Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Twenty-year-old vulnerability in LZO finally patched

Steve Ragan | June 27, 2014
LZO is a compression algorithm that touches almost everything.


After twenty years, a vulnerability in Lempel-Ziv-Oberhumer (LZO), an extremely efficient compression algorithm, has finally been patched. The flaw, a subtle integer overflow, existed for as long as it did because of the practice of recycling code in the development community.

Due to this, the vulnerability touches everything from open source libraries, mobile phones (Android on Samsung devices), and other embedded devices.

LZO was created in 1994 by Markus Oberhumer. The compression algorithm is optimized for speed, and it regularly outperforms zlib and bzip. The most common use is image data, which makes it perfect for applications that rely on video transmissions or projects that need to send large image files.

Since its creation, LZO has been used by many scientific and open source projects, including NASA's Rover, Curiosity, which just celebrated its Martian one-year anniversary this week.

Other uses for LZO include OpenVPN, MPlayer2, Libav, FFmpeg, the Linux Kernel, and Juniper's Junos IPSec. Moreover, LZ4 (a variant of LZO) is used for compression in ZFS (Solaris), Apache's Hadoop, and FreeBSD.

"With its popularity increasing, Lempel-Ziv-Oberhumer has been rewritten by many engineering firms for both closed and open systems. These rewrites, however, have always been based on Oberhumer's core open source implementation. As a result, they all inherited a subtle integer overflow. Even LZ4 has the same exact bug, but changed very slightly," wrote Don Bailey, founder and CEO of Lab Mouse Security.

Bailey discovered the flaws while manually auditing the LZO code. When asked if he was worried about someone going after NASA's Curiosity, he told CSO that was unlikely.

"NASA accepted the bug reports. I doubt it is vulnerable to an attacker. The Rover is so compartmentalized within NASA it would be hard to get to, and even harder to push a malicious payload to it. I doubt you could send it enough data to trigger the bug," he said.

"My bigger concern was actually the Rover accidentally triggering the bug by attempting to send corrupted data to NASA. If the camera took a corrupt snapshot for any reason, the [compression / de-compression] algorithm may accidentally trigger a fault causing the Rover to lock up. I know they have a heavily fault tolerant platform, but there are conditions where this may cause looped faults."

The vulnerability itself occurs when processing a Literal Run.

"A Literal Run is simply a way of finding and interpreting binary data. By attacking this functionality, an adversary can use this data to control a vulnerable application in an unintended way, potentially allowing for remote system compromise or elevated privileges," Bailey explained.

However, depending on what the attacker is targeting, they'll need to construct a malicious payload to fit each particular implementation of LZO. This limits the overall severity of the flaw, because the different overflow requirements mean that an attacker will have to put in some work to make something happen.


1  2  Next Page 

Sign up for Computerworld eNewsletters.