CVE-2017-7185 - Use After Free vulnerability in Cesanta Mongoose Embedded Web Server Library and Mongoose OS
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | NONE |
Integrity impact | NONE |
Availability impact | PARTIAL |
Summary
Use-after-free vulnerability in the mg_http_multipart_wait_for_boundary function in mongoose.c in Cesanta Mongoose Embedded Web Server Library 6.7 and earlier and Mongoose OS 1.2 and earlier allows remote attackers to cause a denial of service (crash) via a multipart/form-data POST request without a MIME boundary string.
Exploit-Db
description | Cesanta Mongoose OS - Use-After-Free. CVE-2017-7185. Dos exploit for Hardware platform. Tags: Use After Free |
file | exploits/hardware/dos/41826.txt |
id | EDB-ID:41826 |
last seen | 2017-04-06 |
modified | 2017-04-06 |
platform | hardware |
port | |
published | 2017-04-06 |
reporter | Exploit-DB |
source | https://www.exploit-db.com/download/41826/ |
title | Cesanta Mongoose OS - Use-After-Free |
type | dos |
Packetstorm
data source | https://packetstormsecurity.com/files/download/142021/CSNC-2017-003.txt |
id | PACKETSTORM:142021 |
last seen | 2017-04-10 |
published | 2017-04-03 |
reporter | Philipp Promeuschel |
source | https://packetstormsecurity.com/files/142021/Mongoose-OS-1.2-Use-After-Free-Denial-Of-Service.html |
title | Mongoose OS 1.2 Use-After-Free / Denial Of Service |
References
- http://www.securityfocus.com/archive/1/540355/100/0/threaded
- http://www.securityfocus.com/bid/97370
- https://github.com/cesanta/mongoose/commit/b8402ed0733e3f244588b61ad5fedd093e3cf9cc
- https://github.com/cesanta/mongoose-os/commit/042eb437973a202d00589b13d628181c6de5cf5b
- https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CVE-2017-7185_mongoose_os_use_after_free.txt
- https://www.exploit-db.com/exploits/41826/