StellarGroup HPX Insecure Deserialization Vulnerability Allowing Arbitrary Code Execution
Vulnerability
StellarGroup HPX version 1.11.0 deserializes untrusted input without sufficient type checking. When shared pointers are deserialized, the archive is not checked to ensure that a referenced object actually has the expected type, so crafted input can cause type confusion in shared pointers and, under certain conditions, allow attackers to execute arbitrary code.
Impact
Exploitation of this vulnerability can result in type confusion, allowing for information disclosure, control flow hijacking, and arbitrary code execution. Such an attack could lead to local privilege escalation or remote code execution if the vulnerability is exploited over the network.
Reproduction
The vulnerability can be reproduced by deserializing shared pointers of different types, which creates a type confusion scenario. This can be done by first serializing the pointers and then modifying the serialized data to make one pointer reference another, bypassing type checks. After deserializing the modified data, the type confusion can be exploited to leak addresses, read arbitrary memory, or hijack control flow by manipulating vtable pointers of polymorphic classes.
Remediation
To address this vulnerability, it is recommended to implement proper type checks during the deserialization of shared pointers. This can be done by using a hashmap to map pointer addresses to their type IDs, ensuring that the types match before allowing the deserialization shortcut. For polymorphic classes, overload the type equality check to account for inheritance.
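As an added example (not HPX's own code), here is a constructed, simplified model of the check the remediation describes: the serialized pointer address is mapped to the set of types the stored object may legally be resolved as, with a per-class overload of that set supplying bases for polymorphic types, so a back-reference that asks for an unrelated type is rejected before the deduplication shortcut reuses the object. The names (type_views, PointerRegistry, Shape, Circle, Secret) are assumptions made for this example.

```cpp
#include <cstdint>
#include <memory>
#include <stdexcept>
#include <typeindex>
#include <unordered_map>

// Constructed model of an archive's shared_ptr deduplication table. Each
// serialized pointer address maps to the stored object viewed under every
// type it may be resolved as (its own type plus declared bases), so a
// back-reference naming an unrelated type is rejected, not reinterpreted.
using Views = std::unordered_map<std::type_index, std::shared_ptr<void>>;
// Default type equality: an object may only be resolved as its own type.
template <class T> struct type_views {
    static Views get(std::shared_ptr<T> p) { return {{typeid(T), p}}; }
};
// Sample polymorphic hierarchy and an unrelated class (constructed here).
struct Shape { virtual ~Shape() = default; virtual double area() const = 0; };
struct Circle : Shape {
    double r;
    explicit Circle(double radius) : r(radius) {}
    double area() const override { return 3.14159 * r * r; }
};
struct Secret { std::uint64_t token = 0; };
// Inheritance-aware overload: a Circle may also be resolved as Shape. The
// base view comes from a real upcast, so any address adjustment is kept.
template <> struct type_views<Circle> {
    static Views get(std::shared_ptr<Circle> p) {
        return {{typeid(Circle), p}, {typeid(Shape), std::shared_ptr<Shape>(p)}};
    }
};
class PointerRegistry {
    // key: the pointer address as it appears in the serialized stream
    std::unordered_map<std::uintptr_t, Views> entries_;
public:
    template <class T> void record(std::uintptr_t addr, std::shared_ptr<T> p) {
        entries_[addr] = type_views<T>::get(p);
    }
    // True only if addr was recorded as T, or as a type declaring T as a base.
    template <class T> bool accepts(std::uintptr_t addr) const {
        auto it = entries_.find(addr);
        return it != entries_.end() && it->second.count(typeid(T)) != 0;
    }
    // The deduplication shortcut: reuse the stored object, but fail closed.
    template <class T> std::shared_ptr<T> resolve(std::uintptr_t addr) const {
        if (!accepts<T>(addr)) throw std::runtime_error("shared_ptr type mismatch");
        return std::static_pointer_cast<T>(entries_.at(addr).at(typeid(T)));
    }
};
```

A deserializer would call record when it materializes a new object and resolve when it meets a back-reference; a mismatch is a hard error rather than a silent reinterpretation.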
