Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <4e14406504524640@localhost>
Date: Thu, 30 Sep 2021 23:01:37 +0200
From: Philipp Takacs <philipp+enjoy-digital@...eaucracy.de>
To: oss-security@...ts.openwall.com
Cc: florent@...oy-digital.fr
Subject: security issues in Litex IP stack

Hi

I have found some security issues by a code review of litex[0]. The
issues where reported to Enjoy-Digital on 21.02.2021 but not fixed yet.
I haven't tested, if these issues are exploitable.

1. oob read over IP/UDP length

The IP/UDP implementation only checks if the receive data and declared
sizes are big enough to contain a full UDP header. An attacker can set
this to 0xffff, which leads to an out of bound read. (see rx_callback()
in tftp.c and process_ip() in udp.c)

2. out of bounds write

In boot.c tftp_get() is called with "char json_buffer[1024]" as buffer.
Because of missing bound checks in tftp_get() an attacker can overflow
this buffer (see rx_callback() in tftp.c and netboot_from_json() in bios.c).

3. sender check
  
The tftp client don't check if the packages are from the sender he
requested data. If an attacker sends faster then the requested tftpd, he
can completely control the data.

4. tftp total_length overflow

May only be a theoretical bug, because the result is checked against <= 0.
But if an attacker uses the missing IP/UDP length check he can overflow
the total_length in rx_callback() (see tftp.c).

5. override already received data

The tftp client don't check if he receives data multiple times. An attacker
can send a block the client has already received and override it.

6. arp cache poisoning

It looks like it's possible to just send an arp reply to override the
mac address of the tftp server (see process_arp() in udp.c).

Philipp Takacs

[0] https://github.com/enjoy-digital/litex

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.