Headline
CVE-2022-28665: TALOS-2022-1509 || Cisco Talos Intelligence Group
A memory corruption vulnerability exists in the httpd unescape functionality of FreshTomato 2022.1. A specially-crafted HTTP request can lead to memory corruption. An attacker can send a network request to trigger this vulnerability.The freshtomato-arm has a vulnerable URL-decoding feature that can lead to memory corruption.
Summary
A memory corruption vulnerability exists in the httpd unescape functionality of FreshTomato 2022.1. A specially-crafted HTTP request can lead to memory corruption. An attacker can send a network request to trigger this vulnerability.
Tested Versions
FreshTomato 2022.1
Product URLs
FreshTomato - https://www.freshtomato.org/
CVSSv3 Score
5.3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CWE
CWE-20 - Improper Input Validation
Details
FreshTomato is an open source firmware based on linux. The firmware offers several features for Broadcom-based routers.
The FreshTomato’s httpd component has a file named cgi.c that contains CGI helper functions. One of these functions is unescape:
static void unescape(char *s)
{
unsigned int c;
while ((s = strpbrk(s, "%+"))) { [1]
if (*s == '%') {
sscanf(s + 1, "%02x", &c); [2]
*s++ = (char) c; [3]
strcpy(s, s + 2); [4]
}
else if (*s == '+') {
*s++ = ' ';
}
}
}
This function takes as argument a string. If URL-encoded, this function will decode it. At [1], there is a loop that takes the next % or + in the string. If a % is found, then at [2] the following two characters are converted from hex values to a single character. At [3] the converted character replaces the % character and the string pointer advance. At [4] the string, after the already-parsed URL-encoded character is moved left by two positions, will replace the parsed characters. A string like “A…B%41%42” would go through the following steps:
|A|...|B|%|4|1|%|4|2|NULL| at [1]/[2]
|A|...|B|A|4|1|%|4|2|NULL| after [3]
|A|...|B|A|%|4|2|NULL|2|NULL| after [4]
Eventually, after a second iteration of the loop, we would end up like this:
|A|...|B|A|B|NULL|2|NULL|2|NULL| after [4]
CVE-2022-28664 - mips branch - httpd unescape memory corruption
The freshtomato-mips has a vulnerable URL-decoding feature that can lead to memory corruption. The unescape function assumes, wrongly, that after a % there are always at least two characters. If this is not the case, the instruction at [4] would cause an out-of-bounds read and write.
CVE-2022-28665 - arm branch - httpd unescape memory corruption
The freshtomato-arm has a vulnerable URL decoding feature that can lead to memory corruption. The unescape function assume, wrongly, that after a % there are always at least two characters. If this is not the case, the instruction at [4] would cause an out-of-bounds read and write.
Timeline
2022-04-11 - Initial vendor contact
2022-04-27 - Vendor Disclosure
2022-05-06 - Vendor Patch Release
2022-07-27 - Public Release
Discovered by Francesco Benvenuto of Cisco Talos.
Related news
Given the privileged position these devices occupy on the networks they serve, they are prime targets for attackers, so their security posture is of paramount importance.
By Francesco Benvenuto. Recently, I was performing some research on a wireless router and noticed the following piece of code: This unescape function will revert the URL encoded bytes to its original form. But something specifically caught my attention: There was no size check for the performed operations and the function assumes that after a ‘%’ there are always two bytes. So, what would happen if after ‘%’, only one character existed? The answer is that the s+3, in the strcpy, will access after the end of the string. So, it could lead to memory corruption. Then, I tried to exploit this bug on the router in question. But based on how the URL string was managed in that device, it was not possible. But it had the potential to crash other web servers that used this piece of code. That function belonged to the freshtomato library. So, I searched for the source code and noticed that at the beginning of the file containing that function, there was the following comment: It was code fr...
By Francesco Benvenuto. Recently, I was performing some research on a wireless router and noticed the following piece of code: This unescape function will revert the URL encoded bytes to its original form. But something specifically caught my attention: There was no size check for the performed operations and the function assumes that after a ‘%’ there are always two bytes. So, what would happen if after ‘%’, only one character existed? The answer is that the s+3, in the strcpy, will access after the end of the string. So, it could lead to memory corruption. Then, I tried to exploit this bug on the router in question. But based on how the URL string was managed in that device, it was not possible. But it had the potential to crash other web servers that used this piece of code. That function belonged to the freshtomato library. So, I searched for the source code and noticed that at the beginning of the file containing that function, there was the following comment: It was code fr...