Headline
Vulnerability Spotlight: How a code re-use issue led to vulnerabilities across multiple products
By Francesco Benvenuto. Recently, I was performing some research on a wireless router and noticed the following piece of code:
This unescape function will revert the URL encoded bytes to its original form. But something specifically caught my attention: There was no size check for the performed operations and the function assumes that after a ‘%’ there are always two bytes. So, what would happen if after ‘%’, only one character existed? The answer is that the s+3, in the strcpy, will access after the end of the string. So, it could lead to memory corruption. Then, I tried to exploit this bug on the router in question. But based on how the URL string was managed in that device, it was not possible. But it had the potential to crash other web servers that used this piece of code. That function belonged to the freshtomato library. So, I searched for the source code and noticed that at the beginning of the file containing that function, there was the following comment:
It was code from Broadcom. I searched for pieces of those comments on Google and found some projects using that code. Then, I also used grep.app writing a regex trying to catch the layout of the bug and found other projects. Some of these projects were code that can be tinkered with and/or in web server scenarios. So, we tested the code and eventually contacted multiple vendors regarding vulnerabilities in their respective products.
The similarities between the code utilized by each of the different projects is so similar that it is reasonable to assume that the code is taken from the same initial source. Seeing as how the code originally held a Broadcom copyright, it is likely that the code was part of a reference implementation that Broadcom released to help customers implement an HTTP server using a product from Broadcom. This vulnerability becomes more interesting as the vulnerable products are looked in more depth, including the open-source software ArduPilot. This software is an open-source autonomous vehicle package, not tied to Broadcom in any way, so the vulnerable code made its way into the code base without a direct reference implementation. This sort of extended code reuse is extraordinarily difficult to track down even with modern-day secure coding practices due to code being slightly modified to suit each use case specifically. For these reasons, it is extraordinarily important for developers to be vigilant in reviewing external functionality that are modified and inserted into a code base, as well as for security researchers to investigate issues that could easily be slightly mutated across multiple software packages.
Below are the vulnerabilities we disclosed and helped fix as part of this discovery. TALOS-2022-1509 TALOS-2022-1511 and TALOS-2022-1512 have been patched by their respective companies or maintainers. However, we are disclosing TALOS-2022-1510 without a patch, due to the vendor’s failure to adhere to Cisco’s 90-day deadline as part of the vulnerability disclosure policy.
TALOS-2022-1509 (CVE-2022-28664 - CVE-2022-28665) A memory corruption vulnerability in the httpd’s unescape functionality of FreshTomato, version 2022.1. A specially crafted HTTP request can lead to memory corruption. An attacker can send a network request to trigger this vulnerability.
TALOS-2022-1510 (CVE-2022-27631) A memory corruption vulnerability in the httpd’s unescape functionality of DD-WRT from Revision 32270 to Revision 48599 — a Linux-based firmware for embedded systems. A specially crafted HTTP request can lead to memory corruption. An attacker can send a network request to trigger this vulnerability.
TALOS-2022-1511 (CVE-2022-26376) A memory corruption vulnerability in both the official Asuswrt firmware as well as the Asuswrt-Merlin New Gen open-source firmware alternative for Asus wireless routers. The vulnerability exists in the httpd’s unescape functionality of these firmwares. A specially crafted HTTP request can lead to memory corruption. An attacker can send a network request to trigger this vulnerability. ASUSWRT, the company’s user interface software for managing Asus devices, is also affected by this vulnerability.
TALOS-2022-1512 (CVE-2022-28711) A memory corruption vulnerability in the cgi.c’s unescape functionality of ArduPilot APWeb from master branch 50b6b7ac to master branch 46177cb9. ArduPilot is an open-source software suite that allows users to program autonomous flying and driving devices like drones. A specially crafted HTTP request can lead to memory corruption. An attacker can send a network request to trigger this vulnerability.
By Francesco Benvenuto.
Recently, I was performing some research on a wireless router and noticed the following piece of code:
This unescape function will revert the URL encoded bytes to its original form. But something specifically caught my attention: There was no size check for the performed operations and the function assumes that after a ‘%’ there are always two bytes. So, what would happen if after ‘%’, only one character existed? The answer is that the s+3, in the strcpy, will access after the end of the string. So, it could lead to memory corruption.
Then, I tried to exploit this bug on the router in question. But based on how the URL string was managed in that device, it was not possible. But it had the potential to crash other web servers that used this piece of code. That function belonged to the freshtomato library. So, I searched for the source code and noticed that at the beginning of the file containing that function, there was the following comment:
It was code from Broadcom. I searched for pieces of those comments on Google and found some projects using that code. Then, I also used grep.app writing a regex trying to catch the layout of the bug and found other projects. Some of these projects were code that can be tinkered with and/or in web server scenarios. So, we tested the code and eventually contacted multiple vendors regarding vulnerabilities in their respective products.
The similarities between the code utilized by each of the different projects is so similar that it is reasonable to assume that the code is taken from the same initial source. Seeing as how the code originally held a Broadcom copyright, it is likely that the code was part of a reference implementation that Broadcom released to help customers implement an HTTP server using a product from Broadcom. This vulnerability becomes more interesting as the vulnerable products are looked in more depth, including the open-source software ArduPilot. This software is an open-source autonomous vehicle package, not tied to Broadcom in any way, so the vulnerable code made its way into the code base without a direct reference implementation. This sort of extended code reuse is extraordinarily difficult to track down even with modern-day secure coding practices due to code being slightly modified to suit each use case specifically. For these reasons, it is extraordinarily important for developers to be vigilant in reviewing external functionality that are modified and inserted into a code base, as well as for security researchers to investigate issues that could easily be slightly mutated across multiple software packages.
Below are the vulnerabilities we disclosed and helped fix as part of this discovery. TALOS-2022-1509 TALOS-2022-1511 and TALOS-2022-1512 have been patched by their respective companies or maintainers. However, we are disclosing TALOS-2022-1510 without a patch, due to the vendor’s failure to adhere to Cisco’s 90-day deadline as part of the vulnerability disclosure policy.
**TALOS-2022-1509 (CVE-2022-28664 - CVE-2022-28665) **
A memory corruption vulnerability in the httpd’s unescape functionality of FreshTomato, version 2022.1. A specially crafted HTTP request can lead to memory corruption. An attacker can send a network request to trigger this vulnerability.
**TALOS-2022-1510 (CVE-2022-27631) **
A memory corruption vulnerability in the httpd’s unescape functionality of DD-WRT from Revision 32270 to Revision 48599 — a Linux-based firmware for embedded systems. A specially crafted HTTP request can lead to memory corruption. An attacker can send a network request to trigger this vulnerability.
**TALOS-2022-1511 (CVE-2022-26376) **
A memory corruption vulnerability in both the official Asuswrt firmware as well as the Asuswrt-Merlin New Gen open-source firmware alternative for Asus wireless routers. The vulnerability exists in the httpd’s unescape functionality of these firmwares. A specially crafted HTTP request can lead to memory corruption. An attacker can send a network request to trigger this vulnerability. ASUSWRT, the company’s user interface software for managing Asus devices, is also affected by this vulnerability.
**TALOS-2022-1512 (CVE-2022-28711) **
A memory corruption vulnerability in the cgi.c’s unescape functionality of ArduPilot APWeb from master branch 50b6b7ac to master branch 46177cb9. ArduPilot is an open-source software suite that allows users to program autonomous flying and driving devices like drones. A specially crafted HTTP request can lead to memory corruption. An attacker can send a network request to trigger this vulnerability.
Related news
Given the privileged position these devices occupy on the networks they serve, they are prime targets for attackers, so their security posture is of paramount importance.
A slew of critical advisories this week showcase an exploding edge device attack surface for SMBs, which have limited cybersecurity protection, visibility, and maintenance available.
Taiwanese company ASUS on Monday released firmware updates to address, among other issues, nine security bugs impacting a wide range of router models. Of the nine security flaws, two are rated Critical and six are rated High in severity. One vulnerability is currently awaiting analysis. The list of impacted products are GT6, GT-AXE16000, GT-AX11000 PRO, GT-AXE11000, GT-AX6000, GT-AX11000,
Categories: Exploits and vulnerabilities Categories: News Tags: ASUS Tags: router Tags: models Tags: CVE-2022-26376 Tags: CVE-2018-1160 Tags: Netatalk Tags: disable WAN ASUS has released firmware updates for several router models fixing two critical and several other security issues. (Read more...) The post Update now! ASUS fixes nine security flaws appeared first on Malwarebytes Labs.
ASUS Router RT-AX3000 Firmware versions prior to 3.0.0.4.388.23403 uses sensitive cookies without 'Secure' attribute. When an attacker is in a position to be able to mount a man-in-the-middle attack, and a user is tricked to log into the affected device through an unencrypted ('http') connection, the user's session may be hijacked.
A memory corruption vulnerability exists in the httpd unescape functionality of FreshTomato 2022.1. A specially-crafted HTTP request can lead to memory corruption. An attacker can send a network request to trigger this vulnerability.The `freshtomato-arm` has a vulnerable URL-decoding feature that can lead to memory corruption.
A memory corruption vulnerability exists in the httpd unescape functionality of DD-WRT Revision 32270 - Revision 48599. A specially-crafted HTTP request can lead to memory corruption. An attacker can send a network request to trigger this vulnerability.
A memory corruption vulnerability exists in the httpd unescape functionality of Asuswrt prior to 3.0.0.4.386_48706 and Asuswrt-Merlin New Gen prior to 386.7.. A specially-crafted HTTP request can lead to memory corruption. An attacker can send a network request to trigger this vulnerability.
A memory corruption vulnerability exists in the cgi.c unescape functionality of ArduPilot APWeb master branch 50b6b7ac - master branch 46177cb9. A specially-crafted HTTP request can lead to memory corruption. An attacker can send a network request to trigger this vulnerability.