CVE-2023-27754
Description
vox2mesh 1.0 has a stack overflow in main.cpp, caused by incorrect use of the memcpy() function. The flaw allows an attacker to cause a denial of service (abort) via a crafted file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stack overflow in vox2mesh 1.0 due to incorrect memcpy usage in VoxReader::readChunk allows denial of service via crafted .vox file.
Vulnerability
vox2mesh 1.0 contains a stack-overflow vulnerability in the VoxReader::readChunk function within main.cpp, caused by an incorrect use of the memcpy() function. The issue is triggered when the program processes a specially crafted .vox file, leading to uncontrolled recursion or stack exhaustion.
Exploitation
An attacker can exploit this vulnerability by providing a malicious .vox file to the vulnerable vox2obj binary. No authentication or special privileges are required; the attacker only needs to convince a user (or automated system) to process the crafted file, for example via the command line: ./vox2obj input.vox output.obj. The stack overflow occurs during the reading and parsing of the chunk structure, as demonstrated in the proof-of-concept [1].
Impact
Successful exploitation results in a stack-overflow crash, causing the application to abort and leading to a denial of service (DoS). The overflow corrupts the stack, which may also allow arbitrary code execution, but the provided documentation indicates only a denial of service has been confirmed [1].
Mitigation
As of this writing, no official fix has been released for vox2mesh 1.0. The project appears to be unmaintained, and no mitigation or patched version is available. Users are advised to avoid processing untrusted .vox files with this software until a fix is provided [1].
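Assuming the incorrect memcpy() takes its length from the file, the check a fix would need is that every copy fits both the remaining input and the destination buffer. The C++ below is an added example, not code from vox2mesh or its author; the chunk layout (4-byte id, 32-bit little-endian content and children sizes) and all names (`safeRead`, `readChunkHeader`, `copyContent`, `ChunkHeader`) are assumptions.

```cpp
// Added illustration: bounds-checked chunk parsing for a chunked file format.
// Assumed layout: 4-byte id, u32 content size, u32 children size (little-endian).
// Nothing here is taken from vox2mesh's main.cpp.
#include <cstddef>
#include <cstdint>
#include <cstring>

struct ChunkHeader {
    char id[5];             // 4 id bytes plus terminating NUL
    uint32_t contentSize;   // attacker-controlled: read from the file
    uint32_t childrenSize;  // attacker-controlled: read from the file
};

enum class ParseResult { Ok, Truncated, SizeOutOfRange };

// Copy n bytes from buf at *off only if they fit in BOTH the source and dst.
// The unsafe form is a bare memcpy(dst, buf + off, n) with n from the file.
static bool safeRead(const uint8_t* buf, size_t len, size_t* off,
                     void* dst, size_t dstCap, size_t n) {
    if (n > dstCap) return false;                    // would overflow destination
    if (*off > len || n > len - *off) return false;  // would over-read source
    std::memcpy(dst, buf + *off, n);
    *off += n;
    return true;
}

static uint32_t le32(const uint8_t b[4]) {
    return uint32_t(b[0]) | uint32_t(b[1]) << 8 | uint32_t(b[2]) << 16 | uint32_t(b[3]) << 24;
}

// Parse one header at *off; *off advances only when the header is accepted.
ParseResult readChunkHeader(const uint8_t* buf, size_t len, size_t* off, ChunkHeader* out) {
    uint8_t raw[4];
    size_t pos = *off;
    if (!safeRead(buf, len, &pos, out->id, 4, 4)) return ParseResult::Truncated;
    out->id[4] = '\0';
    if (!safeRead(buf, len, &pos, raw, sizeof raw, 4)) return ParseResult::Truncated;
    out->contentSize = le32(raw);
    if (!safeRead(buf, len, &pos, raw, sizeof raw, 4)) return ParseResult::Truncated;
    out->childrenSize = le32(raw);
    // Sum in 64 bits so two large 32-bit sizes cannot wrap around.
    uint64_t declared = uint64_t(out->contentSize) + out->childrenSize;
    if (declared > len - pos) return ParseResult::SizeOutOfRange;
    *off = pos;
    return ParseResult::Ok;
}

// Copy a chunk's content into a fixed-size buffer; refuses instead of overflowing.
bool copyContent(const uint8_t* buf, size_t len, size_t off, const ChunkHeader& h,
                 void* dst, size_t dstCap) {
    return safeRead(buf, len, &off, dst, dstCap, h.contentSize);
}
```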
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- vox2mesh/vox2mesh
- Range: <= 1.0
Patches
No patches discovered yet.