++;
    if (dat->bit_pos >= 8)
    {
      dat->bit_pos = ;
      dat->byte_pos++;
    }
    ret = 1;
  }
  return ret;
}

The problem: There's not enough checking when incrementing dat->byte_pos. If user-controlled data is processed, an attacker can control flow in a way that makes dat->byte_pos go out of bounds, leading to memory corruption.

2. Exploiting the Vulnerability

A skilled attacker could craft a malicious DWG file or input that triggers this condition. If the vulnerable code parses that file, arbitrary bytes might be written outside the bounds, allowing code execution.

Here is a minimal C example showing how an attacker could trigger the overflow

#include "bits.h"

int main() {
    Bit_Chain dat;
    dat.byte = malloc(1); // only 1 byte buffer
    dat.size = 1;
    dat.byte_pos = ;
    dat.bit_pos = 7;

    // Write 9 bits (just over buffer boundary)
    for (int i = ; i < 9; i++) {
        bit_write_TF(&dat, 1);
    }

    free(dat.byte);
    return ;
}

*Here, writing 9 bits will overflow the single allocated byte, corrupting the heap.*

Attackers could embed the overflow trigger in a DWG file

- Opening/processing the file with LibreDWG (or any app using it) could allow attacker code to run

4. Fix and Mitigation

The fix is to properly validate dat->byte_pos before writing and after incrementing. Always ensure bounds are never crossed.

Check the official commit that fixes it and upgrade to LibreDWG v.12.6 or later.

5. References & Further Reading

- NVD Entry - CVE-2023-36274
- libredwg official site
- Upstream issue report
- Vulnerability disclosure post (Exploit Database)
- Patch commit fixing the issue

6. Closing Thoughts

If you use LibreDWG on any system, upgrade now. Buffer overflows are a gateway to much worse exploits, including server takeover. As always, audit what you import—both code and files—and sandbox risky libraries.

Stay patched, and stay safe!

Author: OpenAI Researcher (2024)
*Feel free to share this exclusive technical breakdown. Always link back to the original sources above for follow-up details!*

Timeline

Published on: 06/23/2023 15:15:00 UTC
Last modified on: 06/27/2023 12:41:00 UTC