Bio-Formats performs unsafe Java deserialization of attacker-controlled memoization cache files (.bfmemo) during image processing. The loci.formats.Memoizer class automatically locates and deserializes the memo file associated with an image without validating it, checking its integrity, or enforcing any trust boundary on where it came from. An attacker who can place or modify a .bfmemo file where Memoizer looks for it (next to the image, or in the configured memo directory) can therefore make Bio-Formats deserialize untrusted data, whether the file is fully attacker-controlled or derived from a legitimate memo file. Depending on what is deserialized, the result is a denial of service, manipulation of reader state, or remote code execution when suitable gadget chains are present on the classpath.
*Impact:*

An attacker can:

* trigger deserialization of untrusted data
* cause repeated parsing failures (denial of service)
* influence reader discovery and class loading
* potentially achieve remote code execution when suitable gadget chains exist

The vulnerability is reachable through standard image processing workflows and does not require non-default configuration.

*Proof of Concept:* Corrupting a Legitimate Memo File

This PoC demonstrates exploitation by modifying a legitimately generated .bfmemo file, which closely mirrors a real-world attack scenario: the attacker does not have to forge a memo from scratch, only to write to the location Memoizer will read it from.

Step 1 – Generate a Valid Memo File

[Step 1/4] Creating valid TIFF image...
[+] Created valid.tif
[Step 2/4] Generating legitimate memo file...
[+] Memo created at: ./root/bioformats/.valid.tif.bfmemo
[+] Size: 34815 bytes

Step 2 – Corrupt the Existing Memo File

[Step 4/4] Corrupting memo file...
[+] Corrupted memo (appended 400 garbage bytes)
[+] Created symlink to memo file

Example Output

[*] Loading valid.tif with Memoizer...
java.lang.ClassNotFoundException: loci.formats.in.URLReader
        at loci.formats.ClassList.parseLine(ClassList.java:196)
        at loci.formats.ClassList.parseFile(ClassList.java:258)
        at loci.formats.Memoizer.<init>(Memoizer.java:540)
java.lang.ClassNotFoundException: loci.formats.in.SlideBook6Reader
java.lang.ClassNotFoundException: loci.formats.in.ScreenReader
java.lang.ClassNotFoundException: loci.formats.in.ZarrReader
java.lang.ClassNotFoundException: ch.epfl.biop.formats.in.ZeissQuickStartCZIReader

Note on reading this output: the stack trace points at loci.formats.ClassList.parseFile called from the Memoizer constructor, i.e. the reader class list being parsed when the Memoizer is created, before the memo file is opened. Optional reader classes missing from the classpath produce exactly these messages regardless of the memo's contents, so they are not by themselves evidence that the corrupted memo was deserialized. When reproducing, confirm the memo was actually read (for example via Memoizer's isLoadedFromMemo()) or compare the run against an unmodified memo.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
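The following is an added example, not part of this advisory or of Bio-Formats. It implements the kind of pre-load check the summary says Memoizer lacks: before an image is handed to a reader, the memo file that Memoizer would pick up is rejected if it is a symlink, owned by someone else, writable by others, older than the image, or if its SHA-256 digest does not match the one recorded when a trusted run wrote it. The memo layout (<memo_root>/<absolute image directory>/.<image name>.bfmemo) is an assumption taken from the PoC output, the JSON digest manifest is hypothetical, and the image bytes, memo bytes and file operations in demo() are constructed to replay the PoC steps (append 400 garbage bytes, plant a symlink at the memo path) without Bio-Formats installed.

```python
"""Pre-flight integrity check for Bio-Formats memo (.bfmemo) files.

Added example, not part of the advisory or of Bio-Formats. Assumes the memo
layout visible in the PoC output and a hypothetical JSON manifest of digests
recorded when memos were written by a trusted run.
"""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path

MEMO_SUFFIX = ".bfmemo"


def memo_path_for(image: Path, memo_root: Path) -> Path:
    """Expected memo location for `image` (layout assumed from the PoC output)."""
    image = Path(os.path.abspath(image))
    rel_dir = image.parent.relative_to(image.parent.anchor)
    return memo_root / rel_dir / f".{image.name}{MEMO_SUFFIX}"


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def record_memo(memo: Path, manifest: Path) -> None:
    """Record the digest of a memo written by a trusted run (hypothetical manifest)."""
    entries = json.loads(manifest.read_text()) if manifest.exists() else {}
    entries[os.path.abspath(memo)] = sha256_of(memo)
    manifest.write_text(json.dumps(entries))


def check_memo(image: Path, memo_root: Path, manifest: Path) -> list:
    """Return the reasons the memo for `image` must not be handed to Memoizer.

    An empty list means the memo is absent or passes every check. An absent
    memo is fine: the reader parses the image itself and writes a fresh one.
    """
    memo = memo_path_for(image, memo_root)
    findings = []
    try:
        st = os.lstat(memo)
    except FileNotFoundError:
        return findings
    if stat.S_ISLNK(st.st_mode):
        findings.append("symlink")  # PoC step: a symlink planted at the memo path
        try:
            st = os.stat(memo)  # remaining checks look at whatever it points to
        except FileNotFoundError:
            return findings
    if not stat.S_ISREG(st.st_mode):
        findings.append("not-regular-file")
        return findings
    if os.name == "posix" and st.st_uid != os.geteuid():
        findings.append("foreign-owner")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("group-or-world-writable")
    if st.st_mtime < os.stat(image).st_mtime:
        findings.append("older-than-image")
    entries = json.loads(manifest.read_text()) if manifest.exists() else {}
    expected = entries.get(os.path.abspath(memo))
    if expected is None:
        findings.append("unrecorded")
    elif expected != sha256_of(memo):
        findings.append("digest-mismatch")  # PoC step: garbage appended to the memo
    return findings


def demo() -> dict:
    """Replay the PoC's file operations on constructed inputs; no Bio-Formats needed."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        image = root / "valid.tif"
        image.write_bytes(b"II*\x00" + b"\x00" * 60)  # constructed: TIFF magic only
        memo_root = root / "memo"
        manifest = root / "memo-manifest.json"
        memo = memo_path_for(image, memo_root)
        memo.parent.mkdir(parents=True)
        memo.write_bytes(bytes(range(256)) * 4)  # constructed stand-in for memo bytes
        os.chmod(memo, 0o600)
        record_memo(memo, manifest)  # trusted run records the digest
        results = {"memo_name": memo.name, "clean": check_memo(image, memo_root, manifest)}
        with open(memo, "ab") as f:
            f.write(b"\x00" * 400)  # PoC step: append 400 garbage bytes
        results["corrupted"] = check_memo(image, memo_root, manifest)
        planted = root / "planted.bfmemo"
        planted.write_bytes(b"attacker-controlled")  # constructed
        os.chmod(planted, 0o600)
        memo.unlink()
        memo.symlink_to(planted)  # PoC step: symlink at the memo path
        results["symlinked"] = check_memo(image, memo_root, manifest)
    return results


if __name__ == "__main__":
    for stage, findings in demo().items():
        print(f"{stage}: {findings}")
```

The digest manifest only adds security if it is written by the same trusted process that generated the memo and stored where the party supplying images cannot write; otherwise the attacker simply records a digest for the file they planted. The ownership and symlink checks stand on their own and catch the two modifications the PoC makes. A simpler deployment-level mitigation is to give Memoizer a dedicated memo directory that untrusted users cannot write to, so that memos next to attacker-supplied images are never consulted.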
