OSEC-2018-01

See a problem?

Import Source

https://github.com/ocaml/security-advisories/blob/generated-osv/2018/OSEC-2018-01.json

JSON Data

https://api.test.osv.dev/v1/vulns/OSEC-2018-01

Aliases

CVE-2018-9838

Published

2018-04-06T18:29:00Z

Modified

2026-02-09T09:46:07.687267Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

An integer overflow in the `bigarray` serialization module leads to arbitrary code execution

Details

Bug description

The bigarray module in all recent ocaml versions is capable of reading in serialized (marshalled) objects from a external source which is often used for network operations and interprocess communication.

byterun/bigarray.c

Line 458 in ea60609

 b->data = malloc(elt_size * num_elts);

A integer overflow vulnerability allows under certain circumstances an remote attacker to input a corrupt object and edit arbitrary addresses in the processes memory which leads over common techniques (in this take libc one gadget but any rop gadget or got table vector would work) to arbitrary memory access (!) and in the course also arbitrary code execution

Please check the writeup.pdf for more details !!

In variations of this the exploit is usable in all ocaml versions we tested no matter if compiled to binary or intepreted (!)

Steps to reproduce

Check out the attached archive and run the makefile (or use the precompile executable) the exploit can be run by executing exploit.py (python2.7 and pwntools are required) The last step of code execution is using a one-gadget attack technique and is specific to the glibc version in use (e.g. tested is debian glibc 2.24-11+deb9u1) but can with minimal amount of work be ported to any libc version on any patch level to our knowledge

Of course you can also use the exploit.py to write your own version of exploit

Additional information

This Vulnerability in ocaml was discovered by me (maximilian.tschirschnitz@gmx.de) and the exploit collaboratly developed with (philipp.hagenlocher@tum.de) For illustration purposes it was packaged as security challenge to demonstrate the impact of the issue (see writeup.pdf)

Database specific

{
    "osv": "https://github.com/ocaml/security-advisories/tree/generated-osv/2018/OSEC-2018-01.json",
    "cwe": [
        "CWE-190"
    ],
    "human_link": "https://github.com/ocaml/security-advisories/tree/main/advisories/2018/OSEC-2018-01.md"
}

References

Credits

- Maximilian Tschirschnitz - REPORTER
- - mailto:maximilian.tschirschnitz@gmx.de
- Philipp Hagenlocher - REPORTER
- - mailto:philipp.hagenlocher@tum.de
- Xavier Leroy - REMEDIATION_DEVELOPER
- Gabriel Scherer - REMEDIATION_REVIEWER

Affected packages

opam / ocaml

Package

Name: ocaml
Purl: pkg:opam/ocaml

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.07.0

Type: GIT
Repo: https://github.com/ocaml/ocaml
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

9664c7ee807c2dfa802f53cabd405ff58e219c47

Affected versions

3.*

3.07

3.07+1

3.07+2

3.08.0

3.08.1

3.08.2

3.08.3

3.08.4

3.09.0

3.09.1

3.09.2

3.09.3

3.10.0

3.10.1

3.10.2

3.11.0

3.11.1

3.11.2

3.12.0

3.12.1

4.*

4.00.0

4.00.1

4.01.0

4.02.0

4.02.1

4.02.2

4.02.3

4.02.4

4.03.0

4.03.1

4.04.0

4.04.1

4.04.2

4.04.3

4.05.0

4.05.1

4.06.0

4.06.1

4.06.2

Ecosystem specific

{
    "opam_constraint": "ocaml {< \"4.07.0\"}"
}

Database specific

source

"https://github.com/ocaml/security-advisories/blob/generated-osv/2018/OSEC-2018-01.json"