Description
Detailed description
Summary
Two stack buffer underflow vulnerabilities were found in oseama (the Seama firmware image handling tool) in LEDE/OpenWrt.
When the metasize field of a parsed Seama file is 0, the code computes metasize - 1 and writes to buf[metasize - 1], which writes to stack memory located before buf.
AddressSanitizer reliably reports a crash for several input samples. An attacker can use this defect to corrupt critical data on the stack; in theory there is a risk of arbitrary code execution, and the bug is easy to trigger and reproducible.
Details
Affected component
Tool: oseama (Seama container/firmware image handling tool)
Source location: lede-master/package/utils/oseama/src/oseama.c
Affected functions and line numbers:
oseama_info_entities() — oseama.c:125-126 (the actual write happens on line 126)
oseama_info() — oseama.c:205-206 (the actual write happens on line 206)
Root cause:
Both functions contain the same dangerous pattern: after reading the metasize field, fread reads metasize bytes into the local stack buffer buf, and then the following is executed:
end = (char *)&buf[metasize - 1]; // the metasize == 0 case is not checked
*end = '\0'; // when metasize == 0, metasize - 1 underflows and the write lands at buf-1
When metasize == 0, metasize - 1 wraps around in unsigned arithmetic to a very large value, so the address points at stack memory before buf and a '\0' is written there: a stack buffer underflow. The pattern is repeated in several functions and is caused by an incomplete bounds check.
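The fix a maintainer would want is a bounds check on metasize before it is used as an index. The following is an added example, not code from oseama.c: it treats metasize as a 2-byte big-endian field followed by the metadata bytes (an assumed layout, since this report does not give the Seama header format) and rejects the metasize == 0 case that sends &buf[metasize - 1] to buf - 1, as well as values that would overflow buf in the other direction.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define META_BUF_SZ 1024  /* constructed buffer size, not taken from oseama.c */

/* Validate an untrusted metasize before it is used as an index into a
 * buffer of bufsz bytes. Returns 0 if buf[metasize - 1] is in bounds,
 * -1 otherwise. metasize == 0 is the underflow case from the report. */
static int check_metasize(unsigned metasize, size_t bufsz)
{
    if (metasize == 0)      /* metasize - 1 would index buf[-1] */
        return -1;
    if (metasize > bufsz)   /* the fread/write would run past buf */
        return -1;
    return 0;
}

/* Hardened reader for a constructed entity blob: 2-byte big-endian
 * metasize, then metasize bytes of metadata. Copies into buf and applies
 * the original NUL-termination pattern only after the check passes.
 * Returns the metadata length, or -1 on a rejected or truncated input. */
static int read_meta(const uint8_t *data, size_t len, char *buf, size_t bufsz)
{
    if (len < 2)
        return -1;
    unsigned metasize = ((unsigned)data[0] << 8) | data[1];
    if (check_metasize(metasize, bufsz) != 0)
        return -1;
    if (len - 2 < metasize)            /* file shorter than it claims */
        return -1;
    memcpy(buf, data + 2, metasize);   /* stands in for fread(buf, 1, metasize, f) */
    buf[metasize - 1] = '\0';          /* original pattern, now safe: 1 <= metasize <= bufsz */
    return (int)metasize;
}

int main(void)
{
    char buf[META_BUF_SZ];
    /* constructed inputs: metasize == 0 (the repro case) and a valid entity */
    const uint8_t zero_meta[] = { 0x00, 0x00 };
    const uint8_t good_meta[] = { 0x00, 0x04, 'a', 'b', 'c', 0x00 };

    printf("metasize=0 -> %d (rejected)\n", read_meta(zero_meta, sizeof zero_meta, buf, sizeof buf));
    printf("metasize=4 -> %d, meta=\"%s\"\n", read_meta(good_meta, sizeof good_meta, buf, sizeof buf), buf);
    return 0;
}
```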
PoC
Full reproduction steps:
Build (with ASan and debug information)
Change to the source directory
cd lede/package/utils/oseama/src
Compile
gcc -g -fsanitize=address -Wall oseama.c md5.c -o oseama
PoC files:
https://github.com/oneafter/Underflow/blob/main/repro1
https://github.com/oneafter/Underflow/blob/main/repro2
Reproduction commands
Reproduce the first crash
./oseama info repro1
Reproduce the second crash
./oseama info repro2
ASAN report
==300==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffce78e2cdf at pc 0x5562d8edd2e1 bp 0x7ffce78e2c50 sp 0x7ffce78e2c40
WRITE of size 1 at 0x7ffce78e2cdf thread T0
#0 0x5562d8edd2e0 in oseama_info /lede/package/utils/oseama/src/oseama.c:206
#1 0x5562d8edeea8 in main /lede/package/utils/oseama/src/oseama.c:547
#2 0x7fe5caa8bd8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)
#3 0x7fe5caa8be3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f)
#4 0x5562d8edc4e4 in _start (/lede/package/utils/oseama/src/oseama+0x24e4)
Address 0x7ffce78e2cdf is located in stack of thread T0 at offset 63 in frame
#0 0x5562d8edcca9 in oseama_info /lede/package/utils/oseama/src/oseama.c:139
This frame has 2 object(s):
[32, 44) 'hdr' (line 141)
[64, 1088) 'buf' (line 145) <== Memory access at offset 63 underflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /lede/package/utils/oseama/src/oseama.c:206 in oseama_info
==300==ABORTING
Impact
Attack type: stack buffer underflow
Possible consequences:
Program crash (denial of service, DoS)
Overwriting local variables, the low bytes of the return address, or saved register values on the stack; under some runtime environments and compiler options an attacker may be able to alter control flow;
In environments with weak mitigations (stack canary / ASLR / PIE / NX not enabled or bypassed), there is a theoretical risk of constructing an exploit chain to achieve arbitrary code execution (RCE).
Affected scope:
All build/processing pipelines that use the oseama executable (the OpenWrt/LEDE build chain, firmware packing/parsing toolchains);
Any system that integrates oseama into automated build or firmware processing flows and runs it with elevated privileges (e.g. root);
Supply chain: a malicious or corrupted Seama file can trigger the vulnerability during the build/processing stage and thereby affect downstream firmware production.
Duplicate issues
- No similar issues
Specific model
All
Detailed logs
None.