CVE-2024-42328 - Exploiting NULL Pointer Dereference in WebDriver Browser Data Download
CVE-2024-42328 is a newly discovered vulnerability affecting web automation software that uses a WebDriver-controlled Browser object for HTTP downloads. This issue can cause a NULL pointer dereference, crashing the program when a server sends an empty response. Let’s break down what’s happening, show the relevant code, and see how an attacker could use this bug.
Technical Summary
When a Browser object uses WebDriver to fetch data from a server, it relies on the libcurl library for HTTP communications. The core problem is in how memory for the received data (wd->data) gets allocated. The memory isn’t allocated until data is actually received, handled in the curl_write_cb callback function. If the server replies with an empty body, that callback never runs, and wd->data stays NULL.
Later in the code, there’s an attempt to access or read from wd->data without checking if allocation ever happened. If nothing came from the server, this leads to a classic NULL pointer dereference—a read or write operation on address —causing a crash (segmentation fault).
Code Snippet
Below is a simplified version of what the vulnerable logic might look like (C-like pseudocode for illustration):
typedef struct {
char *data;
size_t data_len;
} WebDriver_Download;
size_t curl_write_cb(char *ptr, size_t size, size_t nmemb, void *userdata) {
WebDriver_Download *wd = (WebDriver_Download *)userdata;
size_t total_size = size * nmemb;
if(wd->data == NULL) {
wd->data = malloc(total_size);
wd->data_len = ;
} else {
wd->data = realloc(wd->data, wd->data_len + total_size);
}
memcpy(wd->data + wd->data_len, ptr, total_size);
wd->data_len += total_size;
return total_size;
}
void after_download(WebDriver_Download *wd) {
// Vulnerable: no check if wd->data is NULL
printf("Received: %.*s\n", (int)wd->data_len, wd->data);
// further processing...
}
Key point: If the server responds with zero bytes, curl_write_cb never runs, wd->data is never allocated, but after_download() still tries to read it, causing a crash.
How can attackers take advantage of this bug?
- An attacker runs a malicious HTTP server or intercepts traffic to the target Browser/WebDriver instance.
- The server responds to the Browser's request with an HTTP 200 OK, but with no body (an empty response).
- When the Browser's download handler code tries to process the (missing) data, it tries to read from wd->data, which is still NULL.
- The application crashes, potentially leading to
- Denial of Service (DoS) if the Browser/WebDriver is part of a larger automation workflow or backend.
Python Server
python3 -m http.server 800 --bind 127...1
Then just hit http://127...1:800/empty.html where empty.html is a zero-byte file.
In the vulnerable application, trigger a Browser download from that address. Watch the application crash.
Mitigation
Patch guidance:
Always check if a data pointer is not NULL before accessing it. A fixed version might look like
void after_download(WebDriver_Download *wd) {
if (wd->data == NULL || wd->data_len == ) {
printf("No data was received\n");
return;
}
printf("Received: %.*s\n", (int)wd->data_len, wd->data);
}
Also consider initializing the buffer up front, or using safer wrappers for network downloads.
References
- NVD Entry for CVE-2024-42328 (Official details)
- libcurl documentation: Writing Callbacks
- OWASP Guidance: Null Pointer Dereferences
Conclusion
CVE-2024-42328 is a simple but powerful bug: missing a NULL check during HTTP downloads, triggered by an empty server response. It can be used to crash automation test tools or even production automation backends using affected WebDriver Browser objects.
If you use such automation, update your code ASAP or apply the null check as shown above. Stay secure!
Timeline
Published on: 11/27/2024 12:15:20 UTC