[OpenWrt-Devel] Security Advisory 2020-01-31-2 - libubox tagged binary data JSON serialization vulnerability (CVE-2020-7248)

Jo-Philipp Wich jo at mein.io
Fri Jan 31 13:59:53 PST 2020


DESCRIPTION

Possibly exploitable vulnerability exists in the libubox library of OpenWrt,
specifically in the parts related to JSON conversion of tagged binary data,
so called blobs.  An attacker could possibly exploit this behavior by
providing specially crafted binary blob or JSON which would then be translated
into blob internally.

This malicious blobmsg input would contain blob attribute holding large enough
numeric value of type double which then processed by blobmsg_format_json would
overflow the buffer array designated for JSON output allocated on the stack.

The libubox library is a core component in the OpenWrt project and utilized in
other parts of the project. Those interdependencies are visible by looking up
of the above mentioned vulnerable blobmsg_format_json function in the
project's LXR[1], which reveals references in netifd, procd, ubus, rpcd,
uhttpd.

Apart from this core components, there is also auc[2] package providing
Attended sysUpgrade CLI in the packages feeds repository, which seems to be
using this vulnerable function.

CVE-2020-7248 has been assigned to this issue.


REQUIREMENTS

In order to exploit this vulnerability, a malicious attacker would need to
provide specially crafted binary blobs or JSON input to blobmsg_format_json,
thus creating stack based overflow condition during serialization of the
double value into the JSON buffer.

It was verified, that its possible to crash rpcd by following shell command:

  $ ubus call luci getFeatures \
      '{ "banik": 00192200197600198000198100200400.1922 }'


MITIGATIONS

To fix this issue, update the affected libubox using the command below.

   opkg update; opkg upgrade libubox

The fix is contained in the following and later versions:

 - OpenWrt master: 2020-01-20 reboot-12063-g5c73bb12c82c
 - OpenWrt 19.07:  2019-01-29 v19.07.1-1-g4668ae3bed
 - OpenWrt 18.06:  2019-01-29 v18.06.7-1-g6bfde67581



AFFECTED VERSIONS

To our knowledge, OpenWrt versions 18.06.0 to 18.06.6 and versions 19.07.0-rc1
to 19.07.0 are affected. The fixed packages will be integrated in the OpenWrt
19.07.1, 18.06.7 and subsequent releases. Older versions of OpenWrt (e.g.
OpenWrt 15.05 and LEDE 17.01) are end of life and not supported any more.

Other users of libubox should update to the latest version ASAP.


CREDITS

The issues were discovered and fixed by Petr Štetiar and Jo-Philipp Wich.


REFERENCES

1. https://lxr.openwrt.org/ident?i=blobmsg_format_json
2. https://github.com/openwrt/packages/blob/master/utils/auc/src/auc.c#L676

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.infradead.org/pipermail/openwrt-devel/attachments/20200131/0d00df6a/attachment.sig>


More information about the openwrt-devel mailing list