osec-2018-01
Vulnerability from osv_ocaml
Published
2018-04-06 18:29
Modified
2025-12-16 12:00
Summary
An integer overflow in the `bigarray` serialization module leads to arbitrary code execution
Details

Bug description

The bigarray module in all recent ocaml versions is capable of reading in serialized (marshalled) objects from a external source which is often used for network operations and interprocess communication.

byterun/bigarray.c

Line 458 in ea60609

 b->data = malloc(elt_size * num_elts);

A integer overflow vulnerability allows under certain circumstances an remote attacker to input a corrupt object and edit arbitrary addresses in the processes memory which leads over common techniques (in this take libc one gadget but any rop gadget or got table vector would work) to arbitrary memory access (!) and in the course also arbitrary code execution

Please check the writeup.pdf for more details !!

In variations of this the exploit is usable in all ocaml versions we tested no matter if compiled to binary or intepreted (!)

Steps to reproduce

Check out the attached archive and run the makefile (or use the precompile executable) the exploit can be run by executing exploit.py (python2.7 and pwntools are required) The last step of code execution is using a one-gadget attack technique and is specific to the glibc version in use (e.g. tested is debian glibc 2.24-11+deb9u1) but can with minimal amount of work be ported to any libc version on any patch level to our knowledge

Of course you can also use the exploit.py to write your own version of exploit

Additional information

This Vulnerability in ocaml was discovered by me (maximilian.tschirschnitz@gmx.de) and the exploit collaboratly developed with (philipp.hagenlocher@tum.de) For illustration purposes it was packaged as security challenge to demonstrate the impact of the issue (see writeup.pdf)

Credits
Maximilian Tschirschnitz mailto:maximilian.tschirschnitz@gmx.de
Philipp Hagenlocher mailto:philipp.hagenlocher@tum.de
Xavier Leroy
Gabriel Scherer
To clipboard 

{
  "affected": [
    {
      "ecosystem_specific": {
        "opam_constraint": "ocaml {\u003c \"4.07.0\"}"
      },
      "package": {
        "ecosystem": "opam",
        "name": "ocaml",
        "purl": "pkg:opam/ocaml"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.07.0"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "9664c7ee807c2dfa802f53cabd405ff58e219c47"
            }
          ],
          "repo": "https://github.com/ocaml/ocaml",
          "type": "GIT"
        }
      ],
      "versions": [
        "3.07",
        "3.07+1",
        "3.07+2",
        "3.08.0",
        "3.08.1",
        "3.08.2",
        "3.08.3",
        "3.08.4",
        "3.09.0",
        "3.09.1",
        "3.09.2",
        "3.09.3",
        "3.10.0",
        "3.10.1",
        "3.10.2",
        "3.11.0",
        "3.11.1",
        "3.11.2",
        "3.12.0",
        "3.12.1",
        "4.00.0",
        "4.00.1",
        "4.01.0",
        "4.02.0",
        "4.02.1",
        "4.02.2",
        "4.02.3",
        "4.02.4",
        "4.03.0",
        "4.03.1",
        "4.04.0",
        "4.04.1",
        "4.04.2",
        "4.04.3",
        "4.05.0",
        "4.05.1",
        "4.06.0",
        "4.06.1",
        "4.06.2"
      ]
    }
  ],
  "aliases": [
    "CVE-2018-9838"
  ],
  "credits": [
    {
      "contact": [
        "mailto:maximilian.tschirschnitz@gmx.de"
      ],
      "name": "Maximilian Tschirschnitz",
      "type": "REPORTER"
    },
    {
      "contact": [
        "mailto:philipp.hagenlocher@tum.de"
      ],
      "name": "Philipp Hagenlocher",
      "type": "REPORTER"
    },
    {
      "name": "Xavier Leroy",
      "type": "REMEDIATION_DEVELOPER"
    },
    {
      "name": "Gabriel Scherer",
      "type": "REMEDIATION_REVIEWER"
    }
  ],
  "database_specific": {
    "cwe": [
      "CWE-190"
    ],
    "human_link": "https://github.com/ocaml/security-advisories/tree/main/advisories/2018/OSEC-2018-01.md",
    "osv": "https://github.com/ocaml/security-advisories/tree/generated-osv/2018/OSEC-2018-01.json"
  },
  "details": "## Bug description\n\nThe bigarray module in all recent ocaml versions is capable of reading in serialized (marshalled) objects from a external source which is often used for network operations and interprocess communication.\n\nbyterun/bigarray.c\n\nLine 458 in ea60609\n```C\n b-\u003edata = malloc(elt_size * num_elts);\n```\n\nA integer overflow vulnerability allows under certain circumstances an remote attacker to input a corrupt object and edit arbitrary addresses in the processes memory which leads over common techniques (in this take libc one gadget but any rop gadget or got table vector would work) to arbitrary memory access (!) and in the course also arbitrary code execution\n\nPlease check the writeup.pdf for more details !!\n\nIn variations of this the exploit is usable in all ocaml versions we tested no matter if compiled to binary or intepreted (!)\n\n## Steps to reproduce\n\nCheck out the attached archive and run the makefile (or use the precompile executable)\nthe exploit can be run by executing exploit.py (python2.7 and pwntools are required)\nThe last step of code execution is using a one-gadget attack technique and is specific to the glibc version in use (e.g. tested is debian glibc 2.24-11+deb9u1) but can with minimal amount of work be ported to any libc version on any patch level to our knowledge\n\nOf course you can also use the exploit.py to write your own version of exploit\n\n## Additional information\n\nThis Vulnerability in ocaml was discovered by me (maximilian.tschirschnitz@gmx.de) and the exploit collaboratly developed with (philipp.hagenlocher@tum.de)\nFor illustration purposes it was packaged as security challenge to demonstrate the impact of the issue (see writeup.pdf)",
  "id": "OSEC-2018-01",
  "modified": "2025-12-16T12:00:00Z",
  "published": "2018-04-06T18:29:00Z",
  "references": [
    {
      "type": "REPORT",
      "url": "https://github.com/ocaml/ocaml/issues/7765"
    },
    {
      "type": "FIX",
      "url": "https://github.com/ocaml/ocaml/pull/1718"
    }
  ],
  "schema_version": "1.7.4",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "An integer overflow in the `bigarray` serialization module leads to arbitrary code execution"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.