-
Notifications
You must be signed in to change notification settings - Fork 689
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Bug]: Remotely reachable stack buffer overflow due to the use of unishox2_decompress_simple #3841
Comments
I just had a closer look to determine if the firmware for all targets has stack canaries enabled. I found that for 2.3.10.d19607b Beta all ARM based boards do not have stack canaries:
This includes some pretty popular devices: RAK4631 and T-Echo. The xtensa (ESP32) targets all had stack canaries enabled. If you want to reproduce this, these are the steps I followed to prepare the device sending out a malicious message:
import meshtastic
import meshtastic.serial_interface
import unishox2
iface = meshtastic.serial_interface.SerialInterface(devPath="/dev/cu.usbmodem(...)")
compressed_data, original_size = unishox2.compress(" " * 119 + "\x00" + "AAA" + "C")
geochat = meshtastic.atak_pb2.GeoChat(message="hi", to=compressed_data)
pckt = meshtastic.atak_pb2.TAKPacket(chat=geochat)
pckt.is_compressed = True
print(pckt)
print(pckt.SerializeToString())
iface.sendData(pckt, channelIndex=0, portNum=72) I found that unishox2 compresses a sequence a lot of spaces to 4 bytes, regardless of how many there are. This also means that it's impossible to guess based on the length of a message how long the decompressed message will be. This issue is in fact exploitable on a number of devices to gain full control over that device simply by sending a message, so I recommend treating this as a vulnerability. |
Category
Other
Hardware
Not Applicable
Firmware Version
2.3.7.30fbcab
Description
There is a stack buffer overflow when decompressing ATAK messages here:
firmware/src/modules/AtakPluginModule.cpp
Line 114 in 75dc8cc
firmware/src/modules/AtakPluginModule.cpp
Line 119 in 75dc8cc
firmware/src/modules/AtakPluginModule.cpp
Line 126 in 75dc8cc
firmware/src/modules/AtakPluginModule.cpp
Line 133 in 75dc8cc
The function
unishox2_decompress_simple
does not take the size of the output buffer into account, always assuming it has enough space for the result. Therefore, if an ATAK message contains a compressed field that decompresses into more bytes than is reserved in ameshtastic_TAKPacket
, then this will write out of the bounds of thatuncompressed
field, overwriting other values on the stack (potentially even a pushed return address).This is actually the same issue as what triggered #3573, except there it was compression that triggered the overflow. The user who reported it sent a base64-encoded message near the maximum size. Due to the high entropy of the message the unishox2 compression actually increased its length from 220 to 245 bytes, also causing an out of bounds write on the stack. Before #3606 was merged it looks like decompression there was affected too with received messages.
The correct function to call would be
unishox2_decompress
/unishox2_compress
and making sure thatUNISHOX_API_WITH_OUTPUT_LEN
is defined as 1. (#3606 disabled the use of unishox2 for "app" messages, but I'm not sure if not doing the same in the ATAK plugin was an oversight.)This is a vulnerability that could be exploited by sending a malicious message to a Meshtastic node (the ATAK plugin does not need to actively used just sending a message of this type on a channel the node is on is enough). In the firmware I looked at (the LilyGo T3-S3), this would not be directly exploitable to gain RCE due to the use of stack cookies, but I don't know if that's the case for all supported hardware. Even without knowing the stack cookie value, this can be used to repeatedly crash a node.
Relevant log output
No response
The text was updated successfully, but these errors were encountered: