Stack-based Buffer Overflow in falconchristmas/fpp


Reported on

May 30th 2021

✍️ Description


There is a stack-based buffer overflow in the following code:

    else if ((strcmp(argv[1], "--log-mask") == 0) && argc > 2) {
        char newMask[128];
        strcpy(newMask, argv[2]); // overflow: argv[2] is copied with no length check
    }


argv[2] is copied into newMask using strcpy, a function that does not perform any size validation when it copies buffers. Any --log-mask argument of 128 bytes or more therefore writes past the end of the 128-byte stack buffer, which is a stack-based buffer overflow.
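The following is an added example, not code from fpp or from this report, that puts the unchecked pattern quoted above beside a bounded replacement. The function and variable names (set_log_mask_unsafe, set_log_mask_safe, poc_rejected, LOG_MASK_LEN) are assumptions chosen for the example; only the 128-byte buffer size and the 140-byte "A" string come from the report.

```c
#include <stdio.h>
#include <string.h>

#define LOG_MASK_LEN 128  /* same buffer size as the snippet in the report */

/* Mirrors the pattern quoted in the report: no length check before strcpy.
 * Calling this with an argument of LOG_MASK_LEN bytes or more overflows dest,
 * so it must only ever be called with shorter input. */
int set_log_mask_unsafe(const char *arg, char *dest)
{
    strcpy(dest, arg);  /* writes strlen(arg) + 1 bytes regardless of dest size */
    return 0;
}

/* Hardened replacement (example code, not fpp's own fix): reject any argument
 * that does not fit in dest including its NUL terminator, then copy with an
 * explicit bound. Returns 0 on success, -1 when the argument is rejected. */
int set_log_mask_safe(const char *arg, char *dest, size_t dest_len)
{
    if (arg == NULL || dest == NULL || dest_len == 0)
        return -1;
    /* Look for the terminator within the first dest_len bytes only; if it is
     * not there the argument is at least dest_len bytes long and cannot fit. */
    const char *end = memchr(arg, '\0', dest_len);
    if (end == NULL)
        return -1;
    size_t n = (size_t)(end - arg);
    memcpy(dest, arg, n);
    dest[n] = '\0';
    return 0;
}

/* Builds the 140-byte "A" argument from the report's proof of concept in
 * memory and checks that the bounded version refuses it. Returns 1 if the
 * argument was rejected, 0 otherwise. */
int poc_rejected(void)
{
    char mask[LOG_MASK_LEN];
    char arg[141];
    memset(arg, 'A', 140);
    arg[140] = '\0';
    return set_log_mask_safe(arg, mask, sizeof mask) == -1;
}

int main(int argc, char *argv[])
{
    char mask[LOG_MASK_LEN];
    if (argc > 2 && strcmp(argv[1], "--log-mask") == 0) {
        if (set_log_mask_safe(argv[2], mask, sizeof mask) != 0) {
            fprintf(stderr, "--log-mask value too long (max %d bytes)\n",
                    LOG_MASK_LEN - 1);
            return 1;
        }
        printf("log mask set to: %s\n", mask);
    }
    return 0;
}
```

Using memchr with the destination size as the search limit means the function never reads further than it could ever copy, and a value of exactly 127 bytes (the longest that fits with its terminator) is still accepted while 128 or more is refused with an error instead of a corrupted stack.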

🕵️‍♂️ Proof of Concept

Run: ./fpp --log-mask $(python -c'print("A"*140)')

💥 Impact

Crash, arbitrary code execution
