From: "zdi-disclosures@trendmicro.com" <zdi-disclosures@trendmicro.com>
To: "ofono@lists.linux.dev" <ofono@lists.linux.dev>
Subject: ZDI-CAN-23460: New Vulnerability Report
Date: Thu, 29 Feb 2024 15:45:35 +0000
Message-ID: <DM5PR0102MB347780D14317C7F10F52F345805F2@DM5PR0102MB3477.prod.exchangelabs.com>

ZDI-CAN-23460: oFono SMS Decoder Stack-based Buffer Overflow Privilege Escalation Vulnerability

-- CVSS -----------------------------------------

7.0: AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

-- ABSTRACT -------------------------------------

Trend Micro's Zero Day Initiative has identified a vulnerability affecting the following products:
oFono - oFono

-- VULNERABILITY DETAILS ------------------------
* Version tested: 2.3
* Installer file: -
* Platform tested: Ubuntu 23.10 desktop edition

---

### Analysis

A stack-based buffer overflow is triggered in the decode_command() function during SMS PDU decoding. The command-data length octet (cdl) read from the PDU is checked only against the remaining PDU length, not against the size of the destination array out->command.cd, so a cdl larger than that array makes the memcpy() write past the end of the struct sms on the caller's stack.

The assumed attack scenario is a compromised modem, possibly a malicious base station, or simply a crafted SMS delivered to the device.

~~~c
static gboolean decode_command(const unsigned char *pdu, int len,
                                        struct sms *out)
{
        unsigned char octet;
        int offset = 0;

        out->type = SMS_TYPE_COMMAND;

        if (!next_octet(pdu, len, &offset, &octet))
                return FALSE;

        out->command.udhi = is_bit_set(octet, 6);
        out->command.srr = is_bit_set(octet, 5);

        if (!next_octet(pdu, len, &offset, &out->command.mr))
                return FALSE;

        if (!next_octet(pdu, len, &offset, &out->command.pid))
                return FALSE;

        if (!next_octet(pdu, len, &offset, &octet))
                return FALSE;

        out->command.ct = octet;

        if (!next_octet(pdu, len, &offset, &out->command.mn))
                return FALSE;

        if (!sms_decode_address_field(pdu, len, &offset,
                                        FALSE, &out->command.daddr))
                return FALSE;

        /* cdl is attacker-controlled: one octet, so up to 255 */
        if (!next_octet(pdu, len, &offset, &out->command.cdl))
                return FALSE;

        /* only bounds cdl against the remaining PDU, not against
         * sizeof(out->command.cd) */
        if ((len - offset) < out->command.cdl)
                return FALSE;

        memcpy(out->command.cd, pdu + offset, out->command.cdl);                // overflow here
                                                                                // when cdl > sizeof(out->command.cd)

        return TRUE;
}
~~~

ASAN report
```
=================================================================
==7530==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffff560015c at pc 0x7ffff7870e93 bp 0x7fffffffdbf0 sp 0x7fffffffd398
WRITE of size 255 at 0x7ffff560015c thread T0
    #0 0x7ffff7870e92 in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:899
    #1 0x5555555663e8 in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:29
    #2 0x5555555663e8 in decode_command src/smsutil.c:1474
    #3 0x5555555663e8 in sms_decode src/smsutil.c:1590
    #4 0x55555555b2ee in test_simple_deliver unit/test-sms.c:187
    #5 0x7ffff773e85d  (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x8585d) (BuildId: 200be351efe83301ebaffb390ac30b652a88bac1)
    #6 0x7ffff773e78a  (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x8578a) (BuildId: 200be351efe83301ebaffb390ac30b652a88bac1)
    #7 0x7ffff773ed81 in g_test_run_suite (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x85d81) (BuildId: 200be351efe83301ebaffb390ac30b652a88bac1)
    #8 0x7ffff773ee07 in g_test_run (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x85e07) (BuildId: 200be351efe83301ebaffb390ac30b652a88bac1)
    #9 0x55555555af3d in main unit/test-sms.c:1759
    #10 0x7ffff742814f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #11 0x7ffff7428208 in __libc_start_main_impl ../csu/libc-start.c:360
    #12 0x55555555b114 in _start (/root/ofono/unit/test-sms+0x7114) (BuildId: 8578597d3d029fa411dd5f7740b8fdd713c8d322)

Address 0x7ffff560015c is located in stack of thread T0 at offset 348 in frame
    #0 0x55555555b1ef in test_simple_deliver unit/test-sms.c:174

  This frame has 2 object(s):
    [48, 56) 'pdu_len' (line 177)
    [80, 348) 'sms' (line 175) <== Memory access at offset 348 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:899 in __interceptor_memcpy
Shadow bytes around the buggy address:
  0x7ffff55ffe80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7ffff55fff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7ffff55fff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7ffff5600000: f1 f1 f1 f1 f1 f1 00 f2 f2 f2 00 00 00 00 00 00
  0x7ffff5600080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x7ffff5600100: 00 00 00 00 00 00 00 00 00 00 00[04]f3 f3 f3 f3
  0x7ffff5600180: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x7ffff5600200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7ffff5600280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7ffff5600300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7ffff5600380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==7530==ABORTING
```
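The following is an added example, not oFono's code and not part of the ZDI report: a minimal re-implementation of the SMS-COMMAND decoding path shown above, with the original bounds logic beside a hardened variant that also checks TP-CDL against the size of the cd array. The array size CD_MAX (156), the simplified address-field parser decode_address(), the helper names, and the constructed PDU built by build_command_pdu() are assumptions for illustration; the real oFono struct layout and sms_decode_address_field() differ.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CD_MAX 156  /* assumed size of the command-data array (illustrative) */

struct sms_command {
    bool udhi, srr;
    uint8_t mr, pid, ct, mn;
    uint8_t cdl;            /* TP-CDL as carried in the PDU (0..255) */
    uint8_t cd[CD_MAX];     /* TP-CD: the buffer the report shows overflowing */
};

static bool next_octet(const uint8_t *pdu, int len, int *off, uint8_t *out)
{
    if (*off >= len)
        return false;
    *out = pdu[(*off)++];
    return true;
}

/* Simplified TP-DA parser (an assumption, not oFono's sms_decode_address_field):
 * length octet in semi-octets, type-of-address octet, then the packed digits. */
static bool decode_address(const uint8_t *pdu, int len, int *off)
{
    uint8_t n, toa;
    if (!next_octet(pdu, len, off, &n) || n > 20)
        return false;
    if (!next_octet(pdu, len, off, &toa))
        return false;
    if (len - *off < (n + 1) / 2)
        return false;
    *off += (n + 1) / 2;
    return true;
}

/* Fixed-layout prefix of an SMS-COMMAND TPDU up to and including TP-CDL. */
static bool parse_header(const uint8_t *pdu, int len, int *off, struct sms_command *o)
{
    uint8_t first;
    if (!next_octet(pdu, len, off, &first))
        return false;
    o->udhi = (first >> 6) & 1;
    o->srr  = (first >> 5) & 1;
    return next_octet(pdu, len, off, &o->mr) && next_octet(pdu, len, off, &o->pid)
        && next_octet(pdu, len, off, &o->ct) && next_octet(pdu, len, off, &o->mn)
        && decode_address(pdu, len, off) && next_octet(pdu, len, off, &o->cdl);
}

/* Mirrors the original bounds logic (remaining PDU length only).  Instead of
 * doing the memcpy it returns how many bytes that memcpy would write past the
 * end of cd[]: 0 = in bounds, -1 = the original code rejects the PDU earlier. */
static int original_overrun(const uint8_t *pdu, int len)
{
    struct sms_command c = {0};
    int off = 0;
    if (!parse_header(pdu, len, &off, &c) || (len - off) < c.cdl)
        return -1;
    return c.cdl > CD_MAX ? c.cdl - CD_MAX : 0;
}

/* Hardened decoder: TP-CDL must fit both the remaining PDU and cd[]. */
static bool decode_command_fixed(const uint8_t *pdu, int len, struct sms_command *out)
{
    int off = 0;
    memset(out, 0, sizeof *out);
    if (!parse_header(pdu, len, &off, out))
        return false;
    if ((len - off) < out->cdl)
        return false;
    if ((size_t)out->cdl > sizeof out->cd)   /* the check the original lacks */
        return false;
    memcpy(out->cd, pdu + off, out->cdl);
    return true;
}

/* Constructed SMS-COMMAND PDU with the requested TP-CDL and a matching
 * payload so the remaining-length check passes.  Returns the PDU length. */
static int build_command_pdu(uint8_t *buf, size_t size, uint8_t cdl)
{
    static const uint8_t hdr[] = {
        0x02,                   /* MTI = SMS-COMMAND, UDHI and SRR clear */
        0x00, 0x00, 0x00, 0x01, /* MR, PID, CT, MN */
        0x04, 0x91, 0x21, 0x43  /* TP-DA: 4 digits, international, "1234" */
    };
    size_t total = sizeof hdr + 1 + cdl;
    if (total > size)
        return -1;
    memcpy(buf, hdr, sizeof hdr);
    buf[sizeof hdr] = cdl;
    memset(buf + sizeof hdr + 1, 0x41, cdl);
    return (int)total;
}

int main(void)
{
    uint8_t pdu[300], cdls[] = { 16, 156, 255 };
    struct sms_command cmd;
    for (size_t i = 0; i < sizeof cdls; i++) {
        int len = build_command_pdu(pdu, sizeof pdu, cdls[i]);
        printf("TP-CDL=%3u: original memcpy overruns cd[] by %d bytes, fixed decoder %s\n",
               cdls[i], original_overrun(pdu, len),
               decode_command_fixed(pdu, len, &cmd) ? "accepts" : "rejects");
    }
    return 0;
}
```

The TP-CDL=255 case corresponds to the "WRITE of size 255" in the ASan report above: the remaining-length check passes because the PDU really does carry 255 trailing bytes, so only a check against the destination array size stops the copy.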


-- CREDIT ---------------------------------------
This vulnerability was discovered by:
Lucas Leong (@_wmliang_) of Trend Micro Zero Day Initiative

-- FURTHER DETAILS ------------------------------

Supporting files:


If supporting files were contained with this report they are provided within a password protected ZIP file. The password is the ZDI candidate number in the form: ZDI-CAN-XXXX where XXXX is the ID number.

Please confirm receipt of this report. We expect all vendors to remediate ZDI vulnerabilities within 120 days of the reported date. If you are ready to release a patch at any point leading up to the deadline, please coordinate with us so that we may release our advisory detailing the issue. If the 120-day deadline is reached and no patch has been made available we will release a limited public advisory with our own mitigations, so that the public can protect themselves in the absence of a patch. Please keep us updated regarding the status of this issue and feel free to contact us at any time:

Zero Day Initiative
zdi-disclosures@trendmicro.com

The PGP key used for all ZDI vendor communications is available from:

  http://www.zerodayinitiative.com/documents/disclosures-pgp-key.asc

-- INFORMATION ABOUT THE ZDI --------------------
Established by TippingPoint and acquired by Trend Micro, the Zero Day Initiative (ZDI) neither re-sells vulnerability details nor exploit code. Instead, upon notifying the affected product vendor, the ZDI provides its Trend Micro TippingPoint customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available.

Please contact us for further details or refer to:

  http://www.zerodayinitiative.com

-- DISCLOSURE POLICY ----------------------------

Our vulnerability disclosure policy is available online at:

  http://www.zerodayinitiative.com/advisories/disclosure_policy/

TREND MICRO EMAIL NOTICE

The information contained in this email and any attachments is confidential and may be subject to copyright or other intellectual property protection. If you are not the intended recipient, you are not authorized to use or disclose this information, and we request that you notify us by reply mail or telephone and delete the original message from your mail system.

For details about what personal information we collect and why, please see our Privacy Notice on our website at: http://www.trendmicro.com/privacy

[-- Attachment #2: ZDI-CAN-23460.zip --]
[-- Type: application/x-zip-compressed, Size: 11250 bytes --]
