xlnt-Community xlnt Heap-Based Buffer Overflow Vulnerability in Compound Document Parser
Vulnerability
A heap-based buffer overflow vulnerability has been identified in xlnt-Community xlnt versions through 1.6.1. The issue arises in the Compound Document Parser, specifically within the 'xlnt::detail::binary_writer::append' function, located in 'source/detail/binary.hpp'. This vulnerability allows for heap corruption by writing data beyond the allocated buffer size. The problem occurs when the 'read_sector' function, called by 'read_msat', improperly handles the Master Sector Allocation Table, leading to a memory overflow. The vulnerability can be exploited locally, and a public exploit is available.
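The defect described above is a missing bounds check between what the sector allocation table claims and what the file actually contains. The following is an added, hypothetical example (not xlnt's code, and not taken from the advisory) of a minimal compound-document sector reader that validates every sector ID against the file size before copying, and whose append grows its buffer instead of writing past the end. The sector size of 64 bytes, the sample file contents, and the function names `read_sector`, `read_msat` and `byte_sink::append` are all constructed for this example; the reserved sector IDs (0xFFFFFFFE end-of-chain, 0xFFFFFFFF free, 0xFFFFFFFD FAT, 0xFFFFFFFC DIFAT) follow the MS-CFB specification.

```cpp
#include <cstdint>
#include <cstddef>
#include <cstring>
#include <vector>
#include <iostream>

// Hypothetical append target: grows on demand so an oversized or
// unexpected write can never run past the allocated region.
struct byte_sink {
    std::vector<std::uint8_t> data;
    std::size_t offset = 0;

    void append(const std::uint8_t* src, std::size_t n) {
        if (offset + n > data.size()) data.resize(offset + n);
        std::memcpy(data.data() + offset, src, n);
        offset += n;
    }
};

// Constructed, simplified model of a compound document: a flat byte
// array split into fixed-size sectors (the 512-byte header is omitted).
struct compound_file {
    std::vector<std::uint8_t> bytes;
    std::size_t sector_size;
};

// Reserved sector IDs from MS-CFB; anything at or above 0xFFFFFFFA is never a real sector.
constexpr std::uint32_t ENDOFCHAIN = 0xFFFFFFFE;
constexpr std::uint32_t FREESECT   = 0xFFFFFFFF;

// Copy one sector into `out`. Returns false (and copies nothing) when the
// ID is a sentinel or the sector would lie outside the file.
bool read_sector(const compound_file& f, std::uint32_t sector_id, byte_sink& out) {
    if (sector_id >= 0xFFFFFFFA || f.sector_size == 0) return false;
    // Do the arithmetic in 64 bits so a large ID cannot wrap to a small offset.
    const std::uint64_t start = static_cast<std::uint64_t>(sector_id) * f.sector_size;
    if (start > f.bytes.size() || f.bytes.size() - start < f.sector_size) return false;
    out.append(f.bytes.data() + start, f.sector_size);
    return true;
}

// Walk the Master Sector Allocation Table entries listed in the header and
// append each referenced sector. Stops at the first sentinel or invalid ID and
// returns how many sectors were actually read, so the caller can tell a
// truncated or malformed table from a complete one.
std::size_t read_msat(const compound_file& f, const std::vector<std::uint32_t>& msat_ids, byte_sink& out) {
    std::size_t count = 0;
    for (std::uint32_t id : msat_ids) {
        if (id == ENDOFCHAIN || id == FREESECT) break;
        if (!read_sector(f, id, out)) break;
        ++count;
    }
    return count;
}

// Constructed sample: 256 bytes = exactly four 64-byte sectors.
compound_file make_sample_file() {
    return compound_file{std::vector<std::uint8_t>(256, 0xAB), 64};
}

// Sample MSAT that points at sector 9, which does not exist in a 4-sector file.
std::size_t sample_msat_sectors_read() {
    compound_file f = make_sample_file();
    byte_sink sink;
    return read_msat(f, {0, 1, 9, 2}, sink);  // 0 and 1 succeed, 9 is rejected
}

std::size_t sample_msat_bytes_written() {
    compound_file f = make_sample_file();
    byte_sink sink;
    read_msat(f, {0, 1, 9, 2}, sink);
    return sink.data.size();
}

bool sample_rejects_out_of_range() {
    compound_file f = make_sample_file();
    byte_sink sink;
    return !read_sector(f, 4, sink) && !read_sector(f, ENDOFCHAIN, sink) && sink.data.empty();
}

int main() {
    std::cout << "sectors read: " << sample_msat_sectors_read()
              << ", bytes written: " << sample_msat_bytes_written() << '\n';
    return sample_rejects_out_of_range() ? 0 : 1;
}
```

The point of the example is the order of operations: the sector ID is checked against the file length before any bytes are copied, and the destination buffer is sized from the real copy length rather than from a count read out of the untrusted header. Under AddressSanitizer, a reader that skips either check is exactly what produces the heap-buffer-overflow report the advisory describes.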
Impact
Exploitation of this vulnerability causes a heap-based buffer overflow, leading to heap corruption.
Reproduction
The vulnerability can be reproduced by building xlnt with release optimization and AddressSanitizer (ASan) enabled. After compiling the application, it can be run with a malformed Compound Document file that triggers the buffer overflow during the parsing process. The ASan report will indicate the heap-buffer-overflow error, confirming the vulnerability.
Remediation
Users are advised to update to xlnt version 1.6.1 or later, where this vulnerability has been fixed.
