Package: braa
Version: 0.82-7
Severity: grave
Tags: security

braa 0.82 contains an out-of-bounds stack read in braa_InternalDecodeBER()
(braaasn.c). When parsing a BER long-form length field, the code reads the
length octets without checking that the buffer contains enough data:

    int noct = len & 0x7f;   /* attacker-controlled: 0-127 */
    for(j = 0; j < noct; j++)
        len |= data[j + 1];  /* NO bounds check - reads beyond packet */

A 3-byte crafted UDP SNMP response (SEQUENCE tag, len=0xff, 1 data byte)
causes the loop to read up to 125 bytes beyond the stack-allocated receive
buffer pbuff[] (queries.c:502), disclosing adjacent stack memory.
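For comparison, the following is an added example of a bounds-checked BER length and header decoder; it is not braa's code and the function and status names are this example's own. It refuses the 3-byte packet described above with a truncation error instead of reading past the buffer, and accepts a constructed well-formed long-form length.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Status codes for the bounds-checked decoder (names are this example's own). */
enum ber_status {
    BER_OK = 0,
    BER_TRUNCATED = -1,   /* field or value extends past the available bytes */
    BER_TOO_LONG = -2,    /* more length octets than a size_t can hold */
    BER_INDEFINITE = -3   /* 0x80: indefinite form, not valid in SNMP */
};

/*
 * Decode a BER length field starting at data[0] without reading past
 * data[avail - 1]. On success writes the decoded length to *len and the
 * number of octets consumed by the length field to *consumed.
 */
int ber_decode_length(const uint8_t *data, size_t avail,
                      size_t *len, size_t *consumed)
{
    if (avail < 1)
        return BER_TRUNCATED;

    uint8_t first = data[0];
    if ((first & 0x80) == 0) {          /* short form: one octet */
        *len = first;
        *consumed = 1;
        return BER_OK;
    }

    size_t noct = first & 0x7f;         /* long form: number of length octets */
    if (noct == 0)
        return BER_INDEFINITE;
    if (noct > avail - 1)               /* the check the vulnerable loop lacked */
        return BER_TRUNCATED;
    if (noct > sizeof(size_t))
        return BER_TOO_LONG;

    size_t value = 0;
    for (size_t j = 0; j < noct; j++)   /* big-endian accumulation */
        value = (value << 8) | data[1 + j];

    *len = value;
    *consumed = 1 + noct;
    return BER_OK;
}

/*
 * Decode a tag + length header and confirm the value fits in the packet.
 * *hdr receives the header size so a caller can locate the value bytes.
 */
int ber_decode_header(const uint8_t *data, size_t avail,
                      uint8_t *tag, size_t *len, size_t *hdr)
{
    size_t consumed;
    if (avail < 1)
        return BER_TRUNCATED;
    *tag = data[0];
    int rc = ber_decode_length(data + 1, avail - 1, len, &consumed);
    if (rc != BER_OK)
        return rc;
    *hdr = 1 + consumed;
    if (*len > avail - *hdr)            /* value would run past the packet */
        return BER_TRUNCATED;
    return BER_OK;
}

/* Constructed sample matching the report: SEQUENCE tag, 0xff, one data byte. */
static const uint8_t crafted_pkt[3] = { 0x30, 0xff, 0x00 };
/* Constructed well-formed long-form length: 0x81 0x02 followed by 2 value bytes. */
static const uint8_t good_pkt[5] = { 0x30, 0x81, 0x02, 0x02, 0x01 };

/* Helpers that run the decoder over the samples and return status or length. */
int decode_crafted_status(void)
{
    uint8_t tag; size_t len, hdr;
    return ber_decode_header(crafted_pkt, sizeof crafted_pkt, &tag, &len, &hdr);
}

int decode_good_status(void)
{
    uint8_t tag; size_t len, hdr;
    return ber_decode_header(good_pkt, sizeof good_pkt, &tag, &len, &hdr);
}

size_t decode_good_length(void)
{
    uint8_t tag; size_t len = 0, hdr;
    if (ber_decode_header(good_pkt, sizeof good_pkt, &tag, &len, &hdr) != BER_OK)
        return 0;
    return len;
}

int main(void)
{
    printf("crafted packet: status %d (BER_TRUNCATED is %d)\n",
           decode_crafted_status(), BER_TRUNCATED);
    printf("well-formed packet: status %d, length %zu\n",
           decode_good_status(), decode_good_length());
    return 0;
}
```

The truncation check runs before the octet count is used as a loop bound, so the number of iterations can never exceed the bytes actually received; the separate check on the decoded value keeps a valid length field from pointing past the end of the packet.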

The fix is present in upstream 0.9.1:
  https://github.com/mteg/braa/releases/tag/v0.9.1

The package should be updated from 0.82-7 to 0.9.1.

Note: 0.9.1 still contains an uninitialized variable 'compl' when parsing
negative integers with len > 4 (braaasn.c), but this has no memory safety
impact.

Reported by: Igor Garofano <[email protected]>
Coordinated with: Moritz Muehlenhoff <[email protected]>
