Vulnerabilities > CVE-2017-2895 - Out-of-bounds Read vulnerability in Cesanta Mongoose 6.8

CVSS 8.2 - HIGH
  Attack vector:          NETWORK
  Attack complexity:      LOW
  Privileges required:    NONE
  Confidentiality impact: LOW
  Integrity impact:       NONE
  Availability impact:    HIGH

Tags: network, low complexity, cesanta, CWE-125

Summary

An exploitable arbitrary memory read vulnerability exists in the MQTT packet parsing functionality of Cesanta Mongoose 6.8. A specially crafted MQTT SUBSCRIBE packet can cause an arbitrary out-of-bounds memory read potentially resulting in information disclosure and denial of service. An attacker needs to send a specially crafted MQTT packet over the network to trigger this vulnerability.

Vulnerable Configurations

Part         Description   Count
Application  Cesanta       1

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Overread Buffers
    An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.

Seebug

bulletinFamily: exploit
description:

### Summary

An exploitable arbitrary memory read vulnerability exists in the MQTT packet parsing functionality of Cesanta Mongoose 6.8. A specially crafted MQTT SUBSCRIBE packet can cause an arbitrary out-of-bounds memory read potentially resulting in information disclosure and denial of service. An attacker needs to send a specially crafted MQTT packet over the network to trigger this vulnerability.

### Tested Versions

Cesanta Mongoose 6.8

### Product URLs

https://cesanta.com/

### CVSSv3 Score

8.2 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

### CWE

CWE-190: Integer Overflow or Wraparound

### Details

Mongoose is a monolithic library implementing a number of networking protocols, including HTTP, MQTT, MDNS and others. It is designed with embedded devices in mind and as such is used in many IoT devices and runs on virtually all platforms.

While parsing an MQTT SUBSCRIBE packet, the topic string size as encoded in the packet is trusted without any additional validation. This arbitrary length value is used in pointer arithmetic and can cause out-of-bounds memory access.

The vulnerability occurs in the function `mg_mqtt_next_subscribe_topic`:

```c
int mg_mqtt_next_subscribe_topic(struct mg_mqtt_message *msg,
                                 struct mg_str *topic, uint8_t *qos, int pos) {
  unsigned char *buf = (unsigned char *) msg->payload.p + pos;
  if ((size_t) pos >= msg->payload.len) {
    return -1;
  }

  topic->len = buf[0] << 8 | buf[1];   /* [1] */
  topic->p = (char *) buf + 2;
  *qos = buf[2 + topic->len];          /* [2] */
  return pos + 2 + topic->len + 1;
}
```

In the above code, at [1] two bytes from the message buffer are read as `topic->len` and then immediately used at [2] to calculate the offset of `qos`. No check is performed to ensure that this offset lies inside the bounds of the buffer, which is limited in size. This issue can be triggered multiple times and, with careful control of the memory layout, could be abused to leak memory and cause denial of service.

The vulnerability can be triggered by sending the supplied proof of concept packet to the sample mqtt_broker application supplied with the library.

### Crash Information

```
Address Sanitizer output:
==118728==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000014986 at pc 0x00000051e4c5 bp 0x7fffffffaf50 sp 0x7fffffffaf48
READ of size 1 at 0x619000014986 thread T0
    #0 0x51e4c4 (/home/user/mongoose/examples/mqtt_broker/mqtt_broker+0x51e4c4)
    #1 0x515174 (/home/user/mongoose/examples/mqtt_broker/mqtt_broker+0x515174)
    #2 0x4fa825 (/home/user/mongoose/examples/mqtt_broker/mqtt_broker+0x4fa825)
    #3 0x4fea17 (/home/user/mongoose/examples/mqtt_broker/mqtt_broker+0x4fea17)
    #4 0x50a8e7 (/home/user/mongoose/examples/mqtt_broker/mqtt_broker+0x50a8e7)
    #5 0x50efa8 (/home/user/mongoose/examples/mqtt_broker/mqtt_broker+0x50efa8)
    #6 0x4fc145 (/home/user/mongoose/examples/mqtt_broker/mqtt_broker+0x4fc145)
    #7 0x4eb5ea (/home/user/mongoose/examples/mqtt_broker/mqtt_broker+0x4eb5ea)
    #8 0x7ffff683882f (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #9 0x419978 (/home/user/mongoose/examples/mqtt_broker/mqtt_broker+0x419978)

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/user/mongoose/examples/mqtt_broker/mqtt_broker+0x51e4c4)
Shadow bytes around the buggy address:
  0x0c327fffa8e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fffa8f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fffa900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fffa910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fffa920: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c327fffa930:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fffa940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fffa950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fffa960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fffa970: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fffa980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==118728==ABORTING
```

### Timeline

* 2017-08-30 - Vendor Disclosure
* 2017-10-31 - Public Release

id: SSV:96807
last seen: 2017-11-19
modified: 2017-11-08
published: 2017-11-08
reporter: Root
source: https://www.seebug.org/vuldb/ssvid-96807
title: Cesanta Mongoose MQTT SUBSCRIBE Topic Length Information Leak (CVE-2017-2895)
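
The bounds check that the Details section above describes as missing, as an added defensive example (this is not code from Mongoose, from the advisory, or from the upstream fix): a version of the SUBSCRIBE topic walker that validates the 16-bit length field against the bytes remaining in the payload before it sets `topic->p` or reads the QoS byte, plus a whole-payload validator built on it. The `ex_` struct and function names are stand-ins assumed for this example so it builds without mongoose.h; the payload byte arrays at the bottom are constructed sample input, not the Talos proof-of-concept packet.

```c
/* Added example, not Mongoose's code: bounds-checked SUBSCRIBE topic walker.
 * struct ex_str / struct ex_mqtt_message are assumed stand-ins for the
 * library's mg_str / mg_mqtt_message so this file builds without mongoose.h. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct ex_str {
  const char *p;
  size_t len;
};

struct ex_mqtt_message {
  struct ex_str payload; /* bytes after the fixed header */
};

/* Walk one topic-filter entry at offset `pos` of the payload.
 * Entry layout (MQTT 3.1.1 SUBSCRIBE): 2-byte big-endian length,
 * `length` bytes of topic filter, then one QoS byte.
 * Returns the offset of the next entry, or -1 if the entry does not lie
 * completely inside the payload. Every read is checked against
 * payload.len first; the original trusted the 16-bit length and read
 * buf[2 + len] without such a check. */
int ex_mqtt_next_subscribe_topic(const struct ex_mqtt_message *msg,
                                 struct ex_str *topic, uint8_t *qos, int pos) {
  const unsigned char *buf;
  size_t len, remaining;

  if (pos < 0 || (size_t) pos >= msg->payload.len) return -1;
  buf = (const unsigned char *) msg->payload.p + pos;
  remaining = msg->payload.len - (size_t) pos;

  if (remaining < 2) return -1; /* the length prefix itself is truncated */
  len = ((size_t) buf[0] << 8) | buf[1];

  /* Topic bytes plus the QoS byte must fit after the 2-byte prefix.
   * len <= 0xFFFF, so len + 1 cannot wrap. */
  if (remaining - 2 < len + 1) return -1;

  topic->p = (const char *) buf + 2;
  topic->len = len;
  *qos = buf[2 + len];
  /* Result is <= payload.len, so it fits in int whenever payload.len does. */
  return pos + 2 + (int) len + 1;
}

/* Validate a whole SUBSCRIBE payload: 2-byte packet identifier followed by
 * one or more entries. Returns the entry count, or -1 if any entry is
 * truncated or the payload carries no entries at all. */
int ex_count_subscribe_topics(const struct ex_mqtt_message *msg) {
  struct ex_str topic;
  uint8_t qos;
  int pos = 2, n = 0; /* skip the packet identifier */

  if (msg->payload.len < 2) return -1;
  while ((size_t) pos < msg->payload.len) {
    pos = ex_mqtt_next_subscribe_topic(msg, &topic, &qos, pos);
    if (pos < 0) return -1;
    n++;
  }
  return n > 0 ? n : -1;
}

/* Convenience wrapper for a raw byte buffer. */
int ex_check_payload(const unsigned char *bytes, size_t n) {
  struct ex_mqtt_message msg;
  msg.payload.p = (const char *) bytes;
  msg.payload.len = n;
  return ex_count_subscribe_topics(&msg);
}

/* Length of the first topic filter, or -1 if the first entry is truncated. */
long ex_first_topic_len(const unsigned char *bytes, size_t n) {
  struct ex_mqtt_message msg;
  struct ex_str topic;
  uint8_t qos;
  msg.payload.p = (const char *) bytes;
  msg.payload.len = n;
  if (ex_mqtt_next_subscribe_topic(&msg, &topic, &qos, 2) < 0) return -1;
  return (long) topic.len;
}

/* Constructed sample payloads (not the advisory's proof of concept). */
const unsigned char EX_GOOD[] = {
  0x00, 0x01,                       /* packet identifier 1 */
  0x00, 0x03, 'a', '/', 'b', 0x01,  /* "a/b", QoS 1 */
  0x00, 0x01, 'c', 0x00             /* "c",   QoS 0 */
};
/* Claims a 65535-byte topic but carries one byte; the unchecked walker
 * would compute the QoS offset as 2 + 0xFFFF past a 5-byte buffer. */
const unsigned char EX_BAD_LEN[] = { 0x00, 0x01, 0xFF, 0xFF, 'a' };
/* Length prefix cut short after one byte. */
const unsigned char EX_BAD_PREFIX[] = { 0x00, 0x01, 0x00 };

int main(void) {
  printf("good:       %d topics\n", ex_check_payload(EX_GOOD, sizeof EX_GOOD));
  printf("bad length: %d\n", ex_check_payload(EX_BAD_LEN, sizeof EX_BAD_LEN));
  printf("bad prefix: %d\n", ex_check_payload(EX_BAD_PREFIX, sizeof EX_BAD_PREFIX));
  return 0;
}
```

The checks are ordered so that no byte is dereferenced before the bytes it depends on have been shown to exist: first the two-byte prefix, then the topic bytes and the trailing QoS byte together. Returning -1 from the walker is enough for a caller that loops over entries the way the broker does, since the loop stops on the first truncated entry instead of walking into unrelated heap memory.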

Talos

id: TALOS-2017-0402
last seen: 2019-05-29
published: 2017-10-31
reporter: Talos Intelligence
source: http://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0402
title: Cesanta Mongoose MQTT SUBSCRIBE Topic Length Information Leak