rustsec-2021-0123
Vulnerability from osv_rustsec
Published
2021-11-14 12:00
Modified
2023-06-13 13:10
Summary
Converting `NSString` to a String Truncates at Null Bytes
Details

Methods of [NSString] for conversion to a string may return a partial result. Since they call [CStr::from_ptr] on a pointer to the string buffer, the string is terminated at the first null byte, which might not be the end of the string.

In addition to the vulnerable functions listed for this issue, the implementations of [Display], [PartialEq], [PartialOrd], and [ToString] for [NSString] are also affected, since they call those functions.

Impact

Since [NSString] is commonly used as the type for paths by the Foundation framework, null byte truncation might allow for easily bypassing file extension checks. For example, if a file name is provided by a user and validated to have one of a specific set of extensions, with validation taking place before truncation, an attacker can add an accepted extension after a null byte (e.g., file.exe\0.txt). After truncation, the file name used by the application would be file.exe.

It would be better to generate unique names for files, instead of using user-provided names, but not all applications take this approach.

Example:

let string = NSString::from_str("null\0byte");
println!("{}", string);

That example only prints the string "null".

To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "categories": [],
        "cvss": null,
        "informational": null
      },
      "ecosystem_specific": {
        "affected_functions": null,
        "affects": {
          "arch": [],
          "functions": [
            "fruity::foundation::NSString::to_str",
            "fruity::foundation::NSString::to_str_with_nul",
            "fruity::foundation::NSString::to_string",
            "fruity::foundation::NSString::to_string_with_nul"
          ],
          "os": []
        }
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "fruity",
        "purl": "pkg:cargo/fruity"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.1.0"
            },
            {
              "fixed": "0.3.0"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "versions": []
    }
  ],
  "aliases": [
    "CVE-2021-43620",
    "GHSA-h352-g5vw-3926"
  ],
  "database_specific": {
    "license": "CC0-1.0"
  },
  "details": "Methods of [`NSString`] for conversion to a string may return a partial result.\nSince they call [`CStr::from_ptr`] on a pointer to the string buffer, the\nstring is terminated at the first null byte, which might not be the end of the\nstring.\n\nIn addition to the vulnerable functions listed for this issue, the\nimplementations of [`Display`], [`PartialEq`], [`PartialOrd`], and [`ToString`]\nfor [`NSString`] are also affected, since they call those functions.\n\n## Impact\n\nSince [`NSString`] is commonly used as the type for paths by the [Foundation]\nframework, null byte truncation might allow for easily bypassing file extension\nchecks. For example, if a file name is provided by a user and validated to have\none of a specific set of extensions, with validation taking place before\ntruncation, an attacker can add an accepted extension after a null byte (e.g.,\n`file.exe\\0.txt`). After truncation, the file name used by the application\nwould be `file.exe`.\n\nIt would be better to generate unique names for files, instead of using\nuser-provided names, but not all applications take this approach.\n\n## Example:\n\n```rust\nlet string = NSString::from_str(\"null\\0byte\");\nprintln!(\"{}\", string);\n```\n\nThat example only prints the string \"null\".\n\n[`CStr::from_ptr`]: https://doc.rust-lang.org/std/ffi/struct.CStr.html#method.from_ptr\n[`Display`]: https://doc.rust-lang.org/std/fmt/trait.Display.html\n[Foundation]: https://developer.apple.com/documentation/foundation\n[`NSString`]: https://docs.rs/fruity/0.2.0/fruity/foundation/struct.NSString.html\n[`PartialEq`]: https://doc.rust-lang.org/std/cmp/trait.PartialEq.html\n[`PartialOrd`]: https://doc.rust-lang.org/std/cmp/trait.PartialOrd.html\n[`ToString`]: https://doc.rust-lang.org/std/string/trait.ToString.html",
  "id": "RUSTSEC-2021-0123",
  "modified": "2023-06-13T13:10:24Z",
  "published": "2021-11-14T12:00:00Z",
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://crates.io/crates/fruity"
    },
    {
      "type": "ADVISORY",
      "url": "https://rustsec.org/advisories/RUSTSEC-2021-0123.html"
    },
    {
      "type": "REPORT",
      "url": "https://github.com/nvzqz/fruity/issues/14"
    }
  ],
  "related": [],
  "severity": [],
  "summary": "Converting `NSString` to a String Truncates at Null Bytes"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.