The Mongoose HTTPS server (compiled with mbedTLS support) is vulnerable to a remote out-of-bounds write via a connection request once the memory pool has been exhausted.
Incorrect handling of the value returned by calloc in mg_tls_init may lead to:
an out-of-bounds write attempt and a segmentation fault where memory protection is restrictive,
an overwrite of memory near the NULL address (at 0x458) where memory protection is limited (e.g. in embedded environments).
Memory is allocated while handling each HTTPS request, so the allocation failure can be triggered remotely by flooding the server with requests until memory is exhausted.
In some embedded environments the memory near address zero is used to store device configuration, so in that case the configuration can be overwritten remotely.
With the example running under ErrorSanitizer in gdb (see the reproduction steps below), open the following URL in a browser (where <MONGOOSE_ADDR> is the address of the tested Mongoose instance):
https://<MONGOOSE_ADDR>:8000
You should see output similar to the following, with the crash inside mbedtls_ssl_init() called from mg_tls_init():
process 30197 is executing new program: mongoose/examples/http-restful-server/example
2021-01-21 00:00:00 I log.c:18:mg_log_set Setting log level to 2
2021-01-21 00:00:00 I sock.c:453:mg_listen 1 accepting on https://localhost:8000
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff79970d0 in mbedtls_ssl_init () from /usr/lib/x86_64-linux-gnu/libmbedtls.so.10
#0 0x00007ffff79970d0 in mbedtls_ssl_init () from /usr/lib/x86_64-linux-gnu/libmbedtls.so.10
#1 0x0000555555560fa9 in mg_tls_init (c=0x5555557688c0, opts=0x7fffffffdbf0) at src/tls.c:70
#2 0x000055555556377a in fn (c=0x5555557688c0, ev=4, ev_data=0x0, fn_data=0x0) at main.c:28
#3 0x0000555555557df1 in mg_call (c=0x5555557688c0, ev=4, ev_data=0x0) at src/event.c:9
#4 0x000055555555fae4 in accept_conn (mgr=0x7fffffffdd20, lsn=0x5555557686c0) at src/sock.c:393
#5 0x0000555555560484 in mg_mgr_poll (mgr=0x7fffffffdd20, ms=1000) at src/sock.c:543
#6 0x00005555555638de in main () at main.c:51
Vulnerable code (mongoose.c):
See the following recommendation for details (especially its calloc example):
https://wiki.sei.cmu.edu/confluence/display/c/ERR33-C.+Detect+and+handle+standard+library+errors
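As an added illustration of the unchecked-calloc pattern described at the top of this report and of the ERR33-C check the recommendation above calls for, the following C program is not Mongoose's or mbedTLS's code. It uses a constructed context struct and a switchable allocator to stand in for the mbedTLS context and for ErrorSanitizer's forced failure; the struct layout, the field names, the connection object and the function names are assumptions, chosen so that the first store through a NULL context lands at offset 0x458, the address quoted in the report.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for the mbedTLS SSL context (hypothetical layout).
 * The padding places the first field the init routine stores to at offset
 * 0x458, the near-NULL address quoted in the report. */
struct tls_ctx {
    unsigned char pad[0x458];
    int state;
};

/* Constructed stand-in for a Mongoose connection object (hypothetical). */
struct conn {
    struct tls_ctx *tls;   /* per-connection TLS context, NULL until set up */
    int is_closing;        /* set to have the event loop drop the connection */
};

/* Allocation failure switch: plays the role ErrorSanitizer plays in the
 * report, making calloc() return NULL on the allocation under test. */
static int g_force_calloc_failure = 0;

static void *sim_calloc(size_t n, size_t sz) {
    if (g_force_calloc_failure) return NULL;
    return calloc(n, sz);
}

/* Stand-in for mbedtls_ssl_init(). The real body is not reproduced; what
 * matters is that it stores through the pointer it is given, so a NULL
 * context faults at NULL + offsetof(state) inside the callee, which is why
 * the backtrace shows the crash in mbedtls_ssl_init() and not in the caller. */
static void ssl_init(struct tls_ctx *ctx) {
    ctx->state = 1;
}

/* Pattern the report describes: calloc() result used without a NULL check.
 * Under forced failure this dereferences NULL + 0x458; never call it then. */
static int tls_init_unchecked(struct conn *c) {
    struct tls_ctx *ctx = sim_calloc(1, sizeof *ctx);
    ssl_init(ctx);
    c->tls = ctx;
    return 0;
}

/* Hardened form per ERR33-C: detect the failure, refuse this one connection
 * and keep the listener alive instead of crashing the whole server. */
static int tls_init_checked(struct conn *c) {
    struct tls_ctx *ctx = sim_calloc(1, sizeof *ctx);
    if (ctx == NULL) {
        c->tls = NULL;
        c->is_closing = 1;
        return -1;
    }
    ssl_init(ctx);
    c->tls = ctx;
    return 0;
}

static void conn_free(struct conn *c) {
    free(c->tls);
    c->tls = NULL;
}

/* Address the unchecked path stores to once calloc() fails: NULL plus the
 * offset of the first field ssl_init() writes (0x458 in this layout). */
static uintptr_t unchecked_write_address(void) {
    return (uintptr_t)offsetof(struct tls_ctx, state);
}

/* With memory available both variants set up the connection; returns 1 if so. */
static int run_normal(void) {
    struct conn a = {0}, b = {0};
    g_force_calloc_failure = 0;
    int ok = tls_init_unchecked(&a) == 0 && a.tls != NULL &&
             tls_init_checked(&b) == 0 && b.tls != NULL && !b.is_closing;
    conn_free(&a);
    conn_free(&b);
    return ok;
}

/* With memory exhausted the checked variant returns -1, leaves tls NULL and
 * marks the connection for closing; returns 1 if it did all three. */
static int run_exhausted(void) {
    struct conn c = {0};
    g_force_calloc_failure = 1;
    int rc = tls_init_checked(&c);
    g_force_calloc_failure = 0;
    return rc == -1 && c.tls == NULL && c.is_closing == 1;
}

int main(void) {
    printf("normal operation ok: %d\n", run_normal());
    printf("exhausted, connection refused cleanly: %d\n", run_exhausted());
    printf("unchecked variant would store at %#lx\n",
           (unsigned long)unchecked_write_address());
    return 0;
}
```

The checked variant deliberately fails only the connection whose allocation failed, which is the behaviour a flood of requests should produce: individual handshakes are refused while the listener keeps running, instead of the whole process taking SIGSEGV (or, without memory protection, writing into whatever lives at 0x458).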
The issue can be reproduced and tested using ErrorSanitizer (https://gitlab.com/ErrorSanitizer/ErrorSanitizer).
Reproduction steps:
Install gdb
Download and unpack the ErrorSanitizer source (https://gitlab.com/ErrorSanitizer/ErrorSanitizer)
Compile ErrorSanitizer according to the manual (https://gitlab.com/ErrorSanitizer/ErrorSanitizer#compilation):
cd ErrorSanitizer; make
Set ESAN to the path of the ErrorSanitizer directory:
export ESAN=/opt/...
Download and unzip the attached map file temp_2.cur_input (the map tells ErrorSanitizer which call to make fail):
temp_2.cur_input.zip
Install the mbedTLS library
Download, unzip and compile the Mongoose example "http-restful-server" with MBEDTLS_DIR defined to point at the mbedTLS directory and with debug symbols (-g)
Run the Mongoose "http-restful-server" example under ErrorSanitizer in gdb using:
gdb -batch -ex='run' -ex='backtrace' --args env LD_PRELOAD="$ESAN/error_sanitizer_preload.so" ./example temp_2.cur_input