Skip to content

Packet Type Confusion during IPHC send

Critical
chrysn published GHSA-jwmv-47p2-hgq2 Apr 24, 2023

Package

RIOT-OS

Affected versions

< 2022.10

Patched versions

2022.10

Description

Impact

RIOT-OS contains a network stack with the ability to process 6LoWPAN frames. An attacker can send a crafted frame to the device resulting in a type confusion between IPv6 extension headers and a UDP header. This occures while encoding a 6LoWPAN IPHC header. The type confusion manifests in an out of bounds write in the packet buffer. The overflow can be used to corrupt other packets and the allocator metadata. Corrupting a pointer will easily lead to denial of service. While carefully manipulating the allocator metadata gives an attacker the possibility to write data to arbitrary locations and thus execute arbitrary code.

Patches

Workarounds

  • Backport the patches listed above

For more information

If you have any questions or comments about this advisory:

Bug Details

During calculation of the size for the IPHC snippet the first snippet of type GNRC_NETTYPE_UNDEF is assumed to be the UDP header and only the required 8 bytes are added to the size.
But during forwarding this snippet can also contain the IPv6 extension headers which may be much larger (source)

if (ptr->type == GNRC_NETTYPE_UNDEF) {
    /* most likely UDP for now so use that (XXX: extend if extension
     * headers make problems) */
    dispatch_size += sizeof(udp_hdr_t);
    break;  /* nothing special after UDP so quit even if more UNDEF
             * come */
}
else {
    dispatch_size += ptr->size;
}
...
dispatch = gnrc_pktbuf_add(NULL, NULL, dispatch_size + 1,
                           GNRC_NETTYPE_SIXLOWPAN);

While compressing the headers the type is only taken from the next header field of the IPv6 header/extension header and not from the snippet type (source):

    nh = ((ipv6_hdr_t *)pkt->next->data)->nh;
#ifdef MODULE_GNRC_SIXLOWPAN_IPHC_NHC
    while (_compressible_nh(nh)) {
        ssize_t local_pos = 0;
        switch (nh) {
            case PROTNUM_UDP:
                ...
            case PROTNUM_IPV6: {    /* encapsulated IPv6 header */
                ...
            case PROTNUM_IPV6_EXT_HOPOPT:
            case PROTNUM_IPV6_EXT_RH:
            case PROTNUM_IPV6_EXT_FRAG:
            case PROTNUM_IPV6_EXT_DST:
            case PROTNUM_IPV6_EXT_MOB:
                ...

The compressed headers can be larger than the allocated space and thus overflow the allocated packet buffer.

Severity

Critical
9.8
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE ID

CVE-2023-24823

Credits