From: "zdi-disclosures@trendmicro.com" <zdi-disclosures@trendmicro.com>
To: "ofono@lists.linux.dev" <ofono@lists.linux.dev>
Subject: ZDI-CAN-23459: New Vulnerability Report
Date: Thu, 29 Feb 2024 15:43:10 +0000
Message-ID: <DM5PR0102MB34772A4F75D85840DAAD36EB805F2@DM5PR0102MB3477.prod.exchangelabs.com>

ZDI-CAN-23459: oFono SimToolKit Heap-based Buffer Overflow Privilege Escalation Vulnerability

-- CVSS -----------------------------------------

7.8: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

-- ABSTRACT -------------------------------------

Trend Micro's Zero Day Initiative has identified a vulnerability affecting the following products:
oFono - oFono

-- VULNERABILITY DETAILS ------------------------
* Version tested: 2.3
* Installer file: -
* Platform tested: Ubuntu 23.10 desktop edition

---

### Analysis

The heap overflow is triggered within the parse_dataobj_frame_layout() function during STK PDU decoding. The attack scenario assumed here is that the malicious PDU reaches oFono from a compromised modem.

~~~c
struct stk_command_set_frames {
        struct stk_frame_id frame_id;
        struct stk_frame_layout frame_layout;
        struct stk_frame_id frame_id_default;
};

static bool parse_dataobj_frame_layout(struct comprehension_tlv_iter *iter,
                                                void *user)
{
        struct stk_frame_layout *fl = user;
        const uint8_t *data;
        /* TLV length is taken from the PDU, so it can be anything up to 255 */
        uint8_t len = comprehension_tlv_iter_get_length(iter);

        if (len < 2)
                return false;

        data = comprehension_tlv_iter_get_data(iter);

        if (data[0] != STK_LAYOUT_HORIZONTAL &&
                        data[0] != STK_LAYOUT_VERTICAL)
                return false;

        fl->layout = data[0];
        fl->len = len - 1;
        /* fl->size is a fixed-size array (126 bytes in the gdb dump below),
         * but up to 254 bytes are copied into it: no check that
         * len - 1 <= sizeof(fl->size) */
        memcpy(fl->size, data + 1, fl->len); // overflow

        return true;
}
~~~

Debug output (gdb):
```
Breakpoint 8, 0x0000555555580859 in memcpy (__len=254, __src=0x55555559ee74 <set_frame_111+20>, __dest=0x616000000095) at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:29
29        return __builtin___memcpy_chk (__dest, __src, __len,

(gdb) bt

#0  0x0000555555580859 in memcpy (__len=254, __src=0x55555559ee74 <set_frame_111+20>, __dest=0x616000000095) at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:29
#1  parse_dataobj_frame_layout (iter=0x7ffff5600090, user=0x616000000094) at src/stkutil.c:1786
#2  0x000055555557fbda in parse_dataobj (iter=iter@entry=0x7ffff5600090, type=<optimized out>, type@entry=STK_DATA_OBJECT_TYPE_FRAME_ID) at src/stkutil.c:2360
#3  0x00005555555927ca in parse_set_frames (iter=0x7ffff5600090, command=0x616000000080) at src/stkutil.c:3570
#4  parse_command_body (iter=0x7ffff5600090, command=0x616000000080) at src/stkutil.c:3805
#5  stk_command_new_from_pdu (pdu=<optimized out>, len=<optimized out>) at src/stkutil.c:3883
#6  0x00007ffff773e85e in test_case_run (tc=0x604000000050) at ../../../glib/gtestutils.c:3161
#7  g_test_run_suite_internal (suite=suite@entry=0x603000000370, path=0x0) at ../../../glib/gtestutils.c:3256
#8  0x00007ffff773e78b in g_test_run_suite_internal (suite=suite@entry=0x6030000002e0, path=path@entry=0x0) at ../../../glib/gtestutils.c:3275
#9  0x00007ffff773ed82 in g_test_run_suite (suite=suite@entry=0x6030000002e0) at ../../../glib/gtestutils.c:3355
#10 0x00007ffff773ee08 in g_test_run () at ../../../glib/gtestutils.c:2462
#11 g_test_run () at ../../../glib/gtestutils.c:2449
#12 0x000055555555c0a5 in main (argc=<optimized out>, argv=<optimized out>) at unit/test-stkutil.c:22317
(gdb) frame 1

#1  parse_dataobj_frame_layout (iter=0x7ffff5600090, user=0x616000000094) at src/stkutil.c:1786
1786            memcpy(fl->size, data + 1, fl->len);
(gdb) p /x *fl

$50 = {layout = 0x1, size = {0x0 <repeats 126 times>}, len = 0xfe}
(gdb) ni

parse_dataobj_frame_layout (iter=0x7ffff5600090, user=0x616000000094) at src/stkutil.c:1788
1788            return true;

(gdb) p /x *fl

$51 = {layout = 0x1, size = {0x41 <repeats 14 times>, 0x1, 0x41 <repeats 15 times>, 0x1, 0x41 <repeats 15 times>, 0x1, 0x41 <repeats 15 times>, 0x1, 0x41 <repeats 15 times>, 0x1, 0x41 <repeats 15 times>, 0x1, 0x41 <repeats 15 times>,
    0x1, 0x41 <repeats 15 times>}, len = 0x41414141}
(gdb)
```
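As an added illustration (not code from the ZDI report or from the oFono tree), below is a hardened variant of the parser with the missing bounds check, fed a constructed 254-byte object of the same shape as the one in the gdb session above. The struct layout, the numeric values of the layout tags and the helper/function names are assumptions; the bounds check is one plausible fix, not necessarily the upstream patch.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Layout tags named in the report; their numeric values are assumed here. */
#define STK_LAYOUT_HORIZONTAL 0x00
#define STK_LAYOUT_VERTICAL   0x01

/* Assumed struct shape, modelled on the gdb dump: layout, size[126], len. */
struct stk_frame_layout {
	uint8_t layout;
	uint8_t size[126];
	unsigned int len;
};

/* Hardened parse_dataobj_frame_layout(): takes the data object value directly
 * and rejects a size list that cannot fit in fl->size before the memcpy. */
static bool parse_frame_layout_checked(const uint8_t *data, uint8_t len,
					struct stk_frame_layout *fl)
{
	if (len < 2)
		return false;
	if (data[0] != STK_LAYOUT_HORIZONTAL && data[0] != STK_LAYOUT_VERTICAL)
		return false;
	if ((size_t)(len - 1) > sizeof(fl->size))	/* added bounds check */
		return false;
	fl->layout = data[0];
	fl->len = len - 1;
	memcpy(fl->size, data + 1, fl->len);
	return true;
}

/* Constructed object mirroring the crash: 254 bytes, layout 0x01 followed by
 * 253 bytes of 0x41. True only if it is rejected with fl left untouched. */
static bool oversize_object_is_rejected(void)
{
	uint8_t obj[254];
	struct stk_frame_layout fl = { 0 };
	memset(obj, 0x41, sizeof(obj));
	obj[0] = STK_LAYOUT_VERTICAL;
	return !parse_frame_layout_checked(obj, sizeof(obj), &fl) && fl.len == 0;
}

/* Well-formed object (layout + three frame sizes): returns stored len, 3. */
static unsigned int small_object_len(void)
{
	const uint8_t obj[] = { STK_LAYOUT_HORIZONTAL, 10, 20, 30 };
	struct stk_frame_layout fl = { 0 };
	return parse_frame_layout_checked(obj, sizeof(obj), &fl) ? fl.len : 0;
}
```

The check rejects the oversized object before any write, while a well-formed object with a short size list still parses.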


-- CREDIT ---------------------------------------
This vulnerability was discovered by:
Lucas Leong (@_wmliang_) of Trend Micro Zero Day Initiative

-- FURTHER DETAILS ------------------------------

Supporting files:


If supporting files were included with this report, they are provided within a password protected ZIP file. The password is the ZDI candidate number in the form ZDI-CAN-XXXX, where XXXX is the ID number.

Please confirm receipt of this report. We expect all vendors to remediate ZDI vulnerabilities within 120 days of the reported date. If you are ready to release a patch at any point leading up to the deadline, please coordinate with us so that we may release our advisory detailing the issue. If the 120-day deadline is reached and no patch has been made available we will release a limited public advisory with our own mitigations, so that the public can protect themselves in the absence of a patch. Please keep us updated regarding the status of this issue and feel free to contact us at any time:

Zero Day Initiative
zdi-disclosures@trendmicro.com

The PGP key used for all ZDI vendor communications is available from:

  http://www.zerodayinitiative.com/documents/disclosures-pgp-key.asc

-- INFORMATION ABOUT THE ZDI --------------------
Established by TippingPoint and acquired by Trend Micro, the Zero Day Initiative (ZDI) neither re-sells vulnerability details nor exploit code. Instead, upon notifying the affected product vendor, the ZDI provides its Trend Micro TippingPoint customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available.

Please contact us for further details or refer to:

  http://www.zerodayinitiative.com

-- DISCLOSURE POLICY ----------------------------

Our vulnerability disclosure policy is available online at:

  http://www.zerodayinitiative.com/advisories/disclosure_policy/

TREND MICRO EMAIL NOTICE

The information contained in this email and any attachments is confidential and may be subject to copyright or other intellectual property protection. If you are not the intended recipient, you are not authorized to use or disclose this information, and we request that you notify us by reply mail or telephone and delete the original message from your mail system.

For details about what personal information we collect and why, please see our Privacy Notice on our website at: http://www.trendmicro.com/privacy
