A security vulnerability has been detected in WebAssembly wabt up to 1.0.39. This issue affects the function wabt::Decompiler::VarName of the file /src/repro/wabt/bin/wasm-decompile of the component wasm-decompile. Such manipulation leads to out-of-bounds read. Local access is required to approach this attack. The exploit has been disclosed publicly and may be used. Unfortunately, the project has no active maintainer at the moment. In a reply to the issue report somebody recommended to the researcher to provide a PR himself.
WebAssembly (Wasm) wabt up to version 1.0.39 is vulnerable to an out-of-bounds read vulnerability, allowing for potential information disclosure and system compromise. The flaw resides in the wabt::Decompiler::VarName function within the wasm-decompile component, and a publicly disclosed exploit exists. Due to the lack of an active maintainer, patching this critical vulnerability is currently challenging, increasing the risk of exploitation.
Step 1: Payload Preparation: The attacker crafts a malicious WebAssembly (.wasm) file. This file is designed to exploit the vulnerability in wabt::Decompiler::VarName.
Step 2: Triggering Decompilation: The attacker provides the malicious .wasm file to a system that uses wasm-decompile from wabt (version <= 1.0.39). This could be through a local file upload, a network service that processes .wasm files, or any other mechanism that invokes the decompiler.
Step 3: Vulnerability Execution: The wasm-decompile tool attempts to decompile the malicious .wasm file. During the decompilation process, the wabt::Decompiler::VarName function is called.
Step 4: Out-of-Bounds Read: Due to the crafted .wasm file, the VarName function attempts to access memory outside the allocated bounds. This read operation retrieves data from an unintended memory location.
Step 5: Information Disclosure (or potential for further exploitation): The data read from the out-of-bounds location is either displayed to the attacker (information disclosure) or used in a way that allows the attacker to further control the system. The specific impact depends on the nature of the data read and how it is used by the application.
The vulnerability stems from an out-of-bounds read within the wabt::Decompiler::VarName function in wasm-decompile. The root cause is likely an improper bounds check or calculation when accessing memory associated with variable names during the decompilation process. Specifically, the code fails to validate the index used to access a data structure (e.g., an array or buffer) containing variable name information. This allows an attacker to provide a crafted WebAssembly file that, when decompiled, triggers an access outside the allocated memory region. This leads to the disclosure of sensitive information or, in more severe cases, could be leveraged to overwrite critical data, potentially leading to arbitrary code execution if the attacker can control the contents of the memory read.