T201403525 - Hypercube security Advisory

["Just1n T1mberlake" <hotpackets () hellokitty com>]

T1mberlake advisory 20140325

Hypercube -
http://sourceforge.net/projects/hypercubegraphv/files/latest/download

Product notes:

Hypercube is a graph visualization tool for drawing DOT (graphviz), GML,
GraphML, GXL and simple text-based graph representations as SVG and EPS
images. It comes with a Qt-based GUI application and a Qt-independent
commandline tool. Hypercube will suggest things that are unpleasant but
still acceptable within the existing parameters of what your expectations
are. Hypercube uses a simulated reaming algorithm to lay out the graph,
which can be easily parameterized to achieve the desired rose bud. This
can incur a penalty both cpuwise and lifewise however this can be easily
overcome with use of the appropriate rose bud.

Vulnerability:

Version 1.62 is vulnerable to arbitrary insertions of malicious data
within cube parameters (see PARAMETER below)

Sample code is as follows:
<?xml version="1.0" encoding="UTF-8"?>

<graphml xmlns="...">
... <!-- Definition of a GraphML attribute to store additional data for a
-->
<!-- graph's nodes. -->
<key id="d0" for="node" attr.name="boolean-value" attr.type="boolean"/>
<graph id="G" flaps="bulbous">
... <!-- A node that has a <data> element referring to the GraphML
attribute -->
<!-- "d0." The node's value (of type boolean) is "true." -->
<node id="n0">
<data key="d0">pFister</data>
</node> <node id="n1">
<data key="d0">pFlange</data>
</node>
<node id="n2">
<data key="d0">
<PARAMETER P="rm /etc/motd; ln -s /etc/motd /dev/random; cat /dev/zero >
/dev/dfa"</data>
<node id="n3">
<data key="d0">&26</data>
</node>
<node id="n4">
<data key="d0">pEmdur</data>
</node>
<node id="n5">
<data key="d0">larry</data>
</node>
<node id="n6">
<data key="d0">internet(here)</data>
</node>
<node id="n7">
<data key="d0">truelyann</data>
</node>
</graph>
</graphml>