By Francesco Benvenuto.
Recently, I was performing some research on a wireless router and noticed the following piece of code:
This unescape function reverts URL-encoded bytes to their original form. But something specifically caught my attention: there was no size check for the performed operations, and the function assumes that after a ‘%’ there are always two bytes. So, what would happen if after ‘%’ only one character existed? The answer is that the s+3 in the strcpy will access memory after the end of the string, so it could lead to memory corruption.
Then, I tried to exploit this bug on the router in question, but based on how the URL string was managed in that device, it was not possible. It still had the potential to crash other web servers that used this piece of code. That function belonged to the freshtomato library, so I searched for the source code and noticed that at the beginning of the file containing that function, there was the following comment:
It was code from Broadcom. I searched for pieces of those comments on Google and found some projects using that code. I also used grep.app, writing a regex to catch the layout of the bug, and found other projects. Some of these projects were code that can be tinkered with and/or used in web server scenarios. So, we tested the code and eventually contacted multiple vendors regarding vulnerabilities in their respective products.
The code used by each of the different projects is so similar that it is reasonable to assume it was taken from the same initial source. Since the code originally held a Broadcom copyright, it is likely that it was part of a reference implementation that Broadcom released to help customers implement an HTTP server using a Broadcom product. This vulnerability becomes more interesting as the vulnerable products are looked at in more depth, including the open-source software ArduPilot. ArduPilot is an open-source autonomous vehicle package, not tied to Broadcom in any way, so the vulnerable code made its way into the code base without a direct reference implementation. This sort of extended code reuse is extraordinarily difficult to track down, even with modern-day secure coding practices, because the code is slightly modified to suit each use case. For these reasons, it is extraordinarily important for developers to be vigilant in reviewing external functionality that is modified and inserted into a code base, and for security researchers to investigate issues that could easily be slightly mutated across multiple software packages.
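A bounds-checked decoder for the bug class described above, where an unescape routine assumes two bytes always follow a ‘%’. This is an added example, not the Broadcom code or any vendor's fix: the names `hexval`, `url_unescape` and `decodes_to` are hypothetical, and rejecting malformed escapes outright is an assumption of this sketch.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Value of one hex digit, or -1 for anything else (NUL terminator included). */
static int hexval(unsigned char c)
{
    if (isdigit(c)) return c - '0';
    if (isxdigit(c)) return tolower(c) - 'a' + 10;
    return -1;
}

/* Decode %XX escapes in place. Returns 0 on success, -1 if a '%' is not
 * followed by two hex digits. The second digit is read only after the first
 * is valid, so "abc%" and "abc%4" are never read past their terminator. */
int url_unescape(char *s)
{
    char *r = s, *w = s;   /* read/write cursors instead of a strcpy from s + 3 */
    while (*r != '\0') {
        if (*r != '%') {
            *w++ = *r++;
            continue;
        }
        int hi = hexval((unsigned char)r[1]);
        int lo = (hi < 0) ? -1 : hexval((unsigned char)r[2]);
        if (lo < 0)
            return -1;     /* truncated or non-hex escape: reject */
        *w++ = (char)(hi * 16 + lo);
        r += 3;
    }
    *w = '\0';
    return 0;
}

/* Demo helper: decode a copy of `in`; want == NULL means "must be rejected".
 * Returns 1 when the outcome matches. Inputs must fit in 63 bytes. */
int decodes_to(const char *in, const char *want)
{
    char buf[64];
    snprintf(buf, sizeof buf, "%s", in);
    if (url_unescape(buf) != 0)
        return want == NULL;
    return want != NULL && strcmp(buf, want) == 0;
}

int main(void)
{
    /* Constructed inputs: one valid escape, then two truncated ones. */
    printf("%d %d %d\n", decodes_to("a%20b", "a b"),
           decodes_to("abc%", NULL), decodes_to("abc%4", NULL));
    return 0;
}
```

On a rejected input the buffer may be partially decoded but is still NUL-terminated, because the write cursor never passes the read cursor; the caller should discard it and fail the request.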
Below are the vulnerabilities we disclosed and helped fix as part of this discovery. TALOS-2022-1509, TALOS-2022-1511 and TALOS-2022-1512 have been patched by their respective companies or maintainers. Talos additionally confirmed that TALOS-2022-1510 is present in revisions 32270 to at least revision 48599 and was unpatched at the time of publishing, so later versions are also likely vulnerable.
TALOS-2022-1509 (CVE-2022-28664 - CVE-2022-28665)
A memory corruption vulnerability in the httpd’s unescape functionality of FreshTomato, version 2022.1. A specially crafted HTTP request can lead to memory corruption. An attacker can send a network request to trigger this vulnerability.
A memory corruption vulnerability in the httpd’s unescape functionality of DD-WRT from Revision 32270 to Revision 48599 — a Linux-based firmware for embedded systems. Later versions of this product could also be vulnerable, as Talos recently confirmed that the issue was unpatched. A specially crafted HTTP request can lead to memory corruption. An attacker can send a network request to trigger this vulnerability.
A memory corruption vulnerability in both the official Asuswrt firmware as well as the Asuswrt-Merlin New Gen open-source firmware alternative for Asus wireless routers. The vulnerability exists in the httpd’s unescape functionality of these firmwares. A specially crafted HTTP request can lead to memory corruption. An attacker can send a network request to trigger this vulnerability. ASUSWRT, the company’s user interface software for managing Asus devices, is also affected by this vulnerability.
A memory corruption vulnerability in the cgi.c’s unescape functionality of ArduPilot APWeb from master branch 50b6b7ac to master branch 46177cb9. ArduPilot is an open-source software suite that allows users to program autonomous flying and driving devices like drones. A specially crafted HTTP request can lead to memory corruption. An attacker can send a network request to trigger this vulnerability.