Remote Zero-Click Exploit in Tesla Automobiles
Two vulnerabilities, both in ConnMan (a root service for managing network connections): a stack-based overflow and a stack leak. The first was a stack-based overflow in uncompressing DNS records. The code would first copy the uncompressed resource record, type, class and a null byte to a temporary buffer and increment the pointers, then copy the fixed portion (10 bytes) and increment the pointers again. The problem was that while it did a bounds check on the variable-size content, it did not bounds check the fixed-size copy, leading to a linear overflow.
There was also another, more subtle bug in how it calculated the pointer increments. Namely, strncpy would be called with the remaining buffer size as maxlen, but the pointer increment would just be the strlen, without regard for the buffer size, allowing an attacker to increment the pointer past the canary without overwriting it. Which I thought was a cool trick, not really widely applicable but still a fun trick.
The second issue was a stack leak: in a central listener for DHCP packets, the packet buffer is allocated on the stack but not zeroed, so if you end a packet with an option code but no option data it will read an uninitialized stack area. They were conveniently able to read both stack addresses, to know where the stack was, and return addresses from library function calls, to know where libraries were located. While there was some randomization, the spacing between libraries was not randomized.