From: "zdi-disclosures@trendmicro.com" <zdi-disclosures@trendmicro.com>
To: "ofono@lists.linux.dev" <ofono@lists.linux.dev>
Subject: ZDI-CAN-23307: New Vulnerability Report
Date: Thu, 29 Feb 2024 15:39:32 +0000	[thread overview]
Message-ID: <DM5PR0102MB347702F68C385430DEFB2589805F2@DM5PR0102MB3477.prod.exchangelabs.com> (raw)

ZDI-CAN-23307: oFono AT CMGL Command Uninitialized Variable Information Disclosure Vulnerability

-- CVSS -----------------------------------------

3.3: AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

-- ABSTRACT -------------------------------------

Trend Micro's Zero Day Initiative has identified a vulnerability affecting the following products:
oFono - oFono

-- VULNERABILITY DETAILS ------------------------
* Version tested:  16.0.3
* Installer file:  agl-demo-platform-crosssdk-raspberrypi4-64.wic.xz
* Platform tested: Raspberry Pi

---

### Analysis

at_cmgr_notify uninitialized stack

```
In oFono drivers/atmodem/sms.c the function decode_hex_own_buf is used to decode the hexadecimal-encoded payload. These payloads carry the encoded SMS messages.
The return value of decode_hex_own_buf is not always checked: if the decoding fails, the function leaves the decoding buffer uninitialized and the processing continues.
It is therefore possible to have a partially initialized buffer, i.e. a valid SMS header followed by uninitialized stack data as the body: decode_hex_own_buf returns as soon as a non-hexadecimal character is hit, so it is enough to send only the SMS header and a non-hexadecimal character in place of the SMS body.
The processing will continue with an SMS body that leaks uninitialized stack.
In at_cmgr_notify, at_cmt_notify and at_cmgl_notify the uninitialized stack can be returned to the modem, for devices with STK functionality. Here is the path:
1. ofono_sms_deliver_notify
2. __ofono_sms_sim_download
3. stk_send_envelope
4. mbm_stk_envelope (on MBM modems)
The uninitialized buffer is sent to the modem with the "AT*STKE=" command. Note that there are other bugs used on the path:
- pdu_len is used as an uninitialized stack value if decode_hex_own_buf fails
- tpdu_len is used as a signed integer in a size comparison in sms_decode
The size of the leak is limited by other stack overflows in sms_decode and stk_pdu_from_envelope. Leaking uninitialized stack data is used in our chain to recover the ASLR-randomized addresses (program and libraries) and the stack cookie.
```
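The unchecked-decoder pattern the analysis describes, shown next to a checked form that drops the message on any decode failure. This is an added illustration written for this page, not oFono's code: decode_hex_into, PDU_MAX and the 0xAA fill are constructed stand-ins (real stale stack contents would be arbitrary, which is why the bug is an information leak).

```c
#include <ctype.h>
#include <string.h>
#define PDU_MAX 176   /* assumed PDU buffer size for this example only */
static const char HEX[] = "0123456789abcdef";

static int nibble(char c)   /* -1 for a non-hex character (NUL included) */
{
    const char *p = c ? strchr(HEX, tolower((unsigned char)c)) : NULL;
    return p ? (int)(p - HEX) : -1;
}

/* Hypothetical stand-in for a decode_hex_own_buf-style helper: returns 0 at the
 * first non-hex character, leaving the unwritten tail of buf and *len untouched. */
static int decode_hex_into(const char *hex, unsigned char *buf, size_t bufsize, long *len)
{
    size_t n = 0;
    for (; *hex != '\0'; hex += 2, n++) {
        int hi = nibble(hex[0]), lo = nibble(hex[1]);
        if (hi < 0 || lo < 0 || n >= bufsize)
            return 0;
        buf[n] = (unsigned char)(hi << 4 | lo);
    }
    *len = (long)n;
    return 1;
}

/* The unchecked pattern from the report, made deterministic: stale stack data is
 * simulated with a 0xAA fill and a leftover length. Returns how many sentinel bytes reach the sink. */
size_t unchecked_decode(const char *hex, unsigned char *sink, size_t sinksize)
{
    unsigned char pdu[PDU_MAX];
    long pdu_len = PDU_MAX;                 /* stand-in for a stale stack value */
    memset(pdu, 0xAA, sizeof pdu);          /* stand-in for uninitialized stack */
    decode_hex_into(hex, pdu, sizeof pdu, &pdu_len);   /* return value ignored */
    size_t n = (size_t)pdu_len < sinksize ? (size_t)pdu_len : sinksize, leaked = 0;
    for (size_t i = 0; i < n; i++)          /* what would be handed to the modem */
        leaked += (sink[i] = pdu[i]) == 0xAA;
    return leaked;
}

/* Hardened form: zeroed buffer and length, decoder result checked, message dropped on failure. */
long checked_decode(const char *hex, unsigned char *sink, size_t sinksize)
{
    unsigned char pdu[PDU_MAX] = {0};
    long pdu_len = 0;
    if (!decode_hex_into(hex, pdu, sizeof pdu, &pdu_len) || (size_t)pdu_len > sinksize)
        return -1;
    memcpy(sink, pdu, (size_t)pdu_len);
    return pdu_len;
}
```

With a constructed input of four valid header bytes followed by "ZZ", the unchecked path forwards 172 never-decoded bytes, while the checked path rejects the same input.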


-- CREDIT ---------------------------------------
This vulnerability was discovered by:
Synacktiv (@Synacktiv) working with Trend Micro Zero Day Initiative

-- FURTHER DETAILS ------------------------------

Supporting files:


If supporting files were contained with this report they are provided within a password protected ZIP file. The password is the ZDI candidate number in the form: ZDI-CAN-XXXX where XXXX is the ID number.

Please confirm receipt of this report. We expect all vendors to remediate ZDI vulnerabilities within 120 days of the reported date. If you are ready to release a patch at any point leading up to the deadline, please coordinate with us so that we may release our advisory detailing the issue. If the 120-day deadline is reached and no patch has been made available we will release a limited public advisory with our own mitigations, so that the public can protect themselves in the absence of a patch. Please keep us updated regarding the status of this issue and feel free to contact us at any time:

Zero Day Initiative
zdi-disclosures@trendmicro.com

The PGP key used for all ZDI vendor communications is available from:

  http://www.zerodayinitiative.com/documents/disclosures-pgp-key.asc

-- INFORMATION ABOUT THE ZDI --------------------
Established by TippingPoint and acquired by Trend Micro, the Zero Day Initiative (ZDI) neither re-sells vulnerability details nor exploit code. Instead, upon notifying the affected product vendor, the ZDI provides its Trend Micro TippingPoint customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available.

Please contact us for further details or refer to:

  http://www.zerodayinitiative.com

-- DISCLOSURE POLICY ----------------------------

Our vulnerability disclosure policy is available online at:

  http://www.zerodayinitiative.com/advisories/disclosure_policy/

TREND MICRO EMAIL NOTICE

The information contained in this email and any attachments is confidential and may be subject to copyright or other intellectual property protection. If you are not the intended recipient, you are not authorized to use or disclose this information, and we request that you notify us by reply mail or telephone and delete the original message from your mail system.

For details about what personal information we collect and why, please see our Privacy Notice on our website at: http://www.trendmicro.com/privacy

[-- Attachment #2: ZDI-CAN-23307.zip --]
[-- Type: application/x-zip-compressed, Size: 1914368 bytes --]
