Submit #808799: Dotouch XproUPF v2.0.0-release-088aa7c4 imp

Title: Dotouch XproUPF v2.0.0-release-088aa7c4 imp

Description:

#Title
UPF Session Hijacking via Duplicate PDR Injection and Higher-Priority Malicious FAR Redirection

#Description
The UPF exhibits a critical logic vulnerability in PFCP session handling. The system fails to enforce the uniqueness of PDR IDs within a single PFCP session, allowing multiple PDR entries with the same ID to coexist. When an attacker submits a crafted PFCP Session Modification Request that includes a duplicated PDR ID with a lower Precedence value (higher priority) than the existing legitimate rule, the UPF datapath misinterprets the rule hierarchy. Consequently, the UPF prioritizes the malicious PDR and its associated FAR, redirecting user-plane traffic to an attacker-controlled outer-header destination.

#Steps to Reproduce
1. Establish a legitimate PFCP session on the target UPF.
2. Identify an existing, active PDR ID (e.g., PDR ID: 3) and its associated legitimate FAR.
3. Send a crafted PFCP Session Modification Request targeting the active session.
4. In the request, inject a duplicated PDR entry using the same PDR ID identified in Step 2.
5. Set the Precedence value of the malicious PDR lower than the legitimate rule to ensure it takes priority during datapath processing.
6. Configure the malicious PDR's FAR with Outer Header Creation pointing to an attacker-controlled IP/TEID.
7. Trigger traffic matching the victim session.
8. Observe the traffic being redirected to the attacker-controlled endpoint due to the higher-priority malicious rule match.

#Impact
Successful exploitation results in full user-plane session hijacking. This leads to several critical security consequences:
- Traffic Interception/Eavesdropping: Unauthorized monitoring of sensitive user data.
- Man-in-the-Middle (MitM): Ability to inspect, modify, or drop traffic before forwarding.
- Denial of Service: Traffic can be blackholed by redirection to non-existent endpoints.
- Integrity/Confidentiality Risk: Compromised traffic flows may expose private information or allow for malicious payload injection.

#Confirmation Statement
This issue has been confirmed by the security team from Dotouch. For further technical validation or coordination, please contact Jay at [email protected].
User: LinZiyu (UID 94035)
Submitted: 21/04/2026 11:01 (2 months ago)
Moderated: 09/05/2026 11:29 (18 days later)
Status: Accepted
VulDB entry: 362450 [Dotouch XproUPF 2.0.0-release-088aa7c4 privilege escalation]
Points: 17
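
The root cause named in the submission is a missing uniqueness check on PDR IDs within one PFCP session. The following is an added example, not code from XproUPF or from the submitter: a small Python model of a per-session rule store that rejects a create for a PDR ID already in the session, plus an audit helper that flags duplicate IDs in a rule dump. The class and function names, the remove/update/create processing order and the sample values are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Pdr:
    pdr_id: int
    precedence: int  # lower value = higher priority, as the report describes
    far_id: int

class RuleError(Exception):
    """The whole modification request must be rejected."""

class Session:
    """Hypothetical per-session rule store, keyed by PDR ID."""

    def __init__(self):
        self.pdrs = {}  # pdr_id -> Pdr, so one ID can hold only one rule

    def apply_modification(self, create=(), update=(), remove=()):
        staged = dict(self.pdrs)  # staged copy: a rejected request alters nothing
        for pdr_id in remove:
            if staged.pop(pdr_id, None) is None:
                raise RuleError(f"remove: unknown PDR ID {pdr_id}")
        for pdr in update:
            if pdr.pdr_id not in staged:
                raise RuleError(f"update: unknown PDR ID {pdr.pdr_id}")
            staged[pdr.pdr_id] = pdr
        for pdr in create:
            if pdr.pdr_id in staged:  # the uniqueness check the report says is missing
                raise RuleError(f"create: PDR ID {pdr.pdr_id} already in session")
            staged[pdr.pdr_id] = pdr
        self.pdrs = staged  # commit only after every rule passed validation

def audit_duplicates(rules):
    """Return {pdr_id: [rules]} for IDs that occur more than once in a rule dump."""
    by_id = defaultdict(list)
    for rule in rules:
        by_id[rule.pdr_id].append(rule)
    return {pid: rs for pid, rs in by_id.items() if len(rs) > 1}

if __name__ == "__main__":
    s = Session()
    s.apply_modification(create=[Pdr(3, 200, 1)])  # constructed sample values
    try:
        s.apply_modification(create=[Pdr(3, 10, 99)])
    except RuleError as e:
        print("rejected:", e)
    print(audit_duplicates([Pdr(3, 200, 1), Pdr(3, 10, 99), Pdr(4, 100, 2)]))
```

The audit helper is meant for a rule dump taken from a store that keeps rules in a list rather than keyed by ID, where duplicates can exist.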
