Unchecked Buffer in Microchip TCP/IP Stack Could Allow Remote Code Execution ============================= ==== General Information ==== ============================= == Executive Summary == The function TCPIP_IPV6_ProcessFragmentationHeader() does not correctly validate the "fragment offset" field in the IPv6 fragmentation header. By sending a fragmented packet with fragment offset > packet size, the packet's contents may be written to an attacker-controlled offset beyond the end of a heap buffer. The standard vendor toolchain for PIC32 does not implement ASLR or stack cookies. The typical memory layout for a PIC32 application prevents shellcode from being executable, requiring ROP techniques. Note that this bug is located in layer 3 header parsing and thus a system may be vulnerable even if no sockets are open. == Recommendations == There is no patch available at this time. The vendor has stated that since this is a beta they will not release an out-of-cycle patch and will include the fix in the stable release. See "Mitigations" section. ============================================ ==== Affected and Non-Affected Software ==== ============================================ == Affected Software == All applications using the Microchip TCP/IP Stack v6.00 - 6.02 (current) beta on PIC32 microcontrollers with IPv6 support enabled are affected. == Non-Affected Software == Version 5.x and earlier are not affected. As far as is known, IPv6 fragmentation support is only implemented for systems using the PIC32's internal MAC and other board configurations are not affected. =============================== ==== Vulnerability Summary ==== =============================== Severity Critical Impact Remote code execution Disclosure status Vendor notified 04/01/2013 Vendor responded confirming exploitability 04/23/2013 Public release 05/01/2013 Exploit code? Bug located by source code audit, no PoC available. =============================== ==== Vulnerability Details ==== =============================== tcpip/ip.c lines 3566 and 3572 (same code) MACGetArray(pNetIf->hIfMac, ptrFragment->packet + headerLen + (fragmentHeader.offsetM.bits.fragmentOffset << 3), dataCount); fragmentHeader.offsetM.bits.fragmentOffset is not validated before being added to ptrFragment->packet. As a result, MACGetArray() can overwrite dataCount bytes beyond the end of the array pointed to by ptrFragment->packet. ===================== ==== Mitigations ==== ===================== Disable IPv6 support in the application at compile time. Alternatively, use firewall rules to prevent fragmented IPv6 packets reaching the target system from untrusted hosts.