Squirrel Stack-Based Buffer Overflow Vulnerability in Format Validation Function

Vulnerability

A stack-based buffer overflow vulnerability has been identified in Squirrel versions through 3.2. The issue arises in the validate_format function within the sqstdlib/sqstdstring.cpp library. The vulnerability is caused by an off-by-one error in the length validation of format specifiers, allowing a specifier of exactly 20 characters to overflow a 20-byte stack buffer. This flaw can be exploited locally by executing manipulated Squirrel scripts that access the string library.

Impact

Exploitation of this vulnerability leads to a stack-based buffer overflow in which the overflowed bytes can corrupt adjacent stack variables or the saved frame pointer. This could be leveraged to execute arbitrary code.

Reproduction

The vulnerability can be reproduced with a Squirrel script that includes the string library and calls a string function whose format argument reaches validate_format with a specifier exactly 20 characters long. When Squirrel is built with AddressSanitizer, the overflow is confirmed by a reported stack-buffer-overflow error.

Remediation

Users are advised to update to a version of Squirrel that has addressed this vulnerability. The off-by-one error in the length check should be corrected so that format specifiers are validated against the actual size of the destination buffer.
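As an added illustration, not Squirrel's own code, the following constructed C model places the off-by-one length check described above beside its corrected form and a copy routine that uses the corrected check. The 20-byte buffer follows the advisory; the specifier scanner, the accepted character sets and the sample inputs are assumptions made for this model.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not Squirrel's code: the parsed specifier is copied
 * into a 20-byte stack buffer and then NUL-terminated, so it may hold at
 * most 19 characters. */
#define FMT_BUF_LEN 20

/* Length of the specifier body after a '%': flags, width, precision and
 * the conversion character (assumed sets). Returns 0 if no conversion
 * character follows. */
size_t specifier_len(const char *src)
{
    size_t n = 0;
    while (src[n] && strchr("-+ #0", src[n])) n++;
    while (isdigit((unsigned char)src[n])) n++;
    if (src[n] == '.') { n++; while (isdigit((unsigned char)src[n])) n++; }
    if (src[n] && strchr("diouxXcsfgeE", src[n])) return n + 1;
    return 0;
}

/* Off-by-one check as the advisory describes it: a 20-character specifier
 * passes, and copy plus terminator would then write 21 bytes. This only
 * models the decision; no unsafe write is performed here. */
int accepts_len_weak(size_t n) { return n > FMT_BUF_LEN ? 0 : 1; }

/* Corrected check: n characters plus a terminator need n + 1 bytes, so a
 * specifier of FMT_BUF_LEN or more characters is rejected. */
int accepts_len_fixed(size_t n) { return n >= FMT_BUF_LEN ? 0 : 1; }

/* Hardened copy: rejects malformed or over-long specifiers before any
 * write. Returns the copied length, or -1 if the specifier was rejected. */
int copy_specifier(char dst[FMT_BUF_LEN], const char *src)
{
    size_t n = specifier_len(src);
    if (n == 0 || !accepts_len_fixed(n)) return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';                      /* highest index written: 19 */
    return (int)n;
}

/* Wrapper with its own FMT_BUF_LEN stack buffer, as the library would have. */
int check_specifier(const char *src)
{
    char fmt[FMT_BUF_LEN];
    return copy_specifier(fmt, src);
}

int main(void)
{
    /* Constructed inputs: 18 digits + 'd' (19 chars) and 19 digits + 'd' (20). */
    const char *ok = "123456789012345678d", *bad = "1234567890123456789d";
    printf("weak accepts 20: %d, fixed accepts 20: %d\n",
           accepts_len_weak(specifier_len(bad)), accepts_len_fixed(specifier_len(bad)));
    printf("copy 19-char: %d, copy 20-char: %d\n", check_specifier(ok), check_specifier(bad));
    return 0;
}
```

The weak check returns 1 for the 20-character specifier while the corrected path rejects it and accepts the 19-character one.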

Added: May 11, 2026, 2:20 AM
Updated: May 11, 2026, 2:20 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.3
exploitability: 4.6
remediation: 0.0
relevance: 8.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.