MapTool 1.11.5 Denial Of Service

MapTool version 1.11.5 suffers from a denial of service vulnerability.


SHA-256 | 4917ca645001504e1c789a893326d9349c92cfb53fc6172f7b813c5e0e69dfba

Document Title:
===============
MapTool v1.11.5 - Denial of Service Vulnerability


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2318


Release Date:
=============
2022-10-10


Vulnerability Laboratory ID (VL-ID):
====================================
2318


Common Vulnerability Scoring System:
====================================
5.7


Vulnerability Class:
====================
Denial of Service


Current Estimated Price:
========================
500€ - 1.000€


Product & Service Introduction:
===============================
MapTool is a fully featured, flexible virtual tabletop. Not only does MapTool come with powerful tools for creating detailed maps
but also a chat function, an initiative tracker, and a detailed token management system to create characters, monsters, objects,
and anything you can imagine. MapTool's user interface is highly configurable, and features not being used can be hidden out of sight.
The latest version of MapTool can be found on GitHub. MapTool attempts to use Semantic Versioning to help groups know whether a change
may break their game or not so they can decide when to upgrade. Exciting new features can be tested in development (alpha or beta) builds,
but for your game where stability matters sticking to the major releases is recommended. MapTool campaigns saved in newer versions may not
work on older versions, so be careful with your campaign files when trying out development builds.

(Copy of the Homepage:https://wiki.rptools.info/index.php/MapTool )
(Download Software:https://www.rptools.net/toolbox/download-rptools-products )


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a remote denial of service vulnerability in the official MapTool v1.11.5 software.

Affected Product(s):
====================
Rptools
Product: MapTool v1.11.5 - (Windows) (Linux) (MacOS)


Vulnerability Disclosure Timeline:
==================================
2022-06-03: Researcher Notification & Coordination (Security Researcher)
2022-06-04: Vendor Notification (Security Department)
2022-**-**: Vendor Response/Feedback (Security Department)
2022-**-**: Vendor Fix/Patch (Service Developer Team)
2022-**-**: Security Acknowledgements (Security Department)
2022-10-10: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Authentication Type:
====================
Restricted Authentication (Guest Privileges)


User Interaction:
=================
No User Interaction


Disclosure Type:
================
Independent Security Research


Technical Details & Description:
================================
The remote denial of service software vulnerability is located in the chat function of the official MapTool v1.11.5 windows software.
Attackers with chat access can transmit a malformed special crafted payload that returns a null pointer in javax.swing.text.html.StyleSheet
(javax.swing.text.View) and javax.swing.text.html.BlockView.layoutMinorAxis. Attacker are able to inject payloads to crash the application
immediatly and permanently. The compromised communication and project can be saved as cmpgn file and crashs the application on each import
with the unhandled null pointer exception.

Vulnerable Module(s):
[+] Chat (Werkzeuge / Tools)

Vulnerable Function(s):
[+] javax.swing.text.html.StyleSheet$BoxPainter
[+] javax.swing.text.html.BlockView.layoutMinorAxis


Proof of Concept (PoC):
=======================
The remote denial of service vulnerability can be exploited by remote attacker or without interaction or local users.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability locally:
1. Install the maptool newst version
2. Start the tool and open a own host
3. Open the message chat box
4. Include the payload and push the send button
5. The software crashs locally by null pointer
Note: open the client again and copy the chat with a cmpgn file
6. Now you can locally import it to crash the host via null pointer

Manual steps to reproduce the vulnerability remotely:
1. Install the maptool newst version
2. Start the tool and join an exisiting party
3. Open the chat
4. Inject the payload with a local js or base64 encoded link and submit it
5. The host receives the chat message and clicks the link the host session crashs via null pointer

Payload:
<FRAMESET></FRAMESET>

PoC:
testfile.cmpgn

--- Debug Session Logs ---
java.lang.ArrayIndexOutOfBoundsException: Index 1 out of bounds for length 1
at java.desktop/javax.swing.text.html.BlockView.layoutMinorAxis(Unknown Source)
at java.desktop/javax.swing.text.html.HTMLEditorKit$HTMLFactory$BodyBlockView.layoutMinorAxis(Unknown Source)
at java.desktop/javax.swing.text.BoxView.setSpanOnAxis(Unknown Source)
at java.desktop/javax.swing.text.BoxView.layout(Unknown Source)
at java.desktop/javax.swing.text.BoxView.setSize(Unknown Source)
at java.desktop/javax.swing.text.BoxView.updateChildSizes(Unknown Source)
at java.desktop/javax.swing.text.BoxView.setSpanOnAxis(Unknown Source)
at java.desktop/javax.swing.text.BoxView.layout(Unknown Source)
at java.desktop/javax.swing.text.BoxView.setSize(Unknown Source)
at java.desktop/javax.swing.plaf.basic.BasicTextUI$RootView.setSize(Unknown Source)
at java.desktop/javax.swing.plaf.basic.BasicTextUI.getPreferredSize(Unknown Source)
at java.desktop/javax.swing.JComponent.getPreferredSize(Unknown Source)
at java.desktop/javax.swing.JEditorPane.getPreferredSize(Unknown Source)
at java.desktop/javax.swing.ScrollPaneLayout.layoutContainer(Unknown Source)
at java.desktop/java.awt.Container.layout(Unknown Source)
at java.desktop/java.awt.Container.doLayout(Unknown Source)
at java.desktop/java.awt.Container.validateTree(Unknown Source)
at java.desktop/java.awt.Container.validate(Unknown Source)
at java.desktop/javax.swing.RepaintManager$3.run(Unknown Source)
at java.desktop/javax.swing.RepaintManager$3.run(Unknown Source)
at java.base/java.security.AccessController.doPrivileged(Unknown Source)
at java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(Unknown Source)
at java.desktop/javax.swing.RepaintManager.validateInvalidComponents(Unknown Source)
at java.desktop/javax.swing.RepaintManager$ProcessingRunnable.run(Unknown Source)
at java.desktop/java.awt.event.InvocationEvent.dispatch(Unknown Source)
at java.desktop/java.awt.EventQueue.dispatchEventImpl(Unknown Source)
at java.desktop/java.awt.EventQueue$4.run(Unknown Source)
at java.desktop/java.awt.EventQueue$4.run(Unknown Source)
at java.base/java.security.AccessController.doPrivileged(Unknown Source)
at java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(Unknown Source)
at java.desktop/java.awt.EventQueue.dispatchEvent(Unknown Source)
at net.rptools.maptool.client.swing.MapToolEventQueue.dispatchEvent(MapToolEventQueue.java:54)
at java.desktop/java.awt.EventDispatchThread.pumpOneEventForFilters(Unknown Source)
at java.desktop/java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)
at java.desktop/java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)
at java.desktop/java.awt.WaitDispatchSupport$2.run(Unknown Source)
at java.desktop/java.awt.WaitDispatchSupport$4.run(Unknown Source)
at java.desktop/java.awt.WaitDispatchSupport$4.run(Unknown Source)
at java.base/java.security.AccessController.doPrivileged(Unknown Source)
at java.desktop/java.awt.WaitDispatchSupport.enter(Unknown Source)
at java.desktop/java.awt.Dialog.show(Unknown Source)
at java.desktop/java.awt.Component.show(Unknown Source)
at java.desktop/java.awt.Component.setVisible(Unknown Source)
at java.desktop/java.awt.Window.setVisible(Unknown Source)
at java.desktop/java.awt.Dialog.setVisible(Unknown Source)
at net.rptools.maptool.client.swing.MapToolEventQueue.displayPopup(MapToolEventQueue.java:109)
at net.rptools.maptool.client.swing.MapToolEventQueue.dispatchEvent(MapToolEventQueue.java:73)
at java.desktop/java.awt.EventDispatchThread.pumpOneEventForFilters(Unknown Source)
at java.desktop/java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)
at java.desktop/java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source)
at java.desktop/java.awt.EventDispatchThread.pumpEvents(Unknown Source)
at java.desktop/java.awt.EventDispatchThread.pumpEvents(Unknown Source)
at java.desktop/java.awt.EventDispatchThread.run(Unknown Source)
-
Java.lang.NullPointerException: Cannot invoke "javax.swing.text.html.StyleSheet$BoxPainter.getInset(int, javax.swing.text.View)" because "this.painter" is null
at java.desktop/javax.swing.text.html.TableView.updateInsets(Unknown Source)
at java.desktop/javax.swing.text.html.TableView.calculateMajorAxisRequirements(Unknown Source)
at java.desktop/javax.swing.text.BoxView.checkRequests(Unknown Source)
at java.desktop/javax.swing.text.BoxView.getMinimumSpan(Unknown Source)
at java.desktop/javax.swing.text.BoxView.calculateMajorAxisRequirements(Unknown Source)
at java.desktop/javax.swing.text.html.BlockView.calculateMajorAxisRequirements(Unknown Source)
at java.desktop/javax.swing.text.BoxView.checkRequests(Unknown Source)
at java.desktop/javax.swing.text.BoxView.getMinimumSpan(Unknown Source)
at java.desktop/javax.swing.text.html.BlockView.getMinimumSpan(Unknown Source)
at java.desktop/javax.swing.text.BoxView.calculateMajorAxisRequirements(Unknown Source)
at java.desktop/javax.swing.text.html.BlockView.calculateMajorAxisRequirements(Unknown Source)
at java.desktop/javax.swing.text.html.HTMLEditorKit$HTMLFactory$BodyBlockView.calculateMajorAxisRequirements(Unknown Source)
at java.desktop/javax.swing.text.BoxView.checkRequests(Unknown Source)
at java.desktop/javax.swing.text.BoxView.getMinimumSpan(Unknown Source)
at java.desktop/javax.swing.text.html.BlockView.getMinimumSpan(Unknown Source)
at java.desktop/javax.swing.text.BoxView.calculateMajorAxisRequirements(Unknown Source)
at java.desktop/javax.swing.text.html.BlockView.calculateMajorAxisRequirements(Unknown Source)
at java.desktop/javax.swing.text.BoxView.checkRequests(Unknown Source)
at java.desktop/javax.swing.text.BoxView.setSpanOnAxis(Unknown Source)
at java.desktop/javax.swing.text.BoxView.layout(Unknown Source)
at java.desktop/javax.swing.text.BoxView.setSize(Unknown Source)
at java.desktop/javax.swing.plaf.basic.BasicTextUI$RootView.setSize(Unknown Source)
at java.desktop/javax.swing.plaf.basic.BasicTextUI.getPreferredSize(Unknown Source)
at java.desktop/javax.swing.JComponent.getPreferredSize(Unknown Source)
at java.desktop/javax.swing.JEditorPane.getPreferredSize(Unknown Source)
at java.desktop/javax.swing.ScrollPaneLayout.layoutContainer(Unknown Source)
at java.desktop/java.awt.Container.layout(Unknown Source)
at java.desktop/java.awt.Container.doLayout(Unknown Source)
at java.desktop/java.awt.Container.validateTree(Unknown Source)
at java.desktop/java.awt.Container.validate(Unknown Source)
at java.desktop/javax.swing.RepaintManager$3.run(Unknown Source)
at java.desktop/javax.swing.RepaintManager$3.run(Unknown Source)
at java.base/java.security.AccessController.doPrivileged(Unknown Source)
at java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(Unknown Source)
at java.desktop/javax.swing.RepaintManager.validateInvalidComponents(Unknown Source)
at java.desktop/javax.swing.RepaintManager$ProcessingRunnable.run(Unknown Source)
at java.desktop/java.awt.event.InvocationEvent.dispatch(Unknown Source)
at java.desktop/java.awt.EventQueue.dispatchEventImpl(Unknown Source)
at java.desktop/java.awt.EventQueue$4.run(Unknown Source)
at java.desktop/java.awt.EventQueue$4.run(Unknown Source)
at java.base/java.security.AccessController.doPrivileged(Unknown Source)
at java.base/java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(Unknown Source)
at java.desktop/java.awt.EventQueue.dispatchEvent(Unknown Source)
at net.rptools.maptool.client.swing.MapToolEventQueue.dispatchEvent(MapToolEventQueue.java:54)
at java.desktop/java.awt.EventDispatchThread.pumpOneEventForFilters(Unknown Source)
at java.desktop/java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)
at java.desktop/java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source)
at java.desktop/java.awt.EventDispatchThread.pumpEvents(Unknown Source)
at java.desktop/java.awt.EventDispatchThread.pumpEvents(Unknown Source)
at java.desktop/java.awt.EventDispatchThread.run(Unknown Source)


Security Risk:
==============
The security risk of the remote denial of service vulnerability in the maptool software is estimated as medium.


Credits & Authors:
==================
Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains: https://www.vulnerability-lab.com ; https://www.vuln-lab.com ;https://www.vulnerability-db.com

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or
edit our material contact (admin@ or research@) to get a ask permission.

Copyright © 2022 | Vulnerability Laboratory - [Evolution Security GmbH]™



--
VULNERABILITY LABORATORY (VULNERABILITY LAB)
RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE


Related Posts