Thanks for the great project first. I have found some vulnerabilities during reading the source code.
memory corruption in parse_multipart
When an NF receives an SBI (HTTP/2) message with Content-Type: multipart/related, parse_multipart in lib/sbi/message.c will try to parse all parts in the request, but struct multipart_parser_data_s only has OGS_SBI_MAX_NUM_OF_PART (8) part entries, so any request carrying more parts than that overruns the array and corrupts stack memory.
Below is a PoC request to crash amfd (which listens on 127.0.0.5:7777):
null pointer dereference
A request to namf-comm/v1/ue-contexts/imsi-901700000000001/n1-n2-messages in amf will call amf_namf_comm_handle_n1_n2_message_transfer in src/amf/namf-handler.c. OpenAPI_n1_n2_message_transfer_req_data_parseFromJSON can parse data without n2_info_container and returns n2_info_container as NULL. This skips the if on line 113:
```c
n2InfoContainer = N1N2MessageTransferReqData->n2_info_container;
if (n2InfoContainer) {
    smInfo = n2InfoContainer->sm_info;
    if (!smInfo) {
        ogs_error("No smInfo");
        return OGS_ERROR;
    }
    n2InfoContent = smInfo->n2_info_content;
    if (!n2InfoContent) {
        ogs_error("No n2InfoContent");
        return OGS_ERROR;
    }
```
In this case n2InfoContent is never set, but on line 156 n2InfoContent is dereferenced:
```c
switch (n2InfoContent->ngap_ie_type) {
```
Below is a PoC to crash amfd (this requires a live UE context; I was using ueransim to simulate imsi-901700000000001 here):
leommxj from Chaitin Security Research Lab.
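The defensive shape of a fix for the first issue, as an added illustration that is not Open5GS code: a simplified multipart walker over a constructed body that refuses a ninth part instead of writing past the fixed-size table. MAX_NUM_OF_PART, part_t, multipart_data_t, parse_parts and count_parts_accepted are assumed names for this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the fixed part table described in the report. */
#define MAX_NUM_OF_PART 8

typedef struct {
    const char *body;   /* points into the request buffer */
    size_t body_len;
} part_t;

typedef struct {
    int num_of_part;
    part_t part[MAX_NUM_OF_PART];
} multipart_data_t;

/* Returns the number of parts stored, or -1 when the body carries more
 * parts than the table can hold: reject the request instead of overrunning
 * the array (the unchecked version would keep writing past part[7]). */
int parse_parts(const char *body, const char *boundary, multipart_data_t *data)
{
    char delim[128];
    snprintf(delim, sizeof(delim), "--%s", boundary);
    size_t dlen = strlen(delim);
    memset(data, 0, sizeof(*data));
    const char *p = strstr(body, delim);
    while (p) {
        p += dlen;
        if (strncmp(p, "--", 2) == 0) break;      /* closing delimiter */
        const char *next = strstr(p, delim);
        if (data->num_of_part >= MAX_NUM_OF_PART) return -1;   /* bounds check */
        part_t *part = &data->part[data->num_of_part++];
        part->body = p;                           /* headers + payload, simplified */
        part->body_len = next ? (size_t)(next - p) : strlen(p);
        p = next;
    }
    return data->num_of_part;
}

/* Builds a constructed multipart body with n JSON parts and reports what
 * parse_parts accepts; anything above MAX_NUM_OF_PART yields -1. */
int count_parts_accepted(int n)
{
    static char body[4096];
    size_t off = 0;
    for (int i = 0; i < n; i++)
        off += snprintf(body + off, sizeof(body) - off,
                        "--B\r\nContent-Type: application/json\r\n\r\n{}\r\n");
    snprintf(body + off, sizeof(body) - off, "--B--\r\n");
    multipart_data_t d;
    return parse_parts(body, "B", &d);
}
```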