{"schema":"libjg2-1",
"vpath":"/git/",
"avatar":"/git/avatar/",
"alang":"",
"gen_ut":1760995866,
"reponame":"libwebsockets",
"desc":"libwebsockets lightweight C networking library",
"owner": { "name": "Andy Green", "email": "andy@warmcat.com", "md5": "c50933ca2aa61e0fe2c43d46bb6b59cb" },"url":"https://libwebsockets.org/repo/libwebsockets",
"f":3,
"items": [
{"schema":"libjg2-1",
"cid":"3dce70fecfeec27b5fcf2b6938cc00c6",
"commit": {"type":"commit",
"time": 1759939404,
"time_ofs": 60,
"oid_tree": { "oid": "6ef046728129b662317a25357fd8d86e9cd3f2fd", "alias": []},
"oid":{ "oid": "2bb9598562b37c942ba5b04bcde3f7fdf66a9d3a", "alias": []},
"msg": "NN-2025-0103: ADNS crafted response overflow",
"sig_commit": { "git_time": { "time": 1759939404, "offset": 60 }, "name": "Andy Green", "email": "andy@warmcat.com", "md5": "c50933ca2aa61e0fe2c43d46bb6b59cb" },
"sig_author": { "git_time": { "time": 1758717038, "offset": 60 }, "name": "Nozomi Network Labs", "email": "labs-advisory@nozominetworks.com", "md5": "e570194d13a3ff6c89099f07c6cf4a59" }},
"body": "NN-2025-0103: ADNS crafted response overflow\n\nThis document contains sensitive information collected during our\nsecurity research activities related to the Libwebsockets library made\nby Andy Green (warmcat).\n\n+-------------------------------------------------------------------------------------------------------+\n| Report information |\n+:\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d:+:\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d:+\n| Vendor | warmcat |\n+-------------------------------------+-----------------------------------------------------------------+\n| Vendor URL | https://libwebsockets.org/git/libwebsockets |\n+-------------------------------------+-----------------------------------------------------------------+\n| Affected component | Ecostruxure Automation Expert |\n+-------------------------------------+-----------------------------------------------------------------+\n| Affected version | 4.4 |\n+-------------------------------------+-----------------------------------------------------------------+\n| Vulnerability | CWE-121: Stack-based Buffer Overflow |\n+-------------------------------------+-----------------------------------------------------------------+\n| Proposed CVSS v3.1 Base Score | 7.5 |\n+-------------------------------------+-----------------------------------------------------------------+\n| Proposed CVSS v3.1 Vector | CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N 
|\n+-------------------------------------+-----------------------------------------------------------------+\n\n+-----------------------------------------------------------------------------+\n| Security Researcher(s) |\n+:\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d:+:\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d:+\n| Name | **Email address** |\n+-------------------------------------+---------------------------------------+\n| Raffaele Bova | labs-advisory@nozominetworks.com |\n+-------------------------------------+---------------------------------------+\n\nLibwebsockets is a C library that provides client and server\nimplementations for various protocols (e.g., HTTP, websockets, MQTT) and\nmore.\n\nNozomi Networks Lab discovered a \u0022CWE-121: Stack-based Buffer Overflow\u0022\nin the latest software version of libwebsockets, specifically in the\nasync-dns component.\n\nThe vulnerability allows an attacker that can inspect DNS requests made\nby the victim (e.g. 
being in the same wireless network) to forge a DNS\nresponse packet that overflows the stack and may lead to arbitrary code\nexecution (depending on the platform and compiler options).\n\nThe issue resides in the `lws_adns_parse_label` function in\n`lib/system/async-dns/async-dns-parse.c`; this function iteratively parses\na label; however, it does not correctly check the number of bytes written\nto the destination buffer.\n\nSpecifically, the size of the dest output buffer is specified in the `dl`\nargument; however, during the read of each substring of the label, only\nthe length of the current substring is accounted for when checking for\noverflow of the destination buffer; previous reads are not accounted\nfor.\n\nThis means that a label of arbitrary size and content can be supplied\nand is copied onto the stack; however, it must be split into substrings\nof size less than `dl`.\n\nTo trigger the vulnerability an attacker must be able to sniff the DNS\nrequest packet to send a response with a matching identifier; otherwise\nthe implementation correctly ignores the response.\n\nWe have provided a harness for testing; for ease of use, copy the harness\ninto a subdirectory, for example minimal-examples-lowlevel/api-tests/,\nand build it:\n\n```\ncmake -B build -DLWS_WITH_SYS_ASYNC_DNS\u003d1 -DLWS_WITH_SSL\u003d0 \u005c\n-DCMAKE_C_FLAGS\u003d\u0022-fsanitize\u003daddress\u0022 . \u0026\u0026 make -C build lws-test-async-dns\n```\n\nThen it can be run with `./build/bin/lws-test-async-dns \u003c poc_stackbof`.\n\nWe suggest keeping track of the number of bytes currently written to the\ndest buffer; this could be done by saving the original dest pointer,\ndecrementing dl on each substring memcpy, or using an auxiliary\nvariable.\n"
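The per-label versus cumulative length check described in the advisory, as an added example that is not libwebsockets code and not the researchers' harness. It models a QNAME-to-dotted-string copy with the same arithmetic the report describes (each label writes `ll` bytes plus a separator and a NUL, and advances by `ll + 1`); name-compression pointers, the `dl`-sized stack buffer and the function names `copy_qname`, `fits_vulnerable`, `fits_fixed` and `build_name` are assumptions of this model. The destination here is an oversized scratch buffer so the per-label variant can report how many bytes it would have written into a 32-byte buffer instead of actually corrupting memory.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not libwebsockets code. Compression pointers are omitted;
 * they do not change the arithmetic the advisory is about. */

typedef int (*fit_check_t)(unsigned ll, unsigned readsize, unsigned dl);

/* Check as the advisory describes the original: only the current label
 * (ll bytes + '.' + NUL) is compared against dl; earlier labels are ignored. */
static int fits_vulnerable(unsigned ll, unsigned readsize, unsigned dl)
{
	(void)readsize;
	return ll + 2 <= dl;
}

/* Same shape as the fix: bytes already emitted (readsize) are included. */
static int fits_fixed(unsigned ll, unsigned readsize, unsigned dl)
{
	return ll + 2 + readsize <= dl;
}

/* Copy labels from pkt[0..len) into dest as "label.label.".
 * dl is the size the caller believes its (stack) buffer has; scratch is the
 * real size of dest and is kept large so the unsafe check can be observed.
 * Returns bytes written including the NUL, -1 if the check or the wire
 * format rejects the name, -2 if even the scratch buffer would overflow. */
static int copy_qname(const uint8_t *pkt, size_t len, char *dest,
		      size_t scratch, unsigned dl, fit_check_t fits)
{
	size_t pos = 0;
	unsigned readsize = 0;	/* bytes emitted so far, not counting the NUL */

	while (pos < len) {
		unsigned ll = pkt[pos++];

		if (ll == 0) {			/* root label ends the name */
			if (readsize + 1 > scratch)
				return -2;
			dest[readsize] = '\0';
			return (int)readsize + 1;
		}
		if (ll > 63 || pos + ll > len)	/* malformed wire data */
			return -1;
		if (!fits(ll, readsize, dl))
			return -1;		/* "qname too large" */
		if (readsize + ll + 2 > scratch)
			return -2;		/* would overflow a real dl-sized buffer */

		/* writes land at dest[readsize .. readsize + ll + 1] */
		memcpy(dest + readsize, pkt + pos, ll);
		dest[readsize + ll] = '.';
		dest[readsize + ll + 1] = '\0';
		readsize += ll + 1;
		pos += ll;
	}
	return -1;				/* no terminating root label */
}

/* Constructed input: nlabels labels of ll 'a' bytes each, then the root
 * label. Returns the encoded length, or 0 if it does not fit in out. */
static size_t build_name(uint8_t *out, size_t cap, unsigned nlabels, unsigned ll)
{
	size_t n = 0;
	unsigned i;

	if (ll > 63 || (size_t)nlabels * (ll + 1) + 1 > cap)
		return 0;
	for (i = 0; i < nlabels; i++) {
		out[n++] = (uint8_t)ll;
		memset(out + n, 'a', ll);
		n += ll;
	}
	out[n++] = 0;
	return n;
}

/* Crafted name: five 20-byte labels against a claimed 32-byte buffer.
 * Every label passes "ll + 2 <= 32" on its own; together they need 106 bytes. */
static int crafted_result(fit_check_t fits)
{
	uint8_t wire[512];
	char scratch[512];
	size_t n = build_name(wire, sizeof wire, 5, 20);

	return copy_qname(wire, n, scratch, sizeof scratch, 32, fits);
}

/* An ordinary name, to show both checks still accept legitimate input. */
static int legit_result(fit_check_t fits, char *out, size_t outlen)
{
	static const uint8_t wire[] = { 3, 'w', 'w', 'w', 7, 'e', 'x', 'a', 'm',
					'p', 'l', 'e', 3, 'c', 'o', 'm', 0 };

	return copy_qname(wire, sizeof wire, out, outlen, 32, fits);
}

int main(void)
{
	printf("per-label check accepts %d bytes into a 32-byte buffer; "
	       "cumulative check returns %d\n",
	       crafted_result(fits_vulnerable), crafted_result(fits_fixed));
	return 0;
}
```

With the per-label check the crafted name is copied in full (106 bytes into what the caller believes is a 32-byte buffer); with the cumulative check the second label is rejected, which is exactly the condition the fix adds. The `readsize + ll + 2 > scratch` guard exists only so the model stays memory-safe; a real parser has no such second buffer.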
,
"diff": "diff --git a/lib/system/async-dns/async-dns-parse.c b/lib/system/async-dns/async-dns-parse.c\nindex 1509192..50f0fff 100644\n--- a/lib/system/async-dns/async-dns-parse.c\n+++ b/lib/system/async-dns/async-dns-parse.c\n@@ -35,7 +35,7 @@ lws_adns_parse_label(const uint8_t *pkt, int len, const uint8_t *ls, int budget,\n \tconst uint8_t *e \u003d pkt + len, *ols \u003d ls;\n \tchar pointer \u003d 0, first \u003d 1;\n \tuint8_t ll;\n-\tint n;\n+\tint n, readsize \u003d 0;\n \n \tif (len \u003c DHO_SIZEOF || len \u003e 1500)\n \t\treturn -1;\n@@ -93,7 +93,7 @@ again1:\n \t\treturn -1;\n \t}\n \n-\tif ((unsigned int)ll + 2 \u003e dl) {\n+\tif ((unsigned int)(ll + 2 + readsize) \u003e dl) {\n \t\tlwsl_notice(\u0022%s: qname too large\u005cn\u0022, __func__);\n \n \t\treturn -1;\n@@ -106,6 +106,7 @@ again1:\n \t(*dest)[ll + 1] \u003d '\u005c0';\n \t*dest +\u003d ll + 1;\n \tls +\u003d ll;\n+\treadsize +\u003d ll + 1;\n \n \tif (pointer) {\n \t\tif (*ls)\n","s":{"c":1760971171,"u": 2345}}
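Review bot: in the first hunk `readsize` is declared `int` although it is only ever compared against `dl` through a cast in the later check; declaring it `unsigned int readsize = 0;` (matching the cast target) would keep the comparison in one type and drop the cast, and a short comment that it counts bytes written to `*dest` rather than bytes read from the packet would stop the name misleading the next reader.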
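Review bot: the new check `(unsigned int)(ll + 2 + readsize) > dl` in the second hunk covers the write that follows correctly, since the label bytes, the separator and the NUL at `(*dest)[ll + 1]` occupy offsets `readsize` through `readsize + ll + 1` and the fixed variant rejects exactly when that last offset reaches `dl`; note that the cast now wraps the whole sum so the addition is done in `int` rather than `unsigned int` as before, which is harmless because `readsize` never exceeds `dl`, but it is a silent change in the promotion rules worth a line in the commit message. The `+ 2` re-counts the NUL on every label while `readsize` only advances by `ll + 1`; that is the intended overlap, so a brief comment would prevent someone "fixing" it later.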
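Review bot: `readsize += ll + 1;` in the third hunk duplicates the `*dest += ll + 1;` two lines above, so the two can drift if either is edited; the commit message's own alternative of saving the original `*dest` and computing the offset from the pointer at the check would give one source of truth. Placing the increment after `ls += ll` and before the `if (pointer)` branch is right, because `readsize` tracks output, not input, and must keep counting across a compression-pointer jump.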
],"g": 1015,"chitpc": 0,"ehitpc": 0,"indexed":0
,
"ab": 0, "si": 0, "db":0, "di":0, "sat":0, "lfc": "7d0a"}