Monero: Buffer out of bound read in miniupnpc xml parser

2018-04-18T09:32:51
ID H1:340012
Type hackerone
Reporter yukichen
Modified 2018-04-25T05:49:15

Description

Summary:

This is a buffer out-of-bounds read vulnerability in miniupnpc when it parses an XML response. It can be used for a denial-of-service attack against Monero clients on the same local area network.

Description:

In miniupnpc, file "minixml.c":

The function parseelt:

    static void parseelt(struct xmlparser * p)
    {
        ...
        if(memcmp(p->xml, "<![CDATA[", 9) == 0)   // (1) Failed to do bound check prior to "memcmp" here
        {
            /* CDATA handling */
            p->xml += 9;
            data = p->xml;
            i = 0;
            while(memcmp(p->xml, "]]>", 3) != 0)
            ...
    }

Here it tries to match the CDATA section in the XML document using memcmp. However, it does not check whether it has already reached the end of the XML buffer. By sending a specially crafted XML response, we can make it read out of bounds of the XML buffer, which may crash the client.
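As an added example (not miniupnpc's code and not the reporter's), the same CDATA match written with a length test ahead of each memcmp, so a buffer that ends inside "<![CDATA[" or that lacks "]]>" is rejected instead of read past. struct xmlparser is reduced to the two fields the check needs, and the function names are mine.

```c
#include <stddef.h>
#include <string.h>

/* Stand-in for miniupnpc's parser state: only the two fields the
 * bounds check needs (assumed layout, not the project's struct). */
struct xmlparser {
    const char *xml;     /* current read position */
    const char *xmlend;  /* one past the last valid byte */
};

/* Returns 1 if the parser sits at a CDATA opener and the whole 9-byte
 * token lies inside the buffer, 0 otherwise.  The length test runs
 * first, so memcmp never touches bytes at or beyond xmlend. */
static int at_cdata_start(const struct xmlparser *p)
{
    return (p->xmlend - p->xml) >= 9 &&
           memcmp(p->xml, "<![CDATA[", 9) == 0;
}

/* Consumes "<![CDATA[ ... ]]>" at p->xml.  On success stores the data
 * start and length, advances past "]]>" and returns 1.  Returns 0 if
 * no CDATA section starts here and -1 if the terminator is missing
 * before xmlend (the case the unchecked while loop walks past). */
static int parse_cdata(struct xmlparser *p, const char **data, size_t *len)
{
    const char *q;

    if (!at_cdata_start(p))
        return 0;
    q = p->xml + 9;
    /* Loop only while three bytes remain, so this memcmp stays in bounds. */
    while ((p->xmlend - q) >= 3) {
        if (memcmp(q, "]]>", 3) == 0) {
            *data = p->xml + 9;
            *len  = (size_t)(q - *data);
            p->xml = q + 3;
            return 1;
        }
        q++;
    }
    return -1;
}
```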

Releases Affected:

It affects all monero clients which use miniupnpc.

I have tested with the Windows, 64-bit (Command-Line Tools Only) build, version 0.12.0.0 Lithium Luna, downloaded from: https://getmonero.org/downloads/

The environment I used to test was Windows 10 64-bit.

Steps To Reproduce:

Step 1. Enable page heap for monerod.exe:

Page heap on Windows makes the program crash at the point where a memory corruption (buffer overrun, use-after-free, ...) happens, similar to tools like Valgrind or ASAN.

See: https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/gflags-and-pageheap

1.1 Install WinDbg to get gflags

Install the Debugging Tools for Windows, which contain the gflags.exe tool.

1.2 Enable page heap for monerod.exe

Execute the following command:

"c:\Program Files\Debugging Tools for Windows (x64)\gflags.exe" /i monerod.exe +hpa

Step 2. Start the malicious upnp server:

python poc.py --listen 127.0.0.1:65000 --target havoc

Step 3. Start monerod:

monerod.exe --test-drop-download

Step 4. Wait for monerod to crash

The crash stack trace:

    (5c10.56c0): Access violation - code c0000005 (!!! second chance !!!)
    *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Users\test\Desktop\monero\monero-win-x64-v0.12.0.0\monero-v0.12.0.0\monerod.exe -
    monerod+0x448737:
    0000000001768737 4c3908          cmp     qword ptr [rax],r9 ds:00000000200b0fff=????????????????
    0:000> k
    Child-SP          RetAddr           Call Site
    000000000294d5f0 0000000001767edb monerod+0x448737
    000000000294d660 0000000001970b5b monerod+0x447edb
    000000000294d7a0 00000000019792ff monerod!ZN5boost7archive6detail11oserializerINS0_24portable_binary_oarchiveEN8nodetool26anchor_peerlist_entry_baseIN4epee9net_utils15network_addressEEEEC2Ev+0x1addb
    000000000294e6b0 0000000001987503 monerod!ZN5boost7archive6detail11oserializerINS0_24portable_binary_oarchiveEN8nodetool26anchor_peerlist_entry_baseIN4epee9net_utils15network_addressEEEEC2Ev+0x2357f
    000000000294e960 0000000001986aa2 monerod!ZN5boost7archive6detail11oserializerINS0_24portable_binary_oarchiveEN8nodetool26anchor_peerlist_entry_baseIN4epee9net_utils15network_addressEEEEC2Ev+0x31783
    000000000294ead0 0000000001331c96 monerod!ZN5boost7archive6detail11oserializerINS0_24portable_binary_oarchiveEN8nodetool26anchor_peerlist_entry_baseIN4epee9net_utils15network_addressEEEEC2Ev+0x30d22
    000000000294eca0 0000000001336735 monerod+0x11c96
    000000000294ede0 00000000017fdb73 monerod+0x16735
    000000000294ee70 0000000001ab0f0b monerod+0x4ddb73
    000000000294f000 00000000013213c7 monerod!ZNK5boost7archive6detail11oserializerINS0_24portable_binary_oarchiveEN8nodetool26anchor_peerlist_entry_baseIN4epee9net_utils15network_addressEEEE16save_object_dataERNS1_14basic_oarchiveEPKv+0x112c1b
    000000000294f860 00000000013214fb monerod+0x13c7
    000000000294f930 00007ffa6b921fe4 monerod+0x14fb
    000000000294f960 00007ffa6d7bf061 KERNEL32!BaseThreadInitThunk+0x14
    000000000294f990 0000000000000000 ntdll!RtlUserThreadStart+0x21

Impact

An attacker on the same local network may crash Monero clients.