Three vulnerabilities – CVE-2023-33863, CVE-2023-33864, CVE-2023-33865 – have been uncovered in the implementation of RenderDoc. In order to enhance cyber security and protect digital assets, it is crucial to understand these weaknesses, their potential consequences, and the necessary steps that organizations should take.
RenderDoc, a highly useful standalone graphics debugger, has become an invaluable tool for developers. With its MIT license and open-source nature, RenderDoc offers a comprehensive platform for in-depth analysis and capturing single frames in a wide range of applications, including Vulkan, D3D11, OpenGL & OpenGL ES, and D3D12. It is compatible with multiple operating systems like Windows, Linux, Android, and even the Nintendo Switch™. However, like any software, RenderDoc is not exempt from vulnerabilities.
When operating, RenderDoc loads the shared library librenderdoc.so into the application to be debugged, initiating a server thread. This thread listens on TCP port 38920 across all network interfaces, awaiting client connections. Unfortunately, it is within this specific implementation that the three vulnerabilities were identified.
Here’s everything you need to know:
What is CVE-2023-33865?
RenderDoc, versions up to 1.26, contains a critical vulnerability identified as CVE-2023-33865. The vulnerability lies in the handling of the /tmp/RenderDoc directory, where a local attacker who controls the directory contents can mount a symlink attack. The CWE-61 classification defines this vulnerability as the software’s failure to adequately handle symbolic links that point outside of the intended control sphere when opening a file or directory. Exploiting this vulnerability could permit unauthorized access to files, impacting confidentiality, integrity, and availability.
This weakness was disclosed on 06/06/2023, and the advisory can be found on seclists.org. While technical details are known, there is currently no available exploit.
Notably, this symlink vulnerability can be exploited by any local attacker without requiring elevated privileges. Successful exploitation could grant the attacker the privileges of the RenderDoc user. The intricate details of this vulnerability make it an intellectually stimulating challenge to exploit.
This symlink vulnerability in /tmp/RenderDoc is worth examining closely to understand its implications. The vulnerability arises when the shared library, librenderdoc.so, is LD_PRELOADed into the application under debug, triggering the library_loaded() function and initiating two distinct actions.
Firstly, the function creates the /tmp/RenderDoc directory. Notably, it reuses this directory if it already exists, regardless of who owns it. (For this discussion, the user running RenderDoc is referred to as Bob.) Secondly, it opens a log file whose name follows the pattern /tmp/RenderDoc/RenderDoc_app_YYYY.MM.DD_hh.mm.ss.log. If the log file doesn’t exist, it is created, and data is then appended to it continuously.
These actions introduce a significant security loophole. An attacker can anticipate Bob’s actions by preemptively creating the /tmp/RenderDoc directory. This directory can be populated with numerous symlinks in the format /tmp/RenderDoc/RenderDoc_app_YYYY.MM.DD_hh.mm.ss.log, each symlink pointing to an arbitrary file within the system. Consequently, when Bob executes RenderDoc, the linked file is either created (if it doesn’t already exist) or modified, with the actions occurring under Bob’s privileges.
Through this strategy, the attacker can inject arbitrary strings into the chosen file by transmitting them to RenderDoc over TCP port 38920. However, the attacker faces a hurdle: RenderDoc adds an unmodifiable header before each incoming string. If the transmitted string contains newline characters, RenderDoc splits it into multiple lines, each starting with the uncontrollable header. This lack of control over the header prevents the attacker from leveraging Bob’s standard dotfiles, such as .profile, .bashrc, .ssh/authorized_keys and so forth, with the goal of escalating privileges.
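The root cause above is a log file opened inside a shared /tmp directory without checking who owns the directory or whether the log name is a symlink. The following is an added example (not RenderDoc's own code) of how such a log open can be hardened on Linux: the directory is verified to belong to the current user and to be unwritable by others, and the file is opened with O_NOFOLLOW so a planted symlink is refused rather than followed. The directory and log names used in the self-check are constructed to mirror the page's description.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create (or verify) the log directory, then open the log file without
 * following a symlink at the final path component. Returns fd >= 0, or -1. */
int open_log_safely(const char *dir, const char *logname)
{
    /* Private directory; if it already exists it is verified, not reused blindly. */
    if (mkdir(dir, 0700) != 0 && errno != EEXIST) return -1;
    struct stat st;
    /* lstat so that a symlink standing in for the directory itself is refused too. */
    if (lstat(dir, &st) != 0) return -1;
    if (!S_ISDIR(st.st_mode) || st.st_uid != getuid() ||
        (st.st_mode & (S_IWGRP | S_IWOTH))) {
        errno = EPERM;              /* not ours, or writable by other users */
        return -1;
    }
    char path[PATH_MAX];
    if (snprintf(path, sizeof path, "%s/%s", dir, logname) >= (int)sizeof path) return -1;
    /* O_NOFOLLOW: a planted symlink fails with ELOOP instead of creating or
     * appending to its target; mode 0600 keeps the log private to the user. */
    return open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW | O_CLOEXEC, 0600);
}

/* Self-check (constructed sample): plant a symlink named like a RenderDoc log
 * under a fresh directory and confirm the open is refused, the symlink target
 * is never created, and a plain log name still opens. Returns 1 if all hold. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/rdoc-demo-XXXXXX";
    if (!mkdtemp(dir)) return 0;
    const char *planted = "RenderDoc_app_2023.06.06_12.00.00.log";
    char link[PATH_MAX], target[PATH_MAX];
    snprintf(link, sizeof link, "%s/%s", dir, planted);
    snprintf(target, sizeof target, "%s/victim_dotfile", dir);
    if (symlink(target, link) != 0) return 0;
    int fd = open_log_safely(dir, planted);
    int refused = (fd < 0 && errno == ELOOP);
    int target_absent = (access(target, F_OK) != 0);
    int ok = open_log_safely(dir, "RenderDoc_app_2023.06.06_12.00.01.log");
    if (ok >= 0) close(ok);
    return refused && target_absent && ok >= 0;
}
```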
What is CVE-2023-33864?
Another vulnerability, identified as CVE-2023-33864, involves an integer underflow leading to a heap-based buffer overflow. This vulnerability can be exploited remotely by an attacker to execute arbitrary code on the targeted machine. The exploitation method utilizes a unique malloc exploitation technique that has demonstrated reliability and efficiency despite the presence of various protective measures such as glibc, ASLR, PIE, NX, and stack canaries.
RenderDoc, up to version 1.26, has been discovered to have a critical vulnerability. This vulnerability affects an undisclosed processing function within the software. The vulnerability arises from the manipulation of an unknown input, resulting in an integer underflow vulnerability.
The Common Weakness Enumeration (CWE) categorizes this issue as CWE-191. The vulnerability occurs when the product subtracts one value from another, resulting in a value that is less than the minimum allowable integer value and producing an incorrect result. The impact of this vulnerability extends to confidentiality, integrity, and availability.
The disclosure of this weakness took place on 06/06/2023, and the advisory can be accessed on seclists.org. This specific vulnerability is identified as CVE-2023-33864. Technical details regarding the vulnerability are currently unknown, and there is no available exploit.
What is CVE-2023-33863?
RenderDoc, up to version 1.26, has been found to have a critical vulnerability identified as CVE-2023-33863. The vulnerability affects an unspecified function and arises from the manipulation of an unknown input, resulting in an integer overflow vulnerability. According to CWE classification, this issue falls under CWE-190. The software performs a calculation that can lead to an integer overflow or wraparound when the underlying logic assumes that the resulting value will always be larger than the original value. This flaw can introduce additional weaknesses when the calculation is utilized for resource management or execution control. The impact of this vulnerability extends to confidentiality, integrity, and availability.
The disclosure of this weakness occurred on 06/06/2023, and the advisory can be accessed on seclists.org. The vulnerability is specifically identified as CVE-2023-33863. It is worth noting that this integer overflow flaw can result in a heap-based buffer overflow, which could potentially be exploited by a remote attacker to execute arbitrary code on the affected machine.
Have the CVEs been actively exploited in the wild?
Although no successful exploitation attempts have been reported thus far, the security implications of these vulnerabilities should not be underestimated.
How to fix these vulnerabilities
RenderDoc swiftly addressed these three vulnerabilities upon receiving coordinated disclosure within just a few hours. They released version 1.27, which includes the necessary fixes to mitigate these vulnerabilities.
The following commits (RenderDoc <= v1.26 is vulnerable; v1.27 is fixed) resolved all three vulnerabilities on May 19, 2023:
- Commit 601ed56111ce3803d8476d438ade1c92d6092856
- Commit e0464fea4f9a7f149c4ee1d84e5ac57839a4a862
- Commit 1f72a09e3b4fd8ba45be4b0db4889444ef5179e2
- Commit 203fc8382a79d53d2035613d9425d966b1d4958e
- Commit 771aa8e769b72e6a36b31d6e2116db9952dcbe9b
RenderDoc also listens on TCP port 39920; however, it only permits connections from private IP addresses (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and can be further configured to restrict access. In contrast, RenderDoc allows anyone to connect to TCP port 38920 (the exploited port) and cannot be configured to limit the connections to specific users.
Qualys strongly advises security teams to promptly apply patches for these vulnerabilities.
Each new vulnerability is a reminder of where we stand, and what we need to do better. Check out the following resources to help you maintain cyber hygiene and stay ahead of the threat actors:
- Can you trust ChatGPT’s package recommendations?
- MITRE ATTACK framework – Mapping techniques to CVEs
- Exploit maturity: an introduction
- OWASP Top 10 vulnerabilities 2022: what we learned
- How to fix CVE-2023-25610 in FortiOS
Don’t get found out by new vulnerabilities. Vulcan Cyber gives you full visibility and oversight of your threat environment and lets you prioritize, remediate and communicate your cyber risk across your entire organization. Get a demo today.