CVE-2024-22857
Published: 2024-03-07
Priority: P260 · Severity: critical · CVSS 3.1 base score 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 1.70% (74.3rd percentile)
Heap-based buffer overflow in zlog v1.1.0 to v1.2.17 in zlog_rule_new(). The size of record_name is MAXLEN_PATH (1024) + 1, but file_path may hold data up to MAXLEN_CFG_LINE (MAXLEN_PATH*4) + 1 bytes. A length check was missing in zlog_rule_new() when copying record_name from file_path + 1, which causes the buffer overflow. An attacker can exploit this vulnerability to overwrite the zlog_record_fn record_func function pointer to gain arbitrary code execution or potentially remote code execution (RCE).
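Added illustration, not zlog's own code and not the fix from the linked pull request, of the bound check the description says zlog_rule_new() was missing: a bounded copy of record_name from file_path + 1 that rejects any name longer than MAXLEN_PATH instead of writing past the buffer. The struct layout, the '$' rule prefix and the function names are assumptions made for this sketch.

```c
#include <string.h>
/* Limits as named on the page: MAXLEN_PATH = 1024, MAXLEN_CFG_LINE = MAXLEN_PATH * 4. */
#define MAXLEN_PATH     1024
#define MAXLEN_CFG_LINE (MAXLEN_PATH * 4)

/* Hypothetical stand-in for the fields the advisory mentions (not zlog's real struct):
 * a MAXLEN_PATH + 1 byte record_name followed by the record_func pointer. */
typedef int (*record_fn)(const char *msg);
struct rule_sketch {
    char      record_name[MAXLEN_PATH + 1];
    record_fn record_func;
};

/* Bounded copy of the record name from file_path + 1: the length check the advisory
 * says zlog_rule_new() lacked. Assumes file_path is a NUL-terminated config-line value
 * of at most MAXLEN_CFG_LINE bytes whose first byte is the rule-type prefix ('$' marks
 * a user-defined output in zlog's syntax). Returns 0 on success, -1 on rejection. */
int set_record_name(struct rule_sketch *r, const char *file_path)
{
    if (r == NULL || file_path == NULL || file_path[0] != '$')
        return -1;
    const char *name = file_path + 1;
    size_t len = strlen(name);
    if (len == 0 || len > MAXLEN_PATH)   /* reject instead of writing past record_name */
        return -1;
    memcpy(r->record_name, name, len);
    r->record_name[len] = '\0';
    return 0;
}

/* Constructed in-bounds value: "$myout" must copy as "myout". Returns 0 when correct. */
int demo_short_name_ok(void)
{
    struct rule_sketch r = {{0}, NULL};
    if (set_record_name(&r, "$myout") != 0)
        return -1;
    return (strcmp(r.record_name, "myout") == 0 && r.record_func == NULL) ? 0 : -1;
}

/* Constructed over-length value: '$' followed by MAXLEN_CFG_LINE - 1 'A' bytes, the
 * longest name a full config line could carry. Returns set_record_name's result (-1). */
int demo_long_name_is_rejected(void)
{
    static char line[MAXLEN_CFG_LINE + 1];
    struct rule_sketch r = {{0}, NULL};
    memset(line, 'A', MAXLEN_CFG_LINE);
    line[0] = '$'; line[MAXLEN_CFG_LINE] = '\0';
    return set_record_name(&r, line);
}
```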
Detection & IOCs (extracted from sources)
- The vulnerability resides in zlog_rule_new(), where record_name (sized MAXLEN_PATH+1 = 1025 bytes) is overflowed by file_path data of up to MAXLEN_CFG_LINE (MAXLEN_PATH*4)+1 bytes; monitor for heap corruption or anomalous writes in this function during zlog config parsing.
- The overflow targets the zlog_record_fn record_func function pointer on the heap; heap metadata corruption or unexpected function pointer overwrites in zlog processes are a sign of exploitation.
- Affected versions are zlog v1.1.0 through v1.2.17; flag any deployment of these versions in your environment as vulnerable to a heap-based buffer overflow via crafted config input.
- The overflow is triggered via a crafted zlog configuration file in which a file_path rule value exceeds MAXLEN_PATH (1024 bytes), up to MAXLEN_CFG_LINE (MAXLEN_PATH*4 = 4096 bytes); exploitation requires the ability to supply or influence the zlog configuration file.
No detection rules found.
No public exploits indexed.
References:
- https://github.com/HardySimpson/zlog/
- https://github.com/HardySimpson/zlog/blob/1a7b1a6fb956b92a4079ccc91f30da21f34ca063/src/rule.h#L30
- https://github.com/HardySimpson/zlog/pull/251
- https://www.cybersecurity-help.cz/vdb/SB2024022842
- https://www.ebryx.com/blogs/arbitrary-code-execution-in-zlog-cve-2024-22857