Hello qDecoder users!!!
I'm pleased to announce qDecoder 12.1.0 release.
This is a maintenance release that includes important security updates fixing a possible vulnerability in URL decoding (see the report attached below). All qDecoder users are recommended to upgrade to this version as soon as possible.
Best,
Seungyoung Kim
What's Changed
- Security update: add check on improperly encoded input by @wolkykim in #29
- Fix crash when multipart boundary is missing. by @MelanieRed in #26
- Add unit test framework and tests by @wolkykim in #29
- Other minor updates and improvements
- Build compatibility updates for Mac
- Relocate Windows MinGW build code under the src/compat folder
- Document updates
Full Changelog: v12.0.8...v12.1.0
qDecoder Vulnerability Report Details
Software: qDecoder
Software URL: https://github.com/wolkykim/qdecoder
Version Reviewed: Latest git revision as of 30/05/2022, commit e43f6cc
Bug Type: Heap Overflow
Vector: Protocol, network request parsing
Impact: Remote Code Execution
Discovery Date: 17/05/2022
Discovered By: Giulio De Pasquale and Jesse Hertz of Apple Information Security
Summary:
It is possible to corrupt and control the heap chunks by sending a request ending with the "%" character. QDecoder does not perform a sanity check on the bytes appended after the "%" character, leading to a buffer overflow and possible remote code execution, dependent on the usage of the library.
Technical Details:
QDecoder parses potentially untrusted network requests passed through GET and POST requests or HTML Cookies. HTTP clients tend to send the requests encoded with the standard URL encoding, which QDecoder supports.
As part of the parsing process, QDecoder decodes a request's data from its URL-encoded form [1]. URL-encoded strings use the "%" character to mark the beginning of a special escape sequence that is two bytes long.
When QDecoder encounters the escaping character, it attempts to decode the following two bytes, subsequently advancing the buffer pointer forward by two bytes [2]. When the data buffer is fully traversed, the parser will place a null character at the end of the decoded request [3] to signify the end of the request string.
Unfortunately, the parser does not check the buffer's boundaries, causing memory corruption if the request URL ends in a "%" character. When no data is present after the escaping character, the buffer pointer is still advanced by two bytes, jumping over the expected boundary (the terminating null byte). At this point the loop keeps reading past the request data until it encounters another null byte, leading to a heap overflow. Additionally, the overflow overwrites the original null byte, creating an overlong string that spans more than one heap chunk. The overflow corrupts the heap chunks when the buffer is subsequently reused by QDecoder [4], which keeps reading until the erroneously placed null byte.
Conclusion and impact:
An attacker can trigger the overflow by sending a request ending with the "%" character. The vulnerability allows controlling the heap chunks' previous size, bk, and fd pointers [5]. By carefully setting the bk and fd pointers, the chunks could be used to write anywhere in the process memory and, finally, lead to remote code execution.
Mitigations/Workarounds:
We propose to add a sanity check for the bytes following the "%" escape character in the _q_urldecode function in internal.c.
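As an added illustration of the check proposed above (example code, not qDecoder's own _q_urldecode), here is an in-place decoder that validates both bytes after "%" before advancing the read pointer, so a request ending in "%" or "%4" is rejected instead of walking past the terminating null byte. The '+' to space mapping is an assumption matching common form decoding.

```c
#include <stdio.h>
#include <string.h>

/* Map a hex digit to its value, or -1 if the byte is not a hex digit
 * (this also rejects the terminating NUL). */
static int hexval(unsigned char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode a "%XX" / '+' form-encoded string in place.
 * Returns the decoded length, or -1 on a malformed escape (the buffer
 * is then partially decoded and should be discarded).
 * The two bytes after '%' are validated before the read pointer is
 * advanced, so a request ending in "%" or "%4" can never skip over the
 * terminating NUL and read or write past the buffer. */
long urldecode_checked(char *s) {
    char *in = s, *out = s;
    while (*in != '\0') {
        if (*in == '+') {
            *out++ = ' ';
            in++;
        } else if (*in == '%') {
            int hi = hexval((unsigned char)in[1]);
            /* in[2] is read only when in[1] was a hex digit, i.e. not NUL */
            int lo = (hi >= 0) ? hexval((unsigned char)in[2]) : -1;
            if (hi < 0 || lo < 0)
                return -1;           /* reject instead of skipping 2 bytes */
            *out++ = (char)((hi << 4) | lo);
            in += 3;
        } else {
            *out++ = *in++;
        }
    }
    *out = '\0';
    return (long)(out - s);
}

int main(void) {
    /* constructed sample inputs */
    char good[] = "q=a%41b+c", bad[] = "q=abc%", trunc[] = "q=a%4";
    printf("%ld %s\n", urldecode_checked(good), good);   /* 7 q=aAb c */
    printf("%ld\n", urldecode_checked(bad));             /* -1 */
    printf("%ld\n", urldecode_checked(trunc));           /* -1 */
    return 0;
}
```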
References:
[1]: https://github.com/wolkykim/qdecoder/blob/8cef3e8040b73cdaff31469f2e6c1a97d0d7c9c7/src/internal.c#L131
[2]: https://github.com/wolkykim/qdecoder/blob/8cef3e8040b73cdaff31469f2e6c1a97d0d7c9c7/src/internal.c#L146
[3]: https://github.com/wolkykim/qdecoder/blob/8cef3e8040b73cdaff31469f2e6c1a97d0d7c9c7/src/internal.c#L155
[4]: https://github.com/wolkykim/qdecoder/blob/8cef3e8040b73cdaff31469f2e6c1a97d0d7c9c7/src/qcgireq.c#L818
[5]: https://sourceware.org/git/?p=glibc.git;a=blob;f=malloc/malloc.c;h=96149549758dd424f5c08bed3b7ed1259d5d5664;hb=bdc3009b8ff0effdbbfb05eb6b10966753cbf9b8#l1060