Talos Vulnerability Report

TALOS-2022-1669

Open Babel MSI format atom uninitialized pointer dereference vulnerability

July 21, 2023
CVE Number

CVE-2022-44451

SUMMARY

A use of uninitialized pointer vulnerability exists in the MSI format atom functionality of Open Babel 3.1.1 and master commit 530dbfa3. A specially crafted malformed file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Open Babel 3.1.1
Open Babel master commit 530dbfa3

PRODUCT URLS

Open Babel - https://openbabel.org/

CVSSv3 SCORE

9.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-824 - Access of Uninitialized Pointer

DETAILS

Open Babel is a popular library for converting chemical file formats, currently supporting about 130 different file formats. It implements bindings for several programming languages. Because of the nature of the library, and since there are many online chemical format converters and molecule viewers which might be using Open Babel in their backend for parsing and conversion, we consider this software as potentially accessible via network.

Open Babel ships a simple converter application called obabel that can be used to trigger the issue described in this advisory. obabel supports -i and -o parameters, which select the input and output formats to perform the conversion. obabel supports multiple input and output files (as does the Open Babel library itself): this technically allows multiple vulnerabilities to trigger in sequence, which in turn could make some vulnerabilities easier to exploit. In this advisory, however, we focus on only one input file and a corresponding output file.

When a single input file and output file are supplied, obabel.cpp records the input and output formats (if supplied) and calls OBConversion::FullConvert in obconversion.cpp. Inside this function, there’s a call to OpenAndSetFormat, which uses FormatFromExt to derive the input format from the filename extension if no -i parameter was supplied. Similarly, OpenInAndOutFiles can be used to derive both input and output formats from the filename extensions when none are supplied.
Depending on how the obabel application is invoked, different paths could actually take place. Eventually, pInFormat and pOutFormat (of base class OBFormat) objects are allocated, which are instances of the classes that implement the selected input and output formats.

The code then proceeds with a call to OBConversion::Convert, which eventually leads to calling pInFormat->ReadMolecule and pOutFormat->WriteMolecule.

In this advisory, we describe an issue in the msi file format (formats/msiformat.cpp) when parsing an input file via ReadMolecule.

      bool MSIFormat::ReadMolecule(OBBase* pOb, OBConversion* pConv)
      {
        ...
        unsigned int startBondAtom, endBondAtom, bondOrder;
        bool atomRecord = false;
        bool bondRecord = false;
[1]     OBAtom *atom;
        ...

[2]     while (ifs.getline(buffer,BUFF_SIZE))
          {
            ...

            // atom record
[3]         if (!bondRecord && strstr(buffer, "Atom") != nullptr) {
              atomRecord = true;
              openParens++;
              continue;
            }
            ...

            // atom information
[4]         if (atomRecord) {
[5]           if (strstr(buffer, "ACL") != nullptr) {
                tokenize(vs, buffer);
                // size should be 5 -- need a test here
                if (vs.size() != 5) return false; // timvdm 18/06/2008
                vs[3].erase(0,1); // "6 => remove the first " character
                unsigned int atomicNum = atoi(vs[3].c_str());
                if (atomicNum == 0)
                  atomicNum = 1; // hydrogen ?

                // valid element, so create the atom
[6]             atom = mol.NewAtom();
                atom->SetAtomicNum(atomicNum);
                continue;
              }
[7]           else if (strstr(buffer, "XYZ") != nullptr) {
                tokenize(vs, buffer);
                // size should be 6 -- need a test here
                if (vs.size() != 6) return false; // timvdm 18/06/2008
                vs[3].erase(0,1); // remove ( character
                vs[5].erase(vs[5].length()-2, 2); // remove trailing )) characters
[8]             atom->SetVector(atof(vs[3].c_str()),
                                atof(vs[4].c_str()),
                                atof(vs[5].c_str()));
                continue;
              }
            } // end of atom records

At [1], an atom pointer is declared but not initialized. Then the code starts to scan each line in the file [2]. If a line containing “Atom” is found, atomRecord is set to true. This allows the condition to be entered at [4] on the next line read. If the line also contains “ACL”, a new atom is instantiated and the atom pointer gets initialized [6]. However, if the line contains “XYZ” [7], atom is dereferenced without checking if it has ever been initialized [8]. For example, it’s possible to supply a file containing only “XYZ” lines. This will allow multiple arbitrary writes to execute with controlled values, since all parameters to SetVector are under attacker control.

    void OBAtom::SetVector(const double v_x,const double v_y,const double v_z)
    {
      if (!_c)
        _v.Set(v_x,v_y,v_z);
      else
        {
          (*_c)[_cidx  ] = v_x;
          (*_c)[_cidx+1] = v_y;
          (*_c)[_cidx+2] = v_z;
        }
    }

Because _c and _cidx are referenced as an offset from the uninitialized atom pointer and parameters are arbitrary, SetVector provides a powerful exploitation primitive. The atom pointer is stored on the stack, and, depending on how the code is compiled and the stack is laid out, the pointer could be under full control of an attacker, who could in turn use this to execute arbitrary code.

Crash Information

$ ./bin/obabel -i msi atom.uninit.msi -o sdf
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1296594==ERROR: AddressSanitizer: SEGV on unknown address 0x1b468d20 (pc 0xf6de7783 bp 0xffff3178 sp 0xffff3130 T0)
==1296594==The signal is caused by a READ memory access.
    #0 0xf6de7783 in OpenBabel::OBAtom::SetVector(double, double, double) ./src/atom.cpp:419
    #1 0xf59563df in OpenBabel::MSIFormat::ReadMolecule(OpenBabel::OBBase*, OpenBabel::OBConversion*) ./src/formats/msiformat.cpp:193
    #2 0xf751a915 in OpenBabel::OBMoleculeFormat::ReadChemObjectImpl(OpenBabel::OBConversion*, OpenBabel::OBFormat*) ./src/obmolecformat.cpp:102
    #3 0xf63c358c in OpenBabel::OBMoleculeFormat::ReadChemObject(OpenBabel::OBConversion*) ./include/openbabel/obmolecformat.h:116
    #4 0xf72a204e in OpenBabel::OBConversion::Convert() ./src/obconversion.cpp:545
    #5 0xf72c717a in OpenBabel::OBConversion::Convert(std::istream*, std::ostream*) ./src/obconversion.cpp:481
    #6 0xf72cf4f3 in OpenBabel::OBConversion::FullConvert(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&) ./src/obconversion.cpp:1514
    #7 0x565594ea in main ./tools/obabel.cpp:370
    #8 0xf77923b4 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #9 0xf779247e in __libc_start_main_impl ../csu/libc-start.c:389
    #10 0x5655c356 in _start (./bin/obabel+0x7356)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ./src/atom.cpp:419 in OpenBabel::OBAtom::SetVector(double, double, double)
==1296594==ABORTING
VENDOR RESPONSE

Since the maintainer of this software did not release a patch during the 90 day window specified in our policy, we have now decided to release the information regarding this vulnerability, to make users of the software aware of this problem. See Cisco’s Coordinated Vulnerability Disclosure Policy for more information: https://tools.cisco.com/security/center/resources/vendor_vulnerability_policy.html

TIMELINE

2022-12-20 - Initial Vendor Contact
2023-01-12 - Vendor Disclosure
2023-07-21 - Public Release

Credit

Discovered by Claudio Bozzato of Cisco Talos.