From: "zdi-disclosures@trendmicro.com" <zdi-disclosures@trendmicro.com>
To: "ofono@lists.linux.dev" <ofono@lists.linux.dev>
Subject: ZDI-CAN-23193: New Vulnerability Report
Date: Thu, 29 Feb 2024 15:38:56 +0000
Message-ID: <DM5PR0102MB3477CC4030B490BF74F083B8805F2@DM5PR0102MB3477.prod.exchangelabs.com>

ZDI-CAN-23193: oFono CUSD Stack-based Buffer Overflow Code Execution Vulnerability

-- CVSS -----------------------------------------

7.8: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

-- ABSTRACT -------------------------------------

Trend Micro's Zero Day Initiative has identified a vulnerability affecting the following products:
oFono - oFono

-- VULNERABILITY DETAILS ------------------------
* Version tested:  16.0.3
* Installer file:  agl-demo-platform-crosssdk-raspberrypi4-64.wic.xz
* Platform tested: Raspberry Pi

---

### Analysis

A stack-based buffer overflow exists in the USSD feature. The AT command "+CUSD" is registered with g_at_chat_register, so oFono can handle it at any moment after registration; the callback that handles its parameters is cusd_notify. cusd_notify calls cusd_parse, and the stack overflow lives in this function:

```
static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd)
{
    [...]
    unsigned char msg[160];
    [...]
    if (!g_at_result_iter_next_string(&iter, &content))
        goto out;
    switch (charset) {
    [...]
    case SMS_CHARSET_8BIT:
    case SMS_CHARSET_UCS2:
        msg_ptr = decode_hex_own_buf(content, -1, &msg_len, 0, msg);
        break;
    }
    DBG("msg ptr %p msg len %ld", msg_ptr, msg_len);
    [...]
}
```

The decode_hex_own_buf function is called with the hex-encoded string, which is controlled by the modem, and -1 as the len parameter. The value -1 in len means that the strlen() of the input buffer is used as the size.
The output buffer msg has a fixed size of 160 bytes, but the input buffer has no limit in size. This results in a stack buffer overflow after the msg buffer, which can be used to gain code execution (it requires the stack cookie to be known, or a binary without stack cookies).
Note that in the oFono source code (in mainline), this bug is present 3 times, as it is duplicated for three different drivers:
- drivers/huaweimodem/ussd.c
- drivers/atmodem/ussd.c
- drivers/speedupmodem/ussd.c
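The missing bound described above, shown as an added example that is not oFono's code: a hypothetical decode_hex_bounded takes the destination capacity and rejects content that would not fit a fixed 160-byte msg buffer, with cusd_decode_into_fixed_buf and decode_hex_run as constructed helpers standing in for the handler and for modem-supplied input.

```c
#include <stdlib.h>
#include <string.h>

static int hex_nibble(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Hypothetical bounded decoder (not oFono's decode_hex_own_buf): writes
 * at most out_cap bytes into out and returns NULL, instead of writing past
 * the buffer, when the input is malformed or would not fit. */
unsigned char *decode_hex_bounded(const char *hex, size_t out_cap,
                                  unsigned char *out, size_t *out_len)
{
    size_t n = strlen(hex);
    if (n % 2 != 0 || n / 2 > out_cap)  /* bound check absent in the report's path */
        return NULL;
    for (size_t i = 0; i < n; i += 2) {
        int hi = hex_nibble(hex[i]), lo = hex_nibble(hex[i + 1]);
        if (hi < 0 || lo < 0)
            return NULL;
        out[i / 2] = (unsigned char)((hi << 4) | lo);
    }
    *out_len = n / 2;
    return out;
}

/* Mirrors the handler's fixed 160-byte stack buffer: decoded length on
 * success, -1 when the content is rejected (the handler would bail out). */
long cusd_decode_into_fixed_buf(const char *content)
{
    unsigned char msg[160];
    size_t msg_len = 0;
    if (decode_hex_bounded(content, sizeof(msg), msg, &msg_len) == NULL)
        return -1;
    return (long)msg_len;
}

/* Constructed input: a run of `digits` hex digits, as a modem might send. */
long decode_hex_run(size_t digits)
{
    char *s = malloc(digits + 1);
    if (s == NULL) return -1;
    memset(s, '4', digits);
    s[digits] = '\0';
    long r = cusd_decode_into_fixed_buf(s);
    free(s);
    return r;
}
```

320 hex digits (160 bytes) decode successfully; 322 digits are rejected rather than written past msg.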

-- CREDIT ---------------------------------------
This vulnerability was discovered by:
Synacktiv (@Synacktiv) working with Trend Micro Zero Day Initiative

-- FURTHER DETAILS ------------------------------

Supporting files:


If supporting files were contained with this report they are provided within a password protected ZIP file. The password is the ZDI candidate number in the form: ZDI-CAN-XXXX where XXXX is the ID number.

Please confirm receipt of this report. We expect all vendors to remediate ZDI vulnerabilities within 120 days of the reported date. If you are ready to release a patch at any point leading up to the deadline, please coordinate with us so that we may release our advisory detailing the issue. If the 120-day deadline is reached and no patch has been made available we will release a limited public advisory with our own mitigations, so that the public can protect themselves in the absence of a patch. Please keep us updated regarding the status of this issue and feel free to contact us at any time:

Zero Day Initiative
zdi-disclosures@trendmicro.com

The PGP key used for all ZDI vendor communications is available from:

  http://www.zerodayinitiative.com/documents/disclosures-pgp-key.asc

-- INFORMATION ABOUT THE ZDI --------------------
Established by TippingPoint and acquired by Trend Micro, the Zero Day Initiative (ZDI) neither re-sells vulnerability details nor exploit code. Instead, upon notifying the affected product vendor, the ZDI provides its Trend Micro TippingPoint customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available.

Please contact us for further details or refer to:

  http://www.zerodayinitiative.com

-- DISCLOSURE POLICY ----------------------------

Our vulnerability disclosure policy is available online at:

  http://www.zerodayinitiative.com/advisories/disclosure_policy/

TREND MICRO EMAIL NOTICE

The information contained in this email and any attachments is confidential and may be subject to copyright or other intellectual property protection. If you are not the intended recipient, you are not authorized to use or disclose this information, and we request that you notify us by reply mail or telephone and delete the original message from your mail system.

For details about what personal information we collect and why, please see our Privacy Notice on our website at: http://www.trendmicro.com/privacy

