Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Stack buffer overflow in RT-Thread AT server #8288

Closed
0xdea opened this issue Nov 24, 2023 · 4 comments
Closed

Stack buffer overflow in RT-Thread AT server #8288

0xdea opened this issue Nov 24, 2023 · 4 comments

Comments

@0xdea
Copy link

0xdea commented Nov 24, 2023

Hi,

I would like to report another potential vulnerability in the current version of RT-Thread. Please let me know if you plan to ask for a CVE ID in case the vulnerability is confirmed. I'm available if you need further clarifications.

Potential stack buffer overflow in RT-Thread AT server

Summary

I spotted a potential stack buffer overflow vulnerability at the following location in the RT-Thread AT server source code:
https://github.com/RT-Thread/rt-thread/blob/master/components/net/at/src/at_server.c#L410

Details

Lack of length check in the at_cmd_get_name() function could lead to a stack buffer overflow at the marked line:

#ifdef AT_USING_SERVER
...
static rt_err_t at_cmd_get_name(const char *cmd_buffer, char *cmd_name)
{
    rt_size_t cmd_name_len = 0, i = 0;

    RT_ASSERT(cmd_name);
    RT_ASSERT(cmd_buffer);

    for (i = 0; i < strlen(cmd_buffer); i++)
    {
        if (*(cmd_buffer + i) == AT_CMD_QUESTION_MARK || *(cmd_buffer + i) == AT_CMD_EQUAL_MARK
                || *(cmd_buffer + i) == AT_CMD_CR
                || (*(cmd_buffer + i) >= AT_CMD_CHAR_0 && *(cmd_buffer + i) <= AT_CMD_CHAR_9))
        {
            cmd_name_len = i;
            rt_memcpy(cmd_name, cmd_buffer, cmd_name_len); /* VULN: cmd_buffer is AT_SERVER_RECV_BUFF_LEN bytes (256), while cmd_name is only AT_CMD_NAME_LEN bytes (16); therefore, it might be possible to overflow past the cmd_name buffer with a carefully crafted cmd_buffer */
            *(cmd_name + cmd_name_len) = '\0';

            return RT_EOK;
        }
    }

    return -RT_ERROR;
}

Impact

If the unchecked input above is confirmed to be attacker-controlled and crossing a security boundary, the impact of the reported buffer overflow vulnerability could range from denial of service to arbitrary code execution.
@0xdea
Copy link
Author

0xdea commented Dec 24, 2023

Hi, it's been one month since I reported this vulnerability, and I wanted to ask if you have any update. As standard practice, I plan to request a CVE ID for every confirmed vulnerability. I also intend to publish an advisory by February at the latest, unless there's a specific reason to postpone. Thanks!

yangpengya added a commit to yangpengya/rt-thread that referenced this issue Dec 24, 2023
@yangpengya
RT-Thread#8288
713cf9b
@0xdea 0xdea changed the title Potential stack buffer overflow in RT-Thread AT server Stack buffer overflow in RT-Thread AT server Feb 2, 2024
@0xdea
Copy link
Author

0xdea commented Feb 8, 2024

Hi there, CVE-2024-25393 was assigned to this vulnerability. I'm planning to publish my security advisory and writeup on March 5th. Thanks.

@mysterywolf
Copy link
Member

Hi so sorry for the late reply, I just review some issues. Yes you can, and thanks for the bug report!

@0xdea
Copy link
Author

0xdea commented Feb 19, 2024

You're welcome, happy to help! Thank you for your feedback.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@0xdea @mysterywolf