Classic Buffer Overflow in FalconChristmas/fpp

Reported on May 30th 2021

✍️ Description


There are multiple .bss buffer overflows in :

char command[8192];
char response[256];


int main (int argc, char *argv[])
  memset(command, 0, sizeof(command));
    else if(strncmp(argv[1],"-v",2)==0)
      sprintf(command,"v,%s,",argv[2]); //overflow !, use snprintf instead

Here, sprintf is used to build a command using user input (argv[2]). This function doesn't check the size of argv[2] and will copy the entire content of argv[2] into char command[8192]; which is a 8192 bytes long buffer. This behavior leads to a buffer overflow, however, since this buffer is located in the .bss segment of the program (it's a global variable) I didn't find anything interesting to overwrite (during a very superficial analysis).

To exploit this behavior : call ./fpp -v $very_long_buffer or any other command that will call sprintf. To reach an interesting structure to overwrite you will certainly have to use a very long payload

💥 Mitigation

Use snprintf(command, sizeof(command),"v,%s,",argv[2]); instead