Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Denial of Service vulnerability caused by improper exception handling while parsing of CoAP messages #135

Open
cve-reporting opened this issue Dec 27, 2018 · 1 comment
Open

Denial of Service vulnerability caused by improper exception handling while parsing of CoAP messages #135

cve-reporting opened this issue Dec 27, 2018 · 1 comment

Comments

@cve-reporting
Copy link

Multiple sample applications from CoAPthon library are vulnerable to Denial of Service attacks caused by maliciously crafted CoAP messages.
Method Serialize.deserialize() improperly handle multiple exception types leading to crash of applications (including standard CoAP server, CoAP client, CoAP reverse proxy, example collect CoAP server and client).

Example payloads and unhandled exceptions:

  1. File: crash_000_UnicodeDecodeError.raw (attached)

Error message:
File "CoAPthon-master/coapthon/serializer.py", line 335, in convert_to_raw
return bytearray(value, "utf-8")
UnicodeDecodeError: 'ascii' codec can't decode byte 0xb9 in position 5: ordinal not in range(128)

  1. File: crash_001_TypeError.raw

Error message:
File "CoAPthon-master/coapthon/messages/message.py", line 390, in add_option
raise TypeError("Option : %s is not repeatable", option.name)
TypeError: ('Option : %s is not repeatable', 'If-None-Match')

  1. File: crash_002_UnboundLocalError.raw

Error message:
File "CoAPthon-master/coapthon/serializer.py", line 307, in read_option_value_len_from_byte
length = s.unpack_from(values[pos:])[0] + 269
UnboundLocalError: local variable 's' referenced before assignment

  1. File: crash_003_OverflowError.raw

Error message:
File "CoAPthon-master/coapthon/serializer.py", line 339, in convert_to_raw
return bytearray(value)
OverflowError: cannot fit 'long' into an index-sized integer

  1. File: crash_004_IndexError.raw

Error message:
File "CoAPthon-master/coapthon/serializer.py", line 304, in read_option_value_len_from_byte
length = struct.unpack("!B", values[pos])[0] + 13
IndexError: string index out of range

Proposed CVSS score:
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (7.5 - High)

Mitigation:
All exception types should be handled in the main loop of CoAPthon applications (including standard CoAP server, CoAP client, CoAP reverse proxy, example collect CoAP server and client), to provide uninterruptible service.
CoAPthon_crashes.zip

Issue was reported via email on 23rd of February 2018 to CoAPthon developers and registered in CVE database (reserved id is: CVE-2018-12680).
@cve-reporting
Copy link
Author

Following versions of CoAPthon are vulnerable: 3.1, 4.0.0, 4.0.1 4.0.2.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@cve-reporting