![]() ![]() Using a build of the code with address sanitizer enabled (x86-64 for convenience), the vulnerability can be also demonstrated using specially crafted input: =31170=ERROR: AddressSanitizer: heap-buffer-overflow on address 0圆0700000032f at pc 0x55b0167b85c8 bp 0x7ffca0e2aa60 sp 0x7ffca0e2aa50 We verified the issue by sending a large boundary value string to the HTTP server that crashed it. Moreover, the ‘num’ parameter of the call was incorrectly calculated based on pointer arithmetic of an attacker-controlled string without further boundary checks: The file http-s_req.o in charge of handling HTTP requests raised an alert that indicated that a function semantically equivalent to strncpy() was called on tainted data. In order to make our analysis work, we had to implement support for the special libc used in Micrium ( )Īfter that, we left our code running on the different binaries and inspected the results. We selected uC-HTTP binaries for analysis since we suspected that most of the alerts raised by PRIS were going to be easy candidates for our taint analysis component to reason about in terms of correlating function parameters to pointers to networking data. We found the vulnerability while testing the compatibility of our binary analysis engine PRIS™ with Silicon Labs’ Gecko SDK. P_conn->FormBoundaryPtr = ASCII_CHAR_NULL P_val++ // Remove space before boundary val. P_val = Str_Char_N(p_val, len, ASCII_CHAR_EQUALS_SIGN) Platform/micrium_os/net/source/http/server/http_server_req.c (function HTTPsReq_HdrParse): static void HTTPsReq_HdrParse (HTTPs_INSTANCE *p_instance, Following HTML 4.01 Specification and RFC2045 and EFC2388, the implementation checks the presence of a boundary when the Content-Type header is multipart/form-data and stores it in p_conn->FormBoundaryPtr However, when calculating the size of the string segment to be copied, the implementation does not check the resulting value against the maximum length the allocated buffer can hold ( HTTPs_FORM_BOUNDARY_STR_LEN_MAX) The HTTP server supports multipart requests. ![]() An attacker can send an HTTP request to trigger this vulnerability. A specially crafted HTTP request can lead to remote code execution. SummaryĪ heap based buffer overflow vulnerability exists in the HTTP Server functionality of Micrium uC-HTTP 3.01.01. The HTTP server included in it supports many HTTP features, enabling embedded systems developers to rely on it for a variety of use cases in their design. The uC-HTTP implementation is used on embedded systems that are running the ♜/OS II or ♜/OS III RTOS kernels. In addition to the two highly popular kernels, ♜/OS features support for TCP/IP, USB-Device, USB-Host, and Modbus, as well as a robust File System. ΜC/OS is a full-featured embedded operating system originally developed by Micriµm™, it is provided as part of Silicon Lab’s Gecko SDK. Sep 16, 2022: Silicon Labs allocates CVE-2022-24942 for the vulnerability after resolving technical issues with their CVE Services systems.įeb 15, 2023: Release of this write-up. May 26, 2022: Silicon Labs acknowledges the issue.Īug 3, 2022: Silicon Labs officially confirms the issue with a fix.Īug 13, 2022: Silicon Labs releases advisory with version 4.1.1.0 of Gecko SDK. ![]() May 26, 2022: BugProve reports the issue to Silicon Labs. ![]()
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |