Microchip TCP/IP Stack Unchecked Buffer
Posted May 1, 2013

The function TCPIP_IPV6_ProcessFragmentationHeader() does not correctly validate the "fragment offset" field in the IPv6 fragmentation header. The standard vendor toolchain for PIC32 does not implement ASLR or stack cookies. The typical memory layout for a PIC32 application prevents shellcode from being executable, requiring ROP techniques. All applications using the Microchip TCP/IP Stack versions 6.00 through 6.02 (current) beta on PIC32 microcontrollers with IPv6 support enabled are affected.

tags | advisory, tcp, shellcode
MD5 | 56d7106cfbf44da844915e3aef4c8b99

Unchecked Buffer in Microchip TCP/IP Stack
Could Allow Remote Code Execution

=============================
==== General Information ====
=============================

== Executive Summary ==

The function TCPIP_IPV6_ProcessFragmentationHeader() does not
correctly validate the "fragment offset" field in the IPv6
fragmentation header. By sending a fragmented packet with fragment
offset > packet size, the packet's contents may be written to an
attacker-controlled offset beyond the end of a heap buffer.

The standard vendor toolchain for PIC32 does not implement ASLR or
stack cookies. The typical memory layout for a PIC32 application
prevents shellcode from being executable, requiring ROP techniques.

Note that this bug is located in layer 3 header parsing and thus a
system may be vulnerable even if no sockets are open.

== Recommendations ==

There is no patch available at this time. The vendor has stated that
since this is a beta they will not release an out-of-cycle patch and
will include the fix in the stable release.

See "Mitigations" section.

============================================
==== Affected and Non-Affected Software ====
============================================

== Affected Software ==

All applications using the Microchip TCP/IP Stack v6.00 - 6.02
(current) beta on PIC32 microcontrollers with IPv6 support enabled
are affected.

== Non-Affected Software ==

Version 5.x and earlier are not affected. As far as is known, IPv6
fragmentation support is only implemented for systems using the
PIC32's internal MAC and other board configurations are not affected.

===============================
==== Vulnerability Summary ====
===============================

Severity           Critical
Impact             Remote code execution
Disclosure status  Vendor notified 04/01/2013
                   Vendor responded confirming exploitability 04/23/2013
                   Public release 05/01/2013
Exploit code?      Bug located by source code audit, no PoC available.

===============================
==== Vulnerability Details ====
===============================

tcpip/ip.c lines 3566 and 3572 (same code)
MACGetArray(pNetIf->hIfMac, ptrFragment->packet + headerLen +
(fragmentHeader.offsetM.bits.fragmentOffset << 3), dataCount);

fragmentHeader.offsetM.bits.fragmentOffset is not validated before
being added to ptrFragment->packet. As a result, MACGetArray() can
overwrite dataCount bytes beyond the end of the array pointed to by
ptrFragment->packet.
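The bounds check that the MACGetArray() call above lacks, as an added
example (not Microchip's code): before copying, the reassembly routine
must confirm that headerLen + (fragmentOffset << 3) + dataCount fits in
the buffer. The frag_buffer_t type, ipv6_frag_store() and frag_accepted()
are hypothetical names standing in for ptrFragment->packet and the copy.

```c
/* Added example, not part of the Microchip TCP/IP Stack. Names are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdbool.h>

/* Stand-in for ptrFragment->packet: the reassembly area plus its allocated size. */
typedef struct {
    uint8_t packet[128];   /* reassembly buffer */
    size_t  packetSize;    /* allocated length of packet[] */
} frag_buffer_t;

/* Store one fragment's payload at the offset given by the IPv6 Fragment
 * header. Fragment Offset is a 13-bit field in units of 8 bytes (RFC 2460).
 * Returns true on success, false if any byte would land outside the buffer. */
bool ipv6_frag_store(frag_buffer_t *buf, size_t headerLen,
                     uint16_t fragmentOffset, const uint8_t *data, size_t dataCount)
{
    /* Mask to the 13-bit field width so an oversized value cannot slip through. */
    size_t byteOffset = (size_t)(fragmentOffset & 0x1FFFu) << 3;

    /* Validate before touching memory. The subtractions are ordered so the
     * arithmetic itself cannot wrap around. */
    if (headerLen > buf->packetSize || byteOffset > buf->packetSize - headerLen)
        return false;                       /* offset beyond end of buffer */
    size_t start = headerLen + byteOffset;
    if (dataCount > buf->packetSize - start)
        return false;                       /* payload would run past the end */

    memcpy(buf->packet + start, data, dataCount);   /* safe: range checked above */
    return true;
}

/* Helper for exercising the check with a constructed 0xAA payload:
 * returns 1 if the fragment is accepted, 0 if it is rejected. */
int frag_accepted(size_t headerLen, uint16_t fragmentOffset, size_t dataCount)
{
    frag_buffer_t buf;
    uint8_t payload[64];
    memset(&buf, 0, sizeof buf);
    buf.packetSize = sizeof buf.packet;
    memset(payload, 0xAA, sizeof payload);
    if (dataCount > sizeof payload)
        return 0;
    return ipv6_frag_store(&buf, headerLen, fragmentOffset, payload, dataCount) ? 1 : 0;
}
```

The same length check applies when the fragment offset is zero: the
unchecked code would also overrun if dataCount alone exceeds the buffer.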

=====================
==== Mitigations ====
=====================

Disable IPv6 support in the application at compile time.

Alternatively, use firewall rules to prevent fragmented IPv6 packets
from reaching the target system from untrusted hosts.
