[riot-notifications] [RIOT-OS/RIOT] nanocoap: options buffer overflow (#10753)

nmeum notifications at github.com
Fri Jan 11 10:11:01 CET 2019

#### Description

nanocoap contains a buffer overflow which has been introduced with
commit dee793d29f09bafa83bb2c9fe293eb7b16fc009a. The bug allows an
attacker to overflow the `options` buffer in the `coap_pkt_t` supplied
to `coap_parse`.

The relevant code part is the following:

```c
if (option_delta) {
    optpos->opt_num = option_nr;
    optpos->offset = (uintptr_t)option_start - (uintptr_t)hdr;
    DEBUG("optpos option_nr=%u %u\n", (unsigned)option_nr, (unsigned)optpos->offset);
```

`optpos` is a pointer to the `options` buffer in the `coap_pkt_t`. This
pointer is incremented without checking whether it exceeds
`NANOCOAP_NOPTS_MAX` (the size of the buffer). It is also used to write a
new option at the current position in the `options` buffer.
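To show where the missing bound belongs, here is an added example (not RIOT's nanocoap code) of a cut-down option-table parser that refuses a packet once the `options` table is full instead of writing past it. It reuses the names `coap_pkt_t`, `optpos` and `NANOCOAP_NOPTS_MAX` from the report, but the structures, the value 4 for `NANOCOAP_NOPTS_MAX`, the sample option streams and the restriction to short (0..12) delta/length nibbles are all assumptions made for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example, not RIOT code: a simplified model of nanocoap's option table.
 * NANOCOAP_NOPTS_MAX is RIOT's real name; 4 is a small value chosen for the demo. */
#define NANOCOAP_NOPTS_MAX 4

typedef struct { uint16_t opt_num; uint16_t offset; } coap_optpos_t;
typedef struct { coap_optpos_t options[NANOCOAP_NOPTS_MAX]; unsigned options_len; } coap_pkt_t;

/* Parse the option stream that follows the CoAP header and token.
 * Assumption: only the short (0..12) delta/length nibbles are modelled; the
 * 13/14 extended encodings are rejected to keep the example short.
 * Returns the number of table entries written, or -1 for a malformed packet,
 * including one carrying more than NANOCOAP_NOPTS_MAX distinct options. */
int parse_options(coap_pkt_t *pkt, const uint8_t *buf, size_t len)
{
    size_t pos = 0;
    unsigned option_nr = 0;
    pkt->options_len = 0;
    while (pos < len) {
        uint8_t b = buf[pos];
        if (b == 0xff) break;                     /* payload marker ends the options */
        unsigned delta = b >> 4, olen = b & 0x0f;
        if (delta >= 13 || olen >= 13) return -1; /* extended encodings not modelled */
        if (pos + 1 + olen > len) return -1;      /* value would run past the packet */
        option_nr += delta;
        if (delta) {                              /* new option number: new table entry */
            /* The check the report describes as missing: bound the table index
             * before writing, so options[] can never be overrun. */
            if (pkt->options_len >= NANOCOAP_NOPTS_MAX) return -1;
            coap_optpos_t *optpos = &pkt->options[pkt->options_len++];
            optpos->opt_num = (uint16_t)option_nr;
            optpos->offset = (uint16_t)pos;
        }
        pos += 1 + olen;
    }
    return (int)pkt->options_len;
}

/* Constructed sample option streams (header and token omitted). */
static const uint8_t sample_ok[]    = {0xB1, 'a', 0x01, 'b', 0xff}; /* Uri-Path "a","b" */
static const uint8_t sample_flood[] = {0x10, 0x10, 0x10, 0x10, 0x10}; /* 5 distinct options */
static const uint8_t sample_trunc[] = {0xB3, 'a'};                   /* length 3, 1 byte present */

/* Parse one sample into a scratch packet and report the result. */
int parse_sample(const uint8_t *buf, size_t len)
{
    coap_pkt_t pkt;
    return parse_options(&pkt, buf, len);
}
```

With the real `NANOCOAP_NOPTS_MAX`, the same check turns the overflow described above into a parse error that `coap_parse` can report to its caller.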

To trigger this buffer overflow an attacker can send a CoAP request
containing more than `NANOCOAP_NOPTS_MAX` options to a nanocoap server.
This may allow an attacker to crash the nanocoap server and cause a
denial of service. Additionally, a clever attacker might also be able to
use this for a remote code execution.

#### Steps to reproduce the issue

A malicious CoAP packet triggering this vulnerability can be sent to a RIOT
node in order to crash it. I created a malicious packet containing 42 which
should successfully crash native.

To test this build `examples/nanocoap_server` and send the crafted
malicious packet to it. For example:

```sh
$ while sleep 1; do busybox nc -u '[ip-address]' 5683 -e base64 -d crash; done
```

I personally prefer full disclosure for reporting such issues. Especially since #10749 hasn't been resolved yet. I also believe that doing full disclosure including documentation of an exploit worked quite well to get #10739 fixed in time. Besides, I didn't want to sit on this any longer and full disclosure is way better than no disclosure at all.
