[lwip-devel] [bug #61480] MQTT: RCE caused by buffer overflow


From: Hyeonsu Kim
Subject: [lwip-devel] [bug #61480] MQTT: RCE caused by buffer overflow
Date: Sun, 14 Nov 2021 02:22:58 -0500 (EST)
User-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.44

URL:
  <https://savannah.nongnu.org/bugs/?61480>

                 Summary: MQTT: RCE caused by buffer overflow
                 Project: lwIP - A Lightweight TCP/IP stack
            Submitted by: icekrim
            Submitted on: Sun 14 Nov 2021 07:22:57 AM UTC
                Category: Security-related
                Severity: 3 - Normal
              Item Group: Crash Error
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any
         Planned Release: None
            lwIP version: git head

    _______________________________________________________

Details:

Summary:
Integer overflow in mqtt_parse_incoming of src/apps/mqtt/mqtt.c allows
attackers to perform remote code execution via an MQTT packet with a fixed
header length of 129 bytes or more.

Description:
When the length of the fixed_header of an MQTT packet is 128 or more, a buffer
overflow of virtually infinite length is possible by appropriately setting the
header value.

mqtt.c 893
cpy_len = (u16_t)LWIP_MIN((u16_t)(p->tot_len - in_offset), msg_rem_len);
/* Limit to available space in buffer */
buffer_space = MQTT_VAR_HEADER_BUFFER_LEN - fixed_hdr_len;
if (cpy_len > buffer_space) {
  cpy_len = buffer_space;
}
/* Adjust cpy_len to ensure zero-copy operation for remaining parts of current
message */
if (client->msg_idx >= MQTT_VAR_HEADER_BUFFER_LEN) {
  if (cpy_len > (p->len - in_offset))
    cpy_len = p->len - in_offset;
}
var_hdr_payload = (u8_t*)pbuf_get_contiguous(p, client->rx_buffer +
fixed_hdr_len, buffer_space, cpy_len, in_offset);
....

As described in bug #61479, an attacker can make fixed_hdr_len higher than 129.
Because MQTT_VAR_HEADER_BUFFER_LEN is 128, a negative number (in this case -1)
is assigned to buffer_space, so buffer_space becomes a very large number.

cpy_len can be freely changed within the range of the u16 type by a hacker by
modifying the remaining length of the MQTT packet.
Therefore, an attacker can overwrite up to 65535 bytes from client->rx_buffer
+ fixed_hdr_len through pbuf_get_contiguous just by setting fixed_hdr_len to
129.
This allows remote code execution in embedded systems to which memory
protection is not applied.

I have completed the PoC on an STM32 board that I personally own, and I will
prepare a Linux port if necessary. Thank you.




    _______________________________________________________

Reply to this item at:

  <https://savannah.nongnu.org/bugs/?61480>

_______________________________________________
  Message sent via Savannah
  https://savannah.nongnu.org/
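
Added example, not part of the original report and not lwIP's own code: the
clamp arithmetic from the excerpt above, isolated next to a checked variant.
It assumes buffer_space is an unsigned 16-bit variable like cpy_len; the
function names and the avail parameter (standing in for p->tot_len -
in_offset) are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

#define MQTT_VAR_HEADER_BUFFER_LEN 128  /* value stated in the report */

/* buffer_space as computed in the excerpt. Assumption: the variable is an
   unsigned 16-bit type, so a negative difference wraps around. */
static uint16_t reported_buffer_space(uint16_t fixed_hdr_len)
{
  return (uint16_t)(MQTT_VAR_HEADER_BUFFER_LEN - fixed_hdr_len);
}

/* Clamp logic as in the excerpt: the limit is useless once it has wrapped. */
static uint16_t clamp_as_reported(uint16_t fixed_hdr_len, uint16_t avail,
                                  uint16_t msg_rem_len)
{
  uint16_t cpy_len = avail < msg_rem_len ? avail : msg_rem_len;
  uint16_t buffer_space = reported_buffer_space(fixed_hdr_len);
  if (cpy_len > buffer_space) {
    cpy_len = buffer_space;
  }
  return cpy_len;
}

/* Hypothetical checked variant: refuse the subtraction when it would go
   negative. Returns 0 and sets *cpy_len on success, -1 on a bad header. */
static int clamp_checked(uint16_t fixed_hdr_len, uint16_t avail,
                         uint16_t msg_rem_len, uint16_t *cpy_len)
{
  if (fixed_hdr_len > MQTT_VAR_HEADER_BUFFER_LEN) {
    return -1;  /* header cannot fit in rx_buffer: drop the message */
  }
  *cpy_len = clamp_as_reported(fixed_hdr_len, avail, msg_rem_len);
  return 0;
}

int main(void)
{
  uint16_t n = 0;
  /* Constructed inputs: 1000 bytes available, remaining length 1000. */
  printf("hdr=2   space=%u cpy_len=%u\n", (unsigned)reported_buffer_space(2),
         (unsigned)clamp_as_reported(2, 1000, 1000));
  printf("hdr=129 space=%u cpy_len=%u\n", (unsigned)reported_buffer_space(129),
         (unsigned)clamp_as_reported(129, 1000, 1000));
  printf("checked hdr=129 -> %d\n", clamp_checked(129, 1000, 1000, &n));
  return 0;
}
```
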



