ASUS DSL-AC3100 Router Firmware radvd Bugs

Lets look at packet processing in the router code

                case ND_OPT_RDNSS_INFORMATION:
                        rdnssinfo = (struct nd_opt_rdnss_info_local *) opt_str;
                        count = rdnssinfo->nd_opt_rdnssi_len;

                         /* Check the RNDSS addresses received */
                        switch (count) {
                                case 7:

Now opt_str is the options part of the packet. Does the code check that the packet is big enough to account for these options? No. There are a bunch of cases like this. All lead to out of bounds memory access.

Lets look at the current radvd source from a recent Linux distro

                case ND_OPT_RDNSS_INFORMATION: {
                        char rdnss_str[INET6_ADDRSTRLEN];
                        struct AdvRDNSS *rdnss = 0;
                        struct nd_opt_rdnss_info_local *rdnssinfo = (struct nd_opt_rdnss_info_local *)opt_str;
                        if (len < sizeof(*rdnssinfo))
                                return;
                        int count = rdnssinfo->nd_opt_rdnssi_len;

                        /* Check the RNDSS addresses received */
                        switch (count) {
                        case 7:

It's clearly been fixed. But the patches haven't been backported to the router firmware.

Comments

Post a comment

Popular posts from this blog

Heap Exploitation in Chrome's PartitionAlloc - part 1

Image
Dr Silvio Cesare @silviocesare Summary PartitionAlloc is the hardened heap allocator used in Google's Chrome web browser. It is susceptible to a number of attacks. This blog post describes the first attack in a series of posts. I will talk about freelist poisoning and how to make an allocation request return an arbitrary pointer. This can be used with application-logic to develop an arbitrary write primitive. Introduction In heap allocators, freelists maintain a group of free memory chunks that are available to be recycled by an allocation request. Freelist poisoning corrupts this list and injects a "fake chunk" pointer. A later allocation will return this fake chunk pointer. So it is possible to make an allocation request return an arbitrary pointer. I have blogged about freelist poisoning extensively. It is a common attack that many allocators are vulnerable to. https://blog.infosectcbr.com.au/2020/03/weaknesses-in-linux-kernel-heap.html https://blog.infos
Read more

Linux Kernel Stack Smashing

Dr Silvio Cesare @silviocesare   Summary In this blog post I’ll discuss how to exploit the Linux kernel via a stack smashing attack. I’ll be attacking the latest kernel version. I’ll also introduce a vulnerable device driver that I wrote so that I can focus on the exploitation development and not the vulnerability research.  A number of mitigations were introduced in recent years, such as Kernel Page Table Isolation and control register pinning, which makes some previous techniques obsolete. Techniques like ret2usr no longer work. But regardless, I am able to privesc and gain a rootshell. An overview of the attack The attack can be split up into a number of stages: ·         Defeat KASLR ·         Leak the stack canary ·         Stack smash and overwrite the canary and return address to trigger a ROP chain ·         ROP to change the current creds to UID 0 ·         ROP into the code that returns from a system call and continues execution i
Read more

Sudoedit heap overflow

Jayden Rivers @Awarau1 Introduction On January 27th 2021 Qualys released a report on a bug they had found in the commonly used Unix utility: sudo . The bug had been present in sudo for nearly 10 years. Their report, which can be found here CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit) | Qualys Security Blog , outlines the root cause and three possible methods of exploitation. Here, we give a brief overview of the relevant workings of sudo. Then we discuss the vulnerability as well as one possible exploitation method in depth. The details of exploitation will focus on our application of the technique known as “heap grooming” or “heap feng shui”. Lastly, we outline the fix.    Sudo (utility) Sudo, or “superuser do”, is a widely used utility which assists people in administrating their Unix systems. Many Unix derived operating systems have sudo packaged by default.  According to the sudo manual , “sudo allows a permitted user to execute a command as the superuser or a
Read more