{"id":59153,"date":"2024-08-26T18:20:19","date_gmt":"2024-08-26T15:20:19","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/180379\/SCHUTZWERK-SA-2024-004.txt"},"modified":"2024-08-26T18:20:19","modified_gmt":"2024-08-26T15:20:19","slug":"das-u-boot-buffer-overread","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/das-u-boot-buffer-overread\/","title":{"rendered":"Das U-Boot Buffer Overread"},"content":{"rendered":"<p>&#8212;&#8211;BEGIN PGP SIGNED MESSAGE&#8212;&#8211;<br \/>Hash: SHA512<\/p>\n<p>Title<br \/>=====<\/p>\n<p>SCHUTZWERK-SA-2024-004: Buffer overread in U-Boot DHCP<\/p>\n<p>Status<br \/>======<\/p>\n<p>PUBLISHED<\/p>\n<p>Version<br \/>=======<\/p>\n<p>1.0<\/p>\n<p>CVE reference<br \/>=============<\/p>\n<p>CVE-2024-42040<\/p>\n<p>Link<br \/>====<\/p>\n<p>https:\/\/www.schutzwerk.com\/advisories\/schutzwerk-sa-2024-004\/<\/p>\n<p>Text-only version:<br \/>https:\/\/www.schutzwerk.com\/advisories\/SCHUTZWERK-SA-2024-004.txt<\/p>\n<p>Affected products\/vendor<br \/>========================<\/p>\n<p>Das U-Boot, https:\/\/docs.u-boot.org<\/p>\n<p>Summary<br \/>=======<\/p>\n<p>Das U-Boot (U-Boot) is a widespread open-source boot loader used in <br \/>embedded devices to perform various low-level hardware initialization <br \/>tasks and boot the device&#8217;s operating system kernel. During an embedded <br \/>security assessment, we identified a buffer overread vulnerability <br \/>(CWE-126) in the DHCP implementation of U-Boot that could leak memory <br \/>onto the network. The amount of leaked data depends on the later use of <br \/>the hostname, DNS-server IP, gateway IP, or other DHCP options in <br \/>unencrypted network traffic. 
The vulnerability has been present since <br \/>the &#8220;Initial revision&#8221; commit (3861aa5) from 2002.<\/p>\n<p>Risk<br \/>====<\/p>\n<p>An attacker with access to the local network and faster response times <br \/>than the legitimate DHCP server can trigger a memory leak by responding <br \/>with malicious DHCP offers to a vulnerable U-Boot DHCP client. In the <br \/>current implementation, only 4 bytes of data can be leaked via the gateway <br \/>or DNS server address. If net_hostname were used and also sent <br \/>over the network, 32 bytes could be retrieved. When the bp_vend field is <br \/>filled with zeroes apart from the magic number, the parsing loop also <br \/>continues past the end of the packet and processes whatever memory follows. <br \/>This leaks further data when option tags such as 0x1, 0x3, 0x6 and 0x12 <br \/>happen to be present in that memory. If further vulnerabilities are found, <br \/>they might be combined with this one for greater impact on the system.<\/p>\n<p>Description<br \/>===========<\/p>\n<p>After U-Boot sends an initial DHCP request, the vulnerable bootp_handler <br \/>is registered as a callback for incoming packets. The handler first <br \/>checks whether the received packet is the expected reply. If <br \/>VENDOR_MAGIC is found in the first four bytes of bp-&gt;bp_vend, the address of <br \/>bp-&gt;bp_vend[4] and the total length of the packet are passed to <br \/>bootp_process_vendor (net\/bootp.c:381) without the length being reduced to <br \/>len-(offsetof(struct bootp_hdr,bp_vend)+4). There is also no check <br \/>that the first four bytes of bp-&gt;bp_vend[] lie within the received <br \/>packet length before they are read and compared with htonl(VENDOR_MAGIC).<\/p>\n<p>In bootp_process_vendor, an incorrect end address is then calculated <br \/>from the full packet length (net\/bootp.c:312) instead of the remaining <br \/>size of the bp_vend buffer. 
Then, the function advances the ext pointer <br \/>while it points to zero bytes within the too-long buffer range, and stops <br \/>when a byte is 0xff. When a non-zero value is discovered, the ext <br \/>pointer is passed to bootp_process_vendor_field.<\/p>\n<p>In bootp_process_vendor_field, the de-referenced value of the passed <br \/>pointer is used to select the case for processing the field, and its <br \/>length is de-referenced from ext+1. Based on the selected case, values <br \/>are then copied to variables and buffers like net_gateway.s_addr or <br \/>net_hostname from ext+2. The copied lengths are only limited by the size <br \/>of their destination. The end of the bp_vend structure or the end of the <br \/>packet is never checked in bootp_process_vendor_field.<\/p>\n<p>This allows an attacker who can respond to DHCP requests to craft a <br \/>packet that causes the code to copy the contents of the target&#8217;s RAM <br \/>directly following the received packet into parameters. 
These parameters <br \/>are sent via the network during later use, leaking the RAM content to <br \/>the attacker.<\/p>\n<p>Solution\/Mitigation<br \/>===================<\/p>\n<p>We recommend providing an adequate length to bootp_process_vendor to <br \/>prevent the while loop from stepping outside the packet frame and <br \/>checking in bootp_process_vendor_field if the copied data is still <br \/>within the packet structure&#8217;s range.<\/p>\n<p>Disclosure timeline<br \/>===================<\/p>\n<p>2024-06-21: Vulnerability discovered<br \/>2024-08-19: Vulnerability reported to public mailing list by request of <br \/>maintainer.<\/p>\n<p>Contact\/Credits<br \/>===============<\/p>\n<p>The vulnerability was discovered during an assessment by Simon Diepold <br \/>of SCHUTZWERK GmbH.<\/p>\n<p>References<br \/>==========<\/p>\n<p>Disclaimer<br \/>==========<\/p>\n<p>The information provided in this security advisory is provided &#8220;as is&#8221; and<br \/>without warranty of any kind. Details of this security advisory may be <br \/>updated<br \/>in order to provide as accurate information as possible. 
The most recent<br \/>version of this security advisory can be found at SCHUTZWERK GmbH&#8217;s website<br \/>( https:\/\/www.schutzwerk.com ).<\/p>\n<p>SCHUTZWERK Advisories: https:\/\/www.schutzwerk.com\/blog\/tags\/advisories\/<\/p>\n<p>SCHUTZWERK Advisory Policy: https:\/\/www.schutzwerk.com\/en\/advisories\/<br \/>&#8212;&#8211;BEGIN PGP SIGNATURE&#8212;&#8211;<\/p>\n<p>iQJOBAEBCgA4FiEEgLsg7Oj\/wY3LSF87GrXfkTIXLrsFAmbC+YgaHGFkdmlzb3Jp<br \/>ZXNAc2NodXR6d2Vyay5jb20ACgkQGrXfkTIXLrtSeRAAi6OrwHBpbFgKlyqROQnw<br \/>zYxmHTYBiWzBEEmI1zN+iNb5uQlnZXgBoodbEneiRmVQDSiT4zT\/DWe3EGV2TlRR<br \/>56hEIGvkvleURqCjwRYeYnPF3Ef\/XMTvTu\/x08h8UfGr7XNwhwCpANxUTE7aI01b<br \/>jZLa4jDv8vpNd7JKNF32S2Ak6GRjfEE9aEAxUKliNXCA5SU1gYvOWQ+BJ0oth7fN<br \/>grkTKffltk8dUBFy8TsrxcAG5ye4f1Dvm51dU8JNPBLkmouOrEvX1K4UTjvAyD8e<br \/>bCn2dXs2rDLfywrTPV0k2zj3APZiwhYxNA3MaTUGscZAIUMn3WE\/cUyYDpQDqOYx<br \/>wrZzz9K59m+x8F6c1lBUxlmU3t9Z15\/i\/tL6Kropb+HDxjWaLCZPG3dzdlR54\/fn<br \/>gvzS393FNWakNNAJIqN2jvvol+zvJGn2rsSsfp5CPEdrQEHgvQa0TkBOpdtFZ\/h1<br \/>muVFwj9yDup07yStTXRJHjg2WCH0LdL5x+mDfcBspjLflpVP\/0Yj+MnR8e3Eb7v\/<br \/>Cb12PeBHww9VObUhgbMecanSn6Epf7Nc5a5wIh5kEWKoviBYNY\/0cu7GDN+70PK4<br \/>JhD86Tww5RFJJfkLcJqlCAMC4AkAc7Sq5FS7WTK5Jx3Ymh\/+Lsuhx9ENq38VyVGh<br \/>tFe3V0joTUxg7Yy78PoEOrs=<br \/>=XKZo<br \/>&#8212;&#8211;END PGP SIGNATURE&#8212;&#8211;<\/p>\n<p>&#8212; <br \/>SCHUTZWERK GmbH, Pfarrer-Wei\u00df-Weg 12, 89077 Ulm, Germany<br \/>Zertifiziert \/ Certified ISO 27001, 9001 and TISAX<\/p>\n<p>Phone +49 731 977 191 0<\/p>\n<p>advisories@schutzwerk.com \/ www.schutzwerk.com<\/p>\n<p>Gesch\u00e4ftsf\u00fchrer \/ Managing Directors:<br \/>Jakob Pietzka, Michael Sch\u00e4fer<\/p>\n<p>Amtsgericht Ulm \/ HRB 727391<br \/>Datenschutz \/ Data Protection www.schutzwerk.com\/datenschutz<\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8212;&#8211;BEGIN PGP SIGNED MESSAGE&#8212;&#8211;Hash: SHA512 Title===== SCHUTZWERK-SA-2024-004: Buffer overread in U-Boot DHCP Status====== PUBLISHED Version======= 1.0 
CVE reference============= CVE-2024-42040 Link==== https:\/\/www.schutzwerk.com\/advisories\/schutzwerk-sa-2024-004\/ Text-only version:https:\/\/www.schutzwerk.com\/advisories\/SCHUTZWERK-SA-2024-004.txt Affected products\/vendor======================== Das U-Boot, https:\/\/docs.u-boot.org Summary======= Das U-Boot (U-Boot) is a widespread open-source boot loader used in embedded devices to perform various low-level hardware initialization tasks and boot the device&#8217;s operating system &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-59153","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59153","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=59153"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59153\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=59153"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=59153"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=59153"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
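The Description and Solution sections above describe two defects in the vendor-field walk (the full packet length is handed to bootp_process_vendor unreduced, and bootp_process_vendor_field never checks the packet end before copying). The following is an added example, not U-Boot's net/bootp.c and not SCHUTZWERK's code: a reduced model of that walk with both defects next to a bounds-checked version, run over a constructed RAM image in which a short DHCP offer is immediately followed by bytes that were never received. The struct layout, the 64-byte bp_vend field, the option tags (3 router, 6 DNS, 12 hostname) and the magic-cookie bytes are assumptions chosen to mirror RFC 951/1533, not values taken from U-Boot.

```c
/* Added example, not U-Boot code: reduced model of the BOOTP vendor-field walk.
 * Layout, BP_VEND_LEN and option tags are assumptions, not copied from net/bootp.c. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BP_VEND_LEN 64                       /* assumed vendor-area size */
#define RAM_SIZE    512                      /* constructed "target RAM" */

struct bootp_hdr {
    uint8_t bp_fixed[236];                   /* op ... file: unused here */
    uint8_t bp_vend[BP_VEND_LEN];
};

struct net_params {                          /* stands in for net_gateway/net_dns_server/net_hostname */
    uint8_t gateway[4];
    uint8_t dns[4];
    char    hostname[32];
};

static const uint8_t VENDOR_MAGIC[4] = { 0x63, 0x82, 0x53, 0x63 };

/* One option: tag, length, data. With checked == 0 the copy is limited only by
 * the destination size, which is the behaviour the advisory reports. */
static const uint8_t *process_field(const uint8_t *ext, const uint8_t *end,
                                    struct net_params *p, int checked)
{
    uint8_t tag = ext[0], len = ext[1];
    const uint8_t *data = ext + 2;

    if (checked && (ext + 2 > end || data + len > end))
        return NULL;                         /* option would run past the packet */

    switch (tag) {
    case 3:  if (len >= 4) memcpy(p->gateway, data, 4); break;   /* router */
    case 6:  if (len >= 4) memcpy(p->dns, data, 4);     break;   /* DNS server */
    case 12: {                                                   /* hostname */
        size_t n = len < sizeof p->hostname - 1 ? len : sizeof p->hostname - 1;
        memcpy(p->hostname, data, n);
        p->hostname[n] = '\0';
        break;
    }
    default: break;
    }
    return data + len;
}

/* Skip zero padding, stop at 0xff or at 'end', dispatch each tag. */
static void process_vendor(const uint8_t *ext, size_t len,
                           struct net_params *p, int checked)
{
    const uint8_t *end = ext + len;
    while (ext < end && *ext != 0xff) {
        if (*ext == 0) { ext++; continue; }
        ext = process_field(ext, end, p, checked);
        if (ext == NULL) return;
    }
}

/* Vulnerable entry: magic read without a length check, total packet length handed down. */
void bootp_handler_vuln(const struct bootp_hdr *bp, size_t pkt_len, struct net_params *p)
{
    if (memcmp(bp->bp_vend, VENDOR_MAGIC, 4) == 0)
        process_vendor(bp->bp_vend + 4, pkt_len, p, 0);
}

/* Checked entry: magic must lie inside the packet; the option area is
 * pkt_len - (offsetof(bp_vend) + 4), capped at the field size. */
int bootp_handler_fixed(const struct bootp_hdr *bp, size_t pkt_len, struct net_params *p)
{
    size_t vend_off = offsetof(struct bootp_hdr, bp_vend);
    if (pkt_len < vend_off + 4 || memcmp(bp->bp_vend, VENDOR_MAGIC, 4) != 0)
        return -1;
    size_t vend_len = pkt_len - (vend_off + 4);
    if (vend_len > BP_VEND_LEN - 4)
        vend_len = BP_VEND_LEN - 4;
    process_vendor(bp->bp_vend + 4, vend_len, p, 1);
    return 0;
}

/* Constructed RAM image: an 8-byte vendor area at ram[0..pkt_len), then bytes that
 * were never received. Case 0: hostname option claiming 20 bytes while the packet
 * ends after 2. Case 1: only zero padding, so the walk leaves the packet and meets
 * a "router" option lying in RAM. Returns pkt_len. */
size_t build_ram(uint8_t *ram, int padding_case)
{
    struct bootp_hdr *bp = (struct bootp_hdr *)ram;
    static const char secret[] = "BOOT-KEY:deadbeef";          /* constructed leak target */
    static const uint8_t stray[] = { 3, 4, 10, 0, 0, 1, 0xff }; /* constructed RAM content */
    size_t pkt_len = offsetof(struct bootp_hdr, bp_vend) + 8;

    memset(ram, 0, RAM_SIZE);
    memcpy(bp->bp_vend, VENDOR_MAGIC, 4);
    if (padding_case) {
        memcpy(ram + pkt_len, stray, sizeof stray);
    } else {
        bp->bp_vend[4] = 12; bp->bp_vend[5] = 20;      /* tag, claimed length */
        bp->bp_vend[6] = 'u'; bp->bp_vend[7] = 'b';    /* only 2 bytes really sent */
        memcpy(ram + pkt_len, secret, sizeof secret - 1);
    }
    return pkt_len;
}

/* Run one constructed offer through either handler; result lives in a static buffer. */
const struct net_params *run_offer(int fixed, int padding_case)
{
    static uint8_t ram[RAM_SIZE];
    static struct net_params p;
    size_t pkt_len = build_ram(ram, padding_case);

    memset(&p, 0, sizeof p);
    if (fixed)
        bootp_handler_fixed((struct bootp_hdr *)ram, pkt_len, &p);
    else
        bootp_handler_vuln((struct bootp_hdr *)ram, pkt_len, &p);
    return &p;
}
```

With the unreduced length, case 0 fills net_hostname with the two received bytes plus 17 bytes of memory behind the packet, and case 1 walks the zero padding out of the packet and installs a gateway address that was never on the wire; with the reduced length and the per-field end check, the first offer is rejected at the field and the second stops at the packet boundary, leaving both parameters untouched.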