CVE-2020-13995
Description
CVE-2020-13995 is a global buffer overflow in the NITF extract75 utility that enables an arbitrary write via a crafted NITF file, leading to code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability exists in the US Air Force Sensor Data Management System's extract75 utility (version 7.5), which parses National Imagery Transmission Format (NITF) 2.0/2.1 files. A global buffer overflow occurs in the variable sBuffer when processing a specially crafted NITF file. This overflow leads to a Write-What-Where condition by overwriting global variables until a pointer such as DES_info or image_info is reached. By controlling that pointer, an attacker achieves an arbitrary write when its fields are assigned [1].
Exploitation
An attacker only needs to supply a malicious NITF file to the extract75 parser. No prior authentication or special privileges are required. The attacker crafts a NITF file that causes sBuffer to overflow, clobbering successive global variables. Once a pointer like DES_info or image_info is overwritten, the subsequent field assignments result in an arbitrary write. The data written is derived from the file as an integer (e.g., a 9-digit integer from a controlled field). The proof-of-concept (PoC) further targets strncpy to hijack the instruction pointer. Multiple similar overflow paths exist, and exploiting the image_info overflow could yield 10 bytes of control, or potentially more with negative integer values [1].
Impact
Successful exploitation results in arbitrary write and code execution. The attacker gains full control of the instruction pointer, enabling arbitrary code execution in the context of the extract75 process. This allows a complete compromise of confidentiality, integrity, and availability for the affected system [1].
Mitigation
No official patch has been announced as of publication (September 2020). The affected version is extract75 version 7.5. Users should avoid processing untrusted NITF files with this utility until a fix is released. There is no known workaround that addresses the underlying overflow. The CVE is not listed in the CISA Known Exploited Vulnerabilities catalog [1].
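The overflow described above comes from trusting a length that the file declares. The following sketch shows the checks a fixed-buffer parser needs before copying such a field; it is an added example, not extract75 source code, which this page does not show. The names `field_buf`, `parse_len_field` and `read_field` and the 1000-byte capacity are assumptions made for illustration.

```c
/* Added illustration with hypothetical names; not taken from extract75. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define SBUF_SIZE 1000             /* assumed capacity of the fixed buffer */
static char field_buf[SBUF_SIZE];  /* stands in for a global such as sBuffer */

/* Parse a fixed-width ASCII decimal field (for example 9 digits). Returns 0
 * and sets *out on success, -1 if any byte is not '0'..'9', so a sign or a
 * space is refused instead of turning into a negative or wrapped length. */
int parse_len_field(const unsigned char *p, size_t width, size_t *out)
{
    size_t v = 0;
    if (width == 0 || width > 9)   /* 9 decimal digits always fit in 32 bits */
        return -1;
    for (size_t i = 0; i < width; i++) {
        if (p[i] < '0' || p[i] > '9')
            return -1;
        v = v * 10 + (size_t)(p[i] - '0');
    }
    *out = v;
    return 0;
}

/* Copy a file-declared field into the fixed buffer only if it fits both the
 * buffer (leaving room for the NUL) and the bytes left in the input. */
int read_field(const unsigned char *src, size_t avail, size_t declared)
{
    if (declared >= sizeof field_buf || declared > avail)
        return -1;                 /* reject; never copy past either bound */
    memcpy(field_buf, src, declared);
    field_buf[declared] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed samples: a 9-digit length header followed by the payload. */
    const unsigned char ok[]  = "000000005HELLO";
    const unsigned char bad[] = "000005000HELLO"; /* declares more than exists */
    size_t n;
    if (parse_len_field(ok, 9, &n) == 0 && read_field(ok + 9, sizeof ok - 10, n) == 0)
        printf("accepted: %s\n", field_buf);
    if (parse_len_field(bad, 9, &n) == 0 && read_field(bad + 9, sizeof bad - 10, n) != 0)
        printf("rejected: %zu bytes declared\n", n);
    return 0;
}
```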
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Sensor Data Management System/Sensor Data Management System
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
[1] www.riverloopsecurity.com/blog/2020/09/nitf-extract75-cve-2020-13995/ (MITRE, x_refsource_MISC)