Open Asset Import Library Assimp Out-of-Bounds Read Vulnerability in CSM File Handler

Vulnerability

An out-of-bounds read vulnerability has been identified in Open Asset Import Library (Assimp) version 5.4.3. The issue lies in the CSM File Handler component, specifically in the 'Assimp::CSMImporter::InternReadFile' function of 'CSMLoader.cpp'. It can be exploited remotely and potentially leads to arbitrary memory access; the observed effect is a crash caused by reading through a null pointer. The issue has been publicly disclosed and a proof-of-concept exploit is available.

Impact

Exploitation of this vulnerability causes a segmentation fault: the importer attempts to read memory that is out of bounds, specifically through a null pointer. Out-of-bounds reads of this kind can often be leveraged to read sensitive information from memory and, in some cases, can lead to more severe consequences such as arbitrary code execution.

Reproduction

The vulnerability can be reproduced by building Assimp with AddressSanitizer enabled, so that invalid memory accesses are caught and reported. After compiling the library, a fuzzer is used to deliver a crafted CSM file to the 'InternReadFile' function. The fuzzer is set up to target this specific vulnerability by manipulating the 'na' argument so that the out-of-bounds read is triggered. The crafted input is encoded as a base64 string, which is decoded and then used as input for the fuzzer.
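The crafted-input path described above ends in a native parser, so one defensive counterpart is to reject structurally inconsistent CSM files before they reach it. The following Python is an added example and is not code from this advisory or from the Assimp project: it checks that every frame line in the $points section carries exactly one x/y/z triple (or the DROPOUT marker) per marker named in the $order section. The keyword layout is assumed from the CSM text format, the size caps and sample files are constructed, and the check is a generic pre-filter for untrusted input, not a patch for the bug described above.

```python
"""Structural sanity check for CSM (Character Studio Motion) text files.

Added example, not part of the advisory or of Assimp. It is a defensive
pre-filter: a CSM file is accepted only if every $points frame carries one
x/y/z triple (or DROPOUT) per marker listed under $order. The keyword layout
is an assumption about the CSM text format; the caps are constructed.
"""
import re

_FRAME_INDEX = re.compile(r"^-?\d+$")


class CsmValidationError(ValueError):
    """Raised when a CSM file is structurally inconsistent."""


def _parse_sections(text):
    """Split the file into {keyword: [lines]} keyed by the lowercase word
    following '$'. Any value on the keyword line itself is kept as a line."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("$"):
            parts = line[1:].split(None, 1)
            if not parts:
                raise CsmValidationError("empty '$' keyword line")
            current = parts[0].lower()
            sections.setdefault(current, [])
            if len(parts) > 1:
                sections[current].append(parts[1])
            continue
        if current is None:
            raise CsmValidationError("data before the first '$' keyword")
        sections[current].append(line)
    return sections


def _count_channels(tokens):
    """Count marker channels on one $points line. A channel is either three
    numeric tokens or the literal DROPOUT. Returns None if a triple is
    truncated or a coordinate is not numeric."""
    i, channels = 0, 0
    while i < len(tokens):
        if tokens[i].upper() == "DROPOUT":
            i += 1
        else:
            if i + 3 > len(tokens):
                return None  # truncated x/y/z triple
            try:
                for t in tokens[i:i + 3]:
                    float(t)
            except ValueError:
                return None
            i += 3
        channels += 1
    return channels


def check_csm(text, max_markers=4096, max_frames=200_000):
    """Return (True, summary) if the file is consistent, else (False, reason).
    The caps are constructed defaults for untrusted input, not advisory values."""
    try:
        sections = _parse_sections(text)
    except CsmValidationError as exc:
        return False, str(exc)
    if "order" not in sections or "points" not in sections:
        return False, "missing $order or $points section"
    markers = " ".join(sections["order"]).split()
    if not markers or len(markers) > max_markers:
        return False, f"marker count {len(markers)} outside 1..{max_markers}"
    frames = sections["points"]
    if len(frames) > max_frames:
        return False, f"frame count {len(frames)} exceeds {max_frames}"
    for n, line in enumerate(frames, start=1):
        tokens = line.split()
        if not _FRAME_INDEX.match(tokens[0]):
            return False, f"$points line {n}: frame index {tokens[0]!r} is not an integer"
        got = _count_channels(tokens[1:])
        if got is None:
            return False, f"$points line {n}: truncated or non-numeric coordinate triple"
        if got != len(markers):
            return False, f"$points line {n}: expected {len(markers)} channels, got {got}"
    return True, f"{len(markers)} markers, {len(frames)} frames"


# Constructed sample inputs (not taken from the advisory or any real asset).
GOOD_CSM = """$Filename sample.csm
$Firstframe 1
$Lastframe 2
$Rate 30
$Order
HEAD NECK
$Points
1 0.0 1.0 2.0 3.0 4.0 5.0
2 0.1 1.1 2.1 DROPOUT
"""

TRUNCATED_CSM = """$Order
HEAD NECK
$Points
1 0.0 1.0 2.0 3.0 4.0 5.0
2 0.1 1.1 2.1 3.1 4.1
"""

if __name__ == "__main__":
    for name, sample in (("good", GOOD_CSM), ("truncated", TRUNCATED_CSM)):
        print(name, check_csm(sample))
```

Run the check on any CSM file taken from an untrusted source before handing it to the importer; a False result is a reason to quarantine the file rather than load it. The check is deliberately strict about channel counts because a parser that trusts the $order count when walking $points data is exactly the kind of code a malformed frame line can push past the end of its buffer.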

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating (Custom Algorithm)

spread: 5.4
impact: 2.5
exploitability: 5.8
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to produce these 8 key vulnerability categories, which are then combined into the overall risk score.