Summary
The default handler for the well_known_core resource, coap_well_known_core_default_handler, writes user-provided option data and other data into a fixed-size buffer without validating that the buffer is large enough to hold the response. An attacker can use this to corrupt neighboring stack locations, including security-sensitive values such as the saved return address, leading to denial of service or arbitrary code execution.
Details
Here is the execution trace that triggers the vulnerability:
- In nanocoap.h:L2621, RIOT registers coap_well_known_core_default_handler as the handler for the path /.well-known/core.
- In sock.c:L1217, the nanocoap server is started with a fixed-size response buffer. By default, this buffer is only 112 bytes (the default value of CONFIG_NANOCOAP_SERVER_BUF_SIZE).
- An attacker sends a valid CoAP packet to the nanocoap server whose CoAP header plus extended token length exceeds 112 bytes.
- The packet is received by the sock_udp_recv_buf_aux function and validated by the coap_parse_udp function. This validation only ensures that the received packet is well-formed; it does not enforce any maximum size on the extended token or the options in the packet. coap_handle_req is then called to process the packet, with the pointer to and size of the fixed-size buffer passed as arguments.
- coap_handle_req -> coap_tree_handler -> resource->handler -> coap_well_known_core_default_handler.
- The coap_well_known_core_default_handler function computes a pointer to the payload from the header length and the extended token length (nanocoap.c:L1510) and does not check that the computed pointer still lies within the bounds of the fixed-size buffer.
- Finally, in lines 1512 -- 1526 the handler writes multiple bytes of data through the computed pointer, including option data copied from the received packet, without validating the bounds of the pointer.
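The following is an added example, not RIOT's code, that reproduces the failing step of the trace above in isolation: the payload offset is derived from the attacker-controlled TKL field (including the RFC 8974 extended token length encodings) and, in the vulnerable pattern, never compared against the size of the 112-byte response buffer. The hardened variant refuses to write unless the offset plus the bytes to be written fit. The request builder, the link-format body, the helper names and the 112-byte size constant are assumptions for the example; nothing here is nanocoap's API.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed here to mirror the 112-byte default of CONFIG_NANOCOAP_SERVER_BUF_SIZE. */
#define RESP_BUF_SIZE 112

/* Decode the CoAP token length field, including the RFC 8974 extended
 * encodings (TKL 13: one extra byte, value + 13; TKL 14: two extra bytes,
 * value + 269; TKL 15: reserved). Returns the header length in bytes
 * (4 plus any extension bytes) and stores the token length, or returns 0
 * if the header is malformed or truncated. */
static size_t coap_hdr_len(const uint8_t *pkt, size_t pkt_len, size_t *tkl_out)
{
    if (pkt_len < 4) {
        return 0;
    }
    uint8_t tkl = pkt[0] & 0x0f;
    if (tkl < 13) {
        *tkl_out = tkl;
        return 4;
    }
    if (tkl == 13) {
        if (pkt_len < 5) {
            return 0;
        }
        *tkl_out = (size_t)pkt[4] + 13;
        return 5;
    }
    if (tkl == 14) {
        if (pkt_len < 6) {
            return 0;
        }
        *tkl_out = (((size_t)pkt[4] << 8) | pkt[5]) + 269;
        return 6;
    }
    return 0; /* TKL 15 is reserved */
}

/* Vulnerable pattern: payload offset = header length + token length, both
 * taken from attacker-controlled fields, with no comparison against the
 * response buffer size. For the constructed request below this yields an
 * offset far past the end of a 112-byte buffer. */
size_t payload_offset_unchecked(const uint8_t *pkt, size_t pkt_len)
{
    size_t tkl = 0;
    size_t hdr = coap_hdr_len(pkt, pkt_len, &tkl);
    return hdr ? hdr + tkl : 0;
}

/* Hardened pattern: build the response in place only if the offset plus the
 * bytes we intend to write fit in resp. Returns bytes written or -1.
 * The link-format body is a constructed sample, not RIOT's resource list. */
int write_well_known_core(const uint8_t *req, size_t req_len,
                          uint8_t *resp, size_t resp_size)
{
    static const char body[] = "</.well-known/core>;ct=40";
    size_t tkl = 0;
    size_t hdr = coap_hdr_len(req, req_len, &tkl);
    if (hdr == 0 || tkl > req_len - hdr) {
        return -1;                        /* malformed or truncated token */
    }
    size_t off = hdr + tkl;
    size_t need = 1 + (sizeof body - 1);  /* 0xFF payload marker + body */
    if (off > resp_size || need > resp_size - off) {
        return -1;                        /* response would overflow resp */
    }
    memcpy(resp, req, off);               /* echo header and token */
    resp[0] = (resp[0] & 0x0f) | 0x60;    /* ver=1, type=ACK, keep TKL */
    resp[1] = 0x45;                       /* 2.05 Content */
    resp[off] = 0xff;
    memcpy(resp + off + 1, body, sizeof body - 1);
    return (int)(off + need);
}

/* Constructed attacker request: TKL=14 with a two-byte extension selecting
 * a 300-byte token (300 - 269 = 31 -> 0x00 0x1f), then the token bytes. */
size_t build_long_token_request(uint8_t *out, size_t out_size)
{
    const size_t token_len = 300;
    size_t len = 6 + token_len;
    if (out_size < len) {
        return 0;
    }
    out[0] = 0x40 | 14;                   /* ver=1, CON, TKL=14 */
    out[1] = 0x01;                        /* GET */
    out[2] = 0x12; out[3] = 0x34;         /* message id */
    out[4] = 0x00; out[5] = 0x1f;         /* extended token length */
    memset(out + 6, 'A', token_len);
    return len;
}

/* Returns the unchecked offset (306) when the hardened writer rejects the
 * long-token request against a 112-byte buffer, 0 otherwise. */
int demo_overflow_rejected(void)
{
    uint8_t req[512], resp[RESP_BUF_SIZE];
    size_t len = build_long_token_request(req, sizeof req);
    size_t off = payload_offset_unchecked(req, len);
    int rc = write_well_known_core(req, len, resp, sizeof resp);
    return (len == 306 && off > RESP_BUF_SIZE && rc == -1) ? (int)off : 0;
}

/* A benign request (TKL=2) fits: 6-byte offset + marker + 25-byte body = 32. */
int demo_short_token_ok(void)
{
    const uint8_t req[] = { 0x42, 0x01, 0x12, 0x34, 't', 'k' };
    uint8_t resp[RESP_BUF_SIZE];
    return write_well_known_core(req, sizeof req, resp, sizeof resp);
}

int main(void)
{
    printf("long token: unchecked offset %d, hardened writer rejects\n",
           demo_overflow_rejected());
    printf("short token: hardened writer wrote %d bytes\n", demo_short_token_ok());
    return 0;
}
```

The check that matters is the pair of comparisons before the first write: the offset itself is validated against the buffer size, and the remaining space is computed by subtraction only after that, so the arithmetic cannot wrap. A TKL=13 request with extension byte 107 (a 120-byte token) is rejected by the same test, since 5 + 120 already exceeds 112.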
PoC
Impact
This is an out-of-bounds write vulnerability and affects RIOT users who:
- Use the nanocoap server implementation
- Enable and expose the /.well-known/core resource to untrusted clients
- Support the extended token length feature
This vulnerability allows an attacker to corrupt stack memory, overwrite sensitive data and addresses, and in the worst case (especially on embedded systems, where memory protections are commonly absent) hijack the execution of the server.