Unchecked Buffer in Microchip TCP/IP Stack Could Allow Remote Code Execution Apr 30 2013 09:37PM
az bugreport subscriber gmail com
Unchecked Buffer in Microchip TCP/IP Stack
Could Allow Remote Code Execution

==== General Information ====

== Executive Summary ==

The function TCPIP_IPV6_ProcessFragmentationHeader() does not
correctly validate the "fragment offset" field in the IPv6
fragmentation header. By sending a fragmented packet with fragment
offset > packet size, the packet's contents may be written to an
attacker-controlled offset beyond the end of a heap buffer.

The standard vendor toolchain for PIC32 does not implement ASLR or
stack cookies. The typical memory layout for a PIC32 application
prevents shellcode from being executable, requiring ROP techniques.

Note that this bug is located in layer 3 header parsing and thus a
system may be vulnerable even if no sockets are open.

== Recommendations ==

There is no patch available at this time. The vendor has stated that
since this is a beta they will not release an out-of-cycle patch and
will include the fix in the stable release.

See "Mitigations" section.

==== Affected and Non-Affected Software ====

== Affected Software ==

All applications using the Microchip TCP/IP Stack v6.00 - 6.02
(current) beta on PIC32 microcontrollers with IPv6 support enabled
are affected.

== Non-Affected Software ==

Version 5.x and earlier are not affected. As far as is known, IPv6
fragmentation support is only implemented for systems using the
PIC32's internal MAC and other board configurations are not affected.

==== Vulnerability Summary ====

Severity Critical
Impact Remote code execution
Disclosure status Vendor notified 04/01/2013
Vendor responded confirming exploitability 04/23/2013
Public release 05/01/2013
Exploit code? Bug located by source code audit, no PoC available.

==== Vulnerability Details ====

tcpip/ip.c lines 3566 and 3572 (same code)
MACGetArray(pNetIf->hIfMac, ptrFragment->packet + headerLen +
(fragmentHeader.offsetM.bits.fragmentOffset << 3), dataCount);

fragmentHeader.offsetM.bits.fragmentOffset is not validated before
being added to ptrFragment->packet. As a result, MACGetArray() can
overwrite dataCount bytes beyond the end of the array pointed to by

==== Mitigations ====

Disable IPv6 support in the application at compile time.

Alternatively, use firewall rules to prevent fragmented IPv6 packets
reaching the target system from untrusted hosts.

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus