20-Years Old Vulnerability in LZO Compression Algorithm Went to Planet Mars
A 20 year old critical subtle integer overflow vulnerability has been discovered in Lempel-Ziv-Oberhumer (LZO), an extremely efficient data compression algorithm that focuses on decompression speed, which is almost five times faster than zlib and bzip compression algorithms.

Lempel-Ziv-Oberhumer (LZO) was developed in 1994 by Markus Oberhumer and currently it is one of the most popular and widespread compression algorithm used in the Linux kernel, some Samsung Android mobile devices, other embedded devices and several open-source libraries including OpenVPN, MPlayer2, Libav, FFmpeg.

Don A. Bailey, founder and CEO of Lab Mouse Security, who disclosed the technical details of the buffer overrun vulnerability in LZO/LZ4 algorithm, explains that if an attacker carefully craft a piece of compressed data that would run malicious code when the software attempted to decompress it.

According to advisory, if buffers of 16MB or more can be passed to LZO/LZ4 then exploitation is possible only under limited circumstances. The vulnerability in the algorithm could also trigger buffer overflows, denial of service and remote code execution (RCE).

"As this issue only affects 32-bit systems and also can only happen if you use uncommonly huge buffer sizes where you have to decompress more than 16 MiB (2^24 bytes) compressed bytes within a single function call the practical implications are limited."
20-Years Old Vulnerability in LZO Compression Algorithm Went to Planet Mars
Lempel-Ziv-Oberhumer (LZO) algorithm is also used in some car and aircraft systems, as well as NASA's Rover, Curiosity, which is right now on planet Mars and has completed its first year this week.

"The scope of this algorithm touches everything from embedded micro controllers on the Mars Rover, mainframe operating systems, modern day desktops, and mobile phones." Bailey wrote in a blog post.
However, he denied from the practical exploitation of Curiosity Rover by any hacker, "NASA accepted the bug reports. I doubt it is vulnerable to an attacker. The Rover is so compartmentalized within NASA it would be hard to get to, and even harder to push a malicious payload to it. I doubt you could send it enough data to trigger the bug," Bailey explained.
Multimedia applications such as MPlayer2, libav and FFmpeg are potentially affected by the discovered vulnerability and it could be used to execute code remotely. "If you're viewing a video, a malicious video will execute a shell on your computer, so you could get code execution by playing a video." Bailey warned.

The LZO vulnerability is significant and even exists in kernels for Samsung Android devices to increase kernel loading speed. However, each implementation and architecture is using modified versions of LZO, so a potential attacker should have to build custom malicious payloads for each implementation and this limits the overall severity of the flaw.

  • CVE-2014-4607 - LZO code
  • CVE-2014-4608 (LZO) - Kernel code
  • CVE-2014-4609 - Libav
  • CVE-2014-4610 - FFmpeg
  • CVE-2014-4611 (LZ4) - Kernel code
LZO has finally been patched in latest LZO version 2.07, Linux kernel version 3.15.2 and various open-source media libraries including, FFmpeg and libav have also released latest patched versions.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.