fraillt bitsery
- <= 5.2.4
A vulnerability in the Bitsery library, in versions through 5.2.4, allows insecure deserialization of shared pointers. The issue lies in the 'loadFromSharedState' function in 'include/bitsery/ext/std_smart_ptr.h'. It can be triggered remotely and leads to type confusion, address leakage, arbitrary memory reading, VTable hijacking, and potentially arbitrary code execution. The root cause is the library's handling of shared pointers during deserialization: a shared-pointer reference in the input can be made to resolve to an already-loaded object of a different type, bypassing type checks and causing unintended behavior.
Exploitation of this vulnerability can result in type confusion, allowing an attacker to manipulate object references and potentially execute arbitrary code. The vulnerability also enables address leakage, which can be used to bypass Address Space Layout Randomization (ASLR) and facilitate further exploitation.
The vulnerability can be reproduced by serializing shared pointers of different types, including polymorphic classes, and then deserializing the data with the type information manipulated. A crafted buffer causes the deserializer to mishandle the shared pointer types, and after deserialization the manipulated pointers can be used to access sensitive data or hijack the program's control flow.
Users are advised to upgrade to Bitsery version 5.2.5, which addresses the vulnerability by implementing proper type checks during the deserialization of shared pointers. The updated version is available on the Bitsery GitHub releases page.
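As an added illustration of the mechanism described above (a hypothetical, simplified model written for this page, not Bitsery's code; the names SharedState, Cat, Dog and the two loadFromSharedState* variants are assumptions), the following C++ shows a shared-pointer registry that reuses objects by id without a type check beside one that rejects a reference whose expected type differs from the type recorded at first load:

```cpp
#include <cstdint>
#include <memory>
#include <stdexcept>
#include <string>
#include <typeindex>
#include <unordered_map>

// Hypothetical simplified "shared state" of a deserializer: the first time a shared
// pointer id appears the object is loaded and recorded; later references reuse it.
struct SharedState {
    std::unordered_map<std::uint32_t, std::shared_ptr<void>> objects;
    std::unordered_map<std::uint32_t, std::type_index> types;  // type at first load
};
struct Cat { int lives = 9; };
struct Dog { std::string name = "rex"; };
template <class T>
void registerShared(SharedState& st, std::uint32_t id, std::shared_ptr<T> p) {
    st.objects[id] = p;
    st.types.erase(id); st.types.emplace(id, std::type_index(typeid(T)));
}
// Weak: reuse by id alone and cast to whatever type the reader expects.
template <class T>
std::shared_ptr<T> loadFromSharedStateUnchecked(SharedState& st, std::uint32_t id) {
    return std::static_pointer_cast<T>(st.objects.at(id));
}
// Hardened: reuse only when the recorded type matches the expected one; else reject.
template <class T>
std::shared_ptr<T> loadFromSharedStateChecked(SharedState& st, std::uint32_t id) {
    auto it = st.types.find(id);
    if (it == st.types.end()) throw std::runtime_error("unknown shared pointer id");
    if (it->second != std::type_index(typeid(T)))
        throw std::runtime_error("shared pointer type mismatch");
    return std::static_pointer_cast<T>(st.objects.at(id));
}
// Constructed scenario: id 1 was first loaded as a Cat, and the input then references
// id 1 where the reader expects a Dog. Pointers are compared as addresses, never used.
bool uncheckedAliasesWrongType() {
    SharedState st;
    auto cat = std::make_shared<Cat>();
    registerShared<Cat>(st, 1, cat);
    std::shared_ptr<Dog> dog = loadFromSharedStateUnchecked<Dog>(st, 1);
    return static_cast<void*>(dog.get()) == static_cast<void*>(cat.get());
}
bool checkedRejectsWrongType() {
    SharedState st;
    registerShared<Cat>(st, 1, std::make_shared<Cat>());
    try { loadFromSharedStateChecked<Dog>(st, 1); } catch (const std::runtime_error&) { return true; }
    return false;
}
```

In the unchecked variant the Dog pointer aliases the Cat object, which is the type confusion the advisory describes; the checked variant turns the same input into a rejected read.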