[lwip-devel] [bug #61480] MQTT: RCE caused by buffer overflow
From: Hyeonsu Kim
Subject: [lwip-devel] [bug #61480] MQTT: RCE caused by buffer overflow
Date: Sun, 14 Nov 2021 02:22:58 -0500 (EST)
User-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.44
URL: <https://savannah.nongnu.org/bugs/?61480>
Summary: MQTT: RCE caused by buffer overflow
Project: lwIP - A Lightweight TCP/IP stack
Submitted by: icekrim
Submitted on: Sun 14 Nov 2021 07:22:57 AM UTC
Category: Security-related
Severity: 3 - Normal
Item Group: Crash Error
Status: None
Privacy: Public
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
Planned Release: None
lwIP version: git head
_______________________________________________________
Details:
Summary:
An integer overflow in mqtt_parse_incoming of src/apps/mqtt/mqtt.c allows
attackers to achieve remote code execution via an MQTT packet with a fixed
header length of 129 bytes or more.
Description:
When the fixed header of an MQTT packet is 128 bytes or longer, a buffer
overflow of virtually unbounded length is possible by setting the header
values appropriately.
mqtt.c, line 893:

    cpy_len = (u16_t)LWIP_MIN((u16_t)(p->tot_len - in_offset), msg_rem_len);
    /* Limit to available space in buffer */
    buffer_space = MQTT_VAR_HEADER_BUFFER_LEN - fixed_hdr_len;
    if (cpy_len > buffer_space) {
      cpy_len = buffer_space;
    }
    /* Adjust cpy_len to ensure zero-copy operation for remaining parts of current message */
    if (client->msg_idx >= MQTT_VAR_HEADER_BUFFER_LEN) {
      if (cpy_len > (p->len - in_offset))
        cpy_len = p->len - in_offset;
    }
    var_hdr_payload = (u8_t*)pbuf_get_contiguous(p, client->rx_buffer + fixed_hdr_len, buffer_space, cpy_len, in_offset);
    ....
As described in bug #61479, an attacker can make fixed_hdr_len higher than 129.
Because MQTT_VAR_HEADER_BUFFER_LEN is 128, the subtraction yields a negative
number (in this case -1), which is assigned to the unsigned buffer_space, so
buffer_space wraps to a very large number.
An attacker can set cpy_len to any value in the range of the u16 type by
modifying the remaining length of the MQTT packet.
Therefore, an attacker can overwrite up to 65535 bytes starting at
client->rx_buffer + fixed_hdr_len through pbuf_get_contiguous simply by making
fixed_hdr_len equal to 129.
This allows remote code execution on embedded systems without memory
protection.
I have completed the PoC on an stm32 board that I own personally, and I will
prepare a Linux port if necessary. Thank you.
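To illustrate the arithmetic the report describes, here is an added example (not lwIP's code; parse_fixed_header and MQTT_MAX_FIXED_HDR_LEN are hypothetical names of my own): the unchecked u16_t subtraction wraps for fixed_hdr_len == 129, while a fixed-header parser that enforces the protocol's 4-byte remaining-length limit never lets fixed_hdr_len grow anywhere near MQTT_VAR_HEADER_BUFFER_LEN.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint8_t  u8_t;
typedef uint16_t u16_t;
typedef uint32_t u32_t;

#define MQTT_VAR_HEADER_BUFFER_LEN 128   /* same size as in lwIP */
/* MQTT 3.1.1 encodes "remaining length" in at most 4 bytes, so a valid
   fixed header is at most 1 control byte + 4 length bytes (hypothetical name). */
#define MQTT_MAX_FIXED_HDR_LEN 5

/* The subtraction from the report: buffer_space is a u16_t, so with
   fixed_hdr_len == 129 the int result -1 wraps to 65535 instead of failing.
   The cast only makes the implicit conversion explicit. */
u16_t buffer_space_unchecked(u8_t fixed_hdr_len)
{
  u16_t buffer_space = (u16_t)(MQTT_VAR_HEADER_BUFFER_LEN - fixed_hdr_len);
  return buffer_space;
}

/* Hardened fixed-header parser (hypothetical, not lwIP's code): stops as soon
   as the remaining-length encoding exceeds the protocol maximum, so
   fixed_hdr_len stays <= 5 and the buffer_space subtraction cannot wrap.
   Returns false on truncated or malformed input. */
bool parse_fixed_header(const u8_t *buf, size_t len, u8_t *fixed_hdr_len,
                        u32_t *rem_len, u16_t *buffer_space)
{
  size_t i = 1;   /* buf[0] is the control byte; length bytes follow */
  u32_t value = 0;
  u8_t b;
  do {
    /* reject truncated input and a fifth length byte */
    if (i >= len || i >= MQTT_MAX_FIXED_HDR_LEN) return false;
    b = buf[i];
    value |= (u32_t)(b & 0x7f) << ((i - 1) * 7);
    i++;
  } while (b & 0x80);          /* top bit set: another length byte follows */
  *fixed_hdr_len = (u8_t)i;
  *rem_len = value;
  *buffer_space = (u16_t)(MQTT_VAR_HEADER_BUFFER_LEN - i);  /* i <= 5, no wrap */
  return true;
}

int main(void)
{
  /* constructed 129-byte fixed header: control byte + 128 continuation bytes */
  u8_t bad[129]; u8_t fh; u32_t rl; u16_t bs;
  memset(bad, 0x80, sizeof bad); bad[0] = 0x30;
  printf("unchecked buffer_space for fixed_hdr_len=129: %u\n", buffer_space_unchecked(129));
  printf("hardened parser accepts it: %s\n",
         parse_fixed_header(bad, sizeof bad, &fh, &rl, &bs) ? "yes" : "no");
  return 0;
}
```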
_______________________________________________________
Reply to this item at:
<https://savannah.nongnu.org/bugs/?61480>
_______________________________________________
Message sent via Savannah
https://savannah.nongnu.org/