OpenWrt Project: OPENWRT-SA-2020-01-31-2
Jan 31, 2020 - 12:00 a.m.

Security Advisory 2020-01-31-2 - libubox tagged binary data JSON serialization vulnerability (CVE-2020-7248)

2020-01-31 00:00:00
OpenWrt Project
openwrt.org

CVSS2: 5 Medium (AV:N/AC:L/Au:N/C:N/I:N/A:P)

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: NONE
  • Integrity Impact: NONE
  • Availability Impact: PARTIAL

CVSS3: 7.5 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: NONE
  • Availability Impact: HIGH

EPSS: 0.004 Low (Percentile: 75.0%)

DESCRIPTION
A possibly exploitable vulnerability exists in the libubox library of OpenWrt, specifically in the parts related to JSON conversion of tagged binary data, so-called blobs. An attacker could possibly exploit this behavior by providing a specially crafted binary blob, or JSON which would then be translated into a blob internally.

This malicious blobmsg input would contain a blob attribute holding a large enough numeric value of type double which, when processed by blobmsg_format_json, would overflow the stack-allocated buffer array designated for JSON output.
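The overflow condition described above, shown from the fix side as an added example (not code from libubox or from the advisory): it measures how many bytes a "%lf" rendering of a double needs and formats it with a bounded call that rejects values that do not fit. The 32-byte buffer size and the helper names double_text_len and format_double_bounded are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>

#define JSON_NUM_BUF 32  /* assumed size of a small on-stack number buffer */

/* Bytes (excluding the NUL) that "%lf" needs for v; snprintf(NULL, 0, ...) only measures. */
static int double_text_len(double v)
{
	return snprintf(NULL, 0, "%lf", v);
}

/*
 * Bounded serializer (hypothetical helper): writes v into out and returns the
 * text length, or -1 if the text does not fit, leaving out as an empty string.
 * An unbounded sprintf() at this point would write past out for large values.
 */
static int format_double_bounded(char *out, size_t outlen, double v)
{
	int n = snprintf(out, outlen, "%lf", v);

	if (n < 0 || (size_t)n >= outlen) {
		if (outlen > 0)
			out[0] = '\0';
		return -1;
	}
	return n;
}

int main(void)
{
	/* Constructed inputs: a small value and a 30-digit value of the kind the advisory describes. */
	const char *samples[] = { "3.14", "192200197600198000198100200400.1922" };
	char buf[JSON_NUM_BUF];

	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		double v = strtod(samples[i], NULL);
		int need = double_text_len(v);
		int got = format_double_bounded(buf, sizeof(buf), v);

		printf("%-38s needs %d+1 bytes, buffer %d: %s\n", samples[i], need,
		       JSON_NUM_BUF, got < 0 ? "rejected" : buf);
	}
	return 0;
}
```

A caller that gets -1 can fail the serialization cleanly or retry with a heap buffer sized from double_text_len.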

The libubox library is a core component of the OpenWrt project and is used in other parts of the project. These interdependencies are visible by looking up the above-mentioned vulnerable blobmsg_format_json function in the project's LXR[1], which reveals references in netifd, procd, ubus, rpcd and uhttpd.

Apart from these core components, there is also the auc[2] package, providing the Attended sysUpgrade CLI in the packages feeds repository, which seems to be using this vulnerable function.

CVE-2020-7248 has been assigned to this issue.

REQUIREMENTS
In order to exploit this vulnerability, an attacker would need to provide specially crafted binary blobs or JSON input to blobmsg_format_json, thus creating a stack-based overflow condition during serialization of the double value into the JSON buffer.

It was verified that it is possible to crash rpcd with the following shell command:

$ ubus call luci getFeatures '{ "banik": 00192200197600198000198100200400.1922 }'

MITIGATIONS
To fix this issue, update the affected libubox using the command below.

 opkg update; opkg upgrade libubox

The fix is contained in the following and later versions:

  • OpenWrt master: 2020-01-20 reboot-12063-g5c73bb12c82c

  • OpenWrt 19.07: 2019-01-29 v19.07.1-1-g4668ae3bed

  • OpenWrt 18.06: 2019-01-29 v18.06.7-1-g6bfde67581

AFFECTED VERSIONS
To our knowledge, OpenWrt versions 18.06.0 to 18.06.6 and versions 19.07.0-rc1 to 19.07.0 are affected. The fixed packages will be integrated in the OpenWrt 19.07.1, 18.06.7 and subsequent releases. Older versions of OpenWrt (e.g. OpenWrt 15.05 and LEDE 17.01) are end of life and not supported any more.

Other users of libubox should update to the latest version ASAP.

CREDITS
The issues were discovered and fixed by Petr Štetiar and Jo-Philipp Wich.
