what you don't know can hurt you

Microchip TCP/IP Stack Unchecked Buffer

Microchip TCP/IP Stack Unchecked Buffer
Posted May 1, 2013

The function TCPIP_IPV6_ProcessFragmentationHeader() does not correctly validate the "fragment offset" field in the IPv6 fragmentation header. The standard vendor toolchain for PIC32 does not implement ASLR or stack cookies. The typical memory layout for a PIC32 application prevents shellcode from being executable, requiring ROP techniques. All applications using the Microchip TCP/IP Stack versions 6.00 through 6.02 (current) beta on PIC32 microcontrollers with IPv6 support enabled are affected.

tags | advisory, tcp, shellcode
MD5 | 56d7106cfbf44da844915e3aef4c8b99

Microchip TCP/IP Stack Unchecked Buffer

Change Mirror Download
Unchecked Buffer in Microchip TCP/IP Stack
Could Allow Remote Code Execution

=============================
==== General Information ====
=============================

== Executive Summary ==

The function TCPIP_IPV6_ProcessFragmentationHeader() does not
correctly validate the "fragment offset" field in the IPv6
fragmentation header. By sending a fragmented packet with fragment
offset > packet size, the packet's contents may be written to an
attacker-controlled offset beyond the end of a heap buffer.

The standard vendor toolchain for PIC32 does not implement ASLR or
stack cookies. The typical memory layout for a PIC32 application
prevents shellcode from being executable, requiring ROP techniques.

Note that this bug is located in layer 3 header parsing and thus a
system may be vulnerable even if no sockets are open.

== Recommendations ==

There is no patch available at this time. The vendor has stated that
since this is a beta they will not release an out-of-cycle patch and
will include the fix in the stable release.

See "Mitigations" section.

============================================
==== Affected and Non-Affected Software ====
============================================

== Affected Software ==

All applications using the Microchip TCP/IP Stack v6.00 - 6.02
(current) beta on PIC32 microcontrollers with IPv6 support enabled
are affected.

== Non-Affected Software ==

Version 5.x and earlier are not affected. As far as is known, IPv6
fragmentation support is only implemented for systems using the
PIC32's internal MAC and other board configurations are not affected.

===============================
==== Vulnerability Summary ====
===============================

Severity Critical
Impact Remote code execution
Disclosure status Vendor notified 04/01/2013
Vendor responded confirming exploitability 04/23/2013
Public release 05/01/2013
Exploit code? Bug located by source code audit, no PoC available.

===============================
==== Vulnerability Details ====
===============================

tcpip/ip.c lines 3566 and 3572 (same code)
MACGetArray(pNetIf->hIfMac, ptrFragment->packet + headerLen +
(fragmentHeader.offsetM.bits.fragmentOffset << 3), dataCount);

fragmentHeader.offsetM.bits.fragmentOffset is not validated before
being added to ptrFragment->packet. As a result, MACGetArray() can
overwrite dataCount bytes beyond the end of the array pointed to by
ptrFragment->packet.

=====================
==== Mitigations ====
=====================

Disable IPv6 support in the application at compile time.

Alternatively, use firewall rules to prevent fragmented IPv6 packets
reaching the target system from untrusted hosts.

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    2 Files
  • 2
    Jul 2nd
    3 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    4 Files
  • 5
    Jul 5th
    15 Files
  • 6
    Jul 6th
    15 Files
  • 7
    Jul 7th
    10 Files
  • 8
    Jul 8th
    2 Files
  • 9
    Jul 9th
    10 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    15 Files
  • 12
    Jul 12th
    19 Files
  • 13
    Jul 13th
    16 Files
  • 14
    Jul 14th
    15 Files
  • 15
    Jul 15th
    3 Files
  • 16
    Jul 16th
    2 Files
  • 17
    Jul 17th
    8 Files
  • 18
    Jul 18th
    11 Files
  • 19
    Jul 19th
    15 Files
  • 20
    Jul 20th
    15 Files
  • 21
    Jul 21st
    15 Files
  • 22
    Jul 22nd
    7 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close