Unchecked Buffer in Microchip TCP/IP Stack
Could Allow Remote Code Execution

=============================
==== General Information ====
=============================

== Executive Summary ==

The function TCPIP_IPV6_ProcessFragmentationHeader() does not 
correctly validate the "fragment offset" field in the IPv6 
fragmentation header. By sending a fragmented packet with fragment 
offset > packet size, the packet's contents may be written to an 
attacker-controlled offset beyond the end of a heap buffer.

The standard vendor toolchain for PIC32 does not implement ASLR or 
stack cookies. The typical memory layout for a PIC32 application 
prevents shellcode from being executable, requiring ROP techniques.

Note that this bug is located in layer 3 header parsing and thus a 
system may be vulnerable even if no sockets are open.

== Recommendations ==

There is no patch available at this time. The vendor has stated that 
since this is a beta they will not release an out-of-cycle patch and 
will include the fix in the stable release.

See "Mitigations" section.

============================================
==== Affected and Non-Affected Software ====
============================================

== Affected Software ==

All applications using the Microchip TCP/IP Stack v6.00 - 6.02 
(current) beta on PIC32 microcontrollers with IPv6 support enabled 
are affected.

== Non-Affected Software ==

Version 5.x and earlier are not affected. As far as is known, IPv6 
fragmentation support is only implemented for systems using the 
PIC32's internal MAC and other board configurations are not affected.

===============================
==== Vulnerability Summary ====
===============================

Severity           Critical
Impact             Remote code execution
Disclosure status  Vendor notified                            04/01/2013
                   Vendor responded confirming exploitability 04/23/2013
                   Public release                             05/01/2013
Exploit code?      Bug located by source code audit, no PoC available.

===============================
==== Vulnerability Details ====
===============================

tcpip/ip.c lines 3566 and 3572 (same code)
MACGetArray(pNetIf->hIfMac, ptrFragment->packet + headerLen +
(fragmentHeader.offsetM.bits.fragmentOffset << 3), dataCount);

fragmentHeader.offsetM.bits.fragmentOffset is not validated before 
being added to ptrFragment->packet. As a result, MACGetArray() can 
overwrite dataCount bytes beyond the end of the array pointed to by 
ptrFragment->packet.

=====================
==== Mitigations ====
=====================

Disable IPv6 support in the application at compile time.

Alternatively, use firewall rules to prevent fragmented IPv6 packets 
reaching the target system from untrusted hosts.