CVE-2023-2905: Cesanta Mongoose MQTT Message Parsing Heap Overflow#

AHA! has discovered an issue with Mongoose from Cesanta, and is publishing this disclosure in accordance with AHA!’s standard disclosure policy today, on Tuesday, August 8, 2023. CVE-2023-2905 has been assigned to this issue.

Any questions about this disclosure should be directed to [email protected].

Executive Summary#

Due to a failure in validating the length of a provided MQTT_CMD_PUBLISH parsed message with a variable length header, the dual-licensed Cesanta Mongoose embeddable web server version 7.10 is susceptible to a heap-based buffer overflow vulnerability in the default configuration. CVE-2023-2905 appears to be an instance of CWE-122. Version 7.9 and prior does not appear to be vulnerable.

Technical Details#

Below is the code used to parse mqtt messages with lines 365-370 being used to ensure that the variable length portion of the buffer is not larger than 4 bytes and breaking out of the loop if lc & 0x80 evaluates to false (based on the MSB).

src/mqtt.c

352 int mg_mqtt_parse(const uint8_t *buf, size_t len, uint8_t version,
353                   struct mg_mqtt_message *m) {
354   uint8_t lc = 0, *p, *end;
355   uint32_t n = 0, len_len = 0;
356
357   memset(m, 0, sizeof(*m));
358   m->dgram.ptr = (char *) buf;
359   if (len < 2) return MQTT_INCOMPLETE;
360   m->cmd = (uint8_t) (buf[0] >> 4);
361   m->qos = (buf[0] >> 1) & 3;
362
363   n = len_len = 0;
364   p = (uint8_t *) buf + 1;
365   while ((size_t) (p - buf) < len) {
366     lc = *((uint8_t *) p++);
367     n += (uint32_t) ((lc & 0x7f) << 7 * len_len);
368     len_len++;
369     if (!(lc & 0x80)) break;
370     if (len_len >= 4) return MQTT_MALFORMED;
371   }

Then lines 393-406 show the code path to the vulnerable function decode_variable_length, containing the remaining to be read mqtt buffer after additions to the p pointer on lines 394, 397, 402.

src/mqtt.c

393     case MQTT_CMD_PUBLISH: {
394       if (p + 2 > end) return MQTT_MALFORMED;
395       m->topic.len = (uint16_t) ((((uint16_t) p[0]) << 8) | p[1]);
396       m->topic.ptr = (char *) p + 2;
397       p += 2 + m->topic.len;
398       if (p > end) return MQTT_MALFORMED;
399       if (m->qos > 0) {
400         if (p + 2 > end) return MQTT_MALFORMED;
401         m->id = (uint16_t) ((((uint16_t) p[0]) << 8) | p[1]);
402         p += 2;
403       }
404       if (p > end) return MQTT_MALFORMED;
405       if (version == 5 && p + 2 < end) {
406         m->props_size = decode_variable_length((char *) p, &len_len);

The below shows the buffer from the crash file showing a 10 byte mqtt message with the 8th byte having the MSB set.

Thread 1 "fuzzer" hit Breakpoint 7, LLVMFuzzerTestOneInput (data=0xffffb4500790 "5\b", size=10) at test/fuzz.c:38

38        mg_mqtt_parse(data, size, 5, &mm);
(gdb) x/12bx data
0xffffb4500790: 0x35    0x08    0x00    0x01    0x00    0x00    0x5a    0x8a
0xffffb4500798: 0xff    0xff    0x00    0x00

This results in a variable length header being detected but only containing 3 bytes, as can be seen below

Thread 1 "fuzzer" hit Breakpoint 8, mg_mqtt_parse (buf=<optimized out>, len=<optimized out>, version=<optimized out>, m=<optimized out>) at src/mqtt.c:415
415             m->props_size = decode_variable_length((char *) p, &len_len);
(gdb) x/10x p
0xffffb0b00797: 0x8a    0xff    0xff    0x00    0x00    0x00    0x00    0x00
0xffffb0b0079f: 0x00    0x02

And finally, the decode_variable_length function code, which contains no bounds checks on the size of the buffer being read.

src/mqtt.c

 92 static uint32_t decode_variable_length(const char *buf,
 93                                        uint32_t *bytes_consumed) {
 94   uint32_t value = 0, multiplier = 1, offset;
 95
 96   for (offset = 0; offset < 4; offset++) {
 97     uint8_t encoded_byte = ((uint8_t *) buf)[offset];
 98     value += (encoded_byte & 0x7F) * multiplier;
 99     multiplier *= 128;
100
101     if (!(encoded_byte & 0x80)) break;
102   }
103
104   if (bytes_consumed != NULL) *bytes_consumed = offset + 1;
105
106   return value;
107 }

This allows for a read primitive of 1-3 bytes from a heap overflow.

Payload#

A base64 encoded blob of the payload needed to trigger the vulnerability can be found below.

NQgAAQAAWor//w==

Attacker Value#

Cesanta Mongoose is an embedded webserver library commonly used to add web server functionality to devices with vendor provided integrations. According to the project’s README, “Mongoose is used by hundreds of businesses, from Fortune500 giants like Siemens, Schneider Electric, Broadcom, Bosch, Google, Samsung, Qualcomm, Caterpillar to the small businesses.” Because it is an embedded software, often implemented in the context of IOT/ICS (Internet of Things / Industrial Control Systems), its presence may be difficult for affected end-users to audit for.

If an attacker has the capability of sending an MQTT message to the webserver (which would require direct network access to the network hosting the device), that attacker could use the above primitive in a chain to obtain remote code execution on an embedded device. The level of access would depend on the parent process that runs Mongoose. In most IOT/ICS contexts, this would typically result in the total compromise of the webserver, and, if it is not running in a privilege-restricted context, total compromise of the hosting device.

Remediation#

PR2274 fixes the issue on the main branch of the open source repository; the vendor has further advised that Mongoose Version 7.11 available for downstream users and implementors addresses the issue.

Credit#

This issue is being disclosed through the AHA! CNA and is credited to: zenofex and WanderingGlitch

Timeline#

  • 2023-05-25 (Thu): Initial findings presented at AHA! Meeting 0x00c8
  • 2023-06-22 (Thu): PoC validated and this disclosure drafted.
  • 2023-06-22 (Thu): Disclosed to the vendor via email at [email protected].
  • 2023-06-23 (Fri): Vendor acknowledged the vulnerability.
  • 2023-06-27 (Tue): Vendor fixed master branch with PR2274.
  • 2023-08-07 (Mon): Reached out to vendor for a status update.
  • 2023-08-08 (Tue): Vendor advised publishing this disclosure of CVE-2023-2905.