Bullet Physics Stack-Based Buffer Overflow Vulnerability in OFF Loader Allowing Remote Code Execution

Vulnerability

A stack-based buffer overflow vulnerability has been identified in the OFF file parser of the Bullet Physics library, specifically in the VHACD utility, prior to version 3.26. This vulnerability allows remote attackers to execute arbitrary code by crafting an OFF file with an excessively long initial token. The issue arises from the parser's use of an unbounded format specifier (a "%s" conversion with no field width) when reading the token into a fixed-size stack buffer, which leads to a buffer overflow if the token exceeds 1023 bytes. The vulnerability can be exploited directly through the VHACD test utility or indirectly via the PyBullet library's vhacd function.
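The following C example is added here to illustrate the defect class and its fix; it is not Bullet's or VHACD's own code. It assumes, from the 1023-byte limit stated above, that the original stack buffer is 1024 bytes, and the function names (read_off_first_token, off_header_is_valid, probe_token_length) are hypothetical. The vulnerable "%s" pattern appears only in a comment; the reader shown pairs a bounded width ("%1023s") with "%n" so that a token the width had to cut short is rejected instead of being silently truncated.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed buffer size: the advisory states that a first token longer than
 * 1023 bytes overflows, so the original stack buffer is taken to be 1024 bytes. */
#define OFF_TOKEN_BUF 1024

enum off_token_result { OFF_TOKEN_OK = 0, OFF_TOKEN_EMPTY = 1, OFF_TOKEN_TOO_LONG = 2 };

/*
 * Vulnerable pattern (shown only as a comment, never compiled here):
 *     char tok[1024]; sscanf(line, "%s", tok);
 * "%s" has no field width, so a token of 1024 bytes or more writes past tok.
 *
 * Hardened reader: "%1023s" caps the write at 1023 bytes plus the terminator
 * (the width must always equal the buffer size minus one), and "%n" records how
 * many input bytes were consumed so a token cut short by the width is rejected.
 */
enum off_token_result read_off_first_token(const char *line, char out[OFF_TOKEN_BUF])
{
    int consumed = 0;
    out[0] = '\0';
    if (sscanf(line, "%1023s%n", out, &consumed) != 1)
        return OFF_TOKEN_EMPTY;                   /* line was blank or whitespace only */
    /* If the byte after the scanned token is neither whitespace nor the end of
     * the string, the width stopped the scan mid-token: the token is too long. */
    if (line[consumed] != '\0' && !isspace((unsigned char)line[consumed])) {
        out[0] = '\0';
        return OFF_TOKEN_TOO_LONG;
    }
    return OFF_TOKEN_OK;
}

/* Returns 1 when the line begins with the "OFF" keyword an OFF header must carry. */
int off_header_is_valid(const char *line)
{
    char tok[OFF_TOKEN_BUF];
    return read_off_first_token(line, tok) == OFF_TOKEN_OK && strcmp(tok, "OFF") == 0;
}

/* Constructed input: a header line whose first token is token_len bytes of 'A'
 * followed by an ordinary counts line. Reports how the hardened reader classifies it. */
enum off_token_result probe_token_length(size_t token_len)
{
    static char line[8192];
    char tok[OFF_TOKEN_BUF];
    if (token_len > sizeof line - 16)
        token_len = sizeof line - 16;
    memset(line, 'A', token_len);
    strcpy(line + token_len, " 8 6 12\n");
    return read_off_first_token(line, tok);
}

int main(void)
{
    printf("header 'OFF 8 6 12' valid: %d\n", off_header_is_valid("OFF 8 6 12\n"));
    printf("1023-byte token: %d (0 = ok)\n", (int)probe_token_length(1023));
    printf("1024-byte token: %d (2 = rejected as too long)\n", (int)probe_token_length(1024));
    printf("4000-byte token: %d\n", (int)probe_token_length(4000));
    return 0;
}
```

The design point is that a field width alone only truncates: a 4000-byte token would still be accepted as a 1023-byte one, which may mask a malformed file. Checking the byte after the consumed span turns the bound into an explicit reject, which is what a loader processing untrusted OFF input should do.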

Impact

Exploitation of this vulnerability causes a stack-based buffer overflow, leading to a crash and potentially allowing arbitrary code execution, depending on the compiler and the stack protection mechanisms in place.

Reproduction

To reproduce this vulnerability, create an OFF file whose first token exceeds 1024 bytes (containing no whitespace) and use the VHACD tool to process it. This will trigger the buffer overflow and cause a crash. Alternatively, the same effect can be achieved by using the PyBullet library to call the vhacd function with the crafted OFF file as input.

Remediation

Bullet Physics users are advised to update to version 3.26 or later, where this vulnerability has been addressed.

Added: Aug 11, 2025, 5:17 AM
Updated: Aug 11, 2025, 5:17 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 7.7
remediation: 0.0
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.