
Stack-buffer-overflow in libcoap #1310

Closed
@msxfXF

Description


Environment

  • Build System: Make
  • Operating System: Linux
  • Operating System Version: Ubuntu 20.04
  • Hosted Environment: None

Report

  • [1] Vulnerabilities:

Stack-buffer-overflow in libcoap.

  • [2] Affected Versions:

Unspecified version (additional versions could also be affected).

  • [3] Vulnerability Type:

CWE-121: Stack Based Buffer Overflow

  • [4] Vendor of Product:

Libcoap

  • [5] Attack Type:

Local.

  • [6] Impact:

Potential code execution, crash, etc. Permits the attacker to execute arbitrary code on affected installations.

  • [7] Mitigation:

Overflow occurs in the handling of an input file in coap_new_oscore_conf() function. Proper boundary checking of the input file can provide a potential fix.

  • [8] Reproducing the Issue:

file overflow-1.c

//
// Created by msxfxf on 24-1-24.
//
// afl-clang-fast overflow-1.c -v -I../include -I../ -lssl -lcrypto ../libcoap/.libs/libcoap-3-openssl.a  -g -fsanitize=address -o overflow

#include <fcntl.h>
#include <unistd.h>
#include "coap3/coap_internal.h"
#include "oscore/oscore.h"
#include "oscore/oscore_context.h"
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_LEN 1024

// libFuzzer-style entry point: the raw input bytes are handed to
// coap_new_oscore_conf() as if they were an OSCORE configuration file.
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
    coap_context_t ctx[1];
    coap_oscore_conf_t *oscore_conf;

    if (Size < 1 || Size > MAX_LEN)
        return 0;

    const coap_str_const_t conf = { Size, Data };

    memset(ctx, 0, sizeof(ctx));
    // The stack-buffer-overflow is triggered while this call parses the input.
    oscore_conf = coap_new_oscore_conf(conf, NULL, NULL, 0);

    oscore_free_contexts(ctx);
    coap_delete_oscore_conf(oscore_conf);
    return 0;
}

#ifndef TESTING
int main(int argc, char **argv)
{
    uint8_t Data[MAX_LEN];
    ssize_t n;
    int fd;

    if (argc != 2)
    {
        printf("Usage: %s <file>\n", argv[0]);
        return 0;
    }

    fd = open(argv[1], O_RDONLY);
    if (fd < 0)
    {
        perror("Error opening file");
        return 1;
    }

    // read() returns -1 on failure; check it before treating it as a length.
    n = read(fd, Data, MAX_LEN);
    close(fd);
    if (n < 0)
    {
        perror("Error reading file");
        return 1;
    }

    printf("Read %zu bytes from %s\n", (size_t)n, argv[1]);

    LLVMFuzzerTestOneInput(Data, (size_t)n);
    return 0;
}
#endif

file: crash0

#astsi0
hem,hex_aster_secret,hex,"0102030405060708090a0b0c0d0e0f1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111$11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110"

Command: ./overflow-1 ./crash0

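The report points at the missing boundary check when a hex-encoded value from the configuration text (as in crash0, a quoted hex string far longer than any key) is decoded into a fixed-size stack buffer. The following is an added illustration of that CWE-121 pattern and of the bounded version the mitigation section asks for; it is not libcoap's parser. The line format `name,hex,"<hex digits>"`, the 32-byte key buffer and the function names are assumptions made for the example.

```c
/* Added example, not libcoap code: a config-line parser in the style of the
 * crash0 input, showing the unchecked stack-buffer write that CWE-121
 * describes next to a bounded decoder that rejects oversized values.
 * Line format, buffer size and names are assumptions for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <ctype.h>

#define KEY_MAX 32   /* assumed capacity of the on-stack key buffer */

static int hex_nibble(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Locate the quoted hex payload in a line like  name,hex,"0102..."  .
 * Returns a pointer to the first hex digit and stores the digit count in
 * *len, or NULL when the quotes are missing. */
static const char *find_hex_field(const char *line, size_t *len) {
    const char *open = strchr(line, '"');
    if (!open) return NULL;
    const char *close = strchr(open + 1, '"');
    if (!close) return NULL;
    *len = (size_t)(close - open - 1);
    return open + 1;
}

/* Vulnerable pattern: decodes into the caller's buffer without ever
 * comparing the digit count against the buffer's capacity. A value longer
 * than 2*KEY_MAX digits writes past the end of a KEY_MAX-byte stack array. */
static int hex_decode_unchecked(const char *hex, size_t hexlen, uint8_t *out) {
    size_t i;
    if (hexlen % 2) return -1;
    for (i = 0; i < hexlen / 2; i++) {
        int hi = hex_nibble(hex[2 * i]), lo = hex_nibble(hex[2 * i + 1]);
        if (hi < 0 || lo < 0) return -1;
        out[i] = (uint8_t)((hi << 4) | lo);
    }
    return (int)(hexlen / 2);
}

/* Hardened version: the capacity is part of the contract and is checked
 * before any byte is written. */
static int hex_decode_bounded(const char *hex, size_t hexlen,
                              uint8_t *out, size_t cap) {
    if (hexlen % 2 || hexlen / 2 > cap) return -1;
    return hex_decode_unchecked(hex, hexlen, out); /* length already verified */
}

/* Parse one config line into a stack key buffer the bounded way.
 * Returns the decoded length, 0 for a '#' comment line, or -1 when the
 * line is malformed or the value does not fit. */
int parse_key_line(const char *line) {
    uint8_t key[KEY_MAX];
    size_t hexlen;
    const char *hex;
    if (line[0] == '#') return 0;
    hex = find_hex_field(line, &hexlen);
    if (!hex) return -1;
    return hex_decode_bounded(hex, hexlen, key, sizeof key);
}

/* Constructed input modelled on crash0: a 1000-digit value, far larger
 * than KEY_MAX. With the unchecked decoder this would smash the stack;
 * the bounded parser returns -1 instead. */
int demo_oversized_line(void) {
    char line[1200];
    size_t n = (size_t)snprintf(line, sizeof line, "master_secret,hex,\"");
    memset(line + n, '1', 1000);
    n += 1000;
    line[n++] = '"';
    line[n] = '\0';
    return parse_key_line(line);
}

int main(void) {
    printf("16-byte key: %d\n",
           parse_key_line("master_secret,hex,\"0102030405060708090a0b0c0d0e0f10\""));
    printf("oversized value: %d\n", demo_oversized_line());
    return 0;
}
```

The important difference is that `hex_decode_bounded` takes the destination capacity as a parameter and rejects the value before the loop runs, whereas `hex_decode_unchecked` trusts the input length; a fuzzer feeding files like crash0 finds the second form within seconds under ASan.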
