Classic Buffer Overflow in FalconChristmas/fpp

Valid
Reported on May 30th 2021

✍️ Description

Hi,

There are multiple .bss buffer overflows in https://github.com/FalconChristmas/fpp/blob/f4a1621c8be15a41305269830b700a2b5443aa0f/src/fpp.c#L64:

#include <stdio.h>   /* sprintf */
#include <string.h>  /* memset, strncmp */

char command[8192];  /* global buffers: they live in .bss, not on the stack */
char response[256];

/* ... (lines elided) ... */

int main(int argc, char *argv[])
{
  memset(command, 0, sizeof(command));
  SetupDomainSocket();
  if (argc > 1)
  {
    /* ... (earlier argv[1] branches elided) ... */
    else if (strncmp(argv[1], "-v", 2) == 0)
    {
      sprintf(command, "v,%s,", argv[2]); /* overflow! argv[2] is unbounded; use snprintf instead */
      SendCommand(command);
    }
    /* ... (remaining branches elided) ... */
  }
  /* ... (rest of main elided) ... */
}

Here, sprintf is used to build a command from user input (argv[2]). sprintf does not check the size of argv[2] and copies its entire content into command, which is an 8192-byte buffer. This leads to a buffer overflow; however, since this buffer is located in the .bss segment of the program (it is a global variable), I didn't find anything interesting to overwrite (during a very superficial analysis).

To exploit this behavior, call ./fpp -v $very_long_buffer or any other command path that calls sprintf. To reach an interesting structure to overwrite, you will certainly need a very long payload.

💥 Mitigation

Use snprintf(command, sizeof(command), "v,%s,", argv[2]); instead.
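The mitigation above, carried through as an added example (this is not the fpp project's code): the report's sprintf pattern is kept beside the snprintf replacement, and the one thing snprintf alone does not handle, silent truncation, is caught by checking its return value so a cut-off "v,<arg>," is never sent as a malformed command. COMMAND_SIZE, build_command, arg_fits, try_arg_of_length, build_short_example and the sample argument values are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed to match the report's global buffer: char command[8192]. */
#define COMMAND_SIZE 8192

/* The pattern from the report, kept only for contrast and never called
 * below: sprintf writes past the end of dst as soon as the command
 * ("v," + arg + "," + NUL, i.e. strlen(arg) + 4 bytes) exceeds it. */
void build_command_unsafe(char *dst, const char *arg)
{
    sprintf(dst, "v,%s,", arg);
}

/* Hardened replacement. snprintf never writes more than dst_size bytes,
 * but it truncates silently, so its return value (the length the full
 * output would have had) is checked. Returns 0 on success, -1 when the
 * argument is missing or does not fit; dst is then an empty string. */
int build_command(char *dst, size_t dst_size, const char *arg)
{
    if (dst == NULL || dst_size == 0) return -1;
    dst[0] = '\0';
    if (arg == NULL) return -1;           /* e.g. "-v" given with no value */
    int needed = snprintf(dst, dst_size, "v,%s,", arg);
    if (needed < 0 || (size_t)needed >= dst_size) {
        dst[0] = '\0';                    /* discard the truncated output */
        return -1;
    }
    return 0;
}

/* The same bound computed without touching any buffer: the command needs
 * strlen(arg) + 3 characters plus the terminating NUL. */
int arg_fits(size_t dst_size, const char *arg)
{
    return arg != NULL && strlen(arg) + 3 < dst_size;
}

/* Builds the command for a short, constructed argument and returns it. */
const char *build_short_example(void)
{
    static char command[COMMAND_SIZE];
    build_command(command, sizeof command, "1.2.3");  /* constructed value */
    return command;
}

/* Constructs an argument of arglen 'A' bytes (the "very long buffer" case),
 * runs the hardened builder against a COMMAND_SIZE buffer and returns its
 * result, so the limit can be probed at any length without overflowing. */
int try_arg_of_length(size_t arglen)
{
    static char command[COMMAND_SIZE];
    char *arg = malloc(arglen + 1);
    if (arg == NULL) return -2;
    memset(arg, 'A', arglen);
    arg[arglen] = '\0';
    int rc = build_command(command, sizeof command, arg);
    free(arg);
    return rc;
}

int main(void)
{
    printf("short arg      -> \"%s\"\n", build_short_example());
    printf("8188-byte arg  -> %d (fits exactly: 8191 chars + NUL)\n", try_arg_of_length(8188));
    printf("8189-byte arg  -> %d (rejected: would need 8193 bytes)\n", try_arg_of_length(8189));
    printf("100000-byte arg -> %d (rejected)\n", try_arg_of_length(100000));
    return 0;
}
```

The boundary is where the two calls differ: with an 8188-byte argument the command fills the buffer exactly, while one more byte makes snprintf return a value greater than or equal to the buffer size, which is the signal that the output was cut short. Treating that as an error (rather than sending whatever fits) keeps the daemon from receiving a command that lost its trailing comma.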