Security Advisory 2020-01-31-2 - libubox tagged binary data JSON serialization vulnerability (CVE-2020-7248)

Possibly exploitable vulnerability exists in the libubox library of OpenWrt, specifically in the parts related to JSON conversion of tagged binary data, so called blobs. An attacker could possibly exploit this behavior by providing specially crafted binary blob or JSON which would then be translated into blob internally.

This malicious blobmsg input would contain blob attribute holding large enough numeric value of type double which then processed by blobmsg_format_json would overflow the buffer array designated for JSON output allocated on the stack.

The libubox library is a core component in the OpenWrt project and utilized in other parts of the project. Those interdependencies are visible by looking up of the above mentioned vulnerable blobmsg_format_json function in the project's LXR[1], which reveals references in netifd, procd, ubus, rpcd, uhttpd.

Apart from this core components, there is also auc[2] package providing Attended sysUpgrade CLI in the packages feeds repository, which seems to be using this vulnerable function.

CVE-2020-7248 has been assigned to this issue.

In order to exploit this vulnerability, a malicious attacker would need to provide specially crafted binary blobs or JSON input to blobmsg_format_json, thus creating stack based overflow condition during serialization of the double value into the JSON buffer.

It was verified, that its possible to crash rpcd by following shell command:

$ ubus call luci getFeatures '{ "banik": 00192200197600198000198100200400.1922 }'

To fix this issue, update the affected libubox using the command below.

 opkg update; opkg upgrade libubox

The fix is contained in the following and later versions:

  • OpenWrt master: 2020-01-20 reboot-12063-g5c73bb12c82c
  • OpenWrt 19.07: 2019-01-29 v19.07.1-1-g4668ae3bed
  • OpenWrt 18.06: 2019-01-29 v18.06.7-1-g6bfde67581

To our knowledge, OpenWrt versions 18.06.0 to 18.06.6 and versions 19.07.0-rc1 to 19.07.0 are affected. The fixed packages will be integrated in the OpenWrt 19.07.1, 18.06.7 and subsequent releases. Older versions of OpenWrt (e.g. OpenWrt 15.05 and LEDE 17.01) are end of life and not supported any more.

Other users of libubox should update to the latest version ASAP.

The issues were discovered and fixed by Petr Štetiar and Jo-Philipp Wich.

This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.More information about cookies
  • Last modified: 2020/02/20 08:48
  • by ynezz