cetic / 6lbr

A deployment-ready 6LoWPAN Border Router solution based on Contiki
github.com/cetic/6lbr/wiki

webserver buffer overflow when processing requested url #414

Open sploitem opened 3 years ago

sploitem commented 3 years ago

If you enter a URL like this: [bbbb::100]/AAAAAAAAAAAAAAAAA.....AAAAAAAA (len = 1000)

it will crash with stack smashing,

because of strcat - https://github.com/cetic/6lbr/blob/develop/examples/6lbr/apps/6lbr-webserver/httpd.c#L119

sploitem commented 3 years ago

I think this is exploitable on ARM Debian since there is no stack smashing detection.
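
Added example, not part of the thread and not 6lbr's own code: the `strcat` pattern reported above beside a length-checked version that rejects an over-long request path with 414 instead of writing past the buffer. The buffer size, the `/www` root and all function names are assumptions for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PATH_BUF_LEN 64  /* assumed size, not taken from 6lbr */

/* Unsafe pattern, shown for contrast and never called: strcat() appends the
 * whole request path no matter how much room is left in dst. */
void build_path_unsafe(char *dst, const char *url_path)
{
  strcpy(dst, "/www");
  strcat(dst, url_path);  /* writes past dst when url_path is long */
}

/* Checked version: returns 0 and a NUL-terminated path in dst, or an HTTP
 * status (400 / 414 / 500) without writing beyond dst[dst_len - 1]. */
int build_path_checked(char *dst, size_t dst_len, const char *url_path)
{
  static const char root[] = "/www";  /* hypothetical document root */
  const size_t root_len = sizeof(root) - 1;
  size_t url_len;

  if (dst == NULL || dst_len <= root_len) return 500;
  dst[0] = '\0';
  if (url_path == NULL || url_path[0] != '/') return 400;
  url_len = strlen(url_path);
  if (url_len >= dst_len - root_len) return 414;  /* URI Too Long */
  memcpy(dst, root, root_len);
  memcpy(dst + root_len, url_path, url_len + 1);  /* +1 copies the NUL */
  return 0;
}

/* Constructed input: '/' followed by 1000 'A' bytes, as in the report. */
int demo_long_url_status(void)
{
  char url[1002], path[PATH_BUF_LEN];
  url[0] = '/';
  memset(url + 1, 'A', 1000);
  url[1001] = '\0';
  return build_path_checked(path, sizeof(path), url);
}

int main(void)
{
  char path[PATH_BUF_LEN];
  printf("long url -> %d\n", demo_long_url_status());
  if (build_path_checked(path, sizeof(path), "/index.html") == 0)
    printf("short url -> %s\n", path);
  return 0;
}
```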

SalvaHasan commented 3 years ago

@sploitem I'm facing the same issue, 6lbr.log : HTTP: File '/favicon.ico' not found and WEB: Buffer overflow which results in 6lbr crashing every few minutes. Have you found any solutions?

sploitem commented 3 years ago

> @sploitem I'm facing the same issue, 6lbr.log : HTTP: File '/favicon.ico' not found and WEB: Buffer overflow which results in 6lbr crashing every few minutes. Have you found any solutions?

On my machine, HTTP: File '/favicon.ico' not found and WEB: Buffer overflow didn't result in a crash.

SalvaHasan commented 3 years ago

In my case, [bbbb::100] becomes unreachable as soon as buffer overflows appear in 6lbr.log

sploitem commented 3 years ago

> In my case, [bbbb::100] becomes unreachable as soon as buffer overflows appear in 6lbr.log

I don't think this issue is a root cause of your crash, 'cause this issue requires a request with a long URL like this: [bbbb::101]/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.html

Check the 6lbr log for operation due to its restart.

sploitem commented 3 years ago

Also, I suggest you use contiki-ng instead of this one.

SalvaHasan commented 3 years ago

> In my case, [bbbb::100] becomes unreachable as soon as buffer overflows appear in 6lbr.log

> I don't think this issue is a root cause of your crash, 'cause this issue requires a request with a long URL like this: [bbbb::101]/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.html

> Check the 6lbr log for operation due to its restart.

Yeah I don't enter any long URL. Mine crashes when I start to navigate the tabs (sensors, config, admin etc.) on the webpage and the log only shows Web: buffer overflow

How can I use 6lbr from contiki-NG? I configured cetic 6lbr using this guide and built it using make WITH_CONTIKI=0 CONTIKI=~/contiki-ng WERROR=0 all. Is there any proper guide to use 6lbr from contiki-NG?

sploitem commented 3 years ago

Was your 6lbr built with contiki or contiki-ng? Which page/tab causes a crash?

SalvaHasan commented 3 years ago

> Was your 6lbr built with contiki or contiki-ng? Which page/tab causes a crash?

It was built using contiki-ng, and the crash was random; it wasn't caused by any specific tab. I changed the 6lbr interface config from bridge mode to routing mode, 6lbr.conf: RAW_ETH=0 BRIDGE=0 DEV_ETH=eth0 DEV_TAP=tap0. This fixed the issue for me.

sploitem commented 9 months ago

CVE-2021-46901