Show pagesourceOld revisionsBacklinksBack to top × Table of Contents Security Advisory 2020-01-31-2 - libubox tagged binary data JSON serialization vulnerability (CVE-2020-7248) DESCRIPTION REQUIREMENTS MITIGATIONS AFFECTED VERSIONS CREDITS REFERENCES Security Advisory 2020-01-31-2 - libubox tagged binary data JSON serialization vulnerability (CVE-2020-7248) DESCRIPTION Possibly exploitable vulnerability exists in the libubox library of OpenWrt, specifically in the parts related to JSON conversion of tagged binary data, so called blobs. An attacker could possibly exploit this behavior by providing specially crafted binary blob or JSON which would then be translated into blob internally. This malicious blobmsg input would contain blob attribute holding large enough numeric value of type double which then processed by blobmsg_format_json would overflow the buffer array designated for JSON output allocated on the stack. The libubox library is a core component in the OpenWrt project and utilized in other parts of the project. Those interdependencies are visible by looking up of the above mentioned vulnerable blobmsg_format_json function in the project's LXR[1], which reveals references in netifd, procd, ubus, rpcd, uhttpd. Apart from this core components, there is also auc[2] package providing Attended sysUpgrade CLI in the packages feeds repository, which seems to be using this vulnerable function. CVE-2020-7248 has been assigned to this issue. REQUIREMENTS In order to exploit this vulnerability, a malicious attacker would need to provide specially crafted binary blobs or JSON input to blobmsg_format_json, thus creating stack based overflow condition during serialization of the double value into the JSON buffer. It was verified, that its possible to crash rpcd by following shell command: $ ubus call luci getFeatures '{ "banik": 00192200197600198000198100200400.1922 }' MITIGATIONS To fix this issue, update the affected libubox using the command below. opkg update; opkg upgrade libubox The fix is contained in the following and later versions: OpenWrt master: 2020-01-20 reboot-12063-g5c73bb12c82c OpenWrt 19.07: 2019-01-29 v19.07.1-1-g4668ae3bed OpenWrt 18.06: 2019-01-29 v18.06.7-1-g6bfde67581 AFFECTED VERSIONS To our knowledge, OpenWrt versions 18.06.0 to 18.06.6 and versions 19.07.0-rc1 to 19.07.0 are affected. The fixed packages will be integrated in the OpenWrt 19.07.1, 18.06.7 and subsequent releases. Older versions of OpenWrt (e.g. OpenWrt 15.05 and LEDE 17.01) are end of life and not supported any more. Other users of libubox should update to the latest version ASAP. CREDITS The issues were discovered and fixed by Petr Štetiar and Jo-Philipp Wich. REFERENCES https://lxr.openwrt.org/ident?i=blobmsg_format_json https://github.com/openwrt/packages/blob/master/utils/auc/src/auc.c#L676 This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.OKMore information about cookies Last modified: 2020/02/20 03:48by ynezz