Multiple Out-of-Bound Read in parseAarqPdu /src/libiec61850/src/mms/iso_acse/acse.c #512
Comments
gnbon changed the title from "Out-of-Bound Read in parseAarqPdu /src/libiec61850/src/mms/iso_acse/acse.c:306:21" to "Multiple Out-of-Bound Read in parseAarqPdu /src/libiec61850/src/mms/iso_acse/acse.c" on Jun 11, 2024.
mzillgith added a commit that referenced this issue on Jun 12, 2024.
In fix: libiec61850/src/mms/iso_acse/acse.c, lines 276 to 284 in d0f52a2
In this case, line 278 will end up referencing buffer[-1].
Attachment: poc-oobr-60.zip
Summary
An Out-of-Bound Read vulnerability was discovered in the parseAarqPdu function of the acse.c file in the libiec61850 library through fuzzing. This vulnerability is triggered when parsing the 0xa6, 0xa7, 0xbe tags.
Details
The vulnerability occurs in the parseAarqPdu function when processing the 0xa6, 0xa7, 0xbe tags. The bufPos index used to read from the input buffer is not properly validated, leading to an out-of-bounds read. Let's consider when the execution reaches the following code:
libiec61850/src/mms/iso_acse/acse.c, lines 266 to 270 in 790e3e6
If the end of the file contains bytes like a7 00, the tag variable will be set to 0xa7, and bufPos will point to the end of the file + 1. Due to the lack of proper boundary checks after this point, an out-of-bound read vulnerability can occur.
For example, when processing the 0xa7 tag:
libiec61850/src/mms/iso_acse/acse.c, lines 304 to 306 in 790e3e6
The same occurs when parsing the 0xa6, 0xbe tags here:
libiec61850/src/mms/iso_acse/acse.c, lines 291 to 293 in 790e3e6
libiec61850/src/mms/iso_acse/acse.c, lines 342 to 343 in 790e3e6
Impact:
An attacker can use this vulnerability to leak data by sending deliberately crafted input data to trigger abnormal behavior in the program. This can potentially lead to information disclosure or other unintended consequences.
Recommendation:
To mitigate this vulnerability, it is crucial to perform thorough boundary checks regardless of the size of the input data. The code should be modified to ensure that bufPos never exceeds the valid range of the buffer. Additionally, proper input validation and error handling should be implemented to gracefully handle cases where the input data size is unexpected or malformed.
PoC
A proof-of-concept exploit has been provided in the attached file. This PoC demonstrates how the vulnerability can be triggered by sending specially crafted input data to the affected functions.
acse-crash-a7-poc.zip
Address Sanitizer
CVE Assignment Request:
I kindly request the assignment of a Common Vulnerabilities and Exposures (CVE) identifier for the Out-of-Bound Read vulnerability.
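As an added illustration (not code from libiec61850, the fix commit, or the reporter's PoC), here is a minimal tag/length/value walker in C that applies the bounds checks the report recommends: the length is decoded without reading past maxBufPos, each value is checked against the bytes remaining, and the 0xa6/0xa7/0xbe cases reject an empty body such as `a7 00` at the end of the input instead of reading buf[bufPos] past the end. The function names, status codes and sample inputs are constructed for this example.

```c
#include <stdint.h>

/* Hypothetical status codes for this example (not libiec61850 names). */
enum { TLV_ERR_TRUNCATED = -1, TLV_ERR_BAD_LENGTH = -2 };

/* Decode a BER length (short form, or long form up to 2 bytes) without
 * reading past maxBufPos. Returns the new bufPos, or -1 if it does not fit. */
static int decodeLengthChecked(const uint8_t* buf, int* len, int bufPos, int maxBufPos)
{
    if (bufPos >= maxBufPos) return -1;               /* no length byte left */
    uint8_t b = buf[bufPos++];
    if ((b & 0x80) == 0) { *len = b; return bufPos; }
    int n = b & 0x7f;
    if (n == 0 || n > 2 || n > maxBufPos - bufPos) return -1;
    int l = 0;
    for (int i = 0; i < n; i++) l = (l << 8) | buf[bufPos++];
    *len = l;
    return bufPos;
}

/* Walk tag/length/value elements in buf[0..maxBufPos). Every read of a value
 * byte is preceded by a check that the byte exists, which is the check the
 * report says is missing after the tag and length are parsed.
 * Returns the number of elements seen, or a negative TLV_ERR_* code. */
int walkTlvChecked(const uint8_t* buf, int maxBufPos)
{
    int bufPos = 0, count = 0;
    while (bufPos < maxBufPos) {
        uint8_t tag = buf[bufPos++];
        int len;
        bufPos = decodeLengthChecked(buf, &len, bufPos, maxBufPos);
        if (bufPos < 0 || len > maxBufPos - bufPos) return TLV_ERR_TRUNCATED;
        if (tag == 0xa6 || tag == 0xa7 || tag == 0xbe) {
            /* These elements are read one nested byte deeper; an empty body
             * such as "a7 00" at the end of the input leaves nothing to read,
             * so reject it instead of indexing buf[bufPos] past the end. */
            if (len < 1) return TLV_ERR_BAD_LENGTH;
            uint8_t inner = buf[bufPos];              /* safe: len >= 1 verified */
            (void)inner;
        }
        bufPos += len;
        count++;
    }
    return count;
}

/* Constructed sample inputs (not taken from the report's PoC files). */
const uint8_t SAMPLE_OK[]       = { 0xa1, 0x02, 0x01, 0x02, 0xa7, 0x01, 0x00 };
const uint8_t SAMPLE_A7_EMPTY[] = { 0xa1, 0x02, 0x01, 0x02, 0xa7, 0x00 };
const uint8_t SAMPLE_TRUNC[]    = { 0xbe, 0x05, 0x01 };
```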