Bug 2255396 (CVE-2023-4233, ZDI-CAN-20996)

Summary: CVE-2023-4233 ofono: SMS Decoder Stack-based Buffer Overflow Remote Code Execution Vulnerability within the sms_decode_address_field() function
Product: [Other] Security Response Reporter: Sandipan Roy <saroy>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: sebastianenewell
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: ofono 2.1 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in ofono, an Open Source Telephony on Linux. A stack overflow bug is triggered within the sms_decode_address_field() function during the SMS PDU decoding. It is assumed that the attack scenario is accessible from a compromised modem, a malicious base station, or just SMS.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2255397    
Bug Blocks: 2208145    

Description Sandipan Roy 2023-12-20 14:27:46 UTC
ofono is a Open Source Telephony on Linux
stack overflow bug is triggered within the sms_decode_address_field() function during SMS PDU decoding
here assumed that the attack scenario is accessible from a compromised modem or possibily accessible from a malicious base station or just SMS

partial code path is here
    - at_cmt_notify()
    - ofono_sms_deliver_notify()
    - sms_decode()
    - decode_deliver()
    - sms_decode_address_field()
```

~~~C++
gboolean sms_decode_address_field(const unsigned char *pdu, int len,
                                        int *offset, gboolean sc,
                                        struct sms_address *out)
{
        unsigned char addr_len;
        unsigned char addr_type;
        int byte_len;

        if (!next_octet(pdu, len, offset, &addr_len))
                return FALSE;

        if (sc && addr_len == 0) {
                out->address[0] = '\0';
                return TRUE;
        }

        if (!next_octet(pdu, len, offset, &addr_type))
                return FALSE;

        if (sc)
                byte_len = addr_len - 1;
        else
                byte_len = (addr_len + 1) / 2;

        if ((len - *offset) < byte_len)
                return FALSE;

        out->number_type = bit_field(addr_type, 4, 3);
        out->numbering_plan = bit_field(addr_type, 0, 4);

        if (out->number_type != SMS_NUMBER_TYPE_ALPHANUMERIC) {
                extract_bcd_number(pdu + *offset, byte_len, out->address);                      // overflow within extract_bcd_number(), addr_len is from SMS PDU
                *offset += byte_len;
        } else {
...
}

void extract_bcd_number(const unsigned char *buf, int len, char *out)
{
        static const char digit_lut[] = "0123456789*#abc\0";
        unsigned char oct;
        int i;

        for (i = 0; i < len; i++) {
                oct = buf[i];

                out[i * 2] = digit_lut[oct & 0x0f];
                out[i * 2 + 1] = digit_lut[(oct & 0xf0) >> 4];
        }

        out[i * 2] = '\0';
}
~~~

ASAN report
```
=================================================================
==116978==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd18b788ac at pc 0x556e7631ff99 bp 0x7ffd18b78450 sp 0x7ffd18b78440
WRITE of size 1 at 0x7ffd18b788ac thread T0
    #0 0x556e7631ff98 in extract_bcd_number src/smsutil.c:86
    #1 0x556e76322c72 in sms_decode_address_field src/smsutil.c:650
    #2 0x556e763237c3 in decode_deliver src/smsutil.c:761
    #3 0x556e76329456 in sms_decode src/smsutil.c:1567
    #4 0x556e762c508d in main src/main.c:225
    #5 0x7f635c42350f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #6 0x7f635c4235c8 in __libc_start_main_impl ../csu/libc-start.c:381
    #7 0x556e76064274 in _start (/root/ofono/src/ofonod+0x12b274)

Address 0x7ffd18b788ac is located in stack of thread T0 at offset 316 in frame
    #0 0x556e762c4edd in main src/main.c:205

  This frame has 1 object(s):
    [48, 316) 'sms1' (line 212) <== Memory access at offset 316 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow src/smsutil.c:86 in extract_bcd_number
Shadow bytes around the buggy address:
  0x1000231670c0: 01 f2 04 f3 f3 f3 00 00 00 00 00 00 00 00 00 00
  0x1000231670d0: 00 00 00 00 00 00 f1 f1 f1 f1 04 f3 f3 f3 00 00
  0x1000231670e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
  0x1000231670f0: f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00 00
  0x100023167100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100023167110: 00 00 00 00 00[04]f3 f3 f3 f3 f3 f3 f3 f3 00 00
  0x100023167120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100023167130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100023167140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100023167150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100023167160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==116978==ABORTING
```

Comment 1 Sandipan Roy 2023-12-20 14:28:08 UTC
Created ofono tracking bugs for this issue:

Affects: fedora-all [bug 2255397]

Comment 2 Debra Hallman 2024-02-04 07:45:14 UTC
I can't solve this bug.
Source: https://uno-online.io