| Title | Cesanta Mongoose 7.20 Stack-based Buffer Overflow |
|---|
| Description | Stack buffer overflow in Mongoose v7.20 mDNS
`handle_mdns_record()` in `mongoose.c` allocates a fixed 282-byte stack buffer to build mDNS responses:
https://github.com/cesanta/mongoose/blob/eefec28b50bd9b2f08efd2477d033907f27cd837/mongoose.c#L509
```c
uint8_t buf[sizeof(struct mg_dns_header) + 256 + sizeof(mdns_answer) + 4];
// = 12 + 256 + 10 + 4 = 282 bytes
```
When responding to a PTR query, the function packs **four DNS records** (PTR + SRV + TXT + A) sequentially into this single buffer without any bounds checking. The buffer was sized for a single DNS name (256 bytes) but a PTR response for a device with standard mDNS service metadata easily exceeds 282 bytes.
The critical unbounded copy is in `build_txt_record()`:
```c
memcpy(p, r->txt.buf, r->txt.len), p += r->txt.len; // NO BOUNDS CHECK
```
By the time `build_txt_record()` is called, the pointer `p` is already ~218 bytes into the 282-byte buffer (after PTR + SRV records), leaving only ~64 bytes. Any TXT record larger than ~64 bytes overflows the stack.
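As an added illustration (not Mongoose's own code), the quoted unchecked copy is shown beside a length-checked variant that also receives the buffer end and rejects a TXT record that does not fit. The function names, the `txt_record` struct and the 218-byte cursor offset are assumptions modelled on the description above, not taken from `mongoose.c`.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MDNS_BUF_SIZE 282  /* 12 + 256 + 10 + 4, as computed above */
#define PTR_SRV_USED 218   /* assumed cursor offset after PTR + SRV */

/* Hypothetical view of one TXT record to pack (not Mongoose's struct). */
struct txt_record {
  const uint8_t *buf;
  size_t len;
};

/* Pattern of the quoted unchecked copy: the cursor p advances by the record
 * length no matter how much room is left, so len > remaining space writes
 * past the end of the caller's stack buffer. */
uint8_t *pack_txt_unchecked(uint8_t *p, const struct txt_record *r) {
  memcpy(p, r->buf, r->len);
  return p + r->len;
}

/* Hardened variant: the packer also receives the buffer end and returns NULL
 * instead of writing a record that would not fit, so the caller can drop the
 * response rather than corrupt saved registers and the return address. */
uint8_t *pack_txt_checked(uint8_t *p, const uint8_t *end,
                          const struct txt_record *r) {
  if (p > end || r->len > (size_t)(end - p)) return NULL;
  memcpy(p, r->buf, r->len);
  return p + r->len;
}

/* Reproduces the state the report describes: PTR + SRV already consumed
 * PTR_SRV_USED bytes, leaving 64 bytes for TXT.  Returns true when a
 * constructed TXT payload of txt_len bytes is packed, false when rejected. */
bool try_pack_txt(size_t txt_len) {
  uint8_t buf[MDNS_BUF_SIZE];
  uint8_t txt[512];                    /* constructed sample TXT payload */
  if (txt_len > sizeof(txt)) return false;
  memset(txt, 'A', sizeof(txt));
  struct txt_record r = { txt, txt_len };
  uint8_t *p = buf + PTR_SRV_USED;
  return pack_txt_checked(p, buf + sizeof(buf), &r) != NULL;
}
```

`try_pack_txt(64)` succeeds and `try_pack_txt(65)` is rejected, which is exactly the ~64-byte boundary the report describes.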
### Impact
The overflow corrupts saved registers (`$s0`-`$s8`) and the return address (`$ra`) on the MIPS stack. When `handle_mdns_record()` returns, execution jumps to a corrupted address, crashing the process.
### Disclosure
Vendor contacted Feb 26 and CONFIRMED the vulnerability.
### Exploit
Due to the nature of the library, I could not target a single device or hardware configuration, so I had to create one myself via qemu: no ASLR, no PIE, no stack canaries (typical embedded/IoT firmware). I am attaching the DoS exploit.
[redacted] |
|---|
| User | the_evilsocket (UID 96063) |
|---|
| Submitted | 2026-03-02 17:37 (1 month ago) |
|---|
| Moderation | 2026-04-02 09:43 (1 month later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 354826 [Cesanta Mongoose up to 7.20 mDNS Record mongoose.c handle_mdns_record buf memory corruption] |
|---|
| Points | 17 |
|---|