enjoy-digital / litex

Build your hardware, easily!

Security issues in libliteeth/netboot. #1056

Open ghost opened 2 years ago

ghost commented 2 years ago

Not tested whether these are exploitable.

oob read over IP/UDP length

The IP/UDP implementation only checks whether the received data and the declared sizes are big enough to contain a full UDP header. An attacker can set this to 0xffff, which leads to an out-of-bounds read (see rx_callback() in tftp.c and process_ip() in udp.c).

out of bounds write

In boot.c, tftp_get() is called with "char json_buffer[1024]" as the buffer. Because of missing bounds checks in tftp_get(), an attacker can overflow this buffer (see rx_callback() in tftp.c and netboot_from_json() in bios.c).

sender check

The TFTP client doesn't check whether the packets come from the sender it requested data from. If an attacker sends faster than the requested tftpd, he can completely control the data.

tftp total_length overflow

This may only be a theoretical bug, because the result is checked against <= 0. But if an attacker uses the missing IP/UDP length check, he can overflow total_length in rx_callback() (see tftp.c).

override already received data

The TFTP client doesn't check whether it receives the same data multiple times. An attacker can send a block the client has already received and overwrite it.

arp cache poisoning

It looks like it's possible to just send an ARP reply to overwrite the MAC address of the TFTP server (see process_arp() in udp.c).
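The UDP length, sender, duplicate-block, total_length and buffer-bound points above all sit on the same receive path, so the added example below shows one hardened version of that path. It is illustrative code written for this thread, not litex's libliteeth or its rx_callback()/tftp_get(); the function names (udp_payload_len, tftp_rx_data), the struct layout, the server address 10.0.0.1, the ports and the packet bytes in demo_hardened_path() are all constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define UDP_HDR_LEN 8
#define TFTP_OP_DATA 3
#define TFTP_BLOCK_SIZE 512
#define TFTP_MAX_DATA_PKT (4 + TFTP_BLOCK_SIZE)   /* opcode + block number + one block */

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Validate a UDP header at `udp` inside `avail` received bytes. Both directions are
   checked: the frame must hold a full header, and the declared length must be at least
   a header and at most the bytes actually on the wire. A declared 0xffff therefore
   cannot drive a read past the end of the receive buffer. */
bool udp_payload_len(const uint8_t *udp, size_t avail, size_t *payload_len)
{
    if (avail < UDP_HDR_LEN) return false;
    uint16_t declared = be16(udp + 4);               /* UDP length field */
    if (declared < UDP_HDR_LEN || declared > avail) return false;
    *payload_len = (size_t)declared - UDP_HDR_LEN;
    return true;
}

enum tftp_rc { TFTP_OK, TFTP_DONE, TFTP_DROP_PEER, TFTP_DROP_MALFORMED,
               TFTP_DROP_DUP, TFTP_DROP_OVERFLOW };

/* State of one TFTP read request (hypothetical layout). */
struct tftp_get {
    uint32_t server_ip;       /* IP the RRQ was sent to */
    uint16_t server_tid;      /* server's transfer id (source port); 0 until block 1 arrives */
    uint16_t expected_block;  /* next block we will accept, starting at 1 */
    uint8_t *dst;
    size_t   dst_cap;         /* capacity of dst, e.g. sizeof json_buffer */
    size_t   total_length;    /* bytes written so far; never exceeds dst_cap */
};

void tftp_get_init(struct tftp_get *g, uint32_t server_ip, uint8_t *dst, size_t cap)
{
    memset(g, 0, sizeof *g);
    g->server_ip = server_ip;
    g->expected_block = 1;
    g->dst = dst;
    g->dst_cap = cap;
}

/* Handle one UDP payload (`pkt`, `len` bytes, already validated by udp_payload_len)
   that arrived from src_ip:src_port. Every drop reason maps to one point in the issue. */
enum tftp_rc tftp_rx_data(struct tftp_get *g, uint32_t src_ip, uint16_t src_port,
                          const uint8_t *pkt, size_t len)
{
    if (src_ip != g->server_ip) return TFTP_DROP_PEER;          /* sender check */
    if (g->server_tid == 0) g->server_tid = src_port;           /* lock TID on first DATA */
    else if (src_port != g->server_tid) return TFTP_DROP_PEER;
    if (len < 4 || len > TFTP_MAX_DATA_PKT) return TFTP_DROP_MALFORMED;
    if (be16(pkt) != TFTP_OP_DATA) return TFTP_DROP_MALFORMED;
    uint16_t block = be16(pkt + 2);
    if (block != g->expected_block) return TFTP_DROP_DUP;       /* replayed or out-of-order block: never rewrite */
    size_t data_len = len - 4;
    /* Bound check before the copy. total_length <= dst_cap always holds, so the
       subtraction cannot wrap and total_length cannot overflow. */
    if (data_len > g->dst_cap - g->total_length) return TFTP_DROP_OVERFLOW;
    memcpy(g->dst + g->total_length, pkt + 4, data_len);
    g->total_length += data_len;
    g->expected_block++;
    return data_len < TFTP_BLOCK_SIZE ? TFTP_DONE : TFTP_OK;      /* short block ends the transfer */
}

/* Constructed exchange (not captured traffic): server 10.0.0.1:6969 sends a full block 1
   and a 3-byte block 2 into a 515-byte buffer; an attacker then replays block 1 from
   another host, from another port, and from the right port, and finally tries to push a
   block 3 past the end of the buffer. Returns true if every packet was handled as intended. */
bool demo_hardened_path(void)
{
    static uint8_t dst[515];
    uint8_t pkt[TFTP_MAX_DATA_PKT];
    const uint32_t server = 0x0A000001u;   /* 10.0.0.1 */
    struct tftp_get g;
    tftp_get_init(&g, server, dst, sizeof dst);

    memset(pkt, 'A', sizeof pkt);
    pkt[0] = 0; pkt[1] = TFTP_OP_DATA; pkt[2] = 0; pkt[3] = 1;
    if (tftp_rx_data(&g, server, 6969, pkt, sizeof pkt) != TFTP_OK) return false;

    memset(pkt + 4, 'X', TFTP_BLOCK_SIZE);                       /* attacker payload */
    if (tftp_rx_data(&g, 0x0A000063u, 6969, pkt, sizeof pkt) != TFTP_DROP_PEER) return false;
    if (tftp_rx_data(&g, server, 4444, pkt, sizeof pkt) != TFTP_DROP_PEER) return false;
    if (tftp_rx_data(&g, server, 6969, pkt, sizeof pkt) != TFTP_DROP_DUP) return false;
    if (dst[0] != 'A') return false;                             /* block 1 was not overwritten */

    pkt[3] = 2; memcpy(pkt + 4, "end", 3);
    if (tftp_rx_data(&g, server, 6969, pkt, 4 + 3) != TFTP_DONE) return false;
    if (g.total_length != 515) return false;

    pkt[3] = 3;                                                  /* one byte too many */
    if (tftp_rx_data(&g, server, 6969, pkt, 4 + 1) != TFTP_DROP_OVERFLOW) return false;
    return g.total_length == 515;
}
```

Two caveats a practitioner would want. Locking the server's source port on the first DATA packet narrows the window but does not close the race the issue describes: an on-link attacker who answers the RRQ before the real tftpd, or who spoofs the server's IP, still wins, so the client-side checks limit damage rather than authenticate the image. And a real client re-ACKs a duplicate of the previous block instead of silently dropping it; the example only shows the part that matters for memory safety, which is that a repeated block number must never write into the buffer again.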
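For the ARP point, the added example below shows a reply handler that only updates the cache while a request for exactly that IP is outstanding, so an unsolicited reply cannot rewrite the server's MAC. It is illustrative code written for this thread, not process_arp() from litex's udp.c; the struct layout, the function names (arp_parse, arp_process_reply), the addresses 10.0.0.1 and 10.0.0.2 and the reply bytes in demo_arp() are all constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ARP_OP_REPLY 2

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

struct arp_pkt { uint16_t op; uint8_t sha[6]; uint32_t spa; uint8_t tha[6]; uint32_t tpa; };

/* Single-entry cache (hypothetical layout): enough for a netboot client that only
   ever talks to one server. */
struct arp_cache {
    uint32_t pending_ip;   /* IP we have an outstanding request for, 0 if none */
    uint32_t cached_ip;
    uint8_t  cached_mac[6];
    bool     valid;
};

/* Parse the 28-byte Ethernet/IPv4 ARP body: htype 1, ptype 0x0800, hlen 6, plen 4. */
bool arp_parse(const uint8_t *p, size_t len, struct arp_pkt *out)
{
    if (len < 28) return false;
    if (be16(p) != 1 || be16(p + 2) != 0x0800 || p[4] != 6 || p[5] != 4) return false;
    out->op = be16(p + 6);
    memcpy(out->sha, p + 8, 6);
    out->spa = be32(p + 14);
    memcpy(out->tha, p + 18, 6);
    out->tpa = be32(p + 24);
    return true;
}

void arp_request_sent(struct arp_cache *c, uint32_t ip) { c->pending_ip = ip; }

enum arp_rc { ARP_UPDATED, ARP_IGNORED_MALFORMED, ARP_IGNORED_NOT_FOR_US,
              ARP_IGNORED_UNSOLICITED, ARP_IGNORED_BAD_MAC };

/* A reply updates the cache only if it is addressed to us, answers the request we are
   waiting on, and carries a plausible unicast sender MAC. Gratuitous replies and replies
   for any other IP are ignored, and once resolved the entry stays pinned for the session. */
enum arp_rc arp_process_reply(struct arp_cache *c, uint32_t our_ip, const uint8_t *pkt, size_t len)
{
    static const uint8_t zero[6] = {0};
    struct arp_pkt a;
    if (!arp_parse(pkt, len, &a) || a.op != ARP_OP_REPLY) return ARP_IGNORED_MALFORMED;
    if (a.tpa != our_ip) return ARP_IGNORED_NOT_FOR_US;
    if (c->pending_ip == 0 || a.spa != c->pending_ip) return ARP_IGNORED_UNSOLICITED;
    if ((a.sha[0] & 1) || memcmp(a.sha, zero, 6) == 0) return ARP_IGNORED_BAD_MAC; /* multicast/broadcast or zero */
    memcpy(c->cached_mac, a.sha, 6);
    c->cached_ip = a.spa;
    c->valid = true;
    c->pending_ip = 0;                      /* request satisfied; later replies are unsolicited */
    return ARP_UPDATED;
}

/* Constructed scenario (not captured traffic): we are 10.0.0.2, the server is 10.0.0.1.
   A reply arrives before we asked (ignored), then after our request (accepted), then a
   forged reply with a different MAC arrives after resolution (ignored, cache unchanged). */
bool demo_arp(void)
{
    uint8_t reply[28] = { 0,1, 0x08,0x00, 6,4, 0,ARP_OP_REPLY,
                          0x02,0,0,0,0,0x01,      /* sender MAC */
                          10,0,0,1,               /* sender IP  */
                          0x02,0,0,0,0,0x02,      /* target MAC */
                          10,0,0,2 };             /* target IP  */
    const uint32_t us = 0x0A000002u, server = 0x0A000001u;
    struct arp_cache c;
    memset(&c, 0, sizeof c);

    if (arp_process_reply(&c, us, reply, sizeof reply) != ARP_IGNORED_UNSOLICITED) return false;
    arp_request_sent(&c, server);
    if (arp_process_reply(&c, us, reply, sizeof reply) != ARP_UPDATED) return false;
    if (!c.valid || c.cached_mac[5] != 0x01) return false;

    reply[13] = 0x99;                                           /* attacker's MAC */
    if (arp_process_reply(&c, us, reply, sizeof reply) != ARP_IGNORED_UNSOLICITED) return false;
    return c.cached_mac[5] == 0x01;
}
```

This stops the unsolicited-reply case from the issue. It does not stop an on-link attacker who answers our own request faster than the real server, and it leaves stale entries if the server's MAC genuinely changes mid-session; for a debug netboot path those are usually acceptable trade-offs, but they should be stated.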

enjoy-digital commented 2 years ago

Thanks @satan1st, it's useful to know about these security issues in the libliteeth/netboot feature. This is a debug feature to easily load binaries during development, but it will be interesting to improve these aspects in the future.