Submit #770063: Cesanta Mongoose 7.20 Heap-based Buffer Overflow

Title: Cesanta Mongoose 7.20 Heap-based Buffer Overflow
Description:

Heap buffer overflow in the Mongoose v7.20 TLS 1.3 implementation, exploitable for RCE. In `mg_tls_recv_cert()` (mongoose.c), when parsing a client certificate's RSA public key, the modulus is copied into a fixed-size buffer without bounds checking: https://github.com/cesanta/mongoose/blob/master/mongoose.c#L14197

```c
// mongoose.c — mg_tls_recv_cert()
memmove(tls->pubkey, ci->pubkey.buf, ci->pubkey.len);
//      ^^^^^^^^^^^                  ^^^^^^^^^^^^^^
//      528-byte buffer              attacker-controlled length (from X.509 cert DER)
```

The `tls->pubkey` field is a 528-byte buffer inside `tls_data`, which is heap-allocated. An attacker providing a crafted X.509 certificate with an oversized RSA modulus can overflow this buffer, writing arbitrary data across the heap into the `mg_connection` struct.

### Impact

The `mg_connection->fn` function pointer (at offset `+0x80`) is overwritten with the address of attacker-controlled shellcode placed earlier in the modulus. When CA verification fails (as expected for a forged cert), Mongoose calls `mg_error()` → `mg_call(c, MG_EV_ERROR)` → `c->fn()`, jumping to the shellcode.

### Disclosure

Vendor contacted Feb 26 and CONFIRMED the vulnerability.

### Exploit

Due to the nature of the library, I could not target a single device or hardware configuration, so I had to create one myself via qemu: no ASLR, no PIE, no stack canaries (typical embedded/IoT firmware). I am attaching the fully weaponized exploit; here is the chain:

1. **TLS 1.3 handshake** — Full ClientHello/ServerHello with X25519 key exchange and ChaCha20-Poly1305
2. **Crafted Certificate** — X.509 cert with oversized RSA modulus (6136 bytes vs 528-byte buffer)
3. **Heap overflow** — `memmove` writes shellcode + NOP sled + fn pointer across ~5600 bytes of heap
4. **Control flow hijack** — `mg_connection->fn` overwritten to point to shellcode on the executable heap
5. **Trigger** — CA verification fails → `mg_error()` → `c->fn()` → reverse shell as root

[redacted]
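As an added example (not code from the report or from Mongoose), a simplified model of the copy with the missing length check in place: the modulus length taken from the certificate is compared against the destination buffer before `memmove` runs, and the input sizes exercised mirror the report (a 256-byte RSA-2048 modulus versus the 6136-byte one). The `tls_model` layout, `store_pubkey_checked` and `try_modulus` are assumptions, not the library's real names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed, simplified stand-in for the tls_data region described in the report:
 * a fixed 528-byte pubkey buffer followed by other heap state. */
#define PUBKEY_BUF_SIZE 528

struct tls_model {
  uint8_t pubkey[PUBKEY_BUF_SIZE];
  size_t pubkey_len;
  uint8_t trailing_state[64]; /* stands in for whatever follows on the heap */
};

/* Hardened copy: `len` comes from untrusted DER, so it is bounded by the
 * destination size before any byte is written. Returns 0 on success and -1
 * when the caller should abort the handshake instead of copying. */
int store_pubkey_checked(struct tls_model *tls, const uint8_t *mod, size_t len) {
  if (mod == NULL || len == 0 || len > sizeof(tls->pubkey)) return -1;
  memmove(tls->pubkey, mod, len);
  tls->pubkey_len = len;
  return 0;
}

/* Returns 1 if the bytes after the pubkey buffer still hold their sentinel. */
int trailing_state_intact(const struct tls_model *tls) {
  for (size_t i = 0; i < sizeof(tls->trailing_state); i++)
    if (tls->trailing_state[i] != 0xA5) return 0;
  return 1;
}

/* Builds a constructed modulus of `len` filler bytes and stores it.
 * Returns 0 if accepted, -1 if rejected, -2 if the trailing state was touched
 * (which the checked copy must never do). */
int try_modulus(size_t len) {
  static struct tls_model tls;
  static uint8_t mod[8192]; /* constructed input; covers the 6136-byte case */
  if (len > sizeof(mod)) return -1;
  memset(mod, 0x41, len);
  memset(&tls, 0, sizeof(tls));
  memset(tls.trailing_state, 0xA5, sizeof(tls.trailing_state));
  int rc = store_pubkey_checked(&tls, mod, len);
  if (!trailing_state_intact(&tls)) return -2;
  return rc;
}

int main(void) {
  size_t sizes[] = {256, 528, 529, 6136};
  for (size_t i = 0; i < 4; i++)
    printf("modulus %zu bytes -> %d\n", sizes[i], try_modulus(sizes[i]));
  return 0;
}
```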
User: the_evilsocket (UID 96063)
Submission: 02.03.2026 17:27 (1 month ago)
Moderation: 02.04.2026 09:43 (1 month later)
Status: Accepted
VulDB Entry: 354825 [Cesanta Mongoose up to 7.20 TLS 1.3 mongoose.c mg_tls_recv_cert pubkey Buffer Overflow]
Points: 17